From owner-freebsd-current Tue May 27 18:20:26 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA14032 for current-outgoing; Tue, 27 May 1997 18:20:26 -0700 (PDT)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA14027; Tue, 27 May 1997 18:20:19 -0700 (PDT)
Received: (from daemon@localhost) by alpo.whistle.com (8.8.5/8.8.5) id SAA26315; Tue, 27 May 1997 18:13:04 -0700 (PDT)
Received: from current1.whistle.com(207.76.205.22) via SMTP by alpo.whistle.com, id smtpd026311; Wed May 28 01:13:00 1997
Message-ID: <338B8674.794BDF32@whistle.com>
Date: Tue, 27 May 1997 18:12:20 -0700
From: Julian Elischer
Organization: Whistle Communications
X-Mailer: Mozilla 3.0Gold (X11; I; FreeBSD 2.2-CURRENT i386)
MIME-Version: 1.0
To: Brian Beattie
CC: Julian Elischer , current@FreeBSD.ORG, mckusick@vangogh.cs.berkeley.edu
Subject: Re: NEW FEATURE. BSD file NOUNLINK flag. RFC.. will commit unless....
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-current@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Brian Beattie wrote:
>
> On Sun, 25 May 1997, Julian Elischer wrote:
>
> >
> > I would like feedback on a new feature I want to add to the
> > filesystem code.
> >
> > In addition to the immutable and append flags, we at whistle are
> > using a flag NOUNLINK
> >
> > The action of this flag is to allow the file or dir in question
> > to be modified in any way but never deleted.
>
> I would be opposed to this as, unlike the immutable flag, I can not see
> how it adds to the robustness or security of the system. It adds yet
> another hidden control and contributes to bloat and feeping creaturism.
> If this must be added it should be a kernel config option, normally off.
>
> I can see "Unremovable file ... even when I log into the system as root I
> can not remove this file ... !$%*^)^$# FreeBSD sucks".
immutable already gives you this..

>
> Maybe if somebody could explain how this fixes some major problem I might
> feel differently.

Well, it's a MAJOR problem for US as we are trying to turn FreeBSD into an embedded OS in an 'appliance'.. see www.whistle.com once again....

OK, here is the picture: we have several users, all untrusted. Some must be in a group 'admin' that allows them to write to and delete anything in a certain subtree.. EXCEPT a skeleton hierarchy of directories.

When the system is in administration mode, the REAL admin (root in single-user) can add to and change that skeleton hierarchy.

All users must be able to write to their own directories in the hierarchy (and delete).

So far, if we have a group 'admin', then users in that group can do things an admin should be able to do if the whole hierarchy has a group of admin. HOWEVER these are UNTRUSTED admins, and must not be able to delete parts of the essential skeleton hierarchy.

With a NOUNLINK bit we can nail down the hierarchy when in 'real' admin mode, and the 'untrusted' admins can't smash it.

As a side note, they are running through the netatalk, samba and ftp interfaces and don't see 'unix' as such.

The trouble with IMMUTABLE and APPEND is that they don't allow the users to create and delete their own files freely within the established hierarchy.

The sticky bit is CLOSE, but we run into trouble with more than one user with admin privs because they can't un-do each other's damage.

To your comment.. This is no more 'annoying' than the 'IMMUTABLE' flag that presently does even more.. personally I think it complements the other flags quite well.

comments?

julian
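The comparison Julian makes above (group write alone lets untrusted admins delete the skeleton, the sticky bit stops them undoing each other's changes, NOUNLINK allows both) as an added toy model of the unlink check in Python. This is not FreeBSD's kernel code and not part of the original thread; the flag names, the `Node`/`Subject` types and the rule that only root in single-user mode may clear the flag are assumptions of the model.

```python
from dataclasses import dataclass, field

# Flag names are assumptions of this model, not FreeBSD's real constants.
IMMUTABLE = "immutable"
NOUNLINK = "nounlink"

@dataclass
class Node:
    owner: str
    group: str
    group_write: bool = True
    sticky: bool = False            # only meaningful on a directory
    flags: set = field(default_factory=set)

@dataclass
class Subject:
    uid: str
    groups: frozenset
    single_user: bool = False       # the "real" admin: root in single-user mode

def may_unlink(s: Subject, parent: Node, target: Node) -> bool:
    """Toy unlink decision: may subject s remove target from directory parent?"""
    if s.single_user:
        return True                 # assumption: real admin clears flags, then deletes
    # unlink needs write permission on the containing directory
    if not (s.uid == parent.owner or (parent.group_write and parent.group in s.groups)):
        return False
    # immutable and NOUNLINK both forbid removal for everyone else
    if IMMUTABLE in target.flags or NOUNLINK in target.flags:
        return False
    # sticky directory: only the file's owner or the directory's owner may unlink
    if parent.sticky and s.uid not in (target.owner, parent.owner):
        return False
    return True

def scenario(policy: str) -> dict:
    """Two untrusted admins (alice, bob) share a group-writable skeleton dir.
    policy is 'plain', 'sticky' or 'nounlink'; all names are constructed."""
    alice = Subject("alice", frozenset({"admin"}))
    bob = Subject("bob", frozenset({"admin"}))
    root_su = Subject("root", frozenset({"wheel"}), single_user=True)
    skel_dir = Node("root", "admin", sticky=(policy == "sticky"))
    skel_sub = Node("root", "admin", flags={NOUNLINK} if policy == "nounlink" else set())
    alice_file = Node("alice", "admin")   # damage alice did that bob must undo
    return {
        "bob_undoes_alice": may_unlink(bob, skel_dir, alice_file),
        "alice_smashes_skeleton": may_unlink(alice, skel_dir, skel_sub),
        "real_admin_reshapes_skeleton": may_unlink(root_su, skel_dir, skel_sub),
    }

def acceptable(policy: str) -> bool:
    """The requirements from the mail: admins undo each other, skeleton survives, root can still change it."""
    r = scenario(policy)
    return r["bob_undoes_alice"] and not r["alice_smashes_skeleton"] and r["real_admin_reshapes_skeleton"]
```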