
Allow mounting snapshots in .zfs/snapshot as a regular user

Open allanjude opened this issue 3 years ago • 3 comments

Signed-off-by: Allan Jude [email protected]
Sponsored-by: Modirum MDPay
Sponsored-by: Klara Inc.

Motivation and Context

The current credential swapping is evil, see: https://github.com/openzfs/zfs/pull/11312

Description

Allow mounting snapshots in .zfs/snapshot as a regular user

Rather than doing a terrible credential swapping hack, we just check that the thing being mounted is a snapshot, and the mountpoint is the zfsctl directory, then we allow it.

My plan was to extend this further to have a sysctl to control if non-root users can auto-mount when accessing .zfs, and there was the question of what about root, and non-root within jails (non-global zone).

How Has This Been Tested?

Lightly

Types of changes

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Performance enhancement (non-breaking change which improves efficiency)
  • [ ] Code cleanup (non-breaking change which makes code smaller or more readable)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)
  • [ ] Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
  • [ ] Documentation (a change to man pages or other documentation)

Checklist:

  • [ ] My code follows the OpenZFS code style requirements.
  • [ ] I have updated the documentation accordingly.
  • [ ] I have read the contributing document.
  • [ ] I have added tests to cover my changes.
  • [ ] I have run the ZFS Test Suite with this change applied.
  • [ ] All commit messages are properly formatted and contain Signed-off-by.

allanjude avatar Aug 09 '22 20:08 allanjude

This does seem better than the mess I was about to make of INGLOBALZONE.

I do not like the idea that a jail can mount snapshots of a dataset it has not been given actual access to via zfs jail. Is that negotiable? Either way this is still better than giving root to a whole process.

ghost avatar Aug 09 '22 20:08 ghost

> This does seem better than the mess I was about to make of INGLOBALZONE.
>
> I do not like the idea that a jail can mount snapshots of a dataset it has not been given actual access to via zfs jail. Is that negotiable? Either way this is still better than giving root to a whole process.

This was the actual bug report that started my investigation of this. My idea was to make a sysctl (off by default?) to allow mounting in jails, since in 12.x and earlier, that was a typical use case that was broken by the original change.

allanjude avatar Aug 09 '22 20:08 allanjude

> I do not like the idea that a jail can mount snapshots of a dataset it has not been given actual access to via zfs jail. Is that negotiable? Either way this is still better than giving root to a whole process.
>
> This was the actual bug report that started my investigation of this. My idea was to make a sysctl (off by default?) to allow mounting in jails, since in 12.x and earlier, that was a typical use case that was broken by the original change.

Something something spacebar heating... Sure, a sysctl should be nice. Secure by default sounds even nicer.

ghost avatar Aug 09 '22 21:08 ghost
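The PR description replaces credential swapping with a predicate ("is this a snapshot, and is the target the zfsctl directory?"), and the thread adds the idea of an off-by-default sysctl for jails. The following is an added illustration of that predicate, not code from the PR or from OpenZFS; the function name, the `allow_jail_snapshot_mount` knob and the assumption that the caller has already resolved the parent dataset's mountpoint are all hypothetical.

```c
/* Model of the authorisation check the PR describes: a non-root caller may
 * mount only a snapshot, and only onto <dataset mountpoint>/.zfs/snapshot/<snap>.
 * Hypothetical example; not the OpenZFS implementation. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ZFS_CTLDIR "/.zfs/snapshot/"

/* Stand-in for the off-by-default sysctl proposed in the thread (assumption). */
static bool allow_jail_snapshot_mount = false;

/*
 * fsname:  what is being mounted, e.g. "tank/home@daily".
 * ds_mnt:  mountpoint of the parent dataset (assumed looked up by the caller).
 * target:  the requested mountpoint.
 * is_root: caller is privileged; in_jail: caller is in a jail / non-global zone.
 */
bool snapshot_mount_allowed(const char *fsname, const char *ds_mnt,
    const char *target, bool is_root, bool in_jail)
{
	char expected[1024];

	if (is_root && !in_jail)
		return (true);	/* privileged global-zone callers keep the old behaviour */
	if (in_jail && !allow_jail_snapshot_mount)
		return (false);	/* secure by default until the knob is enabled */

	/* Must name a snapshot: exactly one '@' followed by a non-empty name. */
	const char *at = strchr(fsname, '@');
	if (at == NULL || at[1] == '\0' || strchr(at + 1, '@') != NULL)
		return (false);
	/* Snapshot names never contain '/', so one here is a forged path. */
	if (strchr(at + 1, '/') != NULL)
		return (false);

	/* Only the control-directory path for this exact snapshot is acceptable. */
	const char *base = (strcmp(ds_mnt, "/") == 0) ? "" : ds_mnt;
	int n = snprintf(expected, sizeof (expected), "%s%s%s", base, ZFS_CTLDIR, at + 1);
	if (n < 0 || (size_t)n >= sizeof (expected))
		return (false);
	return (strcmp(expected, target) == 0);
}

int main(void)
{
	/* Constructed inputs: a legitimate automount and a forged target. */
	printf("ok:   %d\n", snapshot_mount_allowed("tank/home@daily", "/home",
	    "/home/.zfs/snapshot/daily", false, false));
	printf("deny: %d\n", snapshot_mount_allowed("tank/home@daily", "/home",
	    "/mnt/elsewhere", false, false));
	return (0);
}
```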