Re: PATCH - ext2fs privacy (i.e. secure deletion) patch

[Bill Davidsen <davidsen@tmr.com>]

Valdis.Kletnieks@vt.edu wrote:
> On Wed, 04 Feb 2004 12:05:07 EST, Bill Davidsen said:
> 
> 
>>It would be useful to have this as a directory option, so that all files 
>>in directory would be protected. I think wherever you do it you have to 
>>prevent hard links, so that unlink really removes the data.
> 
> 
> This of course implies that 'chattr +s' (or whatever it was) has to fail
> if the link count isn't exactly one.

Do you disagree that the count does need to be one?

>                                       Also makes for lots of uglyiness
> if it's a directory option - you then have to walk all the entries in the
> directory and check *their* link counts.  Bad Juju doing it in the kernel
> if you have a directory with a million entries - and racy as hell if you
> do it in userspace.

I agree with everything you said, "useful" doesn't always map to "easy." 
But if you agree that the count needs to be one on files, then you could 
also fail if you tried to add it to a directory which was not empty.

In case I didn't make it clear, the use I was considering was to create 
a single directory in which created files would really go away when 
deleted. I hadn't considered doing it after files were present, what you 
say about overhead is clearly an issue. I think I could even envision 
some bizarre race conditions if the kernel had to do marking of each 
file, so perhaps it's impractical.

But what happens when the 'setgid' bit is put on a directory? At least 
in 2.4 existing files do NOT get the group set, only files newly 
created. So unless someone feels that's a bug which needs immediate 
fixing, I can point to it as a model by which the feature could be 
practically implemented.

Comment?


-- 
bill davidsen <davidsen@tmr.com>
   CTO TMR Associates, Inc
   Doing interesting things with small computers since 1979