Christoph Hellwig wrote:
On Tue, Nov 11, 2008 at 10:09:40AM +0000, Jamie Lokier wrote:
Christoph Hellwig wrote:
On Mon, Nov 10, 2008 at 04:58:17PM +0300, Pavel Shilovsky wrote:
#define O_DENYREAD 004000000 /* Do not permit read access */
#define O_DENYWRITE 010000000 /* Do not permit write access */
#define O_DENYDELETE 020000000 /* Do not permit delete or rename operations*/
(2) you also need to enforce these semantics in the VFS for local
filesystems
Now if (2) doesn't cause too much overhead I would say it's fine, if not
I would rather avoid it.
On the face of it, they look like they have similar denial-of-service
potential as mandatory locks. For example, a root process cleaning
out /tmp gets stuck because a user process has O_DENYDELETE set.
Oh, that's the part I forgot to mention in the previous mail, all of
these option of course can only be root only, everything else would
be - as you say - a complete security nightmare.
We suggest to switch on this flags with special options during mounting.
By default, it'll be switch off.
This solution deletes possibility of such situations, like in example.
Pavel Shilovsky.
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
