ZFS snapdir readability (Crosspost)

Borja Marcos borjam at sarenet.es
Mon Nov 18 10:01:32 UTC 2019
> On 7 Nov 2019, at 15:54, mike tancsa <mike at sentex.net> wrote:
> 
> On 11/6/2019 7:02 PM, Alan Somers wrote:
>> 
>> Your analysis of the snapdir is correct.  Setting it to hidden doesn't make
>> it inaccessible.  That's not unique to FreeBSD, however.  I believe it's
>> common to all ZFS implementations (I just double checked on Oracle
>> Solaris).  Also, the problem isn't unique to ZFS.  Any backup system would
>> have the same problem, as long as users are allowed to access the backups
>> directly.  And in fact, Bob could've directly observed Alice's id_rsa file
>> before she changed it.  So I don't think this should be considered a
>> security vulnerability.  The best course for Alice would be to consider her
>> id_rsa as compromised as soon as she notices the problem, and delete it.
> 
> Still, it would be a nice feature to have where .zfs could be set to
> root only read. In a multi user system, my users (me included) do all
> sorts of accidental foot shooting things like making files readable for
> a brief period of time they should not make readable.  I think I recall
> ZoL adding this as a feature back when I ran into this issue via zfs
> allow / unallow ? Or at least I think I saw discussion about it.
> 
> https://github.com/zfsonlinux/zfs/issues/3963

The problem is, snapshot access breaks the semantics of chown() and chmod().

Maybe a lesser evil would be to define a uid with snapshot access for each dataset. At least
for systems with a dataset per home directory it would allow a user to access their past snapshots
while at the same time restricting access to past snapshots for other users.

Borja.
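As an added example (not code from this thread or from the ZFS project), assuming the standard `<mountpoint>/.zfs/snapshot/<snapname>/` layout and using a constructed directory tree in place of a real dataset, a small Python check that lists the snapshots in which a given file is still exposed to group or others, i.e. which copies a user like Alice must treat as compromised after an accidental chmod:

```python
import os
import stat
import tempfile

# Snapshot directory layout used by ZFS (FreeBSD included):
#   <mountpoint>/.zfs/snapshot/<snapname>/<path within the dataset>
SNAPDIR = os.path.join(".zfs", "snapshot")

# Mode bits that grant any access to group or others.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def exposed_in_snapshots(mountpoint, relpath, bits=NON_OWNER_BITS):
    """Return [(snapshot, mode)] for every snapshot in which relpath
    exists with any of `bits` set.

    snapdir=hidden only hides .zfs from directory listings; the path is
    still traversable, so a file that was once readable by others stays
    readable in every snapshot taken while it was."""
    hits = []
    snaproot = os.path.join(mountpoint, SNAPDIR)
    if not os.path.isdir(snaproot):
        return hits
    for snap in sorted(os.listdir(snaproot)):
        target = os.path.join(snaproot, snap, relpath)
        try:
            st = os.lstat(target)
        except FileNotFoundError:
            continue  # file did not exist yet in this snapshot
        if st.st_mode & bits:
            hits.append((snap, stat.S_IMODE(st.st_mode)))
    return hits


def demo():
    """Constructed fixture (plain directories, not a dataset): id_rsa absent
    in the first snapshot, 0644 in the second (the accidental exposure),
    0600 in the third (after chmod 600)."""
    states = {"daily-2019-11-05": None,
              "daily-2019-11-06": 0o644,
              "daily-2019-11-07": 0o600}
    with tempfile.TemporaryDirectory() as mnt:
        for snap, mode in states.items():
            sshdir = os.path.join(mnt, SNAPDIR, snap, ".ssh")
            os.makedirs(sshdir)
            if mode is not None:
                key = os.path.join(sshdir, "id_rsa")
                with open(key, "w") as f:
                    f.write("constructed placeholder, not a real key\n")
                os.chmod(key, mode)
        return exposed_in_snapshots(mnt, os.path.join(".ssh", "id_rsa"))
```

On a real system the function would be pointed at the dataset's mountpoint; snapshots are read-only, so the only remedy for a hit is the one Alan describes: treat the key as compromised and replace it.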