From: Duncan <1i5t5.duncan@cox.net>
To: linux-btrfs@vger.kernel.org
Subject: Re: Fwd: Confusion about snapshots containers
Date: Thu, 30 Mar 2017 03:46:24 +0000 (UTC) [thread overview]
Message-ID: <pan$9f56c$63e254c1$b0a3dfea$f7b524f9@cox.net> (raw)
In-Reply-To: CAAKzf7n=e9Onnc5D-U_zBtXXpFk11QiN7RhisqAB5Ej0DQOcfA@mail.gmail.com
Tim Cuthbertson posted on Wed, 29 Mar 2017 18:20:52 -0500 as excerpted:
> So, another question...
>
> Do I then leave the top level mounted all the time for snapshots, or
> should I create them, send them to external storage, and umount until
> next time?
Keep in mind that because snapshots contain older versions of whatever
they're snapshotting, they're a potential security issue, at least if
some of those older versions are libs or binaries. Consider the fact
that you may have had security-updates since the snapshot, thus leaving
your working copies unaffected by whatever security vulns the updates
fixed. If the old versions remain around where normal users have access
to them, particularly if they're setuid or similar, they have access to
those old and now known vulns in setuid executables! (Of course users
can grab vulnerable versions elsewhere or build them themselves, but they
can't set them setuid root unless they /are/ root, so finding an existing
setuid-root executable with known vulns is finding the keys to the
kingdom.)
So keeping snapshots unmounted and out of the normally accessible
filesystem tree by default is recommended, at least if you're at all
concerned about someone untrusted getting access to a normal user account
and being able to use snapshots with known vulns of setuid executables as
root-escalation methods.
Another possibility is setting the snapshot subdir 700 perms, so non-
super-users can't normally access anything in it anyway. Of course
that's a problem if you want them to have access to snapshots of their
own stuff for recovery purposes, but it's useful if you can do it.
Good admins will do both of these at once if possible as they know and
observe the defense-in-depth mantra, knowing all too well how easy a
single layer of defense yields to fat-fingering or previously unknown
vulns.
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
next prev parent reply other threads:[~2017-03-30 3:47 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-29 21:27 Confusion about snapshots containers Tim Cuthbertson
2017-03-29 21:55 ` Hugo Mills
2017-03-29 23:20 ` Fwd: " Tim Cuthbertson
2017-03-30 3:46 ` Duncan [this message]
2017-03-30 13:07 ` Tim Cuthbertson
2017-03-31 11:34 ` Austin S. Hemmelgarn
2017-03-31 17:40 ` Kai Krakow
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='pan$9f56c$63e254c1$b0a3dfea$f7b524f9@cox.net' \
--to=1i5t5.duncan@cox.net \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.