From: Neil Brown
Subject: Re: Atomic non-durable file write API
Date: Wed, 29 Dec 2010 09:35:38 +1100
Message-ID: <20101229093538.5a082e02@notabene.brown>
References: <20101224095105.GG12763@thunk.org> <20101226221016.GF2595@thunk.org> <4D18B106.4010308@ontolinux.com> <4D18E94C.3080908@ontolinux.com> <20101229075928.6bdafb08@notabene.brown>
Cc: Olaf van der Spek, Christian Stroetmann, linux-fsdevel, linux-ext4@vger.kernel.org, "Ted Ts'o", Nick Piggin
To: Greg Freemyer

On Tue, 28 Dec 2010 17:15:57 -0500 Greg Freemyer wrote:

> On Tue, Dec 28, 2010 at 5:06 PM, Olaf van der Spek wrote:
> > On Tue, Dec 28, 2010 at 11:00 PM, Greg Freemyer wrote:
> >> create temp file
> >> write out new data
> >> delete old file
> >> rename temp file to primary name
> >> ===
> >>
> >> If so there is still a little window of vulnerability where the whole
> >> file can be lost.  (Or at least only the temp file is present).
> >
> > Delete isn't used, rename will overwrite the old file. So it's safe.
> > Meta-data is probably lost, file owner is certainly lost.
> >
> > Olaf
>
> So ACLs are lost?
>
> That seems like a potentially bigger issue than losing the owner/group info.
>
> And I assume if the owner changes, then the new owner has privileges
> to modify ACLs he didn't have previously.
>
> So if I want to instigate a simple denial of service in a multi-user
> environment, I edit a few key docs that I have privileges to edit. By
> doing so I take ownership. As owner I change the permissions and
> ACLs so that no one but me can access them.
>
> Seems like a security hole to me.

Giving someone you don't trust uncontrolled write access to something you
value has always been a security issue - long before ACLs or editors or
computers.

NeilBrown
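The temp-file-plus-rename procedure quoted in the thread, and the metadata loss Olaf and Greg point out, can be demonstrated directly. The following is an added example, not code from the thread or from any of its participants: it performs the replacement the naive way (the new inode ends up with the writer's uid/gid, the temp file's 0600 mode and no extended attributes), then a second way that carries the original's permission bits, extended attributes (POSIX ACLs live in `system.posix_acl_access`) and, where the caller has the privilege, ownership over to the replacement. The `demo()` function, its 0640 sample mode and the file name `shared.conf` are constructed for the illustration; preserving the owner needs CAP_CHOWN, so that step reports failure rather than aborting.

```python
"""Atomic replace via temp file + rename(2), naive and metadata-preserving.

Added example for the thread's discussion; assumes a POSIX filesystem.
Owner preservation (fchown) needs CAP_CHOWN unless the caller already owns
the file, so it is attempted and reported, not treated as fatal.
"""
import os
import stat
import tempfile


def naive_atomic_replace(path, data):
    """Temp file + rename as sketched in the thread.

    The rename is atomic, but the replacement is a brand-new inode: it
    carries the writer's uid/gid, mkstemp's 0600 mode and no xattrs/ACLs.
    """
    dirname = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.rename(tmp, path)  # rename(2): readers see old or new, never partial
    except BaseException:
        os.unlink(tmp)
        raise


def preserving_atomic_replace(path, data):
    """Same rename scheme, but copies mode, xattrs and (if permitted) owner
    from the file being replaced before the rename makes the new inode live.
    Returns a list of metadata items that could not be preserved."""
    st = os.stat(path)
    dirname = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".tmp-")
    not_preserved = []
    try:
        with os.fdopen(fd, "wb") as f:
            # Permission bits: fchmod is not subject to the umask.
            os.fchmod(f.fileno(), stat.S_IMODE(st.st_mode))
            # Ownership: succeeds only as owner (same uid/gid) or with CAP_CHOWN.
            try:
                os.fchown(f.fileno(), st.st_uid, st.st_gid)
            except PermissionError as e:
                not_preserved.append(f"owner/group: {e}")
            # Extended attributes, including POSIX ACLs; Linux only, and a
            # filesystem without xattr support raises ENOTSUP on listxattr.
            if hasattr(os, "listxattr"):
                try:
                    for name in os.listxattr(path):
                        try:
                            os.setxattr(f.fileno(), name, os.getxattr(path, name))
                        except OSError as e:
                            not_preserved.append(f"xattr {name}: {e}")
                except OSError as e:
                    not_preserved.append(f"xattrs: {e}")
            f.write(data)
            f.flush()
            os.fsync(f.fileno())  # durability of the data before it is linked in
        os.rename(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return not_preserved


def demo():
    """Constructed scenario: a 0640 file replaced both ways.

    Returns (mode after naive replace, mode after preserving replace,
    final content) so the effect can be checked rather than just printed.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shared.conf")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"original\n")
        os.chmod(path, 0o640)

        naive_atomic_replace(path, b"edited once\n")
        naive_mode = stat.S_IMODE(os.stat(path).st_mode)  # group lost read

        os.chmod(path, 0o640)
        preserving_atomic_replace(path, b"edited twice\n")
        kept_mode = stat.S_IMODE(os.stat(path).st_mode)  # 0640 carried over

        with open(path, "rb") as f:
            content = f.read()
    return naive_mode, kept_mode, content


if __name__ == "__main__":
    naive, kept, body = demo()
    print(f"naive replace mode: {naive:04o}, preserving replace mode: {kept:04o}")
    print(body.decode())
```

The point the thread makes survives the second variant: an unprivileged editor can copy the mode and, as the file's owner, the ACL xattr, but it cannot hand ownership back to a different original owner, which is why the rename scheme changes the file's owner whenever someone other than the owner edits it.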