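Hello,
The BTRFS Sysadmin Wiki recommends mounting only when needed (for example, when working with snapshots) and unmounting as soon as the operation is finished.
As for why keeping the root volume (subvolid=5) mounted all the time is not recommended, here is an excerpt from the original text: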
Care must be taken when snapshots are created that are then visible to
any user (e.g. when they're created in a nested layout) as this may have
security implications.
Of course, the snapshot will have the same permissions as the subvolume
from which it was created at the time it was, but these permissions may
be tightened later on, while those of the snapshot wouldn't change,
possibly allowing access to files that shouldn't be accessible anymore.
Similarly, especially on the system's "main" filesystem, the snapshot
would contain any files (for example setuid programs) of the state when
it was created. In the meantime however, security updates may have been
rolled out on the original subvolume, but when the snapshot is
accessible (and for example the vulnerable setuid has been accessible
before) a user could still invoke it.
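Roughly speaking, if the root volume stays mounted, some users may be able to directly reach the subvolumes that serve as snapshots. The permissions and state of the files in these snapshots stay as they were at the moment the snapshot was taken. Even if the administrator later applies a security patch to tighten permissions, the state inside the snapshot does not change, so a user who can read the snapshot directly has a chance to reach files that he should not (now) be able to reach.
In addition, you may also want to keep some files related to managing BTRFS inside the root volume. Keeping the root volume mounted also increases the risk of this data leaking.
However, since none of the above scenarios come up in this assignment, it was not required.
I hope this answers your question.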
TA hsuchy
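
An added example, not part of the TA's reply or of the BTRFS wiki: an audit an administrator could run against one snapshot and the live subvolume it was taken from, listing paths where the snapshot still grants group/other access that the live tree has since revoked, and setuid/setgid files that have since been replaced or removed. The name `audit_snapshot` and the size/mtime comparison used to decide that a binary was updated are assumptions made for this example.

```python
import os
import stat
import sys

def audit_snapshot(snapshot_root, live_root):
    """Return sorted (relative_path, reason) findings for one snapshot tree.

    audit_snapshot is a hypothetical helper; both arguments are directories.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(snapshot_root):
        for name in dirnames + filenames:
            snap_path = os.path.join(dirpath, name)
            rel = os.path.relpath(snap_path, snapshot_root)
            snap = os.lstat(snap_path)
            if stat.S_ISLNK(snap.st_mode):
                continue  # a symlink's own mode bits are not enforced
            try:
                live = os.lstat(os.path.join(live_root, rel))
            except (FileNotFoundError, NotADirectoryError):
                live = None  # gone from the live subvolume since the snapshot
            snap_bits = stat.S_IMODE(snap.st_mode)
            if live is not None:
                # group/other bits the snapshot still grants but live has revoked
                extra = snap_bits & ~stat.S_IMODE(live.st_mode) & 0o077
                if extra:
                    findings.append((rel, "group/other bits revoked on live: %03o" % extra))
            if stat.S_ISREG(snap.st_mode) and snap_bits & (stat.S_ISUID | stat.S_ISGID):
                # Assumption: a changed size or mtime means the binary was updated.
                if live is None:
                    findings.append((rel, "setuid/setgid file no longer on live"))
                elif (snap.st_size, snap.st_mtime_ns) != (live.st_size, live.st_mtime_ns):
                    findings.append((rel, "setuid/setgid file replaced on live"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: audit.py <snapshot_dir> <live_subvolume_dir>
    for path, reason in audit_snapshot(sys.argv[1], sys.argv[2]):
        print(f"{path}: {reason}")
```

Any finding marks a path that is only safe while ordinary users cannot reach the snapshot, which is the case when the root volume is unmounted after use.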