Re: Tried to reach out to the FreeBSD security team

From: Alexander Burke <alex_at_alexburke.ca>
Date: Sun, 17 Dec 2023 17:01:01 UTC

Hi Jan,

I had a look at the issue to which you are referring.

My understanding of your concern is that after a snapshot is taken, a user has their access to some portion of the data revoked, but would be able to work around this new restriction via `.zfs/snapshots` by virtue of the fact that all snapshots are faithful read-only reproductions of state at the time each snapshot was created and they thus do not inherit changes made to permissions later on.

If I have misunderstood, please let me know (and probably disregard the rest of this reply).

Changing a snapshot is impossible by design, and This Is A Feature Not A Bug; if you want a changeable snapshot, then a clone is what you're after.

It would seem as though the `.zfs/snapshots` feature is not well-known (it does not appear even when `ls -lA` is invoked by root in the root directory of a pool, for example) and should probably be better publicized so each sysadmin can make a decision as to whether or not they should restrict access to that "directory" to the root user (or wheel or whatnot).

That said, perhaps there should be a discussion regarding whether or not `.zfs/snapshots` should be simply disabled by default.

Cheers,
Alex
----------------------------------------

Dec 17, 2023 14:46:59 Jan Behrens <jbe-mlist@magnetkern.de>:

> Hi all,
> 
> I tried to contact the FreeBSD security team and/or officer to bring
> their attention to issue #265625, which I believe is security relevant
> and which doesn't get fixed.
> 
> None of my e-mails to secteam@FreeBSD.org or
> security-officer@FreeBSD.org were answered. After some time, I tried to
> write an e-mail to freebsd-security@freebsg.org. While that e-mail was
> accepted by mx1.freebsd.org, I never got any response and my e-mail
> didn't show up on the list. What is going on?
> 
> My e-mails were sent on 2023-11-24 to secteam@FreeBSD.org, on
> 2023-12-04 to security-officer@FreeBSD.org, and on 2023-12-11 to
> freebsd-security@freebsd.org.
> 
> Kind regards,
> Jan Behrens
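
An administrator can check whether the situation discussed in this thread applies to a dataset by comparing a snapshot tree against the live tree and listing entries whose snapshot copy still carries permissions that were later tightened or whose live copy was deleted. The following is an added example, not part of either e-mail and not FreeBSD or OpenZFS code; the function names are hypothetical, both directory paths are passed in by the caller, only POSIX mode bits and ownership are compared (not ACLs), and the demo uses plain directories as a constructed stand-in for a dataset and one snapshot.

```python
import os
import stat
import tempfile


def audit_snapshot(live_root, snap_root):
    """List entries whose snapshot copy grants access the live copy no longer does."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(snap_root):
        for name in dirnames + filenames:
            snap_path = os.path.join(dirpath, name)
            rel = os.path.relpath(snap_path, snap_root)
            snap_st = os.lstat(snap_path)
            snap_mode = stat.S_IMODE(snap_st.st_mode)
            try:
                live_st = os.lstat(os.path.join(live_root, rel))
            except (FileNotFoundError, NotADirectoryError):
                # Deleted from the live dataset, still present in the snapshot.
                findings.append((rel, "deleted-live", snap_mode))
                continue
            # Permission bits set in the snapshot but cleared on the live copy.
            extra = snap_mode & ~stat.S_IMODE(live_st.st_mode)
            if extra:
                findings.append((rel, "mode-tightened-live", extra))
            elif (snap_st.st_uid, snap_st.st_gid) != (live_st.st_uid, live_st.st_gid):
                findings.append((rel, "owner-changed-live", snap_mode))
    return sorted(findings)


def build_demo(base):
    """Constructed sample: plain directories standing in for a dataset and one snapshot."""
    live, snap = os.path.join(base, "live"), os.path.join(base, "snap")
    layout = {  # name: (mode in snapshot, mode on live copy or None if deleted)
        "notes.txt": (0o644, 0o644),
        "report.txt": (0o644, 0o600),
        "old.key": (0o640, None),
    }
    for root in (live, snap):
        os.makedirs(root)
    for name, (snap_mode, live_mode) in layout.items():
        for root, mode in ((snap, snap_mode), (live, live_mode)):
            if mode is not None:
                path = os.path.join(root, name)
                with open(path, "w") as fh:
                    fh.write("constructed sample\n")
                os.chmod(path, mode)
    return live, snap


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason, bits in audit_snapshot(*build_demo(tmp)):
            print(f"{rel}: {reason} ({bits:04o})")
```

Each finding is a tuple of relative path, reason, and the octal permission bits involved: for `mode-tightened-live` these are the bits present only in the snapshot copy, otherwise the snapshot copy's full mode.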