A thought about filesystem snapshots
Here is an aphorism:
Filesystem snapshots preserve mistakes, and so public snapshots preserve mistakes publicly.
This isn't an issue unique to snapshots; it's common to any backup system that offers public or 'self serve' restores. In theory a system that only let you see or restore files that you owned would avoid the problem, but the simple version would make certain files inaccessible (files you owned inside directories that other people owned, unless the system made an exception for that). Plus it only really works for backup systems; filesystem snapshots count on the general filesystem for a lot of things, including permissions.
Our use of (ZFS) snapshots is likely to be both entirely administrative and short term, so I think we are probably not going to worry too much about this particular thought.
(On a side note, I must strongly encourage vendors of systems with such 'self serve' restore programs to not try to duplicate Unix file permissions checking; that way lies dragons, and I have seen some of them. And certainly it should be possible to selectively turn off the ability to do self-serve restores, so that some filesystems or directory trees can only be restored by sysadmins.)
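One way to check for the exposure the aphorism describes, as an added example (not code from the original post): it compares a snapshot tree against the live tree and reports files that 'other' can still read in the snapshot but that have since been deleted or locked down. The function names and sample files are hypothetical and constructed here; on ZFS the snapshot root would be a directory under `.zfs/snapshot/`. Only the Unix mode bits below the given roots are examined, not ACLs or directories above them.

```python
import os
import stat
import tempfile

def exposed_in_snapshot(live_root, snap_root):
    """Files 'other' can read in the snapshot but no longer in the live tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(snap_root):
        # Prune directories 'other' cannot traverse; nothing below them is public.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in filenames:
            snap_path = os.path.join(dirpath, name)
            st = os.lstat(snap_path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                continue
            rel = os.path.relpath(snap_path, snap_root)
            try:
                live = os.lstat(os.path.join(live_root, rel))
            except (FileNotFoundError, NotADirectoryError):
                findings.append((rel, "deleted from live tree"))
                continue
            if not live.st_mode & stat.S_IROTH:
                findings.append((rel, "world-read revoked in live tree"))
    return sorted(findings)

def build_demo():
    """Constructed sample: a live tree and an older 'snapshot' copy of it."""
    base = tempfile.mkdtemp()
    spec = {  # relative path: (mode in snapshot, mode in live or None if deleted)
        "notes.txt": (0o644, 0o644),          # unchanged, not a finding
        "id_rsa.bak": (0o644, None),          # mistake fixed by deleting
        "creds.ini": (0o644, 0o600),          # mistake fixed by chmod
        "private/diary.txt": (0o644, 0o600),  # parent dir was never public
    }
    for idx, root in enumerate(("snap", "live")):
        for rel, modes in spec.items():
            if modes[idx] is None:
                continue
            path = os.path.join(base, root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write("constructed sample\n")
            os.chmod(path, modes[idx])
        os.chmod(os.path.join(base, root, "private"), 0o700)
    return os.path.join(base, "live"), os.path.join(base, "snap")

if __name__ == "__main__":
    for rel, reason in exposed_in_snapshot(*build_demo()):
        print(f"{rel}: {reason}")
```

Both the deleted file and the chmod'ed file are reported, because the snapshot still carries the old contents and the old permissions.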