ZFS snapdir readability (Crosspost)

mike tancsa mike at sentex.net
Mon Nov 18 13:09:10 UTC 2019

On 11/18/2019 5:01 AM, Borja Marcos wrote:
>> On 11/6/2019 7:02 PM, Alan Somers wrote:
>>> Your analysis of the snapdir is correct.  Setting it to hidden doesn't make
>>> it inaccessible.  That's not unique to FreeBSD, however.  I believe it's
>>> common to all ZFS implementations (I just double checked on Oracle
>>> Solaris).  Also, the problem isn't unique to ZFS.  Any backup system would
>>> have the same problem, as long as users are allowed to access the backups
>>> directly.  And in fact, Bob could've directly observed Alice's id_rsa file
>>> before she changed it.  So I don't think this should be considered a
>>> security vulnerability.  The best course for Alice would be to consider her
>>> id_rsa as compromised as soon as she notices the problem, and delete it.
>> Still, it would be a nice feature to have where .zfs could be set to
>> root only read.    In a multi user system, my users (me included) do all
>> sorts of accidental foot shooting things like making files readable for
>> a brief period of time they should not make readable.  I think I recall
>> ZoL adding this as a feature back when I ran into this issue via zfs
>> allow / unallow ? Or at least I think I saw discussion about it.
>> https://github.com/zfsonlinux/zfs/issues/3963
> The problem is, snapshot access breaks the semantics of chown() and chmod().
As the snapshots are always readonly, I think chown and chmod dont
really apply in this use case. Also, the fact that the mounts can be set
to be "visibile" or "invisible" has its own, different convention from
UFS/NFS who dont have that "invisibility" feature (that I know of anyway).

> Maybe a lesser evil would be to define a uid with snapshot access for each dataset. At least
> for systems with a dataset per home directory it would allow a user to access their past snapshots
> while at the same time restricting to past snapshots to other users.

the problem is you could have a "rogue" snapshot. eg. a user does chmod
a+rx ~ and leaves it on by mistake for a day. Any snapshots kept from
that period would leave that directory open. I think having a "snapshots
not mounted" option adds a layer of security flexibility safety. 


More information about the freebsd-fs mailing list