
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sat 15 May 2004 - 00:11:52 BST


On Fri, May 14, 2004 at 07:03:04PM -0400, Gregory (Grisha) Trubetskoy wrote:
>
> Sorry - this was vs1.26.
>
> I changed my fs/ext3/ioctl.c like this:
>
> --- fs/ext3/ioctl.c.orig 2004-05-14 18:56:21.000000000 -0400
> +++ fs/ext3/ioctl.c 2004-05-14 18:44:22.000000000 -0400
> @@ -47,6 +47,10 @@
> /* The JOURNAL_DATA flag is modifiable only by root */
> jflag = flags & EXT3_JOURNAL_DATA_FL;
>
> + /* Immutable files cannot be changed */
> + if (oldflags & flags & EXT3_IMMUTABLE_FILE_FL)
> + return -EPERM;
> +
> /*
> * The IMMUTABLE_* and APPEND_ONLY flags can only be changed
> * by the relevant capability.
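
Review bot: The added test `if (oldflags & flags & EXT3_IMMUTABLE_FILE_FL)` sits above the block whose comment says the IMMUTABLE_* and APPEND_ONLY flags are governed by the relevant capability, so it returns -EPERM whatever the caller holds, and also when the requested flags equal oldflags. Consider exempting callers with that capability and testing for an actual difference (flags ^ oldflags), so that a no-op set on an immutable file still succeeds. The test also names only EXT3_IMMUTABLE_FILE_FL; if the other IMMUTABLE_* flag covered by the comment below should lock attributes too, include it in the mask or say in the new comment why it is left out.
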
>
> This seems to give the "expected" behaviour. I think the fix for ext2 is
> identical, and I didn't look at reiserfs or any other filesystem.

hum, interesting approach, but maybe it would be
better to do the following:

 - check for IMMUTABLE + IUNLINK (unified file)
   and disallow changes on such files unless
 - CAP_IMMUTABLE is given

this would keep existing behaviour for host and
vserver without issues from unified files ...

> Anyway, hopefully this is at least a little bit helpful :-)

sure, any patches or improvements are appreciated

best,
Herbert
   
> Grisha
>
>
> On Fri, 14 May 2004, Herbert Poetzl wrote:
>
> > On Fri, May 14, 2004 at 05:12:34PM -0400, Gregory (Grisha) Trubetskoy wrote:
> > >
> > > It looks like the attributes that do not require CAP_LINUX_IMMUTABLE (i.e.
> > > anything except IMMUTABLE_[FILE|LINK]FL and APPEND_FL) can be modified by
> > > root from within a vserver:
> > >
> > > ]# vserver grisha enter
> > > ipv4root is now 192.168.1.33
> > > New security context is 10033
> > > [root_at_vserver:grisha /]lsattr /bin/ls
> > > ----i------t- /bin/ls
> > > [root_at_vserver:grisha /]chattr +d /bin/ls
> > > [root_at_vserver:grisha /]lsattr /bin/ls
> > > ----i-d----t- /bin/ls
> > >
> > > I'm not sure this is working "as expected". It seems that an immutable file
> > > should be immutable including attribute changes. This doesn't seem like a
> >
> > yep, should not be allowed ...
> > at least not on 'unified' files (i.e. with immutable set)
> >
> > please, always include some basic system information
> > like kernel version, patch version, etc ...
> >
> > TIA,
> > Herbert
> >
> > > VServer, but rather a general Linux problem, but I wonder if the VServer
> > > patches should insist that immutability includes flag changing.
> > >
> > > Grisha
> > > _______________________________________________
> > > Vserver mailing list
> > > Vserver_at_list.linux-vserver.org
> > > http://list.linux-vserver.org/mailman/listinfo/vserver
> >
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
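
The alternative proposed in the reply above, modelled next to the check from the quoted patch. This is an added example, not code from the thread or from the Linux-VServer patches. The DEMO_* names and bit values are constructed, and reading "changes" as any difference between old and new flags is an assumption.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed names and bit values for this sketch, not the kernel's. */
#define DEMO_IMMUTABLE_FL 0x1u /* stands in for the immutable flag */
#define DEMO_IUNLINK_FL   0x2u /* stands in for the IUNLINK flag   */
#define DEMO_NODUMP_FL    0x4u /* the 'd' attribute from the report */

/* Check as written in the quoted patch: refuse whenever the immutable
 * flag is set both before and after the request. */
int check_patch(unsigned oldflags, unsigned flags)
{
    if (oldflags & flags & DEMO_IMMUTABLE_FL)
        return -EPERM;
    return 0;
}

/* Reading of the reply's proposal (assumption): a unified file, i.e.
 * immutable + IUNLINK both set, rejects any flag change unless the
 * caller holds the capability. Other files are left to existing checks. */
int check_unified(unsigned oldflags, unsigned flags, bool has_cap)
{
    const unsigned unified = DEMO_IMMUTABLE_FL | DEMO_IUNLINK_FL;

    if ((oldflags & unified) == unified && flags != oldflags && !has_cap)
        return -EPERM;
    return 0;
}

int main(void)
{
    const unsigned imm = DEMO_IMMUTABLE_FL;
    const unsigned uni = DEMO_IMMUTABLE_FL | DEMO_IUNLINK_FL;
    const unsigned d = DEMO_NODUMP_FL;

    printf("patch:   +d on immutable file        -> %d\n", check_patch(imm, imm | d));
    printf("patch:   unchanged flags, immutable  -> %d\n", check_patch(imm, imm));
    printf("unified: +d on unified file, no cap  -> %d\n", check_unified(uni, uni | d, false));
    printf("unified: +d on unified file, cap     -> %d\n", check_unified(uni, uni | d, true));
    printf("unified: +d on plain immutable file  -> %d\n", check_unified(imm, imm | d, false));
    return 0;
}
```

The last case shows the difference the reply points at: a file that is only immutable keeps its existing behaviour, while the patch's check would refuse it.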


Generated on Sat 15 May 2004 - 00:11:43 BST by hypermail 2.1.3