Date: Thu, 17 Dec 2009 13:16:35 +0000
From: Jamie Lokier
Subject: Re: [Qemu-devel] [PATCH] A different way to ask for readonly drive
Message-ID: <20091217131635.GA24967@shareable.org>
References: <4B263F0B.90408@redhat.com> <4B265F7D.1010109@mail.berlios.de> <20091215184501.GB21298@shareable.org> <20091217105004.GA17205@lst.de>
In-Reply-To: <20091217105004.GA17205@lst.de>
List-Id: qemu-devel.nongnu.org
To: Christoph Hellwig
Cc: Naphtali Sprei, qemu-devel@nongnu.org

Christoph Hellwig wrote:
> On Tue, Dec 15, 2009 at 06:45:01PM +0000, Jamie Lokier wrote:
> > access=rw
> > access=ro
> > access=auto (default)
>
> Yes, that sounds like the least clumsy one.  I still think the current
> implementation is a very bad default, though.

Without agreeing or disagreeing over whether it's a bad default :), a
usability problem occurs with the current implementation when you
deliberately "chmod 444" an image to have high confidence that it's
opened read only: When running as root, file permissions are ignored
(except sometimes on NFS).

For that reason I use "chattr +i" on all my read-only image files, to
really make sure that no qemu invocation mistake could accidentally
corrupt valuable images.  That works, but it's not very convenient.

If the "auto" method is kept, I think it would be an improvement if it
checks the file permission itself, and does not even try to open a
file O_RDWR if there are no writable permission bits - so that
"chmod 444" has the same "open as read only" effect when qemu is
invoked as root.

-- 
Jamie
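
One way to implement the check suggested in the message above, as an added example (not QEMU code and not part of the original message). The function name `open_image_auto` is hypothetical; it reads the mode bits with `fstat()` on an already-open descriptor so that the bits inspected belong to the file actually opened.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: "auto" access that honours the mode bits even for
 * root. Returns an fd and sets *read_only, or returns -1 with errno set. */
int open_image_auto(const char *path, int *read_only)
{
    struct stat st, st2;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    *read_only = 1;
    /* No write bit for anyone: never attempt O_RDWR, so "chmod 444"
     * means read-only even when the kernel would let root write. */
    if ((st.st_mode & (S_IWUSR | S_IWGRP | S_IWOTH)) == 0)
        return fd;
    int rw = open(path, O_RDWR);
    if (rw < 0)
        return fd;              /* EACCES, EROFS, ...: stay read-only */
    /* Accept the writable fd only if it is the file that was checked. */
    if (fstat(rw, &st2) == 0 && st2.st_dev == st.st_dev &&
        st2.st_ino == st.st_ino) {
        close(fd);
        *read_only = 0;
        return rw;
    }
    close(rw);                  /* path was swapped between the two opens */
    return fd;
}

int main(int argc, char **argv)
{
    int ro;
    if (argc != 2) {
        fprintf(stderr, "usage: %s IMAGE\n", argv[0]);
        return EXIT_FAILURE;
    }
    int fd = open_image_auto(argv[1], &ro);
    if (fd < 0) { perror(argv[1]); return EXIT_FAILURE; }
    printf("%s opened %s\n", argv[1], ro ? "read-only" : "read-write");
    close(fd);
    return EXIT_SUCCESS;
}
```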