Page MenuHomeFreeBSD

Include warning about unintended consequences of using the operator account, and add note about GELI passing TRIM/UNMAP requests to ZFS FAQ
ClosedPublic

Authored by debdrup on Feb 8 2020, 5:57 PM.
Tags
None
Referenced Files
F81927582: D23585.diff
Wed, Dec 4, 11:38 PM
Unknown Object (File)
Sun, Dec 1, 2:35 AM
Unknown Object (File)
Fri, Nov 29, 11:54 PM
Unknown Object (File)
Sat, Nov 16, 6:41 PM
Unknown Object (File)
Fri, Nov 15, 2:54 PM
Unknown Object (File)
Fri, Nov 15, 10:40 AM
Unknown Object (File)
Sun, Nov 10, 2:24 AM
Unknown Object (File)
Sat, Nov 9, 5:07 AM

Details

Reviewers
bcr
trasz
crees
Group Reviewers
docs
Summary

Make it absolutely clear that the operator group grants access privileges that might not be immediately obvious.

Also catching up on a bit of documentation to reflect that GELI has been passing TRIM/UNMAP requests since 2015.

Test Plan

Ran igor on it, passed without incident for the few lines I added.

Diff Detail

Repository
rD FreeBSD doc repository - subversion
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 29365
Build 27263: arc lint + arc unit

Event Timeline

Do you think some actual examples might help? As an example perhaps the shutdown privilege, but can you think of any others?

In your commit message, best to say 'group' rather than 'account'.

To quote Mastering FreeBSD and OpenBSD Security:

... the raw disk devices are owned by root, but the group operator has access to read them. This allows the operator group to bypass the filesystem and its permissions and read raw data blocks from the disk.

Add some examples as suggested by cress.

This should at least give an overview of how broad the unintended consequences can be.

Looks great. If no one else does so, I'll commit this in a few days when I get a chance.

This revision is now accepted and ready to land.Feb 12 2020, 12:29 PM

Added recently discovered filename tag around /dev

This revision now requires review to proceed.Feb 13 2020, 9:45 PM
debdrup retitled this revision from Include warning about unintended consequences of using the operator account to Include warning about unintended consequences of using the operator account, and add note about GELI passing TRIM/UNMAP requests to ZFS FAQ.Feb 13 2020, 9:50 PM
debdrup edited the summary of this revision. (Show Details)

I hope it's okay that I'm (apparently) combining two reviews into one? Or should I resubmit on each? I thought arc could handle multiple outstanding reviews, but apparently not.

They are separate actions, so should be separate commits and therefore separate reviews, but I'm happy to split them this time.

I don't wish to cause unnecessary noise, but it seems the accepted-status got lost in bumping things, so I'm wondering if you lost track of this review as I did?

@crees and/or @bcr if you don't have time. I can make the commit myself with your approval.

Good to go!
Thanks for taking care of it.

This revision is now accepted and ready to land.Mar 1 2020, 3:54 PM