lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 1 Jul 2019 20:20:51 +0300
From:   Boaz Harrosh <boaz@...xistor.com>
To:     "Darrick J. Wong" <darrick.wong@...cle.com>,
        matthew.garrett@...ula.com, yuchao0@...wei.com, tytso@....edu,
        ard.biesheuvel@...aro.org, josef@...icpanda.com, hch@...radead.org,
        clm@...com, adilger.kernel@...ger.ca, viro@...iv.linux.org.uk,
        jack@...e.com, dsterba@...e.com, jaegeuk@...nel.org, jk@...abs.org
Cc:     reiserfs-devel@...r.kernel.org, linux-efi@...r.kernel.org,
        devel@...ts.orangefs.org, linux-kernel@...r.kernel.org,
        linux-f2fs-devel@...ts.sourceforge.net, linux-xfs@...r.kernel.org,
        linux-mm@...ck.org, linux-nilfs@...r.kernel.org,
        linux-mtd@...ts.infradead.org, ocfs2-devel@....oracle.com,
        linux-fsdevel@...r.kernel.org, linux-ext4@...r.kernel.org,
        linux-btrfs@...r.kernel.org
Subject: Re: [PATCH v6 0/4] vfs: make immutable files actually immutable

On 28/06/2019 21:34, Darrick J. Wong wrote:
> Hi all,
> 
> The chattr(1) manpage has this to say about the immutable bit that
> system administrators can set on files:
> 
> "A file with the 'i' attribute cannot be modified: it cannot be deleted
> or renamed, no link can be created to this file, most of the file's
> metadata can not be modified, and the file can not be opened in write
> mode."
> 
> Given the clause about how the file 'cannot be modified', it is
> surprising that programs holding writable file descriptors can continue
> to write to and truncate files after the immutable flag has been set,
> but they cannot call other things such as utimes, fallocate, unlink,
> link, setxattr, or reflink.
> 
> Since the immutable flag is only settable by administrators, resolve
> this inconsistent behavior in favor of the documented behavior -- once
> the flag is set, the file cannot be modified, period.  We presume that
> administrators must be trusted to know what they're doing, and that
> cutting off programs with writable fds will probably break them.
> 

This effort sounds very logical to me and sound. But are we allowed to
do it? IE: Is it not breaking ABI. I do agree previous ABI was evil but
are we allowed to break it?

I would not mind breaking it if %99.99 of the time the immutable bit
was actually set manually by a human administrator. But what if there
are automated systems that set it relying on the current behaviour?

For example I have a very distant and vague recollection of a massive
camera capture system, that was DMAing directly to file (splice). And setting
the immutable bit right away on start. Then once the capture is done
(capture file recycled) the file becomes immutable. Such program is now
broken. Who's fault is it?

I'm totally not sure and maybe you are right. But have you made a
survey of the majority of immutable uses, and are positive that
the guys are not broken after this change?

For me this is kind of scary. Yes I am known to be a SW coward ;-)

Thanks
Boaz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ