Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp3998034pxf; Mon, 29 Mar 2021 18:11:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwHqTeN41klfZlsi01NqYJM5mdbwdhViKeBEzXhiFXnEfRrjacjxf+EcRwBrRF08EdsK+ys X-Received: by 2002:a17:906:8043:: with SMTP id x3mr30555369ejw.149.1617066663567; Mon, 29 Mar 2021 18:11:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617066663; cv=none; d=google.com; s=arc-20160816; b=d8n5lr/TugcU751FTkX4sM6TBiIr2c6UBR2mg7yfWUFVrEJWynN0a9sNZKqIfBRx4d V3wd/VXyqJ9H1M6IeNFs8GPhRM+8jrHpN4zlwW3ZwbEYCfi7+AxnvmBzMl7bLhpqwr4s GqLKhPsMGrfVXsJUF0oR0hM41hQYqrKoKpXcomNLRiog4qgDW8OfmlKnSlDVVSRPMlx4 9y4THcCtqLHnArnyDinCqMptUrOFOOJpLCIlG2DhRHrUHthzqYdThOCRT8hdadvIuYuN mVCBO6gpiNG0txL6EalcUr/Tf5t/3KpXSK8JIkmyIBidaDIKMDw5qrYKsIdhGNwGhdJa UTWg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=kSIncnUIR+uz2J6LLJjwUQMfH5dJo++Fsv23KJW0EII=; b=A9k45AWChEqR/A2agoQps3GQrxPQ4A77kMtHV09GrYaW774wYAQVp2Q6NcESUQQn6C hQjurA6PYtv+5B6B7c+B8OBJ0NSdW705SZiRd0ETQr7IRBKv0R0LwZ7ZXa6EzCg1GPib 9jSO9dI+TubUSTpzpSZoP+dK81rb1CRmGRqW1spp21XvER2vkAJXn6jQXzrNaSorH6J5 nh8pH9QigRUudHWctJnRLZzcGvmc+2ek5voAzubEwGkyczCQb+y9oD/Uznl1c6InKJly ZfQ3Z7crJOE+i+Des+vKqm528vk/f06ntF/IRv8XiSUK6YKPZKWq+/cHZPxDef00+10Q p2LQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bx3si14537886edb.594.2021.03.29.18.10.28; Mon, 29 Mar 2021 18:11:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230305AbhC3BHV (ORCPT + 99 others); Mon, 29 Mar 2021 21:07:21 -0400 Received: from outgoing-auth-1.mit.edu ([18.9.28.11]:51397 "EHLO outgoing.mit.edu" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S230298AbhC3BHR (ORCPT ); Mon, 29 Mar 2021 21:07:17 -0400 Received: from cwcc.thunk.org (pool-72-74-133-215.bstnma.fios.verizon.net [72.74.133.215]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 12U17Boq023364 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 29 Mar 2021 21:07:12 -0400 Received: by cwcc.thunk.org (Postfix, from userid 15806) id B942815C39CD; Mon, 29 Mar 2021 21:07:11 -0400 (EDT) Date: Mon, 29 Mar 2021 21:07:11 -0400 From: "Theodore Ts'o" To: Andreas Dilger Cc: Leah Rumancik , "Darrick J. Wong" , harshad shirwadkar , Ext4 Developers List Subject: Re: [PATCH 1/2] ext4: wipe filename upon file deletion Message-ID: References: <20210325181220.1118705-1-leah.rumancik@gmail.com> <20210327020823.GC22091@magnolia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Mon, Mar 29, 2021 at 01:05:55PM -0600, Andreas Dilger wrote: > >> I bet it wasn't done by design -- afaict all the recovery tools are > >> totally opportunistic in that /if/ they find something that looks like a > >> directory entry, /then/ it will pick that up. The names will eventually > >> get overwritten, so that's the best they can do. > >> > >> (I would also wager that people don't like opt-out for new behaviors > >> unless you're adding it as part of a new feature...) It certainly wasn't deliberate, and I'll note that we've already compromised recovery tools because of how deleted inodes were changed when we added journalling to ext3. Previously, we just zeroed i_links_count and then updated all of the block allocation bitmaps and block group descriptors' free block counts. But there's the possibility, especially for very big files, that all of the blocks that might need to be touched for a truncate might not fit in a single transaction. So we now handle the final iput of a deleted files by doing a journalled truncate, which means that all of the logical to physical mapping gets wiped after the delete is commited. You can see this if you execute the following series of commands: % mke2fs -F -q -t ext2 /tmp/foo.img 1G % sudo mount -o loop -t ext4 /tmp/foo.img /mnt % sudo cp /etc/motd /mnt/motd % sync % debugfs /tmp/foo.img -R 'stat <12>' % sudo rm /mnt/motd % sudo umount /mnt % debugfs /tmp/foo.img -R 'stat <12>' ... and compare the debugfs output before and after the file is deleted. Then try the same thing mounting with ext2 instead of ext4, with a kernel that has ext2 compiled in (as opposed to using ext4 in compatibility mode). This has been true ever since ext3 was released in 2001, and people have largely not noticed or complained. It would be possible to do better, if we wanted to better support the "Root Oops"[1] recovery case; we could do a two-pass scan over the file, determine how many block groups would need to be updated, and then try to open a handle with the requisite number of credits. If that succeeds, then we can skip zapping the extent tree or indirect blocks. Otherwise, we fall back to the current truncate code path. But it would slow down our performance of unlinks, and over the last two decades, as far as I know, no one has complained. I was the person who suggested using a mount option, but on reflection, given that we *already* pretty much make it impossible to recover the contents of a deleted file, do we really care about whether the file name can be recovered? Hence, I'm beginning to think that perhaps we shouldn't make it be a tunable at all. After all, zeroing the directory entry is not going to cause any kind of performance penalty, and if we add a mount option, it's one more thing mount option we need to support forever. If we really must make it be a tunable, a lighter weight to do this would be to assign a new EXT2_FLAGS_xxx bit in es->s_flags, and allow tune2fs to be able to adjust the field. But I think a strong case could be made that even that is overkill. Cheers, - Ted [1] A friend of mine back in my undergraduate days once took a scanned image of a Kellogs Froot Loops cereal box, and did some creative image editing to make it read "root oops", and replaced the text "Sweetened Multigrain Cereal" with "rm is forever". I should really ask her if she still has a copy of the image. :-)