Re: [PATCH 1/2] implement uid mount option for ext2

["John Stoffel" <john@stoffel.org>]

>>>>> "Andreas" == Andreas Dilger <adilger@sun.com> writes:

Andreas> On Jul 24, 2009  12:30 +0200, Ludwig Nussel wrote:
>> @@ -1353,7 +1356,13 @@ int ext2_write_inode(struct inode *inode, int do_sync)
>> 
>> ext2_get_inode_flags(ei);
raw_inode-> i_mode = cpu_to_le16(inode->i_mode);
>> +	if (EXT2_SB(sb)->s_uid &&
>> +	    inode->i_uid == EXT2_SB(sb)->s_uid) {
>> +		raw_inode->i_uid_high = 0;
>> +		raw_inode->i_uid_low  = 0;
>> +		raw_inode->i_gid_high = 0;
>> +		raw_inode->i_gid_low  = 0;

Andreas> I would suggest to also clear the SUID flag on this inode.
Andreas> Otherwise, it opens the risk of creating SUID root files that
Andreas> might be handled incorrectly.

Andreas> To be honest, rather than mapping the specified file to uid
Andreas> == 0/gid == 0 it would be more useful (and safe) to allow
Andreas> specifying a mapping from one UID to another, or have the
Andreas> on-disk UID always be set to/from the specified UID.  Given
Andreas> that your original problem is for the user having UIDX on
Andreas> system X and UIDY on system Y, you should just specify the
Andreas> X->Y mapping explicitly, instead of an implicit X->0 mapping.
Andreas> Otherwise, if the user is unable to access root-owned files
Andreas> on either one of system X or Y your current patch fails.

I didn't read the original email closely, but I have to say that both
of these plans don't sound good to me.  If you can mount a filesystem,
you're root already, so you can do any fixup you need.

If you're sharing the filesystem via a Network Filesystem, then you
have to have proper UIDs that match.

If you're moving a disks (USB, eSATA, whatever) between systems, then
I don't think *either* system should do anything automatically.  It's
too fraught with danger.  

Andreas> I would have the option be something like
Andreas> "uid={local_uid}={disk_uid}" (which hopefully the option
Andreas> parser can handle), or "uid=X:Y" if not.  That way, the
Andreas> on-disk filesystem will remain correct for at least one of
Andreas> the two systems.  If someone wants to specify disk_uid=0 that
Andreas> is fine, but it shouldn't be the only option.

So what happens when you have 1000 UIDs on a disk you want to re-map?
How does that happen?  Or if this option is just for a single UID
mapping, then it's seems to be just as easy to have a script you run
after mounting to fixup the disk.  

Or better yet, just match the UIDs, though I understand why this would
be a problem if you don't control one of the systems completely, or if
you're trying to move the disk between three or more systems and you
can't control two or more of them with conflicting UIDs.

But in that case, you're screwed anyway and it's going to become
un-manageable.  Push this to userspace, not the kernel since it's a
userspace issue when you come right down to it.

John