author: Brian Behlendorf <[email protected]> 2024-10-02 09:12:02 -0700
committer: GitHub <[email protected]> 2024-10-02 09:12:02 -0700
commit: d34d4f97a81f6895de3da67ffbad6f986b2cdae6 (patch)
tree: 90fcbe619bfb7a0b735c1b25ec455f21b67711c9 /man
parent: 86737c5927c204dc866f1de7c95ab964e98be6af (diff)
snapdir: add 'disabled' value to make .zfs inaccessible
In some environments, just making the .zfs control dir hidden from sight
might not be enough. In particular, the following scenarios might warrant
not allowing access at all:
- old snapshots with wrong permissions/ownership
- old snapshots with exploitable setuid/setgid binaries
- old snapshots with sensitive contents

Introducing a new 'disabled' value that not only hides the control dir, but
prevents access to its contents by returning ENOENT solves all of the above.

The new property value takes advantage of 'iuv' semantics ("ignore unknown
value") to automatically fall back to the old default value when a pool is
accessed by an older version of ZFS that doesn't yet know about 'disabled'
semantics.

I think that technically the zfs_dirlook change is enough to prevent access,
but preventing lookups and dir entries in an already opened .zfs handle might
also be a good idea to prevent races when modifying the property at runtime.

Add zfs_snapshot_no_setuid parameter to control whether automatically mounted
snapshots have the setuid mount option set or not.

This could be considered a partial fix for one of the scenarios mentioned in
desired.

Reviewed-by: Alexander Motin <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: Tino Reichardt <[email protected]>
Signed-off-by: Fabian Grünbichler <[email protected]>
Co-authored-by: Fabian Grünbichler <[email protected]>
Closes #3963
Closes #16587
Diffstat (limited to 'man')
-rw-r--r-- man/man4/zfs.4 9
-rw-r--r-- man/man7/zfsconcepts.7 2
-rw-r--r-- man/man7/zfsprops.7 6
3 files changed, 13 insertions, 4 deletions
diff --git a/man/man4/zfs.4 b/man/man4/zfs.4
index 6840dc317..5a47cbbe2 100644
--- a/man/man4/zfs.4
+++ b/man/man4/zfs.4
@@ -1570,6 +1570,15 @@ which have the
.Em no_root_squash
option set.
.
+.It Sy zfs_snapshot_no_setuid Ns = Ns Sy 0 Ns | Ns 1 Pq int
+Whether to disable
+.Em setuid/setgid
+support for snapshot mounts triggered by access to the
+.Sy .zfs/snapshot
+directory by setting the
+.Em nosuid
+mount option.
+.
.It Sy zfs_flags Ns = Ns Sy 0 Pq int
Set additional debugging flags.
The following flags may be bitwise-ored together:
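Review bot: The new zfs_snapshot_no_setuid entry never says which value does what, and the combination of a "no_setuid" name with "Whether to disable" makes it easy to read backwards. Suggest stating it directly, for example that 1 mounts these snapshots with nosuid and 0 leaves setuid/setgid bits honoured, and saying which of the two is the default in the text rather than leaving it to the emphasis on 0 in the synopsis line. It would also help to say that the option only covers mounts triggered through .zfs/snapshot, as the wording implies, so readers do not assume it applies to snapshots mounted by other means.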
diff --git a/man/man7/zfsconcepts.7 b/man/man7/zfsconcepts.7
index 1be3d961c..1d2dff7e4 100644
--- a/man/man7/zfsconcepts.7
+++ b/man/man7/zfsconcepts.7
@@ -71,7 +71,7 @@ File system snapshots can be accessed under the
directory in the root of the file system.
Snapshots are automatically mounted on demand and may be unmounted at regular
intervals.
-The visibility of the
+The availability and visibility of the
.Pa .zfs
directory can be controlled by the
.Sy snapdir
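Review bot: "availability" is introduced in the changed sentence without any indication of what an unavailable .zfs directory means for the reader. If the remainder of the paragraph does not already cover it, add a short clause here saying that snapdir can make the directory inaccessible as well as hidden, so the distinction from "visibility" is clear without having to follow the reference to the property description.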
diff --git a/man/man7/zfsprops.7 b/man/man7/zfsprops.7
index 4ea91bb90..06e279796 100644
--- a/man/man7/zfsprops.7
+++ b/man/man7/zfsprops.7
@@ -1848,11 +1848,11 @@ Controls whether the volume snapshot devices under
are hidden or visible.
The default value is
.Sy hidden .
-.It Sy snapdir Ns = Ns Sy hidden Ns | Ns Sy visible
+.It Sy snapdir Ns = Ns Sy disabled Ns | Ns Sy hidden Ns | Ns Sy visible
Controls whether the
.Pa .zfs
-directory is hidden or visible in the root of the file system as discussed in
-the
+directory is disabled, hidden or visible in the root of the file system as
+discussed in the
.Sx Snapshots
section of
.Xr zfsconcepts 7 .
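Review bot: The rewritten snapdir description lists "disabled, hidden or visible" but does not explain how disabled differs from hidden, which is the whole point of the new value. Suggest adding a sentence saying that with disabled the directory cannot be accessed at all (the commit message says lookups return ENOENT), whereas hidden only omits it from directory listings. The visible lines of this entry also give no default, unlike the entry just above it ("The default value is hidden."), and with disabled now listed first in the synopsis that is worth stating explicitly. The fallback to the old default on ZFS versions that do not know the new value, described in the commit message, deserves a line here too, since an administrator relying on disabled for access control needs to know it is not enforced there.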