Hi, Not sure if it's a real security issue, or if it's a feature. ZFS allows the admin to create noexec volumes, so that users won't be able to execute binaries sitting on these volume. But as soon as one of these binaries is available on a snapshot, it becomes available for the user to execute: # zfs create tank/test-exec # ls test-exec # zfs get -r exec tank/test-exec NAME PROPERTY VALUE SOURCE tank/test-exec exec off local # cp /bin/ls /tank/test-exec/ # /tank/test-exec/ls bash: /tank/test-exec/ls: Permission denied # zfs snapshot tank/test-exec@noexec # zfs get -r exec tank/test-exec NAME PROPERTY VALUE SOURCE tank/test-exec exec off local tank/test-exec@noexec exec off inherited from tank/test-exec # /tank/test-exec/.zfs/snapshot/noexec/ls test-exec Once the snapshot is accessed, it's mounted automatically, and gets back an exec=on property: # zfs get -r exec tank/test-exec NAME PROPERTY VALUE SOURCE tank/test-exec exec off local tank/test-exec@noexec exec on temporary So it makes it very easy for a user to install and use binaries on a shared server where (for example) every home is a ZFS volume with daily snapshots. regards, patpro