All of lore.kernel.org
 help / color / mirror / Atom feed
From: Duncan <1i5t5.duncan@cox.net>
To: linux-btrfs@vger.kernel.org
Subject: Re: Fwd: Confusion about snapshots containers
Date: Thu, 30 Mar 2017 03:46:24 +0000 (UTC)	[thread overview]
Message-ID: <pan$9f56c$63e254c1$b0a3dfea$f7b524f9@cox.net> (raw)
In-Reply-To: CAAKzf7n=e9Onnc5D-U_zBtXXpFk11QiN7RhisqAB5Ej0DQOcfA@mail.gmail.com

Tim Cuthbertson posted on Wed, 29 Mar 2017 18:20:52 -0500 as excerpted:

> So, another question...
> 
> Do I then leave the top level mounted all the time for snapshots, or
> should I create them, send them to external storage, and umount until
> next time?

Keep in mind that because snapshots contain older versions of whatever 
they're snapshotting, they're a potential security issue, at least if 
some of those older versions are libs or binaries.  Consider the fact 
that you may have had security-updates since the snapshot, thus leaving 
your working copies unaffected by whatever security vulns the updates 
fixed.  If the old versions remain around where normal users have access 
to them, particularly if they're setuid or similar, they have access to 
those old and now known vulns in setuid executables!  (Of course users 
can grab vulnerable versions elsewhere or build them themselves, but they 
can't set them setuid root unless they /are/ root, so finding an existing 
setuid-root executable with known vulns is finding the keys to the 
kingdom.)

So keeping snapshots unmounted and out of the normally accessible 
filesystem tree by default is recommended, at least if you're at all 
concerned about someone untrusted getting access to a normal user account 
and being able to use snapshots with known vulns of setuid executables as 
root-escalation methods.

Another possibility is setting the snapshot subdir 700 perms, so non-
super-users can't normally access anything in it anyway.  Of course 
that's a problem if you want them to have access to snapshots of their 
own stuff for recovery purposes, but it's useful if you can do it.

Good admins will do both of these at once if possible as they know and 
observe the defense-in-depth mantra, knowing all too well how easy a 
single layer of defense yields to fat-fingering or previously unknown 
vulns.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman


  reply	other threads:[~2017-03-30  3:47 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-29 21:27 Confusion about snapshots containers Tim Cuthbertson
2017-03-29 21:55 ` Hugo Mills
2017-03-29 23:20   ` Fwd: " Tim Cuthbertson
2017-03-30  3:46     ` Duncan [this message]
2017-03-30 13:07       ` Tim Cuthbertson
2017-03-31 11:34         ` Austin S. Hemmelgarn
2017-03-31 17:40 ` Kai Krakow

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='pan$9f56c$63e254c1$b0a3dfea$f7b524f9@cox.net' \
    --to=1i5t5.duncan@cox.net \
    --cc=linux-btrfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.