From: Trond Myklebust <trond.myklebust@fys.uio.no>
To: cluster-devel.redhat.com
Subject: [Cluster-devel] Re: [fuse-devel] [PATCH 01/25] VFS: move attr_kill logic from notify_change into helper function
Date: Mon, 06 Aug 2007 17:23:39 -0400 [thread overview]
Message-ID: <1186435419.6616.136.camel@localhost> (raw)
In-Reply-To: <E1II8Nw-0005XH-00@dorka.pomaz.szeredi.hu>
On Mon, 2007-08-06 at 21:37 +0200, Miklos Szeredi wrote:
> > > Your patch is changing the API in a very unsafe way, since there will
> > > be no error or warning on an unconverted fs. And that could lead to
> > > security holes.
> > >
> > > If we would rename the setattr method to setattr_new as well as
> > > changing its behavior, that would be fine. But I guess we do not
> > > want to do that.
> >
> > Which "unconverted fses"? If we're talking out of tree stuff, then too
> > bad: it is _their_ responsibility to keep up with kernel changes.
>
> It is usually a good idea to not change the semantics of an API in a
> backward incompatible way without changing the syntax as well.
We're taking two setattr flags ATTR_KILL_SGID, and ATTR_KILL_SUID which
have existed for several years in the VFS, and making them visible to
the filesystems. Out-of-tree filesystems that care can check for them in
a completely backward compatible way: you don't even need to add a
#define.
> This is true regardless of whether we care about out-of-tree code or
> not (and we should care to some degree). And especially true if the
> change in question is security sensitive.
It is not true "regardless": the in-tree code is being converted.
Out-of-tree code is the only "problem" here, and their only problem is
that they may have to add support for the new flags if they also support
suid/sgid mode bits.
Are you advocating reserving a new filesystem bit every time we need to
add an attribute flag?
Trond
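The mechanism the two of them are arguing about, as an added user-space model (this is not kernel code and not part of the patch series; the flag values, the `attr_kill_to_mode` helper name and the two toy `setattr` implementations are assumptions chosen only to mirror the shape of the kernel's `struct iattr` handling). It shows what ATTR_KILL_SUID/ATTR_KILL_SGID mean, how a filesystem that honours them strips the bits on write, and what happens when an unconverted filesystem that only understands ATTR_MODE is handed the flags directly: the setuid/setgid bits survive the write, which is the failure mode Miklos describes.

```c
/* Added example: user-space model of the VFS attr_kill logic discussed in the
 * thread. Not kernel code; names and flag values below are assumptions. */
#include <stdio.h>
#include <sys/stat.h>   /* S_ISUID, S_ISGID, S_IXGRP */

/* Assumed flag values: only their distinctness matters for this model. */
#define ATTR_MODE       (1u << 0)
#define ATTR_KILL_SUID  (1u << 11)
#define ATTR_KILL_SGID  (1u << 12)

struct inode { unsigned int i_mode; };
struct iattr { unsigned int ia_valid; unsigned int ia_mode; };

/* Model of the helper split out of notify_change(): translate the KILL flags
 * into an explicit ATTR_MODE change against the inode's current mode. */
static void attr_kill_to_mode(const struct inode *inode, struct iattr *attr)
{
    unsigned int mode = inode->i_mode;

    if (attr->ia_valid & ATTR_KILL_SUID) {
        attr->ia_valid &= ~ATTR_KILL_SUID;
        if (mode & S_ISUID) {
            attr->ia_valid |= ATTR_MODE;
            attr->ia_mode = mode & ~S_ISUID;
        }
    }
    if (attr->ia_valid & ATTR_KILL_SGID) {
        attr->ia_valid &= ~ATTR_KILL_SGID;
        /* S_ISGID without S_IXGRP is not a setgid-on-exec bit; leave it. */
        if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
            if (!(attr->ia_valid & ATTR_MODE)) {
                attr->ia_valid |= ATTR_MODE;
                attr->ia_mode = mode;
            }
            attr->ia_mode &= ~S_ISGID;
        }
    }
}

/* A converted filesystem: it handles the KILL flags itself. */
static int converted_setattr(struct inode *inode, struct iattr *attr)
{
    attr_kill_to_mode(inode, attr);
    if (attr->ia_valid & ATTR_MODE)
        inode->i_mode = attr->ia_mode;
    return 0;
}

/* An unconverted filesystem: it only knows ATTR_MODE and silently ignores
 * flags it was never taught about. It compiles and runs without any warning. */
static int unconverted_setattr(struct inode *inode, struct iattr *attr)
{
    if (attr->ia_valid & ATTR_MODE)
        inode->i_mode = attr->ia_mode;
    return 0;
}

typedef int (*setattr_fn)(struct inode *, struct iattr *);

/* Model of the write path once the VFS passes the KILL flags straight to
 * ->setattr instead of rewriting them into ATTR_MODE first. Returns the
 * inode mode after an unprivileged write to a file with start_mode. */
static unsigned int mode_after_write(unsigned int start_mode, setattr_fn setattr)
{
    struct inode inode = { .i_mode = start_mode };
    struct iattr attr = { .ia_valid = ATTR_KILL_SUID | ATTR_KILL_SGID, .ia_mode = 0 };

    setattr(&inode, &attr);
    return inode.i_mode;
}

int main(void)
{
    unsigned int start = S_ISUID | S_ISGID | 0755;

    printf("start        %04o\n", start);
    printf("converted    %04o\n", mode_after_write(start, converted_setattr));
    printf("unconverted  %04o\n", mode_after_write(start, unconverted_setattr));
    return 0;
}
```

The third case in the test below (S_ISGID set but group-execute clear) is the edge the helper deliberately preserves: that combination is not a setgid executable, so the bit is left alone rather than stripped.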
Thread overview (26+ messages):
2007-08-06 13:54 [PATCH 01/25] VFS: move attr_kill logic from notify_change into helper function  Jeff Layton
2007-08-06 17:43 ` Miklos Szeredi
2007-08-06 18:13 ` Jeff Layton
2007-08-06 18:28 ` Miklos Szeredi
2007-08-06 19:04 ` Trond Myklebust
2007-08-06 19:37 ` Miklos Szeredi
2007-08-06 21:23 ` Trond Myklebust [this message]
2007-08-07 06:00 ` Miklos Szeredi
2007-08-07 10:05 ` Miklos Szeredi
2007-08-07 10:21 ` Miklos Szeredi
2007-08-07 11:27 ` Jeff Layton
2007-08-07 11:53 ` Miklos Szeredi
2007-08-07 20:51 ` Christoph Hellwig
2007-08-07 22:20 ` Jeff Layton