| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 29 Dec 2007 08:18:25 -0800 (PST) From: dean gaudet <dean@...tic.org> To: David Newall <david@...idnewall.com> cc: Mark Lord <lkml@....ca>, Al Viro <viro@....linux.org.uk>, Alexander Viro <viro@...iv.linux.org.uk>, Andrew Morton <akpm@...ux-foundation.org>, Linux Kernel <linux-kernel@...r.kernel.org> Subject: Re: RFC: permit link(2) to work across --bind mounts ? On Sat, 29 Dec 2007, David Newall wrote: > dean gaudet wrote: > > On Wed, 19 Dec 2007, David Newall wrote: > > > > > Mark Lord wrote: > > > > > > > But.. pity there's no mount flag override for smaller systems, > > > > where bind mounts might be more useful with link(2) actually working. > > > > > > > I don't see it. You always can make hard link on the underlying > > > filesystem. > > > If you need to make it on the bound mount, that is, if you can't locate > > > the > > > underlying filesystem to make the hard link, you can use a symbolic link. > > > > > > > i run into it on a system where /home is a bind mount of /var/home ... i did > > this because: > > > > - i prefer /home to be nosuid,nodev (multi-user system) > > > > Whatever security /home has, /var/home is the one that restricts because users > can still access their files that way. yep. and /var is nosuid,nodev as well. > > - i prefer /home to not be on same fs as / > > - the system has only one raid1 array, and i can't stand having two > > writable filesystems competing on the same set of spindles (i like to > > imagine that one fs competing for the spindles can potentially result > > in better seek patterns) > > ... > > - i didn't want to try to balance disk space between /var and /home > > - i didn't want to use a volume mgr just to handle disk space balance... > > > > Pffuff. That's what volume managers are for! You do have (at least) two > independent spindles in your RAID1 array, which give you less need to worry > about head-stack contention. this system is write intensive and writes go to all spindles, so you're assertion is wrong. a quick look at iostat shows the system has averaged 50/50 reads/writes over 34 days. that means 50% of the IO is going to both spindles. Device: rrqm/s wrqm/s r/s w/s rkB/s wkB/s avgrq-sz avgqu-sz await svctm %util sda 1.96 2.24 33.65 33.16 755.50 465.45 36.55 0.56 8.43 5.98 39.96 > You probably want different mount restrictions > on /home than /var, so you really must use separate filesystems. not sure why you think i want different restrictions... i'm running fine with nosuid,nodev for /var. the main worry i have is some user maliciously hardlinks everything under /var/log somewhere else and slowly fills up the file system with old rotated logs. the users otherwise have quotas so they can't fill things up on their own. i could probably set up XFS quota trees (aka "projects") but haven't gone to this effort yet. > LVM is your friend. i disagree. but this is getting into personal taste -- i find volume managers to be an unnecessary layer of complexity. given i need quotas for the users anyhow i don't see why i should both manage my disk space via quotas and via an extra block layer. > > But with regards to bind mounts and hard links: If you want to be able to > hard-link /home/me/log to /var/tmp/my-log, then I see nothing to prevent > hard-linking /var/home/me/log to /var/tmp/my-log. you probably missed the point where i said that i was surprised i couldn't hardlink across the bind mount and actually wanted it to work. -dean -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists