Re: [PATCH v11 21/48] ext4: Add richacl feature flag

From: Austin S Hemmelgarn
Date: Fri Oct 16 2015 - 14:28:20 EST


On 2015-10-16 13:41, Andreas Gruenbacher wrote:
On Fri, Oct 16, 2015 at 7:31 PM, Austin S Hemmelgarn
<ahferroin7@xxxxxxxxx> wrote:
I would like to re-iterate, on both XFS and ext4, I _really_ think this
should be a ro_compat flag, and not an incompat one. If a person has the
ability to mount the FS (even if it's a read-only mount), then they by
definition have read access to the file or partition that the filesystem is
contained in, which means that any ACL's stored on the filesystem are
functionally irrelevant,

It is unfortunately not safe to make such a file system accessible to
other users, so the feature is not strictly read-only compatible.
If it's not safe WRT data integrity, then the design needs to be reworked, as that directly implies that isn't safe for even every day usage on a writable filesystem.

If it's not safe WRT the ACL's being honored, then that really isn't something we should be worrying about. POSIX ACL's have this issue, as does mounting a filesystem on any system with a different /etc/{passwd,shadow,group,gshadow} than the one that wrote the permissions to the FS in the first place, and as such this is the type of thing any sensible system administrator will already expect to be dangerous, which means in turn that they will only do it if there is no other choice.

Trying to rely on making this an incompat feature to 'enforce' the ACL's is inherently flawed for two very specific reasons:
1. If the person theoretically trying to attack the system has write access to the disk, they can flip the feature bit and get access anyway (seriously, this takes maybe ten minutes of looking at the source code, some simple math and a hex editor).
2. If the disk is read-only (or even if it's writable), they can just forgo mounting the filesystem entirely and use any of a number of existing tools to pull the data directly off of the disk.

As I said in a previous discussion about this, the three most likely reasons for someone mounting a filesystem with this feature on a kernel that doesn't support it are:
1. They've booted into a recovery environment (eg SystemRescueCD) to attempt to recover data from the system itself (this usage implies access to the hardware, and therefore the ACL's are inherently useless for protecting the data anyway).
2. They've pulled the disk and hooked it up to a different system to recover data from it (again, this implies access to the hardware, and ACL's are inherently useless for protecting from this).
3. They're trying to bisect a kernel bug introduced at around the same time that richacls went in (which means again they have hardware access and ACL's are useless).
All that making this an incompat feature will do is make things harder for these legitimate use cases, for any competent attacker it will only be a minor inconvenience.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature