On Wed, Feb 12, 2014 at 07:16:34PM -0700, Chris Murphy wrote:
> isn't mounted by default. The other question is whether there's a
> meaningful distinction between persistently mounting this snapshots
> subvolume, or only mounting it on demand when snapshots are about to
> be taken? And then when it's mounted, should the mount option be
> noexec or nosuid.
If old snapshots are mounted, there are several possible security
implications:
An old snapshot might contain:
- A world-readable confidential file whose permissions were fixed after
creating the snapshot, e.g. /etc/pki/tls/private/foo.key
- A confidential file with too many ACLs that were fixed after creating
the snapshot
- A confidential file with a bad SELinux context that allows it to be read
by an exploited daemon
- A vulnerable suid binary
- A vulnerable binary with capabilities
- An executable with the wrong SELinux context allowing an exploited
daemon to execute a binary that is not executable on the current
system
- A device file with bad permissions/ACL/SELinux context
Therefore I guess it needs to be ensured that no unprivileged process
can access the contents of a mounted snapshot. Maybe the root directory
can be protected with strict permissions/ACLs and an SELinux context that
does not allow anything else to access the contents.
Regards
Till
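As an added example (not code from the thread or from Fedora), the checks Till's list implies and the hardened mount the quoted question asks about, in POSIX sh: it counts setuid/setgid binaries, files with capabilities, device nodes and world-readable private keys below a mounted snapshot, and shows a read-only nosuid,nodev,noexec bind mount under a 0700 mount point. Paths such as /mnt/snap are placeholders, and getcap(8) is assumed optional.

```shell
#!/bin/sh
# Added example, not from the thread: check a mounted snapshot tree for the
# stale-permission hazards listed above, and show the hardened mount the
# thread asks about (read-only, nosuid, nodev, noexec, 0700 mount point).
# Paths passed in are placeholders; getcap(8) is skipped when absent.

# Mount a snapshot read-only with the restrictive options, under a mount
# point only root can traverse. Needs root, so it is not run by default.
mount_snapshot_hardened() {
    snap=$1; mnt=$2
    mkdir -p "$mnt" && chmod 0700 "$mnt"
    mount --bind "$snap" "$mnt" &&
        mount -o remount,bind,ro,nosuid,nodev,noexec "$mnt"
}

# Each helper prints one number: how many files of that hazard class exist
# below the given root. -xdev keeps find(1) inside the snapshot itself.
count_suid()    { echo $(( $(find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | wc -l) )); }
count_devices() { echo $(( $(find "$1" -xdev \( -type b -o -type c \) | wc -l) )); }
count_caps() {
    if command -v getcap >/dev/null 2>&1; then
        echo $(( $(getcap -r "$1" 2>/dev/null | wc -l) ))
    else
        echo 0
    fi
}
# Private keys readable by "other" (the /etc/pki/tls/private case above).
count_world_readable_keys() {
    echo $(( $(find "$1/etc/pki/tls/private" -type f -perm -004 2>/dev/null | wc -l) ))
}

# Sum of all hazard classes; 0 means none of these stale-permission
# objects is reachable through the snapshot. Report goes to stderr.
audit_snapshot() {
    s=$(count_suid "$1"); c=$(count_caps "$1")
    d=$(count_devices "$1"); k=$(count_world_readable_keys "$1")
    echo "suid/sgid=$s caps=$c devices=$d world-readable-keys=$k" >&2
    echo $(( s + c + d + k ))
}

# Stand-alone use: sh audit_snapshot.sh /mnt/snap
if [ "$#" -eq 1 ]; then
    audit_snapshot "$1"
fi
```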