Re: [systemd-devel] [HEADS-UP] Discoverable Partitions Spec

On 2014/03/12 09:31 PM, Chris Murphy wrote:
> On Mar 12, 2014, at 1:12 PM, Goffredo Baroncelli <kreijack@xxxxxxxxx> wrote:
>> On 03/12/2014 06:24 PM, Chris Mason wrote:
> Your suggestion also sounds like it places snapshots outside of their parent subvolume? If so it mitigates a possible security concern if the snapshot contains (old) binaries with vulnerabilities. I asked about how to go about assessing this on the Fedora security list:
> https://lists.fedoraproject.org/pipermail/security/2014-February/001748.html
>
> There aren't many replies but the consensus is that it's a legitimate concern, so either the snapshots shouldn't be persistently available (which is typical with e.g. snapper, and also yum-plugin-fs-snapshot), and/or when the subvolume containing snapshots is mounted, it's done with either mount option noexec or nosuid (no consensus on which one, although Gnome Shell uses nosuid by default when automounting removable media).
This is exactly the same result as following the previously recommended subvolume layout given on the Arch wiki. It seems this wiki advice has "disappeared", so I can't give a link for it ...

My apologies if the rest of my mail is off-topic.

Though not specifically for rollback, my snapshots prior to the btrfs send|receive backup are done via a temporary mountpoint. Until two days ago I was still using rsync to a secondary btrfs volume, and the __snapshots folder had been sitting empty for about a year. The performance difference with send|receive is magnitudes apart: a daily backup to the secondary disk now takes between 30 and 40 seconds, whereas it took 20 to 30 minutes with rsync.

Here are my current subvolumes:
__active
__active/home
__active/usr
__active/var
__snapshots/__2014-03-12-23h00m01s+0200
__snapshots/_home_2014-03-12-23h00m01s+0200
__snapshots/_usr_2014-03-12-23h00m01s+0200
__snapshots/_var_2014-03-12-23h00m01s+0200

I hadn't thought of noexec or nosuid. On a single-user system you don't really expect that type of incursion. I will put up my work after I've properly automated cleanup.

The only minor gripe I have with the temporary mount is that I feel it should be possible to perform snapshots and use send|receive without the requirement of having the subvolumes be "visible" in userspace.

--
__________
Brendan Hide
http://swiftspirit.co.za/
http://www.webafrica.co.za/?AFF1E97
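The procedure described in the mail (temporary mountpoint, read-only snapshots of __active and its children named as in the listing above, then btrfs send | btrfs receive) combined with the nosuid/noexec hardening Chris Murphy mentions, as an added example; this is not Brendan's script nor anything from the btrfs project. The device path, the destination path, the /run/btrfs-snap mountpoint and the SNAPSHOT_EXAMPLE_RUN guard are assumptions; the /proc/mounts line in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail): take read-only snapshots of
# __active and __active/{home,usr,var} into __snapshots through a temporary
# mountpoint that is mounted nosuid,noexec,nodev, then ship each snapshot
# with btrfs send | btrfs receive.
#
# Assumptions (not from the mail): the top-level volume (subvol=/) holds
# __active and __snapshots, the temporary mountpoint is /run/btrfs-snap,
# and the script is only run for real when SNAPSHOT_EXAMPLE_RUN=1.

TMP_MNT=/run/btrfs-snap                    # assumed temporary mountpoint
SNAP_OPTS="subvol=/,nosuid,noexec,nodev"    # hardening for the temporary mount

# snapshot_name SUBVOL STAMP
# Builds a snapshot name following the convention in the listing above:
#   ""     -> __STAMP        (snapshot of __active itself)
#   "home" -> _home_STAMP    (snapshot of __active/home)
snapshot_name() {
    if [ -z "$1" ]; then
        printf '__%s\n' "$2"
    else
        printf '_%s_%s\n' "$1" "$2"
    fi
}

# mount_is_hardened MOUNTPOINT MOUNTS_TEXT
# Returns 0 if MOUNTPOINT appears in MOUNTS_TEXT (the format of /proc/mounts,
# e.g. a constructed line "/dev/sdb1 /run/btrfs-snap btrfs rw,nosuid,noexec,...")
# with BOTH nosuid and noexec set, else 1. Used to verify the mount actually
# came up with the intended options before anything is snapshotted.
mount_is_hardened() {
    want_mp=$1
    mounts_text=$2
    printf '%s\n' "$mounts_text" | while read -r _dev point _fstype opts _rest; do
        [ "$point" = "$want_mp" ] || continue
        case ",$opts," in
            *,nosuid,*)
                case ",$opts," in
                    *,noexec,*) echo yes ;;
                esac ;;
        esac
    done | grep -q yes
}

# do_backup DEVICE DEST
# Mounts DEVICE at TMP_MNT with SNAP_OPTS, checks the options took effect,
# snapshots each subvolume read-only (btrfs send requires read-only
# snapshots) and streams it to DEST, then unmounts so the snapshots are not
# left persistently visible in userspace.
do_backup() {
    dev=$1
    dest=$2
    stamp=$(date +%Y-%m-%d-%Hh%Mm%Ss%z)    # e.g. 2014-03-12-23h00m01s+0200
    mkdir -p "$TMP_MNT"
    mount -o "$SNAP_OPTS" "$dev" "$TMP_MNT" || return 1
    if ! mount_is_hardened "$TMP_MNT" "$(cat /proc/mounts)"; then
        echo "refusing to continue: $TMP_MNT is not mounted nosuid,noexec" >&2
        umount "$TMP_MNT"
        return 1
    fi
    for sub in "" home usr var; do
        src="$TMP_MNT/__active${sub:+/$sub}"
        snap="$TMP_MNT/__snapshots/$(snapshot_name "$sub" "$stamp")"
        btrfs subvolume snapshot -r "$src" "$snap" || { umount "$TMP_MNT"; return 1; }
        btrfs send "$snap" | btrfs receive "$dest" || { umount "$TMP_MNT"; return 1; }
    done
    umount "$TMP_MNT"
}

# Only touch real devices when explicitly asked to (assumed guard variable).
if [ "${SNAPSHOT_EXAMPLE_RUN:-0}" = 1 ] && [ "$#" -eq 2 ]; then
    do_backup "$1" "$2"
fi
```

Usage would be `SNAPSHOT_EXAMPLE_RUN=1 sh backup.sh /dev/sdb1 /mnt/backup` as root. Note that noexec and nosuid on the temporary mount only stop binaries inside old snapshots from being executed or gaining privilege from that mount; the snapshot contents remain readable, and once the mount is gone they are no longer reachable from userspace at all, which is the point of the temporary mountpoint.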
