Date: Sat, 12 Mar 2016 02:19:45 -0500
From: "Theodore Ts'o"
To: Linus Torvalds
Cc: Dave Chinner, Andy Lutomirski, One Thousand Gnomes, Ric Wheeler, Gregory Farnum, "Martin K. Petersen", Christoph Hellwig, "Darrick J. Wong", Jens Axboe, Andrew Morton, Linux API, Linux Kernel Mailing List, shane.seymour@hpe.com, Bruce Fields, linux-fsdevel, Jeff Layton, Eric Sandeen
Subject: Re: [PATCH 2/2] block: create ioctl to discard-or-zeroout a range of blocks
Message-ID: <20160312071945.GA3419@thunk.org>

On Fri, Mar 11, 2016 at 04:44:16PM -0800, Linus Torvalds wrote:
> On Fri, Mar 11, 2016 at 4:35 PM, Theodore Ts'o wrote:
> >
> > At the end of the day it's about whether you trust the userspace
> > program or not.
>
> There's a big difference between "give the user rope", and "tie the
> rope in a noose and put a banana peel so that the user might stumble
> into the rope and hang himself", though.

So let's see. The user application has to explicitly request
NO_HIDE_STALE via a fallocate flag --- so it requires changing the
source code and recompiling the application. And then, the system
administrator has to pass in a mount option specifying a group that
the application has to run under. And then the application has to run
setgid with that group's privileges.

I hardly think that can be considered handing the user a pre-tied
noose. Sure, the application can do something stupid --- but I'd argue
giving root to some junior sysadmin is far more likely to cause
problems.

Cheers,

- Ted
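The three gates Ted lists (flag requested by the application, group named in a mount option by the administrator, caller actually running with that group) can be written down as one decision function. The block below is an added illustration, not code from the patch under discussion or from any kernel tree: the mount-option name `stale_gid`, the function names and the sample group list are assumptions chosen for the example, and the check runs entirely in userspace against values handed to it rather than against a real fallocate() call.

```c
/* Added example: a userspace model of the gating Ted describes for
 * NO_HIDE_STALE. Option name "stale_gid", the function names and the
 * sample data are assumptions for illustration, not the patch's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define NO_GID ((gid_t)-1)   /* "administrator never enabled the feature" */

/* What the filesystem should do with an allocation request. */
enum stale_decision {
    ZERO_ON_READ,   /* flag not requested: ordinary fallocate semantics */
    EXPOSE_STALE,   /* all three gates passed: stale blocks may be exposed */
    DENY_EPERM      /* flag requested but caller is not entitled to it */
};

/* Parse a comma-separated mount option string for "stale_gid=<n>"
 * (hypothetical option name). Returns NO_GID when absent or malformed,
 * so a typo in the option fails closed rather than open. */
gid_t parse_stale_gid(const char *opts)
{
    const char *p = opts;
    while (p && *p) {
        if (strncmp(p, "stale_gid=", 10) == 0) {
            char *end;
            unsigned long v = strtoul(p + 10, &end, 10);
            if (end == p + 10 || (*end != '\0' && *end != ','))
                return NO_GID;
            return (gid_t)v;
        }
        p = strchr(p, ',');
        if (p)
            p++;
    }
    return NO_GID;
}

/* Is gid the caller's effective group or one of its supplementary groups?
 * This is the userspace analogue of the in-kernel group membership test. */
bool holds_group(gid_t gid, gid_t egid, const gid_t *groups, size_t ngroups)
{
    if (gid == egid)
        return true;
    for (size_t i = 0; i < ngroups; i++)
        if (groups[i] == gid)
            return true;
    return false;
}

/* The gating decision: the request must carry the flag, the filesystem
 * must have been mounted with a stale_gid, and the caller must be in it. */
enum stale_decision decide_no_hide_stale(bool flag_requested,
                                         const char *mount_opts, gid_t egid,
                                         const gid_t *groups, size_t ngroups)
{
    if (!flag_requested)
        return ZERO_ON_READ;
    gid_t allowed = parse_stale_gid(mount_opts);
    if (allowed == NO_GID)
        return DENY_EPERM;
    return holds_group(allowed, egid, groups, ngroups) ? EXPOSE_STALE
                                                       : DENY_EPERM;
}

/* Constructed sample: a process with supplementary groups 100 and 1234. */
static const gid_t sample_groups[] = { 100, 1234 };
#define SAMPLE_NGROUPS (sizeof sample_groups / sizeof sample_groups[0])

int main(void)
{
    static const char *names[] = { "ZERO_ON_READ", "EXPOSE_STALE", "DENY_EPERM" };
    printf("flag + stale_gid=1234 + member  -> %s\n",
           names[decide_no_hide_stale(true, "data=ordered,stale_gid=1234",
                                      1000, sample_groups, SAMPLE_NGROUPS)]);
    printf("flag + no mount option          -> %s\n",
           names[decide_no_hide_stale(true, "noatime", 1234,
                                      sample_groups, SAMPLE_NGROUPS)]);
    printf("no flag                         -> %s\n",
           names[decide_no_hide_stale(false, "stale_gid=1234", 1000,
                                      sample_groups, 0)]);
    return 0;
}
```

The point the model makes visible is that each gate is independent: removing any one of them (an unset mount option, a process that dropped the group, a binary built without the flag) falls back to the safe zero-on-read path or to a refusal, never to exposing stale data.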