On 01/24/2014 05:27 PM, Chris Murphy wrote:
> On Jan 24, 2014, at 4:16 PM, Josh Stone <jistone@xxxxxxxxxx> wrote:
>> This concerns me especially in the case of security updates -- for
>> example, a vulnerable setuid-root binary should be locked up tight!
>
> The organization question is valid. But sudo or root could just mount
> any subvolume. However, btrfs read-only snapshots can't be written to
> even by root. Naturally root could just create a rw snapshot of a ro
> snapshot and then delete the ro snapshot, but an audit probably ought
> to show the subvolume UUIDs and creation dates involved so that we'd
> know this is what happened.

My point was not about what root can do. Suppose there's a vulnerable
'sudo' binary that gives everyone a root shell. If that binary is
available on any executable path, even readonly, that's trouble. As you
say, LVM snapshots are out of view, but with btrfs it needs to be an
inaccessible subvolume path, or mounted noexec, etc.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
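The check Josh's point calls for, as an added example that is not part of the thread and not Fedora's or btrfs's own tooling: a read-only mount does nothing to a setuid-root binary, so the question for every mounted btrfs subvolume (snapshots included) is whether it carries nosuid or noexec. The script below reads /proc/self/mountinfo-format lines (the real kernel format, see mountinfo(5)) and reports btrfs mounts that still honour the setuid bit; on a live host it can then list the setuid-root files each such mount exposes. The sample mount table in the test is constructed, and skipping the mount point "/" (the live root, where sudo legitimately lives) is an assumption of this script, not something the thread states.

```shell
#!/bin/sh
# Added example: find mounted btrfs subvolumes/snapshots on which a
# setuid-root binary (e.g. a vulnerable old sudo) would still run.
#
# Input: /proc/self/mountinfo lines, one mount per line. Field layout:
#   id parent major:minor root mountpoint mount-opts [optional...] - fstype source super-opts
# The number of optional fields varies, so the separator "-" is located
# per line rather than assumed at a fixed position.
# Assumption (not from the thread): mount point "/" is the live root and
# is skipped; everything else on btrfs without nosuid/noexec is reported.
exposed_btrfs_mounts() {
    awk '
    {
        sep = 0
        for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
        if (sep == 0) next
        mountpoint = $5
        mountopts  = $6
        fstype     = $(sep + 1)
        if (fstype != "btrfs") next
        if (mountpoint == "/") next
        # "ro" does not neuter setuid; only nosuid (bit ignored) or
        # noexec (nothing runs) does.
        n = split(mountopts, opts, ",")
        safe = 0
        for (j = 1; j <= n; j++)
            if (opts[j] == "nosuid" || opts[j] == "noexec") safe = 1
        if (!safe) print mountpoint
    }'
}

# On a real host: the setuid-root files a given mount exposes. Stays on
# that filesystem (-xdev) and only reads metadata.
list_setuid_root() {
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Live run (only when asked for, so the functions above can be reused):
#   sh audit_snapshots.sh --live
if [ "${1:-}" = "--live" ]; then
    exposed_btrfs_mounts < /proc/self/mountinfo | while IFS= read -r mp; do
        printf 'setuid honoured on: %s\n' "$mp"
        list_setuid_root "$mp" | sed 's/^/  setuid-root: /'
    done
fi
```

A mount that shows up here with a stale sudo on it is exactly the exposure described above: any user can run it, read-only or not. Remounting the snapshot with nosuid (or noexec), or keeping it unmounted behind an inaccessible subvolume path, removes it from the list.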