Message-Id: <200406142158.i5ELwmQN029768@turing-police.cc.vt.edu>
To: Alexandre Oliva <aoliva@redhat.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] O_NOATIME support 
In-Reply-To: Your message of "Mon, 14 Jun 2004 18:12:59 -0300."
             <orpt81sv1g.fsf@free.redhat.lsd.ic.unicamp.br> 
From: Valdis.Kletnieks@vt.edu
References: <20040612011129.GD1967@flower.home.cesarb.net>
            <orpt81sv1g.fsf@free.redhat.lsd.ic.unicamp.br>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_1413467893P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Mon, 14 Jun 2004 17:58:48 -0400
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 2537
Lines: 57

--==_Exmh_1413467893P
Content-Type: text/plain; charset=us-ascii

On Mon, 14 Jun 2004 18:12:59 -0300, Alexandre Oliva said:

> IMHO it's a bad idea to enable the owner of the file to avoid changing
> the atime of their files.  I've heard more than once about the atime
> bit being used to as proof that a user had actually seen the contents
> of a file although s/he claimed s/he hadn't.  If it was root-only,
> atime could still be used for the same purpose, and would enable
> backups with tools that accessed the filesystem through the FS layer,
> as opposed to though the block layer, to keep such proof unchanged.

Of course, such "proof" is broken.  Consider that something so simple as a
'find . | xargs wc -l' will break that "proof" - as will any file manager that
looks at magic (anything from 'nautilus' to 'file' - if it uses /etc/magic or /
usr/share/file/magic or wherever your distro keeps it, you have a problem).

If you don't have O_NOATIME, it doesn't strengthen the "proof" any, because any
tool can look at the file and then call utime() to clean up behind itself.  Of
course, at that point the kernel still has to write that dirty inode back.....

If you want *proof* a given userid did/didn't open a file, do up a proper
set of audit trail hooks (keep in mind it will likely be even more intrusive
than the LSM hooks).

And trying to prove a connection from "file opened" to "contents displayed to
user" is challenging enough without a *proper* audit trail (one that can cross-correlate
open/read/write on the input and output file descriptors).  Figuring out
how to get from there to "user saw it" will likely require major work
(and, in fact, absent an auditable event generated by the user that proves
they read the information, almost impossible).

cd /usr/src/linux-2.6.6; find . -name '*.[ch]' | xargs cat

Let me know if you actually *see* anything. My laptop makes it through the first 200
*files* (comprising some 3168K) in 3.45 seconds or so. 


--==_Exmh_1413467893P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFAzh+XcC3lWbTT17ARApUhAKCSykf9/x9pGAb7YS5BS3eqVder0wCfbXNg
jznA5+ihfxbJ6y6ogk+mkmI=
=eNed
-----END PGP SIGNATURE-----

--==_Exmh_1413467893P--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/