From: "Theodore Tso" <tytso@mit.edu>
To: Christoph Hellwig <hch@infradead.org>
Cc: Cyber_black <Cyberblackk@proton.me>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
Mark Fasheh <mark@fasheh.com>,
linux-api@vger.kernel.org
Subject: Re: [RFC] fs/ioctl.c: FIBMAP requires CAP_SYS_RAWIO while FIEMAP exposes identical data unprivileged
Date: Mon, 18 May 2026 22:23:27 -0400 [thread overview]
Message-ID: <20260519022327.GA11894@macsyma-wired.lan> (raw)
In-Reply-To: <agqevS--YYBVW2Oz@infradead.org>
On Sun, May 17, 2026 at 10:08:13PM -0700, Christoph Hellwig wrote:
> On Fri, May 15, 2026 at 05:36:45PM +0000, Cyber_black wrote:
> > Option B) Add a capability check to ioctl_fiemap() to match FIBMAP.
> > This restores the intended restriction, at the cost of breaking
> > unprivileged use of FIEMAP (e.g. filefrag, btrfs tools, e2freefrag).
> > This option is a larger ABI impact and likely undesirable.
> >
> > The preferred fix is Option A, since FIEMAP has been available
> > unprivileged since 2008 with no reported security issues, and read
> > access to physical block layout is already implicitly available
> > through open() permission on the file.
>
> No, FIEMAP really should not be available unprivileged. So I think B is
> the right thing. Can you send a proper patch with a proper signoff?
>
I disagree. As I recall, we discussed whether or not FIEMAP needed to
be unprivileged many years ago, and it was a conscious choice not to
require root privs. I don't believe it is a security issue to allow
users to see the logical -> physical block mappings for inodes.
Users might misuse it, and we did have that issue many years ago when
cp attempted to use FIEMAP in a way way that it wasn't intended to be
used[1]. However, that was over 15 years ago.
[1] https://lwn.net/Articles/429345/
But just because an interface could be misued doesn't mean that we
should restrict it, IMHO.
- Ted
next prev parent reply other threads:[~2026-05-19 2:24 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <_fcorj7Aa0YnzUmrPnqdEbTjLqS6S7t84HKrzsswvKm71LC0uVmTD2cthCwpgeI-296unEpzPZYBNdFFDXjsQvZRtGfTaQlKmcRkiSI4wiQ=@proton.me>
2026-05-18 5:08 ` [RFC] fs/ioctl.c: FIBMAP requires CAP_SYS_RAWIO while FIEMAP exposes identical data unprivileged Christoph Hellwig
2026-05-18 16:20 ` Darrick J. Wong
2026-05-18 16:22 ` Andy Lutomirski
2026-05-19 3:31 ` Darrick J. Wong
2026-05-19 7:53 ` Andreas Dilger
2026-05-19 11:45 ` Christoph Hellwig
2026-05-19 20:51 ` Andy Lutomirski
2026-05-19 2:23 ` Theodore Tso [this message]
2026-05-19 11:42 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519022327.GA11894@macsyma-wired.lan \
--to=tytso@mit.edu \
--cc=Cyberblackk@proton.me \
--cc=hch@infradead.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=mark@fasheh.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox