proxmox-mirrors/mirror_zfs
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_zfs synced 2025-11-01 05:49:34 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9,548 Commits 2 Branches 41 Tags 93 MiB
C 70%
Shell 19.9%
Assembly 5%
M4 2%
Python 1.8%
Other 1.3%
d34d4f97a8
Go to file
Brian Behlendorf d34d4f97a8
snapdir: add 'disabled' value to make .zfs inaccessible 
In some environments, just making the .zfs control dir hidden from sight
might not be enough. In particular, the following scenarios might
warrant not allowing access at all:
- old snapshots with wrong permissions/ownership
- old snapshots with exploitable setuid/setgid binaries
- old snapshots with sensitive contents

Introducing a new 'disabled' value that not only hides the control dir,
but prevents access to its contents by returning ENOENT solves all of
the above.

The new property value takes advantage of 'iuv' semantics ("ignore
unknown value") to automatically fall back to the old default value when
a pool is accessed by an older version of ZFS that doesn't yet know
about 'disabled' semantics.

I think that technically the zfs_dirlook change is enough to prevent
access, but preventing lookups and dir entries in an already opened .zfs
handle might also be a good idea to prevent races when modifying the
property at runtime.

Add zfs_snapshot_no_setuid parameter to control whether automatically
mounted snapshots have the setuid mount option set or not.

this could be considered a partial fix for one of the scenarios
mentioned in desired.

Reviewed-by: Alexander Motin <mav@FreeBSD.org>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Tino Reichardt <milky-zfs@mcmilk.de>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Co-authored-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Closes #3963
Closes #16587
2024-10-02 09:12:02 -07:00
.github ZTS: Replace MD5 and SHA256 wit XXH128 2024-09-28 09:24:05 -07:00
cmd Avoid computing strlen() inside loops 2024-10-02 09:10:06 -07:00
config Linux 6.12: PG_error flag was removed 2024-10-01 13:54:05 -07:00
contrib config: remove ZFS_GLOBAL_ZONE_PAGE_STATE and ZFS_ENUM_* generation 2024-09-18 11:23:50 -07:00
etc etc/init.d: decide which variant to use at build time. 2024-04-08 16:52:24 -07:00
include snapdir: add 'disabled' value to make .zfs inaccessible 2024-10-02 09:12:02 -07:00
lib Avoid computing strlen() inside loops 2024-10-02 09:10:06 -07:00
man snapdir: add 'disabled' value to make .zfs inaccessible 2024-10-02 09:12:02 -07:00
module snapdir: add 'disabled' value to make .zfs inaccessible 2024-10-02 09:12:02 -07:00
rpm Linux 6.10 compat: fix rpm-kmod and builtin 2024-08-15 14:00:18 -07:00
scripts config: remove ZFS_GLOBAL_ZONE_PAGE_STATE and ZFS_ENUM_* generation 2024-09-18 11:23:50 -07:00
tests snapdir: add 'disabled' value to make .zfs inaccessible 2024-10-02 09:12:02 -07:00
udev Avoid computing strlen() inside loops 2024-10-02 09:10:06 -07:00
.cirrus.yml CI: add FreeBSD build with Cirrus CI 2023-10-06 08:50:26 -07:00
.editorconfig Add an .editorconfig; document git whitespace settings 2020-01-27 13:32:52 -08:00
.gitignore Packaging: Auto-generate changelog during configure (#15528) 2023-11-16 08:58:47 -08:00
.gitmodules .gitmodules: link to openzfs github repository 2021-04-12 09:37:23 -07:00
.mailmap AUTHORS: refresh with recent new contributors 2024-09-24 09:03:05 -07:00
AUTHORS AUTHORS: refresh with recent new contributors 2024-09-24 09:03:05 -07:00
autogen.sh Ubuntu 22.04 integration: ShellCheck 2022-11-18 11:24:48 -08:00
CODE_OF_CONDUCT.md Documentation corrections 2022-12-22 11:34:28 -08:00
configure.ac config/kernel: enforce maximum kernel version, with escape hatch 2024-09-23 10:44:49 -07:00
copy-builtin copy-builtin: add hooks with sed/>> 2022-05-10 10:17:43 -07:00
COPYRIGHT Fix typos 2020-06-09 21:24:09 -07:00
LICENSE Update build system and packaging 2018-05-29 16:00:33 -07:00
Makefile.am Process script directory for all configs 2022-10-27 16:45:14 -07:00
META Linux 6.11 compat: META 2024-09-30 19:59:33 -07:00
NEWS Fix NEWS file 2020-08-26 21:44:41 -07:00
NOTICE Update build system and packaging 2018-05-29 16:00:33 -07:00
README.md FreeBSD: remove support for FreeBSD < 13.0-RELEASE (#16372) 2024-08-05 16:56:45 -07:00
RELEASES.md Add RELEASES.md file 2021-04-02 16:33:40 -07:00
TEST Remove CI builder customization from TEST 2020-03-16 10:46:03 -07:00
zfs.release.in Move zfs.release generation to configure step 2012-07-12 12:22:51 -07:00

README.md

img

OpenZFS is an advanced file system and volume manager which was originally developed for Solaris and is now maintained by the OpenZFS community. This repository contains the code for running OpenZFS on Linux and FreeBSD.

codecov coverity

Official Resources

Installation

Full documentation for installing OpenZFS on your favorite operating system can be found at the Getting Started Page.

Contribute & Develop

We have a separate document with contribution guidelines.

We have a Code of Conduct.

Release

OpenZFS is released under a CDDL license. For more details see the NOTICE, LICENSE and COPYRIGHT files; UCRL-CODE-235197

Supported Kernels

  • The META file contains the officially recognized supported Linux kernel versions.
  • Supported FreeBSD versions are any supported branches and releases starting from 13.0-RELEASE.