On Mon, Aug 04, 2003 at 09:00:53PM +0400, Hans Reiser wrote:
> If you want hard linked directories, send us a patch for v4. Should be
> VERY easy to write. If there is some reason it is not simple, let me
> know. Discuss it with Vitaly though, it might affect fsck.
I don't recommend it but if you do make sure those links can
only be made by root.
SVR3 and earlier allowed manual hardlinking of directories
by root only. They were a real source of problems. It
also confused the dickens out of fsck so it would have to be
restricted or allowed by the filesystem code, not the VFS
layer. I remember playing with it and it was a guarantee
that fsck would have to be run manually.
$mkdir A
$mkdir B
$mkdir C
$mkdir A/A1
$ln A/A1 B/B1
$ln A/A1 C/C1
$rmdir A/A1
Assuming we can do this. A1 is an empty directory after all.
Now B1 has a link count of 1, but i'll assume that is OK
$rmdir A
It is after all empty even though the link count is 3.
$cd B/B1
$/bin/pwd
cannot stat .
Remember B/B1/.. is it A with a nlinks==1
$cd ..
Now where are you? It used to be called A but now it has no
normal path but can be reached through B/B1/.. It still has
.. so what directory is it linked to that doesn't have an
entry pointing back to it.
Lets some fun with it.
$mkdir A2
Ah, now we have a directory the path to which is B/B1/../A2
We can hide all sorts of stuff here and find will never see
it. It won't get backed up but maybe that doesn't matter.
What a lovely way to hide a rootkit.
If on the other hand you removed A/A1/.. when removing A/A1
you have a B/B1 and C/C1 without ..
Now umount the filesystem and run fsck. B/B1 and C/C1 each
refer to the same directory with no .. or a .. that points
to a third directory with nlinks==1 and no directory entries
except a ..
You can put in a slew of logic to reduce the risks somewhat.
Things like only allowing rmdir somedir when
somedir->nlinks <= 2 || somedir/.. != .
but that still leaves the issue of where .. is linked and
the potential to bypass parent directory based access
controls such as Linus likes in a way that the admin will
have a hard time identifying.
The issues on a filesystem where .. is simulated would i
imagine be different.
-- ________________________________________________________________ J.W. Schultz Pegasystems Technologies email address: jw@pegasys.wsRemember Cernan and Schmitt - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Aug 07 2003 - 22:00:27 EST