Re: e2fsprogs: Richacl support

[Theodore Ts'o <tytso@mit.edu>]

On Sat, Oct 17, 2015 at 02:22:25AM +0200, Andreas Gruenbacher wrote:
> > Suppose we mounted a file system with richacl's on a kernel that
> > didn't understand it, and we write to from that non-richacl kernel.
> > What's the worse that could happen?
> 
> Two things are likely to happen. First, richacls will not be enforced;
> this can cause fewer or more permissions to be granted. Second, when
> files are created, permission inheritance will not take place, so when
> the filesystem is later used by a richacl aware kernel, permissions
> will be inconsistent.
> 
> > So why would this result in incompatible file systems?
> 
> The filesystems will not become incompatible in an e2fsck sense, but
> it will generally become unsafe to expose in a multi-user environment.
> So the question is what the different kinds of feature flags are
> supposed to protect from exactly.

Hmm.  So my original conception of the ext2/3/4 feature flags was more
about incompatibility from a e2fsck sense --- what I would call in a
metadata self-consistency sense.  I don't think we ever thought about
the failure of the inheritance to be an "inconsistency".  Perhaps it
would be considered such from a semantic point of view, but it's not
something we could ever check using e2fsck, since it's possible that
the user had intentionally removed the richacl from a file, even
though all of the other files in the directory have a richacl which
matches the default directory inheritance acl.

So the downside of using a feature flag (and it doesn't matter whether
it's an incompat or a read-only flag) is that it requires new versions
of e2fsprogs in order to be able to support the file system --- when
it really doesn't matter from an e2fsprogs support perspective.

One way of dealing with this is would be use a new mount option to
enable richacls (e.g., "richacl"), which older kernels would fail to
recognize and would thus fail the mount.  This works since the most
likely failure case is if the user boots into an older kernel.

This doesn't protect against the case where someone is using richacls
on a USB stick, and moves it over to another system --- but that seems
like a use case that's not very likely.  It also doesn't help against
someone using an old rescue cd-rom, but in that case, it's not clear
that it's hugely problematic, either -- someone using rescue media has
physical access to the machine, so access controls are generally not a
major concern, and they are also not likely to be making wholesale
changes to the file system where acl inheritance is going to be a
primary concern, either.

This is basically how we handled the POSIX acl situation for ext4 ---
we just required a mount option to enable it, originally and
eventually we defaulted the option to always on once it was highly
unlikely someone was going to be trying to install, say, a 2.6 kernel
on an enterprise userspace --- which was not likely to work at all.

What do you think?  If we really want to burn a feature flag, I'd
probably use a RO_INCOMPAT flag rather than an INCOMPAT flag, on the
theory that read-only mounts are much more often used for system
administration.  But it might be using a mount option is a better way
to go here.

Cheers,

							- Ted

P.S.  I can imagine adding new KERNEL_INCOMPAT and KERNEL_ROCOMPAT
feature set flags in the superblock which are ignored by e2fsprogs,
but only used by the kernel.  This might be helpful in the future, but
it won't help us now, since old kernels won't be checking them.

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs