On Wed, Feb 12, 2014 at 07:16:34PM -0700, Chris Murphy wrote:
isn't mounted by default. The other question is whether there's a meaningful distinction between persistently mounting this snapshots subvolume, or only mounting it on demand when snapshots are about to be taken? And then when it's mounted, should the mount option be noexec or nosuid.
If old snapshots are mounted, there are several possible security implications:
An old snapshot might contain
- A world-readable confidential files thats permissions were fixed after creating the snapshot, e.g. /etc/pki/tls/private/foo.key
- A confidential file with too many ACLs that were fixed after creating the snapshot
- A confidential file with the bad selinux context allowing to be read by an exploited daemon
- A vulnerable suid binary
- A vulnerable binary with capabilities
- An executable with the wrong selinux context allowing an exploited daemon to execute a binary that is not executable on the current system
- A device file with bad permissions/ACL/selinux context
Therefore I guess it needs to be made sure that no unprivileged process can access the contents of a mounted snapshot. Maybe the root directory can be protected with strict permissions/ACLs and a selinux context that does not allow anything else to access the contents.
Regards Till