lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 24 Oct 2007 11:02:58 -0400
From:	Peter Staubach <staubach@...hat.com>
To:	Miklos Szeredi <miklos@...redi.hu>
CC:	akpm@...ux-foundation.org, hch@...radead.org,
	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH] VFS: new fgetattr() file operation

Miklos Szeredi wrote:
>> Miklos Szeredi wrote:
>>     
>>> I don't think Christoph will like the patch better, regardless of how
>>> I change the description.
>>>
>>> Of course, I'm open to suggestion on how to improve the interface, but
>>> I think fundamentally this is the only way to correctly deal with the
>>> below problem.
>>>
>>> Anyway, here's the patch another time, please consider adding it to
>>> -mm.  For 2.6.25 obviously.
>>>
>>> Thanks,
>>> Miklos
>>> ----
>>>
>>> From: Miklos Szeredi <mszeredi@...e.cz>
>>>
>>> Add a new file operation: f_op->fgetattr(), that is invoked by
>>> fstat().  Fall back to i_op->getattr() if it is not defined.
>>>
>>> We need this because fstat() semantics can in some cases be better
>>> implemented if the filesystem has the open file available.
>>>
>>> Let's take the following example: we have a network filesystem, with
>>> the server implemented as an unprivileged userspace process running on
>>> a UNIX system (this is basically what sshfs does).
>>>
>>> We want the filesystem to follow the familiar UNIX file semantics as
>>> closely as possible.  If for example we have this sequence of events,
>>> we still would like fstat to work correctly:
>>>
>>>  1) file X is opened on client
>>>  2) file X is renamed to Y on server
>>>  3) fstat() is performed on open file descriptor on client
>>>
>>> This is only possible if the filesystem server acutally uses fstat()
>>> on a file descriptor obtained when the file was opened.  Which means,
>>> the filesystem client needs a way to get this information from the
>>> VFS.
>>>
>>>   
>>>       
>> This true iff the protocol that this mythical
>>     
>
> Not mythical at all.  As noted in the description, there's sshfs, a
> live and quite popular example of this sort of filesystem.
>
>   
>> network file system uses the name of the file on the server to
>> actually identify the file on the server.
>>     
>
> The constraint is that the server has to be an ordinary unprivileged
> process.  How should it identify the file, other than by name, or by
> an open file descriptor?
>
>   

I explained this.  The fileid and the generation count along
with the file system id will uniquely identify the file.

>> Clearly, this is broken on many levels.  It can't handle
>> situations as described nor can it handle different instances
>> of the same filename being used.
>>     
>
> Can you please give concrete examples what it can't handle, and how
> should the implementation be improved to be able to handle it, given
> the above constraints?
>
>   
>> This is why NFS, a network file system, does not use the filename
>> as part of the file handle.
>>     
>
> And the nfs server isn't a userspace process, or if it is, it must use
> horrible hacks to convert the file handle to a name, that don't work
> half the time.
>
>   

Nice try.  Wrong.  Try a different rationalization.

>> Wouldn't you be better off by attempting to implement an "open
>> by ino" operation and an operation to get the generation count
>> for the file and then modifying the network protocol of interest
>> to use these as identifiers for the file to be manipulated?
>>     
>
> You mean an "open by inode" on the userspace API?  My guess, it
> wouldn't get very far.
>
>   

This isn't a new idea and has been implemented on a variety of
different systems.

> Anyway, that would still not work on old servers, and servers running
> other OS's.
>
>   

I didn't think that we were talking about old servers and other
OS's.  My concern at the moment is Linux and the changes being
made to it.

> Note, the point is _not_ to make a brand new NFS replacement
> filesystem, that can use names instead of file handles.  The point is
> to use existing infrastructure, to make the setup as easy as ssh'ing
> to a different machine.  And sshfs does just that.

And the solution is limiting.  It is not scalable nor particularly
interesting to anyone interested in security.  Unless there is a
way of limiting access to a particular set of files, then it is
not generally useful outside of hackers or perhaps small groups
of users not concerned about too many aspects of security.

I am not interested in an extended discussion of this topic.

    Thanx...

       ps
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ