On 01/24/2014 05:27 PM, Chris Murphy wrote:
> On Jan 24, 2014, at 4:16 PM, Josh Stone <jistone(a)redhat.com> wrote:
>> This concerns me especially in the case of security updates -- for
>> example, a vulnerable setuid-root binary should be locked up tight!
> The organization question is valid. But sudo or root could just mount
> any subvolume. However, btrfs read-only snapshots can't be written to
> even by root. Naturally root could just create a rw snapshot of a ro
> snapshot and then delete the ro snapshot, but an audit probably ought
> to show the subvolume UUIDs and creation dates involved so that we'd
> know this is what happened.
My point was not about what root can do. Suppose there's a vulnerable
'sudo' binary that gives everyone a root shell. If that binary is
available on any executable path, even read-only, that's trouble.
As you say, LVM snapshots are out of view, but with btrfs it needs to be
an inaccessible subvolume path, or mounted noexec, etc.
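The concern above (a stale snapshot still reachable on an executable path, so an old setuid-root binary stays usable) can be audited from the mount table. This is an added example, not code from the thread or from any project; the mount table lines are constructed, and the check treats a btrfs subvolume mount as safe only when it carries nosuid or noexec, since either one stops a setuid binary on that mount from escalating.

```sh
#!/bin/sh
# Constructed sample in /proc/self/mounts format (device, mount point,
# fstype, options, dump, pass). Not captured from a real host.
SAMPLE_MOUNTS='/dev/sda2 / btrfs rw,relatime,subvolid=256,subvol=/root 0 0
/dev/sda2 /.snapshots/1 btrfs ro,relatime,subvolid=300,subvol=/snapshots/1 0 0
/dev/sda2 /.snapshots/2 btrfs ro,nosuid,nodev,noexec,relatime,subvolid=301,subvol=/snapshots/2 0 0
/dev/sda2 /home btrfs rw,nosuid,nodev,relatime,subvolid=257,subvol=/home 0 0'

# Read mount-table lines from stdin and print the mount point of every
# btrfs subvolume mount, other than the root filesystem, whose options
# contain neither nosuid nor noexec. Those are the mounts where a setuid
# binary from an old snapshot would still work, read-only or not.
unsafe_snapshot_mounts() {
    awk '$3 == "btrfs" && $2 != "/" {
        n = split($4, opts, ",")
        safe = 0
        for (i = 1; i <= n; i++)
            if (opts[i] == "nosuid" || opts[i] == "noexec") safe = 1
        if (!safe) print $2
    }'
}

# List setuid files below a mount point without crossing into other
# filesystems, so an auditor can see what a flagged snapshot exposes.
list_setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# Usage on the constructed table; on a live system replace the sample
# with: unsafe_snapshot_mounts < /proc/self/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | unsafe_snapshot_mounts | while read -r mp; do
    echo "mount $mp lacks nosuid/noexec; setuid files:"
    list_setuid_files "$mp"
done
```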