On 31 May 2019 10:15 -0600, from tuhs(a)minnie.tuhs.org (Grant Taylor via TUHS):
>>> * snapshots are readonly, and thus, immune to ransomware attacks;
>>
>> Let's hope said ransomware isn't smart enough to run "zfs list X -t
>> snapshot" and "zfs destroy X@Y".
>
> (Barring any local privilege escalation....) I think that ZFS would protect
> (snapshots) against ransomware running as an unprivileged user that can't
> run zfs / zpool commands.

Yes, and that's the point I was (trying to) make: snapshots are only
immune to ransomware as long as (a) said ransomware isn't running as
root, and (b) said ransomware can't escalate to having root access (or
whatever capabilities might be required to poke around ZFS snapshots),
and of course (c) said ransomware doesn't know about ZFS snapshots.
Snapshots definitely raise the bar, which is a good thing, not to
mention how useful they are for bona fide "oh carp" moments. I do
however feel that "immune" is a bit too strong a word.

>> And while "zfs list" is Mostly Harmless, let's hope the sysadmin is
>> smart enough to not let arbitrary users run "zfs destroy" anything
>> important.
>
> I have found the zfs and zpool commands sufficiently easy to allow limited
> access via appropriate sudoers entries.

I'm pretty sure at least ZoL for Debian comes packaged with a sudoers
file where all you need to do to allow read-only ZFS sudo access to
normal users is uncomment one or a few lines. It's been a while since
I set it up.
--
Michael Kjörling • https://michael.kjorling.se • michael(a)kjorling.se
“The most dangerous thought that you can have as a creative person
is to think you know what you’re doing.” (Bret Victor)
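
The following is an added example, not part of the original message and not taken from the ZFS on Linux package: a shell check that lists sudoers grants of zfs/zpool subcommands falling outside a read-only allowlist, including the case where a bare command path lets sudo accept any arguments. The allowlist, the function names and the sample sudoers text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudoers grants of zfs/zpool subcommands that fall
# outside a read-only allowlist (the allowlist below is an assumption).
READONLY_SUBCMDS="get list help status iostat"

# Constructed sample input, loosely shaped like a sudoers.d fragment.
sample_sudoers() {
cat <<'EOF'
# Cmnd_Alias C_OLD = /sbin/zfs destroy *
Cmnd_Alias C_ZFS = /sbin/zfs "", /sbin/zfs list, /sbin/zfs list *, \
  /sbin/zpool status, /sbin/zpool status *
%backup ALL = (root) NOPASSWD: /sbin/zfs snapshot *, /sbin/zfs destroy *
%ops ALL = (root) /sbin/zpool
ALL ALL = (root) NOPASSWD: C_ZFS
EOF
}

# audit_zfs_sudoers [FILE]: print each non-allowlisted grant, one per line.
# Exit status is 1 if anything was flagged, 0 otherwise. Reads stdin by default.
audit_zfs_sudoers() {
    awk -v allow="$READONLY_SUBCMDS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*#/ { next }                       # commented-out entries grant nothing
    {
        sub(/\\[ \t]*$/, "")                  # strip a trailing line continuation
        m = split($0, spec, /[,=:]/)          # command specs are comma separated
        for (i = 1; i <= m; i++) {
            k = split(spec[i], w, /[ \t]+/)
            for (j = 1; j <= k; j++) {
                if (w[j] !~ /\/(zfs|zpool)$/) continue
                sc = (j < k) ? w[j + 1] : ""
                if (sc == "\"\"") continue    # "" means: only with no arguments
                if (sc == "") {               # bare path: sudo allows ANY arguments
                    print w[j] " <any arguments>"; bad++
                } else if (!(sc in ok)) {
                    print w[j] " " sc; bad++
                }
            }
        }
    }
    END { exit (bad ? 1 : 0) }' "${1:--}"
}

# Stand-alone run: audit the constructed sample.
sample_sudoers | audit_zfs_sudoers || true
```

The parser is deliberately simple: it does not expand Cmnd_Alias references or handle a blanket `ALL` command grant, so those still need a manual look.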