From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1NLHOS-0005EK-TW
	for qemu-devel@nongnu.org; Thu, 17 Dec 2009 09:31:52 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1NLHOL-00059t-Sb
	for qemu-devel@nongnu.org; Thu, 17 Dec 2009 09:31:49 -0500
Received: from [199.232.76.173] (port=49853 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1NLHOL-00059q-NV
	for qemu-devel@nongnu.org; Thu, 17 Dec 2009 09:31:45 -0500
Received: from mx1.redhat.com ([209.132.183.28]:12774)
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <armbru@redhat.com>) id 1NLHOL-0003tU-AF
	for qemu-devel@nongnu.org; Thu, 17 Dec 2009 09:31:45 -0500
From: Markus Armbruster <armbru@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] A different way to ask for readonly drive
References: <4B263F0B.90408@redhat.com> <4B265F7D.1010109@mail.berlios.de>
	<20091215184501.GB21298@shareable.org> <20091217105004.GA17205@lst.de>
	<20091217131635.GA24967@shareable.org>
Date: Thu, 17 Dec 2009 15:31:39 +0100
In-Reply-To: <20091217131635.GA24967@shareable.org> (Jamie Lokier's message of
	"Thu, 17 Dec 2009 13:16:35 +0000")
Message-ID: <m3tyvppt84.fsf@crossbow.pond.sub.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Jamie Lokier <jamie@shareable.org>
Cc: Naphtali Sprei <nsprei@redhat.com>, Christoph Hellwig <hch@lst.de>, qemu-devel@nongnu.org

Jamie Lokier <jamie@shareable.org> writes:

> Christoph Hellwig wrote:
>> On Tue, Dec 15, 2009 at 06:45:01PM +0000, Jamie Lokier wrote:
>> > access=rw
>> > access=ro
>> > access=auto  (default)
>> 
>> Yes, that sounds like the least clumsy one.  I still think the current
>> implementation is a very bad default, though.
>
> Without agreeing or disagreeing over whether it's a bad default :), a
> usability problem occurs with the current implementation when you
> deliberately "chmod 444" an image to have high confidence that it's
> opened read only: When running as root, file permissions are ignored
> (except sometimes on NFS).
>
> For that reason I use "chattr +i" on all my read-only image files, to
> really make sure that no qemu invocation mistake could accidentally
> corrupt valuable images.  That works, but it's not very convenient.
>
> If the "auto" method is kept, I think it would be an improvement if it
> checks the file permission itself, and does not even try to open a
> file O_RDWR if there are no writable permission bits - so that "chmod
> 444" has the same "open as read only" effect when qemu is invoked as root.

"Improving" on the kernel's permission checking easily ends in tears.

And if we change the the current "auto" behavior in incompatible ways
anyway, then my preferred change would be to just drop it.