ZFS root-on-ZFS options and quotas for security

I am preparing to do a clean install of 10.1-RELEASE on a new system using root-on-ZFS. I have played with this a bit with some of the release candidates.

As part of my standard lockdown, I would previously specify sizes for /tmp and /var/tmp and set them to noexec and nosuid (https://forums.freebsd.org/threads/correct-way-of-securing-tmp-and-var-tmp-in-freebsd.30864/)

In the ZFS world, I need to set the properties of the ZFS mount appropriately, such as:

Code:
# zfs set exec=off zroot/tmp
# zfs set setuid=off zroot/tmp
# zfs set exec=off zroot/var/tmp
# zfs set setuid=off zroot/var/tmp
In order to prevent disk space exhaustion from someone filling /tmp, I assume that I then need to set quotas (https://forums.freebsd.org/threads/zfs-limit-available-space-in.26218/). Say maximum of 512M each.
Code:
# zfs set quota=512M zroot/tmp
# zfs set quota=512M zroot/var/tmp
So, a few questions:
  1. I see references to an older nodev option which is also present in other BSDs, but seems that since the introduction of devfs is no longer applicable in FreeBSD. Do I need to consider any equivalents in ZFS options?
  2. Are there any other ZFS options that I really should be setting for a secure ZFS layout?
  3. Does anyone have any good pointers to ZFS layouts and recommended quota sizes for a production server that will not be compiling from source?
  4. Are there any caveats when applying noexec to ZFS tmp directories?
Many thanks,
Nick
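The following script is an added example, not part of the original post or of FreeBSD's own tooling. It applies the exec=off, setuid=off and quota settings described above to the tmp datasets and then audits the result by parsing `zfs get -H -p` output, so the check can also be run against captured output without a pool present. It assumes the layout from the post (pool zroot, datasets zroot/tmp and zroot/var/tmp mounted at /tmp and /var/tmp); the dataset list, quota and function names are choices made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): harden the ZFS-backed /tmp and
# /var/tmp datasets as the post describes, then audit the result.
# Assumed layout (from the post): pool zroot, datasets zroot/tmp and
# zroot/var/tmp mounted at /tmp and /var/tmp. Adjust DATASETS/QUOTA as needed.

DATASETS="zroot/tmp zroot/var/tmp"
QUOTA="512M"
QUOTA_BYTES=536870912   # 512M in bytes, for comparing against `zfs get -p` output

# Before turning exec off, list regular files under /tmp and /var/tmp that
# carry an execute bit: anything listed is a candidate for breakage once
# exec=off is set. -type f deliberately skips sockets, which show an x bit
# in ls output but are never executed.
list_tmp_executables() {
    find /tmp /var/tmp -xdev -type f -perm -u+x 2>/dev/null
}

# Apply the hardening properties from the post to every tmp dataset.
harden_tmp_datasets() {
    for ds in $DATASETS; do
        zfs set exec=off "$ds"       || return 1
        zfs set setuid=off "$ds"     || return 1
        zfs set quota="$QUOTA" "$ds" || return 1
    done
}

# Read `zfs get -H -p -o name,property,value exec,setuid,quota ...` output on
# stdin and print every property that is not in the hardened state.
# $1 is the maximum acceptable quota in bytes. Exits 0 only if nothing deviates.
audit_zfs_get_output() {
    tab=$(printf '\t')
    awk -F "$tab" -v q="$1" '
        $2 == "exec"   && $3 != "off" { print $1 ": exec=" $3 " (want off)"; bad = 1 }
        $2 == "setuid" && $3 != "off" { print $1 ": setuid=" $3 " (want off)"; bad = 1 }
        $2 == "quota"  && ($3 == "none" || $3 == "0" || $3 + 0 > q + 0) {
            print $1 ": quota=" $3 " (want <= " q " bytes)"; bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Convenience wrapper that queries the live pool. -p makes zfs print byte
# counts, so the quota comparison in audit_zfs_get_output is numeric.
audit_tmp_datasets() {
    zfs get -H -p -o name,property,value exec,setuid,quota $DATASETS \
        | audit_zfs_get_output "$QUOTA_BYTES"
}

# Usage (as root, once the datasets exist):
#   list_tmp_executables       # see what exec=off would stop from running
#   harden_tmp_datasets && audit_tmp_datasets && echo "tmp datasets hardened"
```

The audit reads the dataset properties rather than trusting that `zfs set` succeeded, which also makes it usable as a periodic check: an unset quota (reported as `none`, or `0` under `-p`) and any quota above the expected ceiling are both flagged, so a later `zfs inherit quota` would be caught.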
 
In response to your question 4, I assume that your zroot/tmp will be mounted at /tmp? If so, you should take special care to remember that you have marked it
Code:
exec=off
because some programs that you may install later may require that files they store in /tmp are allowed to be executed (for an example from my system, the App Engine Go SDK stores its compiled binaries there).

I am not sure if anything in the base system will fail if /tmp or /var/tmp have
Code:
exec=off
set. I do have an executable file at /tmp/.X11-unix/X0 which appears to be related to X.org (this is a desktop machine). I do not see any executables in /var/tmp.
 
Thank you bthomson. This particular server is headless and is only going to be providing NTP/DNS/DHCP. I had noticed when using some Linux distros that they like to unpack some packages to, and run binaries from, directories like /var/tmp, so I was cautious about any similar activities in FreeBSD. I will keep an eye on the logs and see if anything crops up.
 