Re: IMMUTABLE and APPEND-ONLY rationales

From: Derek Martin (derek@cerberus.ne.mediaone.net)
Date: Sun Jun 25 2000 - 06:58:50 EST


Today, David Ford gleaned this insight:

> Igmar Palsenberg wrote:
>
> > On Sat, 24 Jun 2000, Linda Walsh wrote:
> >
> > > I could see a reason to deny IMMUTABLE to a user -- root might want to
> > > freeze a user file as 'evidence' of something, but that is a stretch.

This doesn't really hold water... if the admin wanted to do that, the
solution is to make a copy of it owned by root and writable by no one.

> > Immutable means NOBODY can do anything bad with it, not even root. The
> > last thing I want is users setting immutable flags on my system.
>
> As root you are free to remove flags with chattr regardless of who set them.

Right.

> > > Other than that, why was setting IMMUTABLE and APPEND-ONLY made to be a
> > > privileged operation? I could see end users wanting to protect certain
> > > files with those modes.
> >
> > I don't. Use permissions.

I do... maybe your sysadmin team is particularly unresponsive when you
need a restore done... chattr-ing the file immutable affords a regular
user extra protection from himself (and in this case, the sysadmins too).

Generally speaking, if you're a user, you can't necessarily just get new
sysadmins that are more responsive... This usually takes MUCH more effort
than chattr-ing a file.

> Permissions don't stop root from deleting a file in one step slip-ups.
> Permissions don't stop dhcpcd from screwing with your /etc/resolv.conf
> (client that doesn't support the option for NOT messing with it) or similar
> situations.

These are also valid reasons.

> Linux doesn't support a wide enough ACL list to rely completely on UGO
> permissions.

This I DON'T agree with. I hear this argument a lot, in support of adding
extended ACLs to Linux. Generally I find Unix ACLs more than sufficient
for providing appropriate permissions to files. You may need to get
creative sometimes, but I haven't yet come across an access problem that
couldn't be solved by appropriate user/group ownership and permissions. I
don't think attributes should be used to augment ACLs, other than to
safeguard particularly important files, in the way we've mentioned here.

-- 
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin      |  Unix/Linux Geek
derekm@mediaone.net  |  derek@cerberus.ne.mediaone.net
------------------------------------------------------




This archive was generated by hypermail 2b29 : Mon Jun 26 2000 - 21:00:06 EST