Re: Fwd: Confusion about snapshots containers

["Austin S. Hemmelgarn" <ahferroin7@gmail.com>]

On 2017-03-30 09:07, Tim Cuthbertson wrote:
> On Wed, Mar 29, 2017 at 10:46 PM, Duncan <1i5t5.duncan@cox.net> wrote:
>> Tim Cuthbertson posted on Wed, 29 Mar 2017 18:20:52 -0500 as excerpted:
>>
>>> So, another question...
>>>
>>> Do I then leave the top level mounted all the time for snapshots, or
>>> should I create them, send them to external storage, and umount until
>>> next time?
>>
>> Keep in mind that because snapshots contain older versions of whatever
>> they're snapshotting, they're a potential security issue, at least if
>> some of those older versions are libs or binaries.  Consider the fact
>> that you may have had security-updates since the snapshot, thus leaving
>> your working copies unaffected by whatever security vulns the updates
>> fixed.  If the old versions remain around where normal users have access
>> to them, particularly if they're setuid or similar, they have access to
>> those old and now known vulns in setuid executables!  (Of course users
>> can grab vulnerable versions elsewhere or build them themselves, but they
>> can't set them setuid root unless they /are/ root, so finding an existing
>> setuid-root executable with known vulns is finding the keys to the
>> kingdom.)
>>
>> So keeping snapshots unmounted and out of the normally accessible
>> filesystem tree by default is recommended, at least if you're at all
>> concerned about someone untrusted getting access to a normal user account
>> and being able to use snapshots with known vulns of setuid executables as
>> root-escalation methods.
>>
>> Another possibility is setting the snapshot subdir 700 perms, so non-
>> super-users can't normally access anything in it anyway.  Of course
>> that's a problem if you want them to have access to snapshots of their
>> own stuff for recovery purposes, but it's useful if you can do it.
>>
>> Good admins will do both of these at once if possible as they know and
>> observe the defense-in-depth mantra, knowing all too well how easy a
>> single layer of defense yields to fat-fingering or previously unknown
>> vulns.
>>
>> --
>> Duncan - List replies preferred.   No HTML msgs.
>> "Every nonfree program has a lord, a master --
>> and if you use the program, he is your master."  Richard Stallman
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
> Thank you, Duncan. I will try to take all that into consideration.
> These are really just fairly simple personal home systems, but
> security is still important.
On the note of the old binaries and libraries bit, nodev, noexec, and 
nosuid are all per-mountpoint, not per-volume, so you can mitigate some 
of the rsik by always mounting with those flags.  Despite that, it's 
still a good idea to not have anything more than you need mounted at any 
given time (it's a lot harder to screw up a filesystem which isn't mounted).