btrfs snapshots, rollbacks
Hubert Kario
hkario at redhat.com
Tue Feb 18 11:23:12 UTC 2014
----- Original Message -----
> From: "Till Maas" <opensource at till.name>
> To: security at lists.fedoraproject.org
> Sent: Monday, 17 February, 2014 11:40:42 PM
> Subject: Re: btrfs snapshots, rollbacks
>
> On Wed, Feb 12, 2014 at 07:16:34PM -0700, Chris Murphy wrote:
>
> > isn't mounted by default. The other question is whether there's a
> > meaningful distinction between persistently mounting this snapshots
> > subvolume, or only mounting it on demand when snapshots are about to
> > be taken? And then when it's mounted, should the mount option be
> > noexec or nosuid.
>
> If old snapshots are mounted, there are several possible security
> implications:
>
> An old snapshot might contain
>
> - A world-readable confidential file whose permissions were fixed after
> creating the snapshot, e.g. /etc/pki/tls/private/foo.key
>
> - A confidential file with too many ACLs that were fixed after creating
> the snapshot
>
> - A confidential file with a bad selinux context allowing it to be read
> by an exploited daemon
>
> - A vulnerable suid binary
>
> - A vulnerable binary with capabilities
>
> - An executable with the wrong selinux context allowing an exploited
> daemon to execute a binary that is not executable on the current
> system
>
> - A device file with bad permissions/ACL/selinux context
>
> Therefore I guess it needs to be made sure that no unprivileged process
> can access the contents of a mounted snapshot. Maybe the root directory
> can be protected with strict permissions/ACLs and a selinux context that
> does not allow anything else to access the contents.
I agree. That is needed for /, especially on multi user systems.
What about /home? Some of those issues apply to it too; the problem is that
making snapshots readable only for the root user will make snapshots on /home nearly
useless (if the admin needs to be involved to restore an old version of a file,
he may just as well restore it from backup).
I'm afraid we will have to relax the permissions of /home snapshots.
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
http://wiki.brq.redhat.com/hkario
Email: hkario at redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
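As an added example (not part of this thread or any project's code), a POSIX shell audit that walks a mounted snapshot tree for the stale-state problems listed above (a world-readable private key, a setuid/setgid copy of a binary, a binary with file capabilities, a device node) and then applies the root-only lockdown of the snapshot root. The key path comes from the thread; the sample tree and the name oldtool are constructed here.

```shell
#!/bin/sh
# Audit a mounted snapshot tree for the stale-state risks discussed above,
# then restrict the snapshot root so unprivileged users cannot traverse it.
# The sample tree below is constructed for the demo, not a real snapshot.

# Print one line per finding. Always returns 0 so it can run under set -e.
audit_snapshot() {
    snap="$1"
    # 1. world-readable files where private keys live (fixed later on the live fs)
    find "$snap/etc/pki/tls/private" -type f -perm -004 2>/dev/null |
        sed 's/^/world-readable key: /'
    # 2. setuid or setgid executables (an old, vulnerable copy stays exploitable)
    find "$snap" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null |
        sed 's/^/suid\/sgid binary: /'
    # 3. device nodes: an old node with loose permissions is a raw device handle
    find "$snap" \( -type c -o -type b \) 2>/dev/null |
        sed 's/^/device node: /'
    # 4. file capabilities, only if libcap's getcap is installed
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$snap" 2>/dev/null | sed 's/^/capability binary: /'
    fi
    return 0
}

# The mitigation proposed above: make the snapshot root traversable by root
# only. Pair it with nosuid,nodev,noexec on the snapshot mount itself, e.g.
#   mount -o ro,nosuid,nodev,noexec,subvol=.snapshots /dev/sdX /.snapshots
lock_snapshot_root() {
    chmod 0700 "$1"
}

# Build a constructed sample tree that reproduces two of the problems.
make_sample_snapshot() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pki/tls/private" "$d/usr/bin"
    echo "CONSTRUCTED KEY" > "$d/etc/pki/tls/private/foo.key"
    chmod 0644 "$d/etc/pki/tls/private/foo.key"   # world-readable by mistake
    printf '#!/bin/sh\n' > "$d/usr/bin/oldtool"
    chmod 4755 "$d/usr/bin/oldtool"                # setuid copy left behind
    echo "$d"
}

snap=$(make_sample_snapshot)
audit_snapshot "$snap"
lock_snapshot_root "$snap"
ls -ld "$snap"          # drwx------: only root can enter the snapshot root
rm -rf "$snap"
```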