Greg Troxel <g...@lexort.com> writes:

> I'm contemplating using zfs over NFS for domU package builders, and I'm
> basically allergic to NFS for security reasons but it should be
> confined.
>
> So I'm trying to reduce exposure, and have set setuid=off on
> zfs filesystems. That successfully prevented a suid binary from working.
>
> The other usual thing is "nodev", and zfs has a devices property on or
> off. So I went to set it to off and got an error that FreeBSD doesn't
> support that.
>
> I made a device node (just with mknod) for wd0d and I was able to dd
> from it.
>
> Is there any good approach to avoiding this? Why doesn't devices=off
> just lead to the nodev mount option and work, similar to setuid=off
> leads to nosuid?

Not speaking for the total bug, but part of it exists in:

src/external/cddl/osnet/dist/lib/libzfs/common/libzfs_dataset.c

where there is a specific check to disallow the setting of the devices
property and has the FreeBSD text. It would be a start to allow the
property to be set. Once that is possible a "zfs set devices=off <pool>"
should work (or panic??). Then the fileset may need to be umounted and
remounted on NetBSD (zfs umount / zfs mount sort of thing).

The second problem is that the mount may not pick up the property. That
would be looking for zfs_mount(), zmount(), zfs_domount() and that ilk
(probably zfs_main() in the zfs command itself too). I took a very brief
look and did not see anything that would exclude the devices property,
but did not have a great deal of time to sift through the code. There
may be a translation missing somewhere too.

-- 
Brad Spencer - b...@anduin.eldar.org - KC8VKS - http://anduin.eldar.org
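
An added example, not part of either message above: a check for the second problem Brad describes, that a property may be set without the mount picking it up. It reads `mount` output and reports each zfs filesystem whose option list lacks nosuid or nodev. The function name, the sample pool names and the assumed line format (`<dataset> on <mountpoint> type zfs (<options>)`) are assumptions of this example.

```sh
#!/bin/sh
# Added example: flag zfs mounts whose option list lacks nosuid or nodev.
# Assumed input format (one filesystem per line):
#   <dataset> on <mountpoint> type zfs (<opt>, <opt>, ...)

# Constructed sample input, not captured from a real host.
SAMPLE_MOUNT_OUTPUT='/dev/wd0a on / type ffs (local)
tank/pkgbuild on /tank/pkgbuild type zfs (nosuid, local)
tank/scratch on /tank/scratch type zfs (nosuid, nodev, local)
tank/home on /tank/home type zfs (local)'

# Reads mount output on stdin, prints "<mountpoint>: missing <opts>" for each
# zfs filesystem without both options, returns 1 if anything was printed.
audit_zfs_mounts() {
    awk '
    / type zfs \(/ {
        # Options: text inside the last parenthesised group on the line.
        opts = $0
        sub(/^.*\(/, "", opts)
        sub(/\).*$/, "", opts)
        # Mount point: between " on " and " type zfs (" (may contain spaces;
        # the dataset name is assumed not to).
        mnt = $0
        sub(/^[^ ]+ on /, "", mnt)
        sub(/ type zfs \(.*$/, "", mnt)
        need_nosuid = 1; need_nodev = 1
        n = split(opts, o, /, */)
        for (i = 1; i <= n; i++) {
            if (o[i] == "nosuid") need_nosuid = 0
            if (o[i] == "nodev")  need_nodev = 0
        }
        if (need_nosuid || need_nodev) {
            print mnt ": missing" (need_nosuid ? " nosuid" : "") (need_nodev ? " nodev" : "")
            bad = 1
        }
    }
    END { exit bad + 0 }'
}

# Stand-alone run over the sample; on a live host use: mount | audit_zfs_mounts
printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" | audit_zfs_mounts || true
```

Run after each `zfs umount` / `zfs mount` cycle, a non-zero exit status shows that a property change did not reach the mount options.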