Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932425Ab2EKQqR (ORCPT ); Fri, 11 May 2012 12:46:17 -0400 Received: from li9-11.members.linode.com ([67.18.176.11]:34088 "EHLO test.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755115Ab2EKQqO (ORCPT ); Fri, 11 May 2012 12:46:14 -0400 Date: Fri, 11 May 2012 12:46:05 -0400 From: "Ted Ts'o" To: Rob Landley Cc: Ludwig Nussel , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Jan Kara , Andrew Morton , Andreas Dilger , "open list:EXT2 FILE SYSTEM" , "open list:DOCUMENTATION" Subject: Re: [PATCH RESEND] implement uid and gid mount options for ext2, ext3 and ext4 Message-ID: <20120511164605.GC6467@thunk.org> Mail-Followup-To: Ted Ts'o , Rob Landley , Ludwig Nussel , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Jan Kara , Andrew Morton , Andreas Dilger , "open list:EXT2 FILE SYSTEM" , "open list:DOCUMENTATION" References: <1336660924-9598-1-git-send-email-ludwig.nussel@suse.de> <20120511034945.GA15892@mobil.systemanalysen.net> <4FAD2161.3090108@landley.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4FAD2161.3090108@landley.net> User-Agent: Mutt/1.5.20 (2009-06-14) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on test.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1936 Lines: 37 On Fri, May 11, 2012 at 09:25:37AM -0500, Rob Landley wrote: > Well it's certainly a point of view. Luckily, FAT already _has_ the > workaround we're discussing. The objections were mainly "can't the VFS > do this for us?" and the answer, upon closer inspection, turned out to > be "not easily, no, the VFS takes option flags instead of parsing string > options so doesn't have some necessary infrastructure". The only reasonable use case I can imagine for this feature is one where someone wants to use a removable storage device (which could be a USB thumb drive to a USB HDD to a SSD in a USB 3.0 enclosure) as an interchange device between Unix systems which do not have compatible uid/gid spaces. So perhaps the right approach is that we should have an ext2/3/4 read-only feature flag which enforces a default of nosuid and all files to be read-only and world-readable. There would be mount options which could modify this default behaviour so that the files could be writeable by a particular uid or gid, and another mount option which would change the permission bits seen for that file system from 0755/0644 for directories/files to 0700/0600. Basically, the idea is we should mark the file system in an explicit way that it is intended for interchange across incompatible uid/gid spaces, with defaults which minimize security risk. The fact that all files become world-readable is potentially a risk, but if the user is willing to put their private files on a removeable media that could easily be dropped in a parking lot, or otherwise stolen or lost, that's a potential risk that they've implicitly accepted in any case; we might as well make it be explicit. - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/