ZFS snapdir readability (Crosspost)

Jan Behrens jbe-mlist at magnetkern.de
Wed Nov 20 16:58:16 UTC 2019

On Wed, 20 Nov 2019 17:07:44 +0100
Borja Marcos <borjam at sarenet.es> wrote:

> > On 20 Nov 2019, at 16:34, Jan Behrens <jbe-mlist at magnetkern.de> wrote:
> > 
> > [...] Of course
> > limiting the security vulnerabilities to certain moments (partial
> > backup recovery) is a nice step forward, but an even better solution
> > would be to avoid security vulnerabilities at all times.
> True. 
> > The latter requires to either
> > (a) never mount snapshots ever, or
> Well, they are useful for a reason :)
> > (b) only mount snapshots when they are to be *completely* restored, or
> Cloning is atomic. Receiving a snapshot stream, sorry, I don’t remember :/

With "mounting snapshots", I meant mounting snapshots that are already
existent in a ZFS pool. Receiving a snapshot and creating a new
filesystem from it is a different issue. In that case, you can use
"zfs receive -u" and mount the file system manually under a directory with
a parent directory that is chmod 700, as in option (d).

> > (c) be able to specify the user, group, and mode (unless 700 by
> >    default) when mounting or auto-mounting the snapshots, or
> > (d) be able to specify a mount point such that the mount point can be
> >    within a directory that is not +x for everyone.
> Well, there are two options here.
> If by restoring snapshots you mean receiving a snapshot stream, you can always receive it under
> a properly protected dataset.

I did not mean receiving a snapshot stream, see above.

> If you intend to mount (ie, clone) it the solution is the same. Actually
> specifying a mount point when cloning a snapshot is mandatory. You are actually creating a dataset.
> root at micro1:~ # zfs create unpul/forbidden
> root at micro1:~ # chmod go-rwx /unpul/forbidden/
> Anything I restore or clone under this dataset will be only accessible to root. 
> For example:
> root at micro1:~ # zfs clone unpul/UniFi/data at 5.11.38 unpul/forbidden/testing
> (now back to a regular user)
> borjam at micro1:/unpul % cd /unpul/forbidden/
> /unpul/forbidden/: Permission denied.
> Anyway this is not a problem, it’s exactly what you would do if you were reading a tape. 
> The real problem is the “unexpected”, automatic, unavoidable mounting of the .zfs directory. 
> Or am I missing anything? 
> Borja.

Mounting is not the same as cloning and mounting. But you are right: If
snapshots are cloned first, you can specify the mountpoint. But then
you are mounting a new file system and not a snapshot technically.
Which brings us back to option (a) never mount snapshots ever ;-)

Given that we can prohibit the automounting of all snapshots, it would
be a nice workaround which would not have too much overhead.


More information about the freebsd-fs mailing list