From: Duncan <1i5t5.duncan@cox.net>
To: linux-btrfs@vger.kernel.org
Subject: Re: btrfs receive leaves new subvolume modifiable during operation
Date: Thu, 2 Feb 2017 00:02:16 +0000 (UTC)
Message-ID: <pan$5f1de$80937cf$9c306858$cafb9e40@cox.net>
In-Reply-To: 5c503d69-aaed-680f-de30-75a7323bc753@cobb.uk.net
Graham Cobb posted on Wed, 01 Feb 2017 22:51:34 +0000 as excerpted:
>> [C]ouldn't the entire problem be eliminated by properly
>> setting the permissions on a directory/subvol upstream of the received
>> snapshot?
>
> I (honestly) don't know. But even if that does work, it is clearly only
> a workaround for the bug. Where in the documentation does it warn the
> system manager about the problem? Where does it tell them that they had
> better make sure they only receive into a directory tree which does not
> allow users read or execute access (not just not write access!)? What if
> part of the point of the backup strategy is that users have read access
> to these snapshots so they can restore their own files?
>
> The possibility of a knowledgeable system manager being able to
> workaround the problem by limiting how they use it doesn't stop it being
> a bug.
If it's a workaround, then many of the Linux procedures we as admins and
users use every day are equally workarounds. Setting 007 perms on a dir
that doesn't have anything immediately security vulnerable in it, simply
to keep other users from even potentially seeing or being able to write
to something N layers down the subdir tree, is standard practice.
Which is my point. This is no different than standard security practice,
that an admin should be familiar with and using without even having to
think about it. Btrfs is simply making the same assumptions that
everyone else does, that an admin knows what they are doing and sets the
upstream permissions with that in mind. If they don't, how is that
btrfs' fault?
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
Thread overview: 20+ messages
2017-01-31 23:32 btrfs receive leaves new subvolume modifiable during operation Christian Lupien
2017-02-01 5:09 ` Duncan
2017-02-01 12:28 ` Austin S. Hemmelgarn
2017-02-01 17:43 ` Graham Cobb
2017-02-01 22:27 ` Duncan
2017-02-01 22:51 ` Graham Cobb
2017-02-02 0:02 ` Duncan [this message]
2017-02-02 10:52 ` Graham Cobb
2017-02-02 12:49 ` Austin S. Hemmelgarn
2017-02-03 9:14 ` Duncan
2017-02-03 12:44 ` Austin S. Hemmelgarn
2017-02-03 15:44 ` Graham Cobb
2017-02-03 16:01 ` Austin S. Hemmelgarn
2017-02-03 19:17 ` Graham Cobb
2017-02-03 19:37 ` Austin S. Hemmelgarn
2017-02-05 12:08 ` Kai Krakow
2017-02-06 22:56 ` Graham Cobb
2017-02-05 11:54 ` Kai Krakow
2017-02-06 12:30 ` Austin S. Hemmelgarn
2017-02-06 21:40 ` Kai Krakow