Message-ID: <20250102181243.h46z53riai3zvze5@pali>
Date: Thu, 2 Jan 2025 19:12:43 +0100
From: Pali Rohár <pali@...nel.org>
To: Chuck Lever <chuck.lever@...cle.com>
Cc: Jan Kara <jack@...e.cz>, linux-fsdevel@...r.kernel.org,
linux-cifs@...r.kernel.org, linux-kernel@...r.kernel.org,
Steve French <sfrench@...ba.org>,
Alexander Viro <viro@...iv.linux.org.uk>,
Christian Brauner <brauner@...nel.org>
Subject: Re: Immutable vs read-only for Windows compatibility

On Thursday 02 January 2025 10:52:51 Chuck Lever wrote:
> On 1/2/25 9:37 AM, Jan Kara wrote:
> > Hello!
> >
> > On Fri 27-12-24 13:15:08, Pali Rohár wrote:
> > > A few months ago I discussed with Steve that the Linux SMB client has some
> > > problems during removal of a directory which has the read-only attribute set.
> > >
> > > I was looking at what exactly the read-only Windows attribute means, how it
> > > is interpreted by Linux, and in my opinion it is wrongly used in Linux at
> > > all.
> > >
> > > The Windows filesystems NTFS and ReFS, also when exported over SMB, support
> > > two ways to present some file or directory as read-only. The first
> > > option is by setting ACL permissions (for particular or all users) to
> > > GENERIC_READ-only. The second option is by setting the read-only attribute.
> > > The second option is also available for (ex)FAT filesystems (the first option via
> > > ACL is not possible on (ex)FAT as it does not have ACLs).
> > >
> > > The first option (ACL) is basically the same as clearing all "w" bits in mode
> > > and ACL (if present) on Linux. It enforces security permission behavior.
> > > Note that if the parent directory grants the user the delete child
> > > permission then the file can be deleted. This behavior is the same for Linux
> > > and Windows (on Windows there is a separate ACL for delete child, on Linux
> > > it is part of the directory's write permission).
> > >
> > > The second option (Windows read-only attribute) means that the file/dir
> > > cannot be opened in write mode, its metadata attribute cannot be changed
> > > and the file/dir cannot be deleted at all. But anybody who has the
> > > WRITE_ATTRIBUTES ACL permission can clear this attribute and do whatever
> > > they want.
> >
> > I guess someone with more experience in how to fuse together Windows & Linux
> > permission semantics should chime in here but here are my thoughts.
> >
> > > Linux filesystems have a similar thing to the Windows read-only attribute
> > > (FILE_ATTRIBUTE_READONLY). It is the "immutable" bit (FS_IMMUTABLE_FL),
> > > which can be set by the "chattr" tool. It seems that the only difference
> > > between Windows read-only and Linux immutable is that on Linux only a
> > > process with CAP_LINUX_IMMUTABLE can set or clear this bit. On Windows
> > > it can be anybody who has write ACL.
> > >
> > > Now I'm thinking, how should the Windows read-only bit be interpreted by
> > > Linux filesystem drivers (FAT, exFAT, NTFS, SMB)? I see a few options:
> > >
> > > 0) Simply ignored. The disadvantage is that over a network fs, the user would not
> > > be able to modify or delete such a file, even as root.
> > >
> > > 1) Smartly ignored. Meaning that for a local fs, it is ignored and for a
> > > network fs it has to be cleared before any write/modify/delete
> > > operation.
> > >
> > > 2) Translated to Linux mode/ACL. So the user has some ability to see it
> > > or change it via chmod. The disadvantage is that it mixes ACL/mode.
> >
> > So this option looks sensible to me. We clear all write permissions in
> > file's mode / ACL. For reading that is fully compatible, for mode
> > modifications it gets a bit messy (probably I'd suggest to just clear
> > FILE_ATTRIBUTE_READONLY on modification) but kind of close.
>
> IMO Linux should store the Windows-specific attribute information but
> otherwise ignore it.

Ignoring an attribute which affects fs operations for network filesystems
is a problem. And the read-only attribute is such an example. If Linux network
fs drivers are going to ignore them, then "rm -f" would not work for
files with the read-only attribute set.

But attributes which do not affect fs operations, like "system",
"hidden", "archived", "offline", ... and whatever else is used, should
be ignored completely (well, what else could such attributes do if they do
not affect anything?).

> Modifying ACLs based seems like a road to despair.
> Plus there's no ACL representation for OFFLINE and some of the other
> items that we'd like to be able to support.

I mostly agree.

Just OFFLINE is not a permission which grants some access, right? So it
should not be in an ACL at all, which controls and grants/denies access.

> If I were king-for-a-day (tm) I would create a system xattr namespace
> just for these items, and provide a VFS/statx API for consumers like
> Samba, ksmbd, and knfsd to set and get these items. Each local
> filesystem can then implement storage with either the xattr or (eg,
> ntfs) can store them directly.
>
> Semantics like READONLY or IMMUTABLE might be provided in the VFS if
> we care to expose these semantics to POSIX consumers.

For me it sounds like a good idea to export these attributes as xattrs
in the system namespace.

Another "big" consumer of them can be Wine.
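
Added example, not part of the original message and not code from any Linux SMB client: a small C model of options 0 and 1 from the thread, using the semantics described above (delete is refused while the read-only attribute is set, and WRITE_ATTRIBUTES is enough to clear it). The `srv_*` and `client_*` names, the `RIGHT_*` bit values and the `-EPERM` return code are assumptions of the model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define FILE_ATTRIBUTE_READONLY 0x00000001u /* Windows attribute bit */
#define RIGHT_DELETE            0x1u        /* model-only ACL bits, */
#define RIGHT_WRITE_ATTRIBUTES  0x2u        /* not on-wire SMB values */

/* Constructed stand-in for one file on a Windows-semantics server. */
struct srv_file { uint32_t attrs, rights; int exists; };

/* Server: delete is refused while the read-only attribute is set. */
int srv_delete(struct srv_file *f)
{
    if (!(f->rights & RIGHT_DELETE)) return -EACCES;
    if (f->attrs & FILE_ATTRIBUTE_READONLY) return -EPERM; /* model's errno */
    f->exists = 0;
    return 0;
}

/* Server: changing attributes needs only WRITE_ATTRIBUTES. */
int srv_set_attrs(struct srv_file *f, uint32_t attrs)
{
    if (!(f->rights & RIGHT_WRITE_ATTRIBUTES)) return -EACCES;
    f->attrs = attrs;
    return 0;
}

/* Option 1 client: clear read-only, retry, restore it if delete fails. */
int client_unlink_smart(struct srv_file *f)
{
    uint32_t saved = f->attrs;
    int rc = srv_delete(f);
    if (rc != -EPERM)
        return rc;  /* success, or a failure the attribute did not cause */
    rc = srv_set_attrs(f, saved & ~FILE_ATTRIBUTE_READONLY);
    if (rc)
        return rc;  /* no WRITE_ATTRIBUTES: the attribute stays in force */
    rc = srv_delete(f);
    if (rc)
        srv_set_attrs(f, saved);  /* do not leave the file writable */
    return rc;
}

int main(void)
{
    struct srv_file f = { FILE_ATTRIBUTE_READONLY, RIGHT_DELETE | RIGHT_WRITE_ATTRIBUTES, 1 };
    printf("option 0 (ignore): %d\n", srv_delete(&f));
    printf("option 1 (smart):  %d\n", client_unlink_smart(&f));
    return 0;
}
```

In this model a caller without the delete right never gets the attribute cleared on its behalf, and a caller without WRITE_ATTRIBUTES cannot bypass the read-only attribute.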