On Wed, Feb 12, 2014 at 07:16:34PM -0700, Chris Murphy wrote:
> isn't mounted by default. The other question is whether there's a
> meaningful distinction between persistently mounting this snapshots
> subvolume, or only mounting it on demand when snapshots are about to
> be taken? And then when it's mounted, should the mount option be
> noexec or nosuid.

If old snapshots are mounted, there are several possible security implications. An old snapshot might contain:

- A world-readable confidential file whose permissions were fixed after creating the snapshot, e.g. /etc/pki/tls/private/foo.key
- A confidential file with too many ACLs that were fixed after creating the snapshot
- A confidential file with a bad selinux context allowing it to be read by an exploited daemon
- A vulnerable suid binary
- A vulnerable binary with capabilities
- An executable with the wrong selinux context allowing an exploited daemon to execute a binary that is not executable on the current system
- A device file with bad permissions/ACL/selinux context

Therefore I guess it needs to be made sure that no unprivileged process can access the contents of a mounted snapshot. Maybe the root directory can be protected with strict permissions/ACLs and a selinux context that does not allow anything else to access the contents.

Regards
Till

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
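An added example, not part of the thread: a shell audit that looks for three of the hazards Till lists in a mounted snapshot (world-readable files under a `private` directory or a `shadow` file, setuid/setgid binaries, device nodes), plus the restrictive mount he and Chris discuss (read-only, nosuid, nodev, noexec, under a root-only 0700 mountpoint). The sample tree, the subvolume name and the `mount_snapshot` helper are constructed assumptions; SELinux context and ACL checks are left out.

```bash
#!/bin/sh
# Added example (not from the original thread). Assumes GNU/BSD find and sed.

# snapshot_audit DIR: print one tagged line per finding in a mounted snapshot.
# Only mode bits are inspected, so it runs against a read-only mount.
snapshot_audit() {
  dir=$1
  {
    # 1. secrets that were world-readable when the snapshot was taken
    find "$dir" -type f \( -path '*/private/*' -o -name shadow \) -perm -004 \
      | sed 's/^/WORLD-READABLE: /'
    # 2. old setuid/setgid binaries, live again unless mounted nosuid
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
      | sed 's/^/SETUID-SETGID: /'
    # 3. device nodes, honoured unless mounted nodev
    find "$dir" \( -type b -o -type c \) | sed 's/^/DEVICE-NODE: /'
  } 2>/dev/null
}

# mount_snapshot DEVICE SUBVOL MOUNTPOINT: the restrictive mount discussed
# above. The 0700 root-owned mountpoint keeps unprivileged processes from
# traversing into the snapshot at all. Needs root and a real btrfs device;
# it is defined here but not run by the demonstration below.
mount_snapshot() {
  dev=$1 subvol=$2 mnt=$3
  install -d -m 0700 -o root -g root "$mnt" &&
    mount -t btrfs -o "ro,nosuid,nodev,noexec,subvol=$subvol" "$dev" "$mnt"
}

# make_sample_snapshot: constructed stand-in for an old snapshot (a plain
# temporary directory, not a btrfs subvolume) with one bad key, one good key
# and one stale setuid script. Prints the directory path.
make_sample_snapshot() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/pki/tls/private" "$d/usr/bin"
  echo secret > "$d/etc/pki/tls/private/foo.key"
  chmod 0644 "$d/etc/pki/tls/private/foo.key"   # bad: fixed only after snapshot
  echo secret > "$d/etc/pki/tls/private/ok.key"
  chmod 0600 "$d/etc/pki/tls/private/ok.key"    # fine
  printf '#!/bin/sh\n' > "$d/usr/bin/oldsuid"
  chmod 4755 "$d/usr/bin/oldsuid"               # bad: stale setuid binary
  echo "$d"
}

# Demonstration on the constructed sample (two findings expected).
sample=$(make_sample_snapshot)
snapshot_audit "$sample"
rm -rf "$sample"
```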