Debian Bug report logs - #888736
zfs-dkms: assign a seperate group zfsadm to /dev/zfs

Package: zfs-dkms; Maintainer for zfs-dkms is Debian ZFS on Linux maintainers <pkg-zfsonlinux-devel@alioth-lists.debian.net>; Source for zfs-dkms is src:zfs-linux.

Reported by: Hans Freitag <zem@fnordpol.de>

Date: Mon, 29 Jan 2018 11:15:01 UTC

Severity: wishlist

Found in version zfs-linux/0.7.5-1

Done: Aron Xu <aron@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, zem@fnordpol.de, Debian ZFS on Linux maintainers <pkg-zfsonlinux-devel@lists.alioth.debian.org>:
Bug#888736; Package zfs-dkms. (Mon, 29 Jan 2018 11:15:04 GMT)


Acknowledgement sent to Hans Freitag <zem@fnordpol.de>:
New Bug report received and forwarded. Copy sent to zem@fnordpol.de, Debian ZFS on Linux maintainers <pkg-zfsonlinux-devel@lists.alioth.debian.org>. (Mon, 29 Jan 2018 11:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Hans Freitag <zem@fnordpol.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zfs-dkms: assign a seperate group zfsadm to /dev/zfs
Date: Mon, 29 Jan 2018 12:10:05 +0100

Package: zfs-dkms
Version: 0.7.5-1
Severity: wishlist

Dear Maintainer,

I would like to have /dev/zfs assigned to a separate group zfsadm. The device
is currently assigned to the group disk.

My problem with that is that every user who is in group disk can basically read
and write every disk block device on the system, including the root fs.

This is not needed for a zfs admin user. With ZFS you can allow access to a
user like snapshotting one specific volume or filesystem and send it over to
another host as long as the user has access to /dev/zfs.

It would improve security and usability if it is possible by default to assign
such a zfs administrator user to a zfsadm group instead of disk.

regards

    Hans



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages zfs-dkms depends on:
ii  debconf      1.5.63
ii  dkms         2.3-3
ii  lsb-release  9.20170808
ii  spl-dkms     0.7.5-1

Versions of packages zfs-dkms recommends:
ii  zfs-zed         0.7.5-1
ii  zfsutils-linux  0.7.5-1

zfs-dkms suggests no packages.

-- debconf information:
  zfs-dkms/stop-build-for-32bit-kernel: true
  zfs-dkms/stop-build-for-unknown-kernel: true
* zfs-dkms/note-incompatible-licenses:



Information forwarded to debian-bugs-dist@lists.debian.org, Debian ZFS on Linux maintainers <pkg-zfsonlinux-devel@lists.alioth.debian.org>:
Bug#888736; Package zfs-dkms. (Mon, 29 Jan 2018 20:36:07 GMT)


Acknowledgement sent to Richard Laager <rlaager@wiktel.com>:
Extra info received and forwarded to list. Copy sent to Debian ZFS on Linux maintainers <pkg-zfsonlinux-devel@lists.alioth.debian.org>. (Mon, 29 Jan 2018 20:36:07 GMT)


Message #10 received at 888736@bugs.debian.org:

From: Richard Laager <rlaager@wiktel.com>
To: Hans Freitag <zem@fnordpol.de>, 888736@bugs.debian.org
Subject: Re: [Pkg-zfsonlinux-devel] Bug#888736: zfs-dkms: assign a seperate group zfsadm to /dev/zfs
Date: Mon, 29 Jan 2018 14:17:48 -0600

On 01/29/2018 05:10 AM, Hans Freitag wrote:
> I would like to have /dev/zfs assigned to a separate group zfsadm. The device
> is currently assigned to the group disk.

As of 0.7.0, ZFS on Linux supports delegated administration. That is,
permission checks are handled by the ZFS module, not by the permissions
of /dev/zfs.

After 0.7.0, the permissions on /dev/zfs should be set to 0666.
Obviously the group no longer matters, and so it can be root.

See:
https://github.com/zfsonlinux/zfs/releases/tag/zfs-0.7.0

-- 
Richard



Information forwarded to debian-bugs-dist@lists.debian.org, Debian ZFS on Linux maintainers <pkg-zfsonlinux-devel@lists.alioth.debian.org>:
Bug#888736; Package zfs-dkms. (Wed, 31 Jan 2018 12:12:25 GMT)


Acknowledgement sent to Hans Freitag <zem@fnordpol.de>:
Extra info received and forwarded to list. Copy sent to Debian ZFS on Linux maintainers <pkg-zfsonlinux-devel@lists.alioth.debian.org>. (Wed, 31 Jan 2018 12:12:25 GMT)


Message #15 received at 888736@bugs.debian.org:

From: Hans Freitag <zem@fnordpol.de>
To: Richard Laager <rlaager@wiktel.com>, 888736@bugs.debian.org
Subject: Re: [Pkg-zfsonlinux-devel] Bug#888736: zfs-dkms: assign a seperate group zfsadm to /dev/zfs
Date: Wed, 31 Jan 2018 13:04:34 +0100

Hi,

On 29.01.2018 21:17, Richard Laager wrote:

> After 0.7.0, the permissions on /dev/zfs should be set to 0666.
> Obviously the group no longer matters, and so it can be root.

I thought about 0666 too, but that means we have to pretend that the zfs
module has no bugs ever that can be exploited.

Adding a group zfsadm and using 0660 would add a separate security layer
in case of any bugs in the zfs module that can be used to escalate
privileges. Even audio has its own group, and I would consider that
device far less risky than a filesystem tool.

regards

     Hans



Information forwarded to debian-bugs-dist@lists.debian.org, Debian ZFS on Linux maintainers <pkg-zfsonlinux-devel@lists.alioth.debian.org>:
Bug#888736; Package zfs-dkms. (Wed, 31 Jan 2018 16:39:03 GMT)


Acknowledgement sent to Richard Laager <rlaager@wiktel.com>:
Extra info received and forwarded to list. Copy sent to Debian ZFS on Linux maintainers <pkg-zfsonlinux-devel@lists.alioth.debian.org>. (Wed, 31 Jan 2018 16:39:03 GMT)


Message #20 received at 888736@bugs.debian.org:

From: Richard Laager <rlaager@wiktel.com>
To: Hans Freitag <zem@fnordpol.de>, 888736@bugs.debian.org
Subject: Re: [Pkg-zfsonlinux-devel] Bug#888736: zfs-dkms: assign a seperate group zfsadm to /dev/zfs
Date: Wed, 31 Jan 2018 10:34:22 -0600

I was saying the default should be 0666 per upstream, so _all_ users
(humans and scripts) can use it. If you want something different on your
system, you're free to do so.

-- 
Richard



Reply sent to Aron Xu <aron@debian.org>:
You have taken responsibility. (Mon, 05 Mar 2018 08:57:14 GMT)


Notification sent to Hans Freitag <zem@fnordpol.de>:
Bug acknowledged by developer. (Mon, 05 Mar 2018 08:57:14 GMT)


Message #25 received at 888736-close@bugs.debian.org:

From: Aron Xu <aron@debian.org>
To: 888736-close@bugs.debian.org
Subject: Re: Bug #888736: zfs-dkms: assign a seperate group zfsadm to /dev/zfs
Date: Mon, 5 Mar 2018 16:53:49 +0800

Per Richard's comment in msg#10, we have /dev/zfs owned by root:root,
and permission is 0666.

Regards,
Aron
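
The three /dev/zfs layouts discussed in this thread, modelled as an added example (not part of the bug log or of the zfs-linux packaging) to show which accounts can open the ZFS control node and whether the same group membership also opens raw block devices. The accounts, the gids, the 0660 mode for the "group disk" layout and the raw-disk node are assumptions; with 0666, what a user may actually do is decided by the ZFS module's delegated-permission checks, as described in msg#10.

```python
import stat

# Constructed accounts: name -> (uid, gids). Not taken from the bug report.
USERS = {
    "alice": (1000, {1000, 6}),    # member of "disk" (gid 6, assumed)
    "bob":   (1001, {1001, 900}),  # member of hypothetical "zfsadm" (gid 900)
    "carol": (1002, {1002}),       # no extra groups
}
DISK_GID, ZFSADM_GID = 6, 900

# /dev/zfs layouts from the thread: (owner uid, group gid, mode).
LAYOUTS = {
    "group disk":   (0, DISK_GID, 0o660),    # mode assumed; the report only names the group
    "group zfsadm": (0, ZFSADM_GID, 0o660),  # the layout requested in the report
    "world 0666":   (0, 0, 0o666),           # upstream default, root:root per msg#25
}
RAW_DISK = (0, DISK_GID, 0o660)  # assumed ownership of a whole-disk node such as /dev/sdX


def can_open_rw(node, uid, gids):
    """Classic Unix check: exactly one class (owner, group, other) applies."""
    owner, group, mode = node
    if uid == 0:  # root bypasses mode bits
        return True
    if uid == owner:
        need = stat.S_IRUSR | stat.S_IWUSR
    elif group in gids:
        need = stat.S_IRGRP | stat.S_IWGRP
    else:
        need = stat.S_IROTH | stat.S_IWOTH
    return mode & need == need


def exposure(layout_name):
    """Per user: (can open /dev/zfs, can open raw disks) under the given layout."""
    node = LAYOUTS[layout_name]
    return {
        name: (can_open_rw(node, uid, gids), can_open_rw(RAW_DISK, uid, gids))
        for name, (uid, gids) in USERS.items()
    }


if __name__ == "__main__":
    for layout in LAYOUTS:
        print(layout)
        for name, (zfs_ok, disk_ok) in exposure(layout).items():
            print(f"  {name:6} /dev/zfs={zfs_ok!s:5} raw disk={disk_ok}")
```
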



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 03 Apr 2018 07:28:33 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 20:45:19 2023; Machine Name: buxtehude
