protecting zfs snapshot info


protecting zfs snapshot info

mdtancsa

Is there a way in zfs to protect non-root users from seeing snapshots?
Let's say a user makes a permissions mistake on a sensitive home directory
on a Monday AM that is not discovered until the next day.  If there are
a whole mess of snapshots created between those two points in time,
there is no way to protect that directory without deleting the snapshots.

        ---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, [hidden email]
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-fs
To unsubscribe, send any mail to "[hidden email]"

Re: protecting zfs snapshot info

Borja Marcos-2

> On 12 Aug 2017, at 19:14, Mike Tancsa <[hidden email]> wrote:
>
>
> Is there a way in zfs to protect non-root users from seeing snapshots?
> Let's say a user makes a permissions mistake on a sensitive home directory
> on a Monday AM that is not discovered until the next day.  If there are
> a whole mess of snapshots created between those two points in time,
> there is no way to protect that directory without deleting the snapshots.

Good question, and it’s a problem indeed. The .zfs directory is always created,
and it can be hidden, but it’s still accessible. It’s a security problem that prevents
effective access revocation for a directory/file; I guess that’s what you mean.

Ideally, datasets should have a property preventing the snapshots from being auto-mounted
when the relevant .zfs/snapshot directory is accessed, or even preventing the creation
of .zfs.

Alternatively there could be a specific zfs permission covering this, like a “snapaccess” for
snapshot access or “snapmount” for automatic mounting of snapshots, but it’s more
complicated to do.

Borja.


Re: protecting zfs snapshot info

mdtancsa
On 8/14/2017 2:47 AM, Borja Marcos wrote:

>
>> On 12 Aug 2017, at 19:14, Mike Tancsa <[hidden email]> wrote:
>>
>>
>> Is there a way in zfs to protect non-root users from seeing snapshots?
>> Let's say a user makes a permissions mistake on a sensitive home directory
>> on a Monday AM that is not discovered until the next day.  If there are
>> a whole mess of snapshots created between those two points in time,
>> there is no way to protect that directory without deleting the snapshots.
>
> Good question, and it’s a problem indeed. The .zfs directory is always created,
> and it can be hidden, but it’s still accessible. It’s a security problem that prevents
> effective access revocation for a directory/file; I guess that’s what you mean.

Yes, something like an extra option
hidden | visible | unmounted

        ---Mike


Re: protecting zfs snapshot info

mdtancsa
On 8/14/2017 8:57 AM, Mike Tancsa wrote:
> On 8/14/2017 2:47 AM, Borja Marcos wrote:
>>
>>> On 12 Aug 2017, at 19:14, Mike Tancsa <[hidden email]> wrote:
>>>
>>>
>>> Is there a way in zfs to protect non-root users from seeing snapshots?

>> Good question, and it’s a problem indeed. The .zfs directory is always created,
>> and it can be hidden, but it’s still accessible. It’s a security problem that prevents
>> effective access revocation for a directory/file; I guess that’s what you mean.
>
> Yes, something like an extra option
> hidden | visible | unmounted

I did come across this thread

https://github.com/zfsonlinux/zfs/issues/3963

but it seems Linux-specific, or at least I don't see how it's done on FreeBSD.

        ---Mike


Re: protecting zfs snapshot info

Borja Marcos-2

> On 15 Aug 2017, at 14:20, Mike Tancsa <[hidden email]> wrote:
>
> On 8/14/2017 8:57 AM, Mike Tancsa wrote:
>> On 8/14/2017 2:47 AM, Borja Marcos wrote:
>>>
>>>> On 12 Aug 2017, at 19:14, Mike Tancsa <[hidden email]> wrote:
>>>>
>>>>
>>>> Is there a way in zfs to protect non-root users from seeing snapshots?
>
>>> Good question, and it’s a problem indeed. The .zfs directory is always created,
>>> and it can be hidden, but it’s still accessible. It’s a security problem that prevents
>>> effective access revocation for a directory/file; I guess that’s what you mean.
>>
>> Yes, something like an extra option
>> hidden | visible | unmounted
>
> I did come across this thread
>
> https://github.com/zfsonlinux/zfs/issues/3963
>
> but it seems Linux-specific, or at least I don't see how it's done on FreeBSD.

Yes, it seems to be Linux-specific, and as far as I know there’s no way to do it on FreeBSD right now.

I would vouch for a third state added to the “snapdir” variable, but I wouldn’t call it “disabled”. “unmounted” or
maybe “noauto” is much better in my opinion. The .zfs directory should still be created (maybe hidden when
in “noauto” state) in order to prevent it from being created by a user.

I don’t think a new permission is needed to control that variable, though. The “snapshot” permission
implies that “mount” should be allowed as well, at least in the current versions. So it’s redundant. Or,
actually, the “noauto” value for “snapdir” would eliminate the requirement for “mount” permissions.

I mean: right now the “snapshot” permission requires “mount” because the snapshot is mounted upon creation,
like it or not. If the snapshot were not automatically mounted, thanks to the “noauto” value for “snapdir”, it would be
possible to have a user authorized to manage snapshots but unable to mount them.

Given the very sensible nature of “mount” in Unix, it makes sense.

Borja.


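The thread's point is that snapshots keep serving a directory's old permissions long after the live copy is fixed; the audit below, added here and not code from the thread or from ZFS itself, walks each snapshot's copy of a path and reports the ones that still expose files to "other". It assumes ZFS's `<mountpoint>/.zfs/snapshot/<name>/` layout and uses a constructed directory tree in place of a real pool, so it runs offline; `exposed_snapshots` and `make_sample_pool` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the snapshots of a dataset for
# copies of a path that still carry "other" permission bits, i.e. the window
# between a permissions mistake and its discovery that the thread describes.
# Assumes ZFS's <mountpoint>/.zfs/snapshot/<name>/ layout; a throwaway
# directory tree stands in for a real pool so the script runs offline.

# Print the names of snapshots under $1/.zfs/snapshot whose copy of path $2
# (relative to the mountpoint) contains any entry readable, writable or
# searchable by "other".
exposed_snapshots() {
    mnt=$1
    rel=$2
    for snap in "$mnt"/.zfs/snapshot/*/; do
        [ -d "$snap" ] || continue
        name=$(basename "$snap")
        [ -e "$snap$rel" ] || continue
        hits=$(find "$snap$rel" \( -perm -001 -o -perm -002 -o -perm -004 \) -print 2>/dev/null)
        if [ -n "$hits" ]; then
            echo "$name"
        fi
    done
    return 0
}

# Constructed sample: three daily snapshots of a home dataset. In Monday's and
# Tuesday's snapshots alice's directory was still 755 with a world-readable
# file; by Wednesday it had been fixed to 700/600.
make_sample_pool() {
    root=$(mktemp -d)
    for s in daily-mon daily-tue daily-wed; do
        d="$root/.zfs/snapshot/$s/home/alice"
        mkdir -p "$d"
        echo "secret" > "$d/notes.txt"
        chmod 755 "$d"
        chmod 644 "$d/notes.txt"
    done
    chmod 700 "$root/.zfs/snapshot/daily-wed/home/alice"
    chmod 600 "$root/.zfs/snapshot/daily-wed/home/alice/notes.txt"
    echo "$root"
}

if [ "${1:-}" = "demo" ]; then
    pool=$(make_sample_pool)
    exposed_snapshots "$pool" home/alice   # prints daily-mon and daily-tue
    rm -rf "$pool"
fi
```

On a real pool, snapdir=hidden only stops .zfs from being listed, so the snapshots this prints remain reachable until they are destroyed, which is the trade-off the thread is about.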

Re: protecting zfs snapshot info

mdtancsa
Cc'ing Andriy, who knows a lot about ZFS...

        Andriy, is there any chance something like this is in the works in ZFS?

        ---Mike

On 8/16/2017 6:12 AM, Borja Marcos wrote:

>
>> On 15 Aug 2017, at 14:20, Mike Tancsa <[hidden email]> wrote:
>>
>> On 8/14/2017 8:57 AM, Mike Tancsa wrote:
>>> On 8/14/2017 2:47 AM, Borja Marcos wrote:
>>>>
>>>>> On 12 Aug 2017, at 19:14, Mike Tancsa <[hidden email]> wrote:
>>>>>
>>>>>
>>>>> Is there a way in zfs to protect non-root users from seeing snapshots?
>>
>>>> Good question, and it’s a problem indeed. The .zfs directory is always created,
>>>> and it can be hidden, but it’s still accessible. It’s a security problem that prevents
>>>> effective access revocation for a directory/file; I guess that’s what you mean.
>>>
>>> Yes, something like an extra option
>>> hidden | visible | unmounted
>>
>> I did come across this thread
>>
>> https://github.com/zfsonlinux/zfs/issues/3963
>>
>> but it seems Linux-specific, or at least I don't see how it's done on FreeBSD.
>
> Yes, it seems to be Linux-specific, and as far as I know there’s no way to do it on FreeBSD right now.
>
> I would vouch for a third state added to the “snapdir” variable, but I wouldn’t call it “disabled”. “unmounted” or
> maybe “noauto” is much better in my opinion. The .zfs directory should still be created (maybe hidden when
> in “noauto” state) in order to prevent it from being created by a user.
>
> I don’t think a new permission is needed to control that variable, though. The “snapshot” permission
> implies that “mount” should be allowed as well, at least in the current versions. So it’s redundant. Or,
> actually, the “noauto” value for “snapdir” would eliminate the requirement for “mount” permissions.
>
> I mean: right now the “snapshot” permission requires “mount” because the snapshot is mounted upon creation,
> like it or not. If the snapshot were not automatically mounted, thanks to the “noauto” value for “snapdir”, it would be
> possible to have a user authorized to manage snapshots but unable to mount them.
>
> Given the very sensible nature of “mount” in Unix, it makes sense.
> Borja.
