zfs noexec override, sort of.
Patrick Proniewski
patpro at patpro.net
Wed Feb 8 12:45:09 UTC 2012
Hi,
Not sure if it's a real security issue, or if it's a feature.
ZFS allows the admin to create noexec volumes, so that users won't be able to execute binaries sitting on these volume. But as soon as one of these binaries is available on a snapshot, it becomes available for the user to execute:
# zfs create tank/test-exec
# ls
test-exec
# zfs get -r exec tank/test-exec
NAME PROPERTY VALUE SOURCE
tank/test-exec exec off local
# cp /bin/ls /tank/test-exec/
# /tank/test-exec/ls
bash: /tank/test-exec/ls: Permission denied
# zfs snapshot tank/test-exec at noexec
# zfs get -r exec tank/test-exec
NAME PROPERTY VALUE SOURCE
tank/test-exec exec off local
tank/test-exec at noexec exec off inherited from tank/test-exec
# /tank/test-exec/.zfs/snapshot/noexec/ls
test-exec
Once the snapshot is accessed, it's mounted automatically, and gets back an exec=on property:
# zfs get -r exec tank/test-exec
NAME PROPERTY VALUE SOURCE
tank/test-exec exec off local
tank/test-exec at noexec exec on temporary
So it makes it very easy for a user to install and use binaries on a shared server where (for example) every home is a ZFS volume with daily snapshots.
regards,
patpro
More information about the freebsd-security
mailing list