From: Theodore Ts'o <tytso@mit.edu>
To: Colin Walters <walters@verbum.org>
Cc: Linux-Fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: immutable files via O_OBJECT
Date: Fri, 9 May 2014 10:32:45 -0400
Message-ID: <20140509143245.GA15523@thunk.org>
In-Reply-To: <1399630462.17314.3@mail.messagingengine.com>

On Fri, May 09, 2014 at 10:10:22AM +0000, Colin Walters wrote:
>
> And the more I thought about it, the more I realized what would be neat is a
> new open flag "O_OBJECT". What this would do is disallow any further changes
> to content after the file has been close()d or so.

What are the security properties that this would buy you over simply
doing something like this?

	fchmod(fd, 0444);

Sure, root (or the owner) could always change the
permissions on the file --- but root can always modify the file by
opening the block device directly using a tool like debugfs. So if
you need to guarantee that the object hasn't changed, you're going to
have to use a cryptographic checksum, such as what git does.

I suppose the one benefit is that you could have a file which is owned
by some uid other than root, and still have some form of immutability
guarantees, which might be useful if you need the uid for (a) quota
purposes, (b) setuid/setgid purposes, and (c) so that a non-root user
can create one of these objects.

But in order to do this, we would have to plumb through glibc, VFS,
and low-level file system changes for a non-portable feature that
would only be useful in Linux systems. Is it really worth it?

						- Ted
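
Added example, not part of the original message or of any project's code: it seals a file with fchmod(fd, 0444), shows that the owner can lift the seal, change the content and restore the mode, and that only a recorded content digest notices. The digest is git's blob object id (SHA-1 over a "blob <len>\0" header plus the content); the file name, the sample content and the helper names are constructed for illustration.

```python
import hashlib
import os
import tempfile


def git_blob_id(data: bytes) -> str:
    """Object id git gives a blob: SHA-1 over b'blob <len>\\0' + content."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()


def file_id(path: str) -> str:
    with open(path, "rb") as f:
        return git_blob_id(f.read())


def demo() -> dict:
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "object")  # constructed sample file
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        os.write(fd, b"hello\n")
        os.fchmod(fd, 0o444)  # the "seal" from the message
        os.close(fd)
        recorded = file_id(path)  # assumed to be stored out of the writer's reach
        out["sealed_mode"] = os.stat(path).st_mode & 0o777

        # A plain write-open is refused for an unprivileged owner; root
        # bypasses the mode bits, so this is recorded but not relied on.
        try:
            os.close(os.open(path, os.O_WRONLY))
            out["write_open_refused"] = False
        except PermissionError:
            out["write_open_refused"] = True

        # The owner can lift the seal, change the content and restore it.
        os.chmod(path, 0o644)
        with open(path, "ab") as f:
            f.write(b"changed\n")
        os.chmod(path, 0o444)
        out["mode_after_change"] = os.stat(path).st_mode & 0o777
        out["digest_matches"] = file_id(path) == recorded
    return out


if __name__ == "__main__":
    print(demo())
```

The mode reads 0444 both before and after the change, so a check on permissions alone passes while the digest comparison fails.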