ZFS snapdir readability (Crosspost)
Martin Simmons
martin at lispworks.com
Thu Nov 21 11:19:36 UTC 2019
>>>>> On Wed, 20 Nov 2019 17:58:03 +0100, Jan Behrens said:
>
> On Wed, 20 Nov 2019 17:07:44 +0100
> Borja Marcos <borjam at sarenet.es> wrote:
>
> > > On 20 Nov 2019, at 16:34, Jan Behrens <jbe-mlist at magnetkern.de> wrote:
> > >
> > > [...] Of course
> > > limiting the security vulnerabilities to certain moments (partial
> > > backup recovery) is a nice step forward, but an even better solution
> > > would be to avoid security vulnerabilities at all times.
> >
> > True.
> >
> > > The latter requires to either
> > > (a) never mount snapshots ever, or
> >
> > Well, they are useful for a reason :)
> >
> > > (b) only mount snapshots when they are to be *completely* restored, or
> >
> > Cloning is atomic. Receiving a snapshot stream, sorry, I don’t remember :/
>
> With "mounting snapshots", I meant mounting snapshots that are already
> existent in a ZFS pool. Receiving a snapshot and creating a new
> filesystem from it is a different issue. In that case, you can use
> "zfs receive -u" and mount the file system manually under a directory with
> a parent directory that is chmod 700, as in option (d).
>
> >
> > > (c) be able to specify the user, group, and mode (unless 700 by
> > > default) when mounting or auto-mounting the snapshots, or
> > > (d) be able to specify a mount point such that the mount point can be
> > > within a directory that is not +x for everyone.
> >
> > Well, there are two options here.
> >
> > If by restoring snapshots you mean receiving a snapshot stream, you can always receive it under
> > a properly protected dataset.
>
> I did not mean receiving a snapshot stream, see above.
>
> > If you intend to mount (ie, clone) it the solution is the same. Actually
> > specifying a mount point when cloning a snapshot is mandatory. You are actually creating a dataset.
> >
> > root at micro1:~ # zfs create unpul/forbidden
> > root at micro1:~ # chmod go-rwx /unpul/forbidden/
> >
> > Anything I restore or clone under this dataset will be only accessible to root.
> >
> > For example:
> >
> > root at micro1:~ # zfs clone unpul/UniFi/data at 5.11.38 unpul/forbidden/testing
> >
> > (now back to a regular user)
> >
> > borjam at micro1:/unpul % cd /unpul/forbidden/
> > /unpul/forbidden/: Permission denied.
> >
> > Anyway this is not a problem, it’s exactly what you would do if you were reading a tape.
> >
> > The real problem is the “unexpected”, automatic, unavoidable mounting of the .zfs directory.
> >
> > Or am I missing anything?
> >
> > Borja.
>
> Mounting is not the same as cloning and mounting. But you are right: If
> snapshots are cloned first, you can specify the mountpoint. But then
> you are mounting a new file system and not a snapshot technically.
> Which brings us back to option (a) never mount snapshots ever ;-)
>
> Given that we can prohibit the automounting of all snapshots, it would
> be a nice workaround which would not have too much overhead.
Can't you already achieve (d) using /sbin/mount?
__Martin
More information about the freebsd-fs
mailing list