ZFS snapdir readability (Crosspost)

Martin Simmons martin at lispworks.com
Thu Nov 21 11:19:36 UTC 2019


>>>>> On Wed, 20 Nov 2019 17:58:03 +0100, Jan Behrens said:
> 
> On Wed, 20 Nov 2019 17:07:44 +0100
> Borja Marcos <borjam at sarenet.es> wrote:
> 
> > > On 20 Nov 2019, at 16:34, Jan Behrens <jbe-mlist at magnetkern.de> wrote:
> > > 
> > > [...] Of course
> > > limiting the security vulnerabilities to certain moments (partial
> > > backup recovery) is a nice step forward, but an even better solution
> > > would be to avoid security vulnerabilities at all times.
> > 
> > True. 
> > 
> > > The latter requires one to either
> > > (a) never mount snapshots ever, or
> > 
> > Well, they are useful for a reason :)
> > 
> > > (b) only mount snapshots when they are to be *completely* restored, or
> > 
> > Cloning is atomic. Receiving a snapshot stream, sorry, I don’t remember :/
> 
> With "mounting snapshots", I meant mounting snapshots that are already
> existent in a ZFS pool. Receiving a snapshot and creating a new
> filesystem from it is a different issue. In that case, you can use
> "zfs receive -u" and mount the file system manually under a directory with
> a parent directory that is chmod 700, as in option (d).
> 
> > 
> > > (c) be able to specify the user, group, and mode (unless 700 by
> > >    default) when mounting or auto-mounting the snapshots, or
> > > (d) be able to specify a mount point such that the mount point can be
> > >    within a directory that is not +x for everyone.
> > 
> > Well, there are two options here.
> > 
> > If by restoring snapshots you mean receiving a snapshot stream, you can always receive it under
> > a properly protected dataset.
> 
> I did not mean receiving a snapshot stream, see above.
> 
> > If you intend to mount (i.e., clone) it, the solution is the same. Actually
> > specifying a mount point when cloning a snapshot is mandatory. You are actually creating a dataset.
> > 
> > root at micro1:~ # zfs create unpul/forbidden
> > root at micro1:~ # chmod go-rwx /unpul/forbidden/
> > 
> > Anything I restore or clone under this dataset will be only accessible to root. 
> > 
> > For example:
> > 
> > root at micro1:~ # zfs clone unpul/UniFi/data at 5.11.38 unpul/forbidden/testing
> > 
> > (now back to a regular user)
> > 
> > borjam at micro1:/unpul % cd /unpul/forbidden/
> > /unpul/forbidden/: Permission denied.
> > 
> > Anyway this is not a problem, it’s exactly what you would do if you were reading a tape. 
> > 
> > The real problem is the “unexpected”, automatic, unavoidable mounting of the .zfs directory. 
> > 
> > Or am I missing anything? 
> > 
> > Borja.
> 
> Mounting is not the same as cloning and mounting. But you are right: If
> snapshots are cloned first, you can specify the mountpoint. But then
> you are mounting a new file system and not a snapshot technically.
> Which brings us back to option (a) never mount snapshots ever ;-)
> 
> Given that we can prohibit the automounting of all snapshots, it would
> be a nice workaround which would not have too much overhead.

Can't you already achieve (d) using /sbin/mount?

__Martin
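Martin's question (whether a plain mount(8) of the snapshot already gives option (d), a mount point whose parent is not +x for everyone) comes down to a property of the parent directories, not of the snapshot: the root of a mounted snapshot carries the snapshot's own mode bits, so the shielding has to come from an ancestor such as Borja's go-rwx /unpul/forbidden. The following is an added example, not code from the thread or from FreeBSD: a POSIX sh helper that walks the ancestors of a mount point and reports the first one that denies search permission to "other", plus a demo on a constructed directory tree under mktemp so it runs without a pool or root. It assumes the ten-character mode column printed by `ls -ld` on FreeBSD and Linux; the `mount -t zfs pool/fs@snap /path` syntax in the trailing comment is assumed here and is not exercised.

```shell
#!/bin/sh
# Added example (not from the thread): option (d) check.  A mounted
# snapshot's root keeps the snapshot's own mode bits, so only the parent
# directories can keep unprivileged users out.  This helper finds the
# ancestor that does the shielding, if any.
#
# shield_dir MOUNTPOINT [STOP]
#   Walks from MOUNTPOINT's parent up to STOP (default "/", inclusive).
#   Prints the first ancestor without o+x and returns 0; returns 1 if
#   every ancestor grants search permission to "other".
#   Assumption: the 10-character mode column of `ls -ld` as printed by
#   FreeBSD and Linux, e.g. "drwx------".  Char 10 is the "other" x bit;
#   with the sticky bit set it shows as "t" (x set) or "T" (x clear).
shield_dir() {
    mp=$1
    stop=${2:-/}
    d=$(dirname "$mp")
    while :; do
        mode=$(ls -ld "$d" | cut -c1-10)
        case $(printf '%s\n' "$mode" | cut -c10) in
            -|T) printf '%s\n' "$d"; return 0 ;;   # others cannot traverse $d
        esac
        [ "$d" = "$stop" ] && return 1
        [ "$d" = "/" ] && return 1
        d=$(dirname "$d")
    done
}

# Demo on a constructed tree (hypothetical paths under mktemp); no ZFS needed.
demo() {
    T=$(mktemp -d) || return 1
    chmod 755 "$T"                      # mktemp gives 0700; open it so the demo is deterministic
    mkdir -p "$T/forbidden/snap" "$T/open/snap"
    chmod 700 "$T/forbidden"            # like "chmod go-rwx /unpul/forbidden" in the thread
    chmod 755 "$T/open"
    for mp in "$T/forbidden/snap" "$T/open/snap"; do
        if s=$(shield_dir "$mp" "$T"); then
            echo "$mp: shielded by $s"
        else
            echo "$mp: NOT shielded, unprivileged users can reach it"
        fi
    done
    rm -rf "$T"
}

# With a real pool the same check applies after an explicit mount, which is
# what Martin is asking about.  Assumed syntax (needs root, not run here):
#   mkdir -m 700 /unpul/forbidden
#   mount -t zfs unpul/UniFi/data@5.11.38 /unpul/forbidden/snap
#   shield_dir /unpul/forbidden/snap     # prints /unpul/forbidden
demo
```

The check deliberately reads mode bits instead of trying `cd` as a test user, so it gives the same answer when run as root (where every `cd` succeeds). It says nothing about the automounted .zfs/snapshot directory, which is the part of the problem the thread identifies as unavoidable; it only confirms that an explicitly mounted or cloned snapshot sits below a directory that others cannot search.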

