| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 06 Feb 2017 09:32:36 -0800
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: lkml@...garu.com
Cc: Theodore Ts'o <tytso@....edu>,
"J. R. Okajima" <hooanon05g@...il.com>,
Djalal Harouni <tixxdz@...il.com>, Chris Mason <clm@...com>,
Josh Triplett <josh@...htriplett.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Andy Lutomirski <luto@...nel.org>,
Seth Forshee <seth.forshee@...onical.com>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
Dongsu Park <dongsu@...ocode.com>,
David Herrmann <dh.herrmann@...glemail.com>,
Miklos Szeredi <mszeredi@...hat.com>,
Alban Crequy <alban.crequy@...il.com>,
Al Viro <viro@...IV.linux.org.uk>,
"Serge E. Hallyn" <serge@...lyn.com>, Phil Estes <estesp@...il.com>
Subject: Re: [RFC 1/1] shiftfs: uid/gid shifting bind mount
On Mon, 2017-02-06 at 09:38 -0600, lkml@...garu.com wrote:
> On Mon, Feb 06, 2017 at 07:18:16AM -0800, James Bottomley wrote:
> > On Mon, 2017-02-06 at 09:50 -0500, Theodore Ts'o wrote:
> > > On Sun, Feb 05, 2017 at 10:46:23PM -0800, James Bottomley wrote:
> > > > Yes, I know the problem. However, I believe most current linux
> > > > filesystems no longer guarantee stable, for the lifetime of the
> > > > file, inode numbers. The usual docker container root is
> > > > overlayfs,
> > > > which, similarly doesn't support stable inode numbers. I see
> > > > the
> > > > odd complaint about docker with overlayfs having unstable inode
> > > > numbers, but none seems to have any serious repercussions.
> > >
> > > Um, no. Most current linux file systems *do* guarantee stable
> > > inode
> > > numbers. For one thing, NFS would break horribly if you didn't
> > > have
> > > stable inode numbers. Never mind applications which depend on
> > > POSIX
> > > semantics. And you wouldn't be able to save games in rogue or
> > > nethack, either. :-)
> >
> > I believe that's why we have the superblock export operations to
> > manufacture unique filehandles in the absence of inode number
> > stability. The generic one uses inode numbers, but it doesn't have
> > to.
> > I thought reiserfs (if we can go back that far) was the first
> > generally used filesystem that didn't guarantee stable inode
> > numbers,
> > so we have a lot of historical precedence.
> >
> > Thanks to reiserfs, I thought we also iterated to weak stability
> > guarantees for inode numbers which mean no inconsistencies in
> > applications that use inode numbers for caching? It's still not
> > POSIX,
> > but I thought it was good enough for most use cases.
> >
>
> Even plain tar extraction is sensitive to directory inode stability:
> http://git.savannah.gnu.org/cgit/tar.git/tree/src/extract.c?h=release
> _1_29#n867
>
> This caused errors on overlayfs if the extraction churned through
> enough of the dentry cache to evict the relevant directory (can be
> forced to reproduce reliably via drop_caches).
Yes, I know the bug. I think it's up to tar maintainers, but if they
want to support weakly posix filesystems, they should really be using
the filehandle for this check, not device and inode number.
That said, I believe reiserfs was our only other filesystem with weak
inode number stability guarantees and that's hardly in common use
today, so if we can find a solution that gives strong stability
guarantees for out current problem filesystems, there's no reason not
to use it generally.
James
Powered by blists - more mailing lists