Shadow copies on Samba over Btrfs snapshots - 2 simple reasons to avoid it!

Hi all,
I’m reporting my experience in a 40+ user office and the reasons not to use shadow copies over Samba and Btrfs.

First of all, why did I decide to move to a non ext/ufs fs?? Simple answer: I wanted some “backup/versioning” for my office NAS to avoid accidental deletes.

Real answer: 10 days before XMas 2015 a colleague got a cryptolocker variant (Cryptolocker from Wikipedia) and I had to manage nearly 365K files (yes, 365.000 files) encrypted - I’m used to backing up on a daily basis plus incremental backups every 2 hours, so we just lost 10-20 files :)

So, you have to know that ransomware doesn’t start encrypting on the infected local machine, but first tries via network shares, also hitting hidden files and shadow copies on the local PC / remote shadow copies (first reason to avoid shadow copies on Samba).

Second reason to avoid: your users don’t need another “toy” to damage themselves :P

EDIT - Special Note: Time to recover 365K files from backup, checking for old versions / new versions, etc.: 3 days - time to recover via snapshots done every 15-20 minutes: 10-20 seconds, with possible loss of a small amount of files.

After reading and thinking about this - how would a cryptolocker actually gain access to my server? You definitely need root to delete btrfs snapshots.

So I read your forum post more closely…you were never talking about btrfs/rockstor in your case. Seems more like FUD to me (prove me wrong!)

Hello

I don’t see how a BTRFS snapshot could be encrypted by a remote client; most of the time, for shadow copies, it seems it’s read-only snapshots that are used.

You should shed light on how this is possible.

So you don’t believe, uh? Ok, let’s see this @arneko @William_Ag_di

We assume that we’re in an office with AD, so our Rockstor NAS serves files to multiple domain users, so our Samba share must have root / domain users as owner / group, right??
Or at least we need a subfolder that will be our users’ accessible folder with those rights, ok? OK

So, make your Samba share with shadow copies, write down the snapshot prefix - create your snapshot task.

First test - snapshots not visible to users - say bye to shadow copies
I’ve changed this file 4-5 times after 12.26, no details about it

Second test - snapshots visible to users - shadow copies ok
Hey cool, got my shadow copy, I can roll back

And now the nice part: you all think about system protection against deletion, right??? From Windows Explorer or similar, right (no delete option for shadow copies, see figure)

But here comes my nice cmd prompt from a “stupid win machine”, not an IBM Blue monster…

So imagine you got all your snapshots on, from the first one, and a stupid ransomware script encrypts your data and deletes all your snapshots

@suman PLS ADD a big WARNING for shadow copies over Samba shares ( I would disable it )

ADD - ALTERNATIVE TO TEST

  1. Set share ACL to root/root
  2. Add Domain Admin to samba Admin Users
  3. Create a folder with permissions AD Admin/AD Users
  4. Try to take snapshots & shadow copies

Will shadow copies be accessible??? Not sure, snapshots get root/root and only subdirs get AD Admin/AD Users

Don’t wanna try, have already destroyed my shares +10 times for testing xD

Pretty sure persistent VSS requires NTFS. Did you enable Samba VFS? That’s the only way Windows clients can use BTRFS snapshots - just like VSS. Looks like Rockstor supports VFS:

Second issue, seems reasonable that users can delete their snapshots with rwx access, right? Worried about ransomware? Remove administration rights from domain accounts. Create read-only snapshots.
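
Added example, not part of the thread and not Rockstor code: a check for the "create read-only snapshots" advice above, using `btrfs property get -ts <path> ro`, which prints `ro=true` or `ro=false`. The function name `audit_snapshots` is hypothetical, and snapshots are assumed to be direct children of the directory passed in.

```shell
#!/bin/sh
# Added example: list snapshots under a snapshot directory that are NOT read-only.
# Assumption: every snapshot is a direct child of the directory given as $1.
#
# Prints "WRITABLE <path>" for a snapshot whose ro property is not true, and
# "UNKNOWN <path>" where btrfs cannot report the property (for example a plain
# directory that is not a subvolume). Returns 1 if anything was printed,
# 0 if every entry is a read-only snapshot or the directory is empty.
audit_snapshots() {
    local snapdir snap prop rc
    snapdir=$1
    rc=0
    for snap in "$snapdir"/*/; do
        [ -d "$snap" ] || continue      # glob matched nothing
        snap=${snap%/}
        if prop=$(btrfs property get -ts "$snap" ro 2>/dev/null); then
            case $prop in
                ro=true) ;;             # contents cannot be changed while the flag is set
                *) echo "WRITABLE $snap"; rc=1 ;;
            esac
        else
            echo "UNKNOWN $snap"; rc=1
        fi
    done
    return $rc
}

# Usage (run as root, placeholder path): audit_snapshots /path/to/snapshot/dir
```

A non-zero return makes the function usable from cron or a monitoring check to alert when a writable snapshot appears under a share that is exported with shadow copies.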

Hi @Steven_Jordan, and welcome to the community!

Thanks for your input, I actually would be interested in knowing a bit more about some of it:

During some of our work on Samba earlier this year, we pondered the idea of enabling the Btrfs vfs module in Samba. See the GitHub issue below:

Would you have any experience and feedback on using the Btrfs vfs module? I would appreciate your input if you have any. From reading their docs, it seems like there would be only advantages, but there might be something I’m missing, hence my desire to get user feedback on this anytime possible.

Yes, we do enable some (either globally or on a per share basis) depending on the options selected by the user during the creation of a Samba export, but we also allow any custom setting to smb.conf during the configuration of the Samba service (as long as it doesn’t cause testparm to error out), so one can enable any vfs module at that time. I believe one can also do that while creating a Samba share but I can’t remember for sure at the moment :-\ .
