Date: Mon, 12 Jan 2009 08:44:48 -0800
From: Tim Kientzle <kientzle@freebsd.org>
To: Robert Watson <rwatson@freebsd.org>
Cc: freebsd-hackers@freebsd.org, pluknet <pluknet@gmail.com>
Subject: Re: extattr problems?
Message-ID: <496B7380.10804@freebsd.org>
In-Reply-To: <alpine.BSF.2.00.0901121543520.16794@fledge.watson.org>
References: <49692659.2030306@freebsd.org> <a31046fc0901101836q1f43028awe4f7b0ba746248ac@mail.gmail.com> <49696C24.8010601@freebsd.org> <a31046fc0901110004m629f9aeegc4ac1cdfd1591c69@mail.gmail.com> <496AA714.1090904@freebsd.org> <496ABD9A.8080006@freebsd.org> <alpine.BSF.2.00.0901121543520.16794@fledge.watson.org>
Robert Watson wrote:
> On Sun, 11 Jan 2009, Tim Kientzle wrote:
>
>> I think this one is a bug. It appears that extattr_set_fd() obeys the
>> permissions on the file, not the permissions of the descriptor.
>
> Hmm. Not clear. EAs live in a slightly hazy world between data and
> meta-data. Normally you can perform operations like fchmod(2), which
> are strictly meta-data operations, regardless of the flags of the file
> descriptor they are performed on, subject to ownership/permissions.

You can always call fchmod() on a newly-created file. But you cannot
currently always call extattr_set_fd() on a newly created file. So
extattr_set_fd() does not currently behave like other metadata operations.

> With NFSv4 ACLs, where the right to change ACLs can be delegated, this
> only becomes more true. I've chosen to generally treat EAs as meta-data
> in this regard, where the file descriptor simply names the object rather
> than as an access method as occurs with write(), etc.

Hmmmm.... Then what is the secure way to create a file with no write
permissions and EAs? The policy you've adopted means that you must open
write permissions on the file even if the final file should not have such
permissions.

I'm also unclear about your reasoning here. There are only two ways to get
a writable FD: You have write permissions on an existing file (or rather,
*had* write permissions at the time you opened it), or you've just created
the file. The former case would seem to cover your concerns here; I see no
justification for disallowing the latter.

I'm especially unhappy about this in the case of tar because it means I
would have to introduce another system call (an otherwise-redundant
fchmod()) into the performance-critical file creation path, not to mention
some rather ugly logic to modify modes on newly created files if that file
has extattrs and you're on FreeBSD.

> How do other systems handle this -- for example, Linux, with its notion
> of user vs. system namespaces?

I need to do some more research here. I'll let you know what I find.

Tim
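The behaviour argued about above, as an added probe (editor's example, not code from the thread or from libarchive): it creates a file whose mode bits deny writing and tries to set an EA through the still-open writable descriptor, then runs the fchmod() workaround Tim describes. The FreeBSD branch uses extattr_set_fd(); the Linux branch uses fsetxattr(2) on the user.* namespace so the same probe compiles there. The attribute name "probe" and the paths are constructed.

```c
/* Added example (not from the thread): probe whether an EA can be set
 * through a writable descriptor to a new file whose mode bits deny writing. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifdef __FreeBSD__
#include <sys/extattr.h>
/* FreeBSD: user-namespace EA; the name "probe" is constructed. */
static int set_ea(int fd, const char *v) {
    return extattr_set_fd(fd, EXTATTR_NAMESPACE_USER, "probe", v, strlen(v)) < 0 ? errno : 0;
}
#else
#include <sys/xattr.h>
/* Linux: same probe via fsetxattr(2); user.* is the equivalent namespace. */
static int set_ea(int fd, const char *v) {
    return fsetxattr(fd, "user.probe", v, strlen(v), 0) < 0 ? errno : 0;
}
#endif

/* Create `path` with final mode 0444 and set the EA via the descriptor.
 * Returns 0 if allowed, else errno: EACCES is the case the thread discusses,
 * ENOTSUP/EOPNOTSUPP means this filesystem has no EA support. */
int create_readonly_then_set_ea(const char *path) {
    unlink(path);                 /* clear a leftover from an earlier run */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0444);
    if (fd < 0) return errno;
    int r = set_ea(fd, "x");
    close(fd);
    unlink(path);
    return r;
}

/* Workaround Tim describes: create with owner write, set the EA, then
 * fchmod() down to 0444. Returns the EA result; *mode_out gets the final bits. */
int create_with_ea_then_fchmod(const char *path, mode_t *mode_out) {
    struct stat st;
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return errno;
    int r = set_ea(fd, "x");
    if (fchmod(fd, 0444) < 0 && r == 0) r = errno;
    *mode_out = fstat(fd, &st) == 0 ? (st.st_mode & 0777) : 0;
    close(fd);
    unlink(path);
    return r;
}
```

Run as an unprivileged user; a privileged user bypasses the mode-bit check and the first probe will report 0 regardless.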