[DragonFlyBSD - Bug #1469] (In Progress) Hammer history security concern

bugtracker-admin at leaf.dragonflybsd.org
Mon Feb 24 01:56:02 PST 2014


Issue #1469 has been updated by tuxillo.

Status changed from New to In Progress

Hi,

This is absolutely relevant. I am unsure how other filesystems address this.
I've done a little test that illustrates what corecode says.

We have a user that belongs to the 'developers' group. In a HAMMER filesystem he is able to access mydir/secret.txt. Later it's decided that the group won't have access to the file anymore, but snapshots would still retain the old file attributes, and that'd allow this group of users to access the same file from the snapshots.

# id antonioh
uid=1000(antonioh) gid=1000(antonioh) groups=1000(antonioh), 1002(developers)
# ls -l mydir/secret.txt
-rw-rw----  1 root  developers  13 Feb 24 01:32 mydir/secret.txt
# chown root:wheel mydir/secret.txt
# ls -l mydir/secret.txt
-rw-rw----  1 root  wheel  13 Feb 24 01:32 mydir/secret.txt
# su - antonioh
If other operating systems have damaged your Master Boot Record, you can
reinstall it with boot0cfg(8).  See "man boot0cfg" for details.
$ cd /mnt
$ cat snap-20140224-0138/mydir/secret.txt
mysecretpass
$ cat mydir/secret.txt
cat: mydir/secret.txt: Permission denied

I also think the first proposal of "only allowing owners to access snapshots" is too restrictive. As for the second proposal, 'merging' permissions from now and past, I am not sure either whether that'd be desirable.

It would be very good to know how other filesystems address this.

Cheers,
Antonio Huete

----------------------------------------
Bug #1469: Hammer history security concern
http://bugs.dragonflybsd.org/issues/1469#change-11836

* Author: corecode
* Status: In Progress
* Priority: Normal
* Assignee: tuxillo
* Category: VFS subsystem
* Target version: 3.8.0
----------------------------------------
Hammer history mounts allow access to deleted files.

This can be an issue if you realized that this data should not have been 
available in the first place.

An alternate scenario is that group membership changed, and you don't 
want the new group members to have access to past data.

I think we should address this in some sort in the release.  One way is 
to only allow the owner to access the snapshot, and ignore group/other 
permissions on snapshots.  This is probably very inconvenient, 
especially for root owned system directories.

Another way would be to somehow combine current and past owner/flags, 
but this is probably hard to reason about.

cheers
   simon
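An audit script for the two scenarios in this report (deleted files still readable through a snapshot, and group access removed after the snapshot was taken), as an added example that is not part of the bug report or of HAMMER itself. It walks a snapshot tree and reports files a given non-root principal can read there but not in the live tree; the trees, the snapshot directory name and the principal's uid are constructed, and mode bits stand in for the chown root:wheel in Antonio's session because changing a file's group needs root.

```python
import os
import stat
import tempfile
from pathlib import Path

def can_read(st, uid, gids):
    """POSIX owner/group/other read check for a non-root principal (file mode only)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def snapshot_exposures(live_root, snap_root, uid, gids):
    """Files the principal can read in the snapshot but not in the live tree."""
    findings = []
    for dirpath, _, names in os.walk(snap_root):
        for name in names:
            snap_path = os.path.join(dirpath, name)
            rel = os.path.relpath(snap_path, snap_root)
            if not can_read(os.stat(snap_path), uid, gids):
                continue  # the principal cannot read the snapshot copy either
            live_path = os.path.join(live_root, rel)
            if not os.path.exists(live_path):
                findings.append((rel, "deleted"))      # corecode's first case
            elif not can_read(os.stat(live_path), uid, gids):
                findings.append((rel, "tightened"))    # the group-membership case
    return sorted(findings)

def build_demo(base):
    """Constructed trees (not from the report); mode bits stand in for the chown, which needs root."""
    live, snap = os.path.join(base, "live"), os.path.join(base, "snap-20140224-0138")
    for d, name, mode in [
        (snap, "secret.txt", 0o660), (live, "secret.txt", 0o600),  # group access dropped
        (snap, "old-notes.txt", 0o640),                            # deleted after snapshot
        (snap, "README", 0o644), (live, "README", 0o644),          # unchanged, no finding
    ]:
        path = Path(d, "mydir", name)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("mysecretpass\n")
        path.chmod(mode)
    return live, snap

def demo():
    with tempfile.TemporaryDirectory() as base:
        live_root, snap_root = build_demo(base)
        # Hypothetical principal: not the owner, but a member of the files' group.
        group = os.stat(os.path.join(snap_root, "mydir", "secret.txt")).st_gid
        return snapshot_exposures(live_root, snap_root, os.getuid() + 1, {group})
```

Run against a real HAMMER snapshot directory and the live mount, the same function lists exactly the files whose history copy is more accessible than the present one, which is the set an administrator would have to review before handing out snapshot access.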
