by senozhatsky 2499 days ago
Somehow reminds me of this conversation [0]:

  > Al Viro asked if there is a plan to allow mounting hand-crafted XFS or ext4
  > filesystem images. That is an easy way for an attacker to run their own code
  > in ring 0, he said. The filesystems are not written to expect that kind of
  > (ab)use. When asked if it really was that easy to crash the kernel with a
  > hand-crafted filesystem image, Viro said: "is water wet?"
[0] https://lwn.net/Articles/718639/
1 comments

"The filesystems are not written to expect that kind of (ab)use. When asked if it really was that easy to crash the kernel with a hand-crafted filesystem image, Viro said: 'is water wet?'"

This is why an rsync.net account that is enabled to allow zfs send/recv is actually inside a VM and the customer is given their own zpool and their own root login.

It's really resource intensive to do it this way and there are other, much simpler and more scalable ways to provide the ability to zfs send into cloud storage ...

However, there is universal agreement among the ZFS coding community [1] that allowing someone to 'zfs send' an arbitrary datastream (in this case, a snapshot) is tremendously dangerous.

In the best case, the malicious actor can crash the kernel and deny service. In the worst case, the malicious actor could destroy the underlying zpool.

[1] Please consider attending the OpenZFS Developer Summit in November if you have any interest in this ...