Message-ID: <1256917658.3145.20.camel@mini>
Date: Fri, 30 Oct 2009 16:47:38 +0100
From: Alexey Fisher <bug-track@...her-privat.net>
To: Greg Freemyer <greg.freemyer@...il.com>
Cc: Ted Augustine <taugustine@...hpathways.com>,
linux-ext4@...r.kernel.org
Subject: Re: xt4 - True Readonly mount [WAS - Re: [Bug 14354] Bad
corruption with 2.6.32-rc1 and upwards]
On Friday, 30.10.2009, at 10:20 -0400, Greg Freemyer wrote:
> On Fri, Oct 30, 2009 at 4:22 AM, <bugzilla-daemon@...zilla.kernel.org> wrote:
> > http://bugzilla.kernel.org/show_bug.cgi?id=14354
> >
> > --- Comment #152 from Alexey Fisher <bug-track@...her-privat.net> 2009-10-30 08:22:10 ---
> > Ted,
> > Thank you for explanation :)
> > Notice: I am learning computer forensics, and was trained to mount all evidence
> > systems with "-o ro" to not contaminate them. It seems like ext4 breaks this
> > tradition, so many forensic examiners will be surprised why the md5sum does not match.
>
> Ted, (Alexey, there is a response to you further down).
>
> I have not followed this thread ultra-closely but Alexey's comment got
> my attention.
>
> Ignoring computer forensics, with LVM snapshots, hardware raid array
> snapshots, etc. even in the presence of a dirty log, we need to be
> able to mount a drive in true read-only fashion for many backup
> operations to function correctly.
>
> XFS added an extra mount flag for that 5 or so years ago.
>
> I hope ext4 either has or will add a true read-only mount option.
> Maybe Eric Sandeen remembers the actual drivers for adding that
> feature to XFS.
>
> Alexey,
>
> I do computer forensics as part of my job (see my signature). Never
> trust the -o ro flag with any filesystem type to keep evidence from
> being modified. It is not designed for forensic use. And it is hard
> to test because it may work in most scenarios, but then under certain
> situations, the journal gets applied, or cleared, etc.
>
> fyi: Yes I have read where doing so is advised, but I think that
> technique was developed back before Journaled filesystems were common.
> With a modern FS, it is just not a reliable technique in all
> situations.
>
> If you must mount a filesystem readonly to perform an exam, then use a
> hardware write-blocker to prevent modification. If the filesystem
> cannot be mounted readonly because a writeblocker is in use, then you
> know you have issues.
>
> The reality is that in more complex exams, we clone the original
> evidence, then perform part of the exam in a live environment. This
> clearly modifies the clone, but not the original. But the process
> should be repeatable by simply making more clones, etc.
>
> Greg
Greg,
Thank you for the comment.
As a student I do not own a hardware write-blocker. But even for normal
admin work, this can cause some frustration. With your comment I
realized that I probably screwed up some raid1 array. I used "-o ro" to
open one of the disks. :( Need to check it now.
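
An added example, not part of the original thread: one way to check an ext2/3/4 image or clone before mounting it is to read the superblock directly and see whether the journal is flagged as needing recovery, then hash the image before and after the exam as discussed above. The offsets and flag bits follow the ext4 on-disk superblock layout; the function names and the sample image are constructed for this illustration.

```python
import hashlib
import struct

SB_OFFSET = 1024              # primary superblock starts 1024 bytes into the filesystem
EXT_MAGIC = 0xEF53            # s_magic, little-endian u16 at superblock offset 0x38
COMPAT_HAS_JOURNAL = 0x0004   # bit in s_feature_compat (superblock offset 0x5C)
INCOMPAT_RECOVER = 0x0004     # bit in s_feature_incompat (0x60): journal needs recovery


def sha256_of(path, chunk=1 << 20):
    """Hash the whole image so it can be compared before and after an exam."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def journal_state(path):
    """Read the superblock from the raw image, read-only, without mounting."""
    with open(path, "rb") as f:
        f.seek(SB_OFFSET)
        sb = f.read(1024)
    if len(sb) < 0x68:
        raise ValueError("image too small to hold a superblock")
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError("no ext2/3/4 superblock magic found")
    # s_feature_compat and s_feature_incompat are adjacent u32 fields
    compat, incompat = struct.unpack_from("<II", sb, 0x5C)
    return {
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),
    }


def make_sample_image(path, compat, incompat):
    """Constructed sample: a blank 4 KiB image holding only the fields read above."""
    img = bytearray(4096)
    struct.pack_into("<H", img, SB_OFFSET + 0x38, EXT_MAGIC)
    struct.pack_into("<II", img, SB_OFFSET + 0x5C, compat, incompat)
    with open(path, "wb") as f:
        f.write(img)
```

A `needs_recovery` result of `True` marks an image whose journal is dirty, the situation in which the thread reports that "-o ro" alone cannot be trusted to leave the data untouched.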