Project

General

Profile

Feature #24283

Add "exec" property to dataset configuration screen

Added by an odos about 2 years ago. Updated about 1 year ago.

Status:
Done
Priority:
Nice to have
Assignee:
William Grzybowski
Category:
Middleware
Target version:
Estimated time:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:

Description

I believe the zfs property "exec = off" would have mitigated the vulnerability CVE-2017-7494 (recent samba vulnerability). I believe it's the direct equivalent of mounting a filesystem as 'noexec'. Maybe we can have it be set when a dataset is configured to have "windows permissions type". Perhaps this should be the default for datasets that are NFS / SMB / AFP shares? I doubt it would adversely affect functionality, and there is clearly a benefit to it.


Related issues

Related to FreeNAS - Bug #34810: Display an error if user trys to install a plugin on a dataset configured with noexecDone
Copied to FreeNAS - Feature #27976: Add "exec" property to dataset configuration screen of new UIDone

Associated revisions

Revision f6cb3f88 (diff)
Added by William Grzybowski over 1 year ago

feat(gui): add `exec` option to dataset

Ticket: #24283

Revision ef554a77 (diff)
Added by Dru Lavigne about 1 year ago

Add Exec field for datasets.
Ticket: #24283

Revision eba26c89 (diff)
Added by Dru Lavigne about 1 year ago

Add Exec field for datasets.
Ticket: #24283

History

#1 Updated by an odos about 2 years ago

Mounting "noexec" is listed as a mitigation measure against this CVE in Red Hat's announcement here: https://access.redhat.com/security/cve/cve-2017-7494

#2 Updated by Alexander Motin about 2 years ago

  • Status changed from Unscreened to Screened

Mentioned CVE is already addressed by FreeNAS 9.10.2-U4 update. Disabling exec may possibly be an effective measure too, but I worry about some potential side effects, for example for jails/plugins.

#3 Updated by an odos about 2 years ago

Alexander Motin wrote:

Mentioned CVE is already addressed by FreeNAS 9.10.2-U4 update. Disabling exec may possibly be an effective measure too, but I worry about some potential side effects, for example for jails/plugins.

That's why I was thinking that it would be something to do specifically on datasets hosting file shares. If a person decides to share out their jails dataset, they already have some problems. I imagine "apply default permissions" would very effectively nuke the jail's permissions from orbit.

See Klaus Hartnegg's comment here: http://marc.info/?l=samba&m=149578684619853&w=2

I would have expected this to be standard security precaution on all pure file servers (which is probably the most common use of Samba).

The point is that it's a fairly simple / common way to reduce the potential attack surface on a file server. This is especially relevant because FreeNAS users may end up delaying updates for various reasons (for instance, updates breaking specific plugins).

If this is unacceptable, perhaps we can have a compromise: expose the option in the FreeNAS UI somewhere? :-)

#4 Updated by Alexander Motin about 2 years ago

That's a big change and we'll discuss it.

#5 Updated by Dru Lavigne almost 2 years ago

  • Status changed from Screened to 46

Sasha: do you have a target version in mind for this one?

#6 Updated by Alexander Motin almost 2 years ago

  • Category changed from OS to 129
  • Status changed from 46 to Unscreened
  • Assignee changed from Alexander Motin to Kris Moore

It is not about version. It is more about making decision and suffering possible consequences. I don't have strict opinion.

#7 Updated by Dru Lavigne almost 2 years ago

  • Status changed from Unscreened to 46

Kris: what are your thoughts?

#8 Avatar?id=14398&size=24x24 Updated by Kris Moore almost 2 years ago

At first thought it seems like something we could do, but I would share Sasha's concern here that this could bite us for jails or other things. Might be best to have it as a knob somewhere. Lets plan on discussing it at the Dev summit next week, since there may be other implications I'm not recalling at the moment.

#9 Updated by Dru Lavigne over 1 year ago

Kris: where do you see this on the roadmap?

#10 Avatar?id=14398&size=24x24 Updated by Kris Moore over 1 year ago

  • Status changed from 46 to Unscreened
  • Assignee changed from Kris Moore to William Grzybowski
  • Priority changed from No priority to Nice to have
  • Target version set to 11.2-BETA1

Lets go ahead and add the ability to do this via the UI for now (but not enabled by default). Over to William first, anything on middleware we need to support this? If not, lets pass it right back to Lola at on new UI team to expose this somewhere.

#11 Updated by William Grzybowski over 1 year ago

  • Status changed from Unscreened to 15
  • Assignee changed from William Grzybowski to Kris Moore

How do you envision this implemented?

Shares work over simple paths, not just datasets. There can be conflicts of subpaths of a dataset and multiple shares using same dataset with different share option.

Or are you referring to an "exec" field in Edit Dataset screen?

#12 Avatar?id=14398&size=24x24 Updated by Kris Moore over 1 year ago

  • Status changed from 15 to Screened
  • Assignee changed from Kris Moore to William Grzybowski

I was just thinking of the exec field in the dataset properties. I.E. expose it so the end-user can try enabling / disabling it at will. It could even be under "advanced" for now. (This is new UI I'm thinking BTW, so just need middleware hook from you first)

#13 Updated by William Grzybowski over 1 year ago

  • Category changed from 129 to 2

#14 Updated by William Grzybowski over 1 year ago

  • Status changed from Screened to Needs Developer Review
  • Assignee changed from William Grzybowski to Vladimir Vinogradenko

#15 Updated by Vladimir Vinogradenko over 1 year ago

  • Status changed from Needs Developer Review to Reviewed by Developer
  • Assignee changed from Vladimir Vinogradenko to William Grzybowski

#16 Updated by William Grzybowski over 1 year ago

  • Status changed from Reviewed by Developer to Ready For Release

#17 Updated by Michael Dexter over 1 year ago

Does this default to "noexec" with the exception of the jails dataset?

This would mitigate both SambaCry and Meltdown, plus most other arbitrary code execution vulnerabilities. There is an exception to every rule, but this is a good step in the right direction.

#18 Updated by William Grzybowski over 1 year ago

  • Subject changed from Set ZFS property "exec = off" on Shares to Expose "exec" dataset property in UI

Michael Dexter wrote:

Does this default to "noexec" with the exception of the jails dataset?

This would mitigate both SambaCry and Meltdown, plus most other arbitrary code execution vulnerabilities. There is an exception to every rule, but this is a good step in the right direction.

No, default has not changed.

#19 Avatar?id=13649&size=24x24 Updated by Ben Gadd over 1 year ago

  • Status changed from Ready For Release to Done

#20 Updated by Dru Lavigne over 1 year ago

  • Subject changed from Expose "exec" dataset property in UI to Add "exec" property to dataset configuration screen
  • Needs Merging changed from Yes to No

#21 Updated by Dru Lavigne over 1 year ago

  • Copied to Feature #27976: Add "exec" property to dataset configuration screen of new UI added

#23 Updated by Dru Lavigne about 1 year ago

  • Status changed from Done to Ready for Testing

#24 Updated by William Grzybowski about 1 year ago

  • Category changed from GUI (new) to Middleware

#25 Avatar?id=55038&size=24x24 Updated by Zackary Welch about 1 year ago

  • Severity set to New
  • Needs QA changed from Yes to No

Confirmed that the "exec" option was added and documented. Seems like it works, since I get a "list index out of range" error from iocage when "exec" is off, and everything works fine when it's on. It makes sense that you cannot install plugins with "exec" on, but there should be a message when trying to do so. There should be a more descriptive messages and documentation about the effects of the property, particularly when installing plugins.

#26 Updated by Vladimir Vinogradenko about 1 year ago

Issue for tracking comment above: https://redmine.ixsystems.com/issues/34810

#27 Updated by Dru Lavigne about 1 year ago

  • Related to Bug #34810: Display an error if user trys to install a plugin on a dataset configured with noexec added

#28 Updated by Dru Lavigne about 1 year ago

  • Status changed from Ready for Testing to Done

Also available in: Atom PDF