Date: Fri, 31 Jan 2003 02:24:00 +0200
From: Giorgos Keramidas <[EMAIL PROTECTED]>
To: Garrett Wollman <[EMAIL PROTECTED]>
Cc: Kirk McKusick <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: dump -L and privilege

On 2003-01-30 15:52, Garrett Wollman <[EMAIL PROTECTED]> wrote:
> <<On Wed, 29 Jan 2003 18:17:31 -0800, Kirk McKusick <[EMAIL PROTECTED]> said:
>
> > The other alternative would be to create a setuid-to-root program
> > that would take a snapshot and chown it to the user that does dumps.
>
> I think this would actually be a useful feature for more than just
> dumps. I might want to allow some users (say, those in group
> `operator') to be able to create snapshots on their own, without
> allowing arbitrary mounting privileges.

Do normal permissions apply for the files included in a snapshot? It
would be horrible from a security standpoint if any user could use a
setuid program to snapshot filesystems, mount the snapshot to places of
their own, and read random files from the mounted snapshot.

</knee jerk reaction>

- Giorgos

---

By default snapshots are mode 400 owned by root, so normal users cannot
access them. The setuid program is proposing to make them mode 440 group
operator, which would let anyone in the operator group read them. This
is the same level of permission given to disks, so it is neither more
nor less secure than regular disks. If the snapshot is mounted, then the
same filesystem permissions are enforced as would be enforced for the
mounted disk, except that the mount must be done read-only, so nothing
in the snapshot can be moved, deleted, or changed.

Kirk McKusick
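The thread turns on two facts: snapshot files are mode 400 owned by root by default, and the proposed setuid helper would relax that to mode 440 group operator. A small audit that checks exactly those invariants is a natural follow-up for an administrator. The script below is an added example, not code from the thread or from FreeBSD; it assumes snapshots are regular files under a directory you pass in (the path `/mnt/.snap` in the comments is hypothetical) and that the expected owner is root unless you say otherwise. It relies only on POSIX `find` primaries (`-perm` with an exact octal mode, `-user`), so it runs on both BSD and GNU userlands.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): audit a directory
# of filesystem snapshot files and report any that are readable beyond
# what the thread describes.
#
# A snapshot passes if it is mode 0400 (default) or 0440 (the proposed
# group-operator scheme) AND is owned by the expected user.
# Assumptions: snapshots are regular files under the directory given as
# $1 (for example /mnt/.snap on a UFS filesystem, a hypothetical path);
# $2 is the owner they should have, defaulting to root as in the thread.

audit_snapshots() {
    dir=$1
    owner=${2:-root}
    # -a binds tighter than -o, so this reads:
    #   (mode is neither 0400 nor 0440) OR (owner differs)
    # Each offending path is printed on its own line.
    find "$dir" -type f \
        \( ! -perm 400 -a ! -perm 440 -o ! -user "$owner" \) -print
}

# Number of findings, convenient for cron or a monitoring check:
# "0" means every snapshot in the directory is locked down.
audit_snapshots_count() {
    audit_snapshots "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demonstration in a throwaway directory; no real snapshots
# are touched. Files are owned by whoever runs the script, so we pass
# that user as the expected owner.
demo_dir=$(mktemp -d)
touch "$demo_dir/snap.0400" "$demo_dir/snap.0440" "$demo_dir/snap.0644"
chmod 400 "$demo_dir/snap.0400"
chmod 440 "$demo_dir/snap.0440"
chmod 644 "$demo_dir/snap.0644"   # world-readable: this is the finding
audit_snapshots "$demo_dir" "$(id -un)"
rm -rf "$demo_dir"
```

In production you would run it as `audit_snapshots /mnt/.snap` (owner defaulting to root) and alert on a non-zero count; a snapshot that is world-readable exposes every file in the filesystem at the moment it was taken, which is precisely the concern raised in the first message.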