PSA for paranoid users like myself, ZFS encryption + SMB shares

[winnielinnie]

This is a short, brief FYI for paranoid users, such as myself. I make no suggestions nor recommendations, but I thought I would share this tidbit on these forums.

The log file generated and appended by the SMB Service located at /var/log/samba4/log.smbd contains the full names of files being accessed via a network share. I don't recall changing the Log Level from its default, so I assume this is standard behavior "out of the box" with a fresh TrueNAS setup. I was under the impression that only critical errors and warnings were logged, but not every single file being accessed, to my surprise.

For reference, my Log Level was set to Normal, under the Service > SMB settings. The tooltip reads "By default, error and warning level messages are logged."

This means that if your System Dataset resides on your boot device (never encrypted) or a data pool without encryption, it's trivial to see what files live on your ZFS pools, even if you are using native ZFS encryption to obfuscate what is stored within. The boot device stores these logs in the clear (if this is where you chose to save your logs / System Dataset.)

Do with this knowledge what you will. The above requires someone to have physical access to your system or gain possession of your boot drives, as well as be proficient enough to understand and access a ZFS pool, as well as to intentionally read the contents of a log file. (It's not a simple matter of plug-and-play like one would do with a Windows PC and a USB stick.)

That is all.

 

[Pitfrr]

I was curious about this and I thought I'd check it out.
So here is my feedback on this topic.

I checked on my system (FreeNAS 9.10.x) and I don't see the same behavior.
What version of FreeNAS are you using (apparently TrueNAS I guess)?
Not sure if it would make a difference though... (I don't have a TrueNAS system ready to try with a SMB share)

There are some accessed files that are logged but not all of them. Apparently with the entry:
[2021/03/07 20:49:16.592424, 1] ../source3/smbd/oplock.c:377(lease_timeout_handler) lease break timed out for file ....

I don't have much entries in the log (not even every day).
I haven't changed any settings related to logging for samba.
And in /var/log/samba4, log.smbd is the only log file updated (no other log file is updated).

 

[winnielinnie]

I checked on my system (FreeNAS 9.10.x) and I don't see the same behavior.
What version of FreeNAS are you using (apparently TrueNAS I guess)?

TrueNAS Core 12.0-U2.1

SMB service is configured with the Log Level set to Normal.

I created an MS Word Document, and upon the simple action of opening it and closing it, I find this near the end of my log.smbd file:

Code:

[2021/03/07 16:57:05.594095,  2] ../../source3/smbd/open.c:1461(open_file)
  winnie opened file jessica_peabodys_will.docx read=Yes write=No (numopen=2)
[2021/03/07 16:57:16.303787,  2] ../../source3/smbd/close.c:828(close_normal_file)
  winnie closed file jessica_peabodys_will.docx (numopen=1) NT_STATUS_OK

No errors, nor any issues in accessing the above file. It was a simple open/close operation. Nothing fancy.

Every single accessed file is logged, revealing every single file name on the share that has been created or accessed. I retried the same thing by setting the Log Level to Minimum, and that seems to silence any logging of normal file access. (Of coures, Log Level None does the same thing.)

It's something to take note of, as I consider this a "spillover" of using encryption to presumably "hide everything at rest or when powered off."

 

[Redcoat]

I checked my TrueNAS Core 12.0-U2.1 also - my log level is at Minimum and I don't ever recall setting that (since the Freenas "9's").

 

[anodos]

This parameter hasn't changed for ages. Minimum is recommended level for production servers. Anything higher is for instances where you need to track down a particular issue. They map to the following:

Code:

LOGLEVEL_MAP = {
    '0': 'NONE',
    '1': 'MINIMUM',
    '2': 'NORMAL',
    '3': 'FULL',
    '10': 'DEBUG',
}

The default log level will generate entries for error conditions, but generally nothing else.

 

[winnielinnie]

I checked my TrueNAS Core 12.0-U2.1 also - my log level is at Minimum and I don't ever recall setting that (since the Freenas "9's").

This parameter hasn't changed for ages. Minimum is recommended level for production servers. Anything higher is for instances where you need to track down a particular issue. They map to the following:

I just confirmed this in a VM, so now I'm scratching my head wondering when and why I must have changed it sometime in the past? I quite possibly clicked the option out of curiosity at one point, and accidentally set it to "Normal" before saving my other changes to the Service's settings.

EDIT: Now that I think of it, I probably did click the dropdown menu, looked over the different levels, and then thought to myself "I'd rather not change it now, so I'll re-select the 'default' of Normal." Must have not realize the default is Minimum.