From: Graham Cobb <g.btrfs@cobb.uk.net>
To: Matt Zagrabelny <mzagrabe@d.umn.edu>,
Andrei Borzenkov <arvidjaar@gmail.com>
Cc: Btrfs BTRFS <linux-btrfs@vger.kernel.org>
Subject: Re: subvolumes as partitions and mount options
Date: Mon, 27 Mar 2023 21:24:43 +0100 [thread overview]
Message-ID: <30d48950-fc53-60fa-8fc1-61dbebf47102@cobb.uk.net> (raw)
In-Reply-To: <CAOLfK3UZDNO_jSOOHtnA+-Hh-V6_cjsL36iZU0a+V=k80KDenQ@mail.gmail.com>
On 27/03/2023 20:50, Matt Zagrabelny wrote:
> On Mon, Mar 27, 2023 at 2:25 PM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
>>
>> On 27.03.2023 21:48, Matt Zagrabelny wrote:
>>> Greetings,
>>>
>>> I have a root partition btrfs file system.
>>>
>>> I need to have /tmp, /var, /var/tmp, /var/log, and other directories
>>> under separate partitions so that certain mount options can be set for
>>> those partitions/directories.
>>>
>>> I'm testing out a subvolume mount with the subvolume /subv_content
>>> mounted at /subv_mnt.
>>>
>>> For instance, the noexec mount option can be circumvented:
>>
>> "exec/noexec" option applies to mount instance, it is not persistent
>> property of underlying filesystem. It is not specific to btrfs at all.
>
> Agreed. My email was more about subvolumes and the mount point has the
> "noexec", but the actual subvolume doesn't - so there exists a path on
> disk where folks can exec the same file by circumventing the mount
> option by directly invoking the full path under the subvolume.
So, create the subvolume inside a non-world-readable directory? In fact,
I always create all the subvolumes inside top level (subvolid=5)
subvolume but that subvolume is not normally mounted. /, /tmp, /var, etc
are all subvolumes and subvolid=5 is not mounted at all (or can be
mounted with a mount point somewhere not world accessible).
Don't make the mistake of thinking that subvolumes have to be visible
anywhere in the filesystem except the place you mount them.
Graham
next prev parent reply other threads:[~2023-03-27 20:30 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-27 18:48 subvolumes as partitions and mount options Matt Zagrabelny
2023-03-27 19:25 ` Andrei Borzenkov
2023-03-27 19:50 ` Matt Zagrabelny
2023-03-27 20:24 ` Graham Cobb [this message]
2023-03-27 20:31 ` Matthew Warren
2023-03-27 21:06 ` Matt Zagrabelny
2023-03-28 1:42 ` Matthew Warren
2023-03-28 19:45 ` Matt Zagrabelny
2023-03-29 4:04 ` Andrei Borzenkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=30d48950-fc53-60fa-8fc1-61dbebf47102@cobb.uk.net \
--to=g.btrfs@cobb.uk.net \
--cc=arvidjaar@gmail.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=mzagrabe@d.umn.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.