On Feb 13, 2014, at 9:27 AM, Hubert Kario <hkario@xxxxxxxxxx> wrote: > ----- Original Message ----- >> From: "Chris Murphy" <lists@xxxxxxxxxxxxxxxxx> >> To: "Hubert Kario" <hkario@xxxxxxxxxx> >> Cc: security@xxxxxxxxxxxxxxxxxxxxxxx >> Sent: Thursday, 13 February, 2014 5:02:57 PM >> Subject: Re: btrfs snapshots, rollbacks >> >> >> >> >> On Feb 13, 2014, at 5:11 AM, Hubert Kario <hkario@xxxxxxxxxx> wrote: >> >>> As long as the old /bin and /usr/bin are not part of PATH, I'd say we've >>> done our job. We can't protect the user from shooting himself in the foot >>> in all cases. >> >> The snapshots aren't in PATH. However, the yum plugin would put them at >> >> /yum_<datetime>/bin /yum_<datetime>/usr/bin >> >> Snapper puts them in >> >> /.snapshots/<#>/snapshot/bin /.snapshots/<#>/snapshot/usr/bin >> >> I'm not sure what you mean by the user shooting himself - these locations >> aren't up to the user with these tools. And installer behavior can limit >> user choice as to where the snapshots can be placed. >> >> So, is the ability to hide snapshots in an unmounted portion of the (on-disk) >> file system valuable from a security perspective? Or it it trivial? > > I would consider it trivial. OK good. (There are other reasons why hidden snapshots may be preferred, such as keeping snapshot contents out of find results, and better parity with LVM snapshot behavior.) > >>> The logs are a different matter, we should aim to preserve them. Dunno >>> where >>> journald is in this picture (binary log forward and backward >>> compatibility). >> >> If by preserve you mean a single contiguous log location, then that implies >> needing a subvolume for logs. For example: >> >> http://lists.freedesktop.org/archives/systemd-devel/2014-January/016253.html >> >> I have implemented this and it appears to work, although probably it should >> be a log subvolume mounted at /var/log so that all logs can be kept >> contiguous, not just the journal. > > Yes, that's what I was thinking about. > > If we're going to support update rollback through snapshots I think that > /var/log should be kept separate in default install. I don't know where Fedora is at with Btrfs by default, let alone how the Workstation PRD envisions implementing "Better upgrade/rollback control" or how any other Fedora product considers such functionality should work. There is this: http://fedoraproject.org/wiki/Changes/Rollback But that only mentions LVM thin provisioning. Not Btrfs. Yet the same concern with logs applies to LVM snapshotting and rollback. So if /var/log should be kept separate in a default install then it sounds like you'd support an RFE for anaconda that calls for automatic partitioning creating a log subvolume/LV to be mounted at /var/log. True? I think the rule would be something like "if rootfs is on Btrfs or a virtual LV, then automatically create a "log" subvolume/LV and mount it at /var/log". Ack/nack/patch? Chris Murphy -- security mailing list security@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/security