From: Duncan <1i5t5.duncan@cox.net>
To: linux-btrfs@vger.kernel.org
Subject: Re: btrfs receive leaves new subvolume modifiable during operation
Date: Wed, 1 Feb 2017 22:27:01 +0000 (UTC)
Message-ID: <pan$16525$cf7fe24b$7c044b9$74b32f27@cox.net>
In-Reply-To: 7ead5d42-9c00-b2df-3fbf-5b8f287760f6@cobb.uk.net
Graham Cobb posted on Wed, 01 Feb 2017 17:43:32 +0000 as excerpted:
> This first bug is more serious because it appears to allow a
> non-privileged user to disrupt the correct operation of receive,
> creating a form of denial-of-service of a send/receive based backup
> process. If I decided that I didn't want my pron collection (or my
> incriminating emails) appearing in the backups I could just make sure
> that I removed them from the receive snapshots while they were still
> writeable.
I'll prefix this question by noting that my own use-case doesn't use
send/receive, so while I know about it in general from following the list,
I've no personal experience with it...
With that said, couldn't the entire problem be eliminated by properly
setting the permissions on a directory/subvol upstream of the received
snapshot? If said upstream parent is only readable/enterable by root (or
some specific user), then one would have to be root or that user in
order to interfere, as nobody else could even get to the receiving
snapshot to commit mayhem.
IOW, it should work like directory permissions have always worked. If
you don't have enter access to the parent, you can't read/write the
child, thus no need for btrfs-receive specific permission-hoop-jumping.
(And of course SELinux or similar could be used to tighten permissions
even further, should that be justified by the use-case.)
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
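Duncan's argument is that ordinary directory permissions on an ancestor of the receive target decide who can reach the snapshot while `btrfs receive` still has it writable. As an added example (not code from this thread), this Python audit walks the ancestor chain of a receive destination using plain POSIX mode bits and reports the first directory that stops a given uid; `receive_target_exposure` and the constructed layout in `demo` are my own names, and it deliberately ignores ACLs and SELinux.

```python
import os
import stat
import tempfile
from pathlib import Path

def search_allowed(st, uid, gids):
    """Plain POSIX DAC check: may a process with this uid/gids search (enter)
    a directory with stat result `st`? uid 0 always passes, as the kernel's
    CAP_DAC_READ_SEARCH does. ACLs and SELinux are deliberately not modelled."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def receive_target_exposure(target, uid, gids):
    """Walk from / down to `target` (the receive destination) and return the
    first directory the given user cannot enter, or None if every ancestor is
    open to them. A non-None result means that user cannot reach the snapshot
    while `btrfs receive` still has it writable."""
    p = Path(target).resolve()
    for d in list(reversed(p.parents)) + [p]:   # root first, target last
        if not search_allowed(os.stat(d), uid, gids):
            return str(d)
    return None

def demo():
    """Constructed layout: <tmp>/backups (0700, owned by us) / snap (0755).
    Returns (blocking_dir_for_unrelated_uid, blocking_dir_for_owner)."""
    base = tempfile.mkdtemp()
    backups = os.path.join(base, "backups")
    snap = os.path.join(backups, "snap")
    os.makedirs(snap)
    os.chmod(base, 0o755)
    os.chmod(backups, 0o700)   # the upstream lock-down Duncan suggests
    os.chmod(snap, 0o755)      # the snapshot itself is left wide open
    me = os.getuid()
    other = me + 1             # constructed: any uid other than the owner
    return (receive_target_exposure(snap, other, set()),
            receive_target_exposure(snap, me, {os.getgid()}))

if __name__ == "__main__":
    blocked, owner = demo()
    print("unrelated user stopped at:", blocked)
    print("owner stopped at:", owner)
```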