Re: [PATCH v2 resend] vfs: new O_NODE open flag

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Jamie Lokier <jamie@shareable.org>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
	akpm@linux-foundation.org, viro@ZenIV.linux.org.uk,
	dhowells@redhat.com, hch@infradead.org, adilger@sun.com,
	mtk.manpages@gmail.com, torvalds@linux-foundation.org,
	drepper@gmail.com, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 resend] vfs: new O_NODE open flag
Date: Fri, 6 Nov 2009 01:40:20 +0000	[thread overview]
Message-ID: <20091106014020.GE21630@shareable.org> (raw)
In-Reply-To: <E1N64Ch-0003C6-Rn@pomaz-ex.szeredi.hu>

Miklos Szeredi wrote:
>   "A file descriptor opened with O_NODE | O_NOACCESS may be used to
>    re-open the same file later with increased permissions
>    (e.g. O_RDWR) if the access mode allows.  This is true even if the
>    permissions on the path leading up to the file would prevent it"

It isn't just "the path".

The same issues apply to a file which has been deleted.  Having been
passed a file handle from some other process, you are granted greater
access to a file which has no path at all and no other handles open to
it, which it's reasonable unix security tradition to assume can't be
done.

It's not quite the same issue as /proc/PID/fd.  Someone must have
explicitly used O_NODE, which means they intend for access to be
upgradable later; they won't be surprised by it happening.

But I still think the re-open access should be limited to whatever was
the original access mode, in the same way as has been discussed for
/proc/PID/fd.

So you'd use O_NODE|O_RDWR if you want someone to be able to re-open
the file itself later with O_RDWR acces.  Use O_NODE|O_RDONLY if you
want them to be only able to re-open the file itself with O_RDONLY
access.  That would limit O_NODE|O_NOACCESS to only being able to
re-open with O_NODE|O_NOACCESS again (because O_NOACCESS by itself
isn't allowed).

Is there any reason why O_NODE|O_RDWR cannot be used for that purpose?

> Why would the server need to know anything about that?  O_NODE is
> similar to a chdir() in this respect, and chdir doesn't have a handler
> either.

chdir() needs execute access.

Note we're a bit broken w.r.t. current POSIX regarding fchdir() and
execute-only directories.  It would be good to fix that.

However, it might be possible to craft a "non-pinning inode reference"
in a similar way to inotify.  Either by not referencing the inode
directly (like inotify), or by creating a weak reference method, which
would be more reliable on filesystems without stable inode numbers.

Actually a non-pinning inode reference would be handy for other things
too.  *Must resist temptation to implement O_NOPIN option for open
files generally ;-)*

> However, there's not all that much difference between the above and
> doing "stat()" on the mountpoint in a tight loop, except the former is
> a more reliable way to prevent unmounting.

Are you sure that stops unmounting?  Doesn't unmounting just sit in a
lock waitqueue somewhere like a regular rwlock writer, until it's time
comes?

-- Jamie

next prev parent reply	other threads:[~2009-11-06  1:40 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-11-05 11:23 [PATCH v2 resend] vfs: new O_NODE open flag Miklos Szeredi
2009-11-05 13:15 ` Alan Cox
2009-11-05 14:27   ` Miklos Szeredi
2009-11-05 14:50     ` Alan Cox
2009-11-05 15:24       ` Miklos Szeredi
2009-11-05 15:56         ` Alan Cox
2009-11-05 16:52           ` Miklos Szeredi
2009-11-05 18:25             ` Alan Cox
2009-11-06 11:10               ` Miklos Szeredi
2009-11-06  1:40         ` Jamie Lokier [this message]
2009-11-06 11:31           ` Miklos Szeredi
2009-11-06 14:17     ` Pavel Machek
2009-11-06 20:55       ` Eric W. Biederman
2009-11-07  7:49         ` Miklos Szeredi
2009-11-07 11:09           ` Eric W. Biederman
2009-11-07 11:31             ` Miklos Szeredi
2009-11-07 11:48               ` Eric W. Biederman
2009-11-08 17:01                 ` Pavel Machek
2009-11-16 11:50                   ` Miklos Szeredi
2009-11-07 17:58               ` Pavel Machek
2009-11-09  8:58         ` Pavel Machek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20091106014020.GE21630@shareable.org \
    --to=jamie@shareable.org \
    --cc=adilger@sun.com \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=dhowells@redhat.com \
    --cc=drepper@gmail.com \
    --cc=hch@infradead.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=miklos@szeredi.hu \
    --cc=mtk.manpages@gmail.com \
    --cc=torvalds@linux-foundation.org \
    --cc=viro@ZenIV.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).