Re: PATCH - ext2fs privacy (i.e. secure deletion) patch

From: Theodore Ts'o
Date: Wed Feb 04 2004 - 22:37:27 EST


On Wed, Feb 04, 2004 at 12:14:18PM -0500, Valdis.Kletnieks@xxxxxx wrote:
> > It would be useful to have this as a directory option, so that all files
> > in directory would be protected. I think wherever you do it you have to
> > prevent hard links, so that unlink really removes the data.
>
> This of course implies that 'chattr +s' (or whatever it was) has to fail
> if the link count isn't exactly one. Also makes for lots of uglyiness
> if it's a directory option - you then have to walk all the entries in the
> directory and check *their* link counts. Bad Juju doing it in the kernel
> if you have a directory with a million entries - and racy as hell if you
> do it in userspace.

Disagree. Unless you also want to make it illegal to establish a hard
link if the +s option is set.

A easier set of semantics is that when the inode count drops to zero,
the inode is securely deleted, but that if there are hard links, there
are hard links. Basically the flag applies to inodes, and that in
some cases, where you create a file in a parent directory, the inode
may inherit the secure deletion flag. But a creating a hard link
doesn't count as creating a new inode.

- Ted



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/