Message ID | 1445008706-15115-22-git-send-email-agruenba@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On 2015-10-16 11:17, Andreas Gruenbacher wrote: > From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com> > > This feature flag selects richacl instead of posix acl support on the > file system. In addition, the "acl" mount option is needed for enabling > either of the two kinds of acls. > > Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> > Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> > --- > fs/ext4/ext4.h | 6 ++++-- > fs/ext4/super.c | 42 +++++++++++++++++++++++++++++++++--------- > 2 files changed, 37 insertions(+), 11 deletions(-) > > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h > index fd1f28b..b97a3b1 100644 > --- a/fs/ext4/ext4.h > +++ b/fs/ext4/ext4.h > @@ -991,7 +991,7 @@ struct ext4_inode_info { > #define EXT4_MOUNT_UPDATE_JOURNAL 0x01000 /* Update the journal format */ > #define EXT4_MOUNT_NO_UID32 0x02000 /* Disable 32-bit UIDs */ > #define EXT4_MOUNT_XATTR_USER 0x04000 /* Extended user attributes */ > -#define EXT4_MOUNT_POSIX_ACL 0x08000 /* POSIX Access Control Lists */ > +#define EXT4_MOUNT_ACL 0x08000 /* Access Control Lists */ > #define EXT4_MOUNT_NO_AUTO_DA_ALLOC 0x10000 /* No auto delalloc mapping */ > #define EXT4_MOUNT_BARRIER 0x20000 /* Use block barriers */ > #define EXT4_MOUNT_QUOTA 0x80000 /* Some quota option set */ > @@ -1582,6 +1582,7 @@ static inline int ext4_encrypted_inode(struct inode *inode) > #define EXT4_FEATURE_INCOMPAT_LARGEDIR 0x4000 /* >2GB or 3-lvl htree */ > #define EXT4_FEATURE_INCOMPAT_INLINE_DATA 0x8000 /* data in inode */ > #define EXT4_FEATURE_INCOMPAT_ENCRYPT 0x10000 > +#define EXT4_FEATURE_INCOMPAT_RICHACL 0x20000 I would like to re-iterate, on both XFS and ext4, I _really_ think this should be a ro_compat flag, and not an incompat one. If a person has the ability to mount the FS (even if it's a read-only mount), then they by definition have read access to the file or partition that the filesystem is contained in, which means that any ACL's stored on the filesystem are functionally irrelevant, and making this an incompat feature will just complicate things further for people who have a legitimate need to recover data.
On Fri, Oct 16, 2015 at 7:31 PM, Austin S Hemmelgarn <ahferroin7@gmail.com> wrote: > I would like to re-iterate, on both XFS and ext4, I _really_ think this > should be a ro_compat flag, and not an incompat one. If a person has the > ability to mount the FS (even if it's a read-only mount), then they by > definition have read access to the file or partition that the filesystem is > contained in, which means that any ACL's stored on the filesystem are > functionally irrelevant, It is unfortunately not safe to make such a file system accessible to other users, so the feature is not strictly read-only compatible. Andreas -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 2015-10-16 13:41, Andreas Gruenbacher wrote: > On Fri, Oct 16, 2015 at 7:31 PM, Austin S Hemmelgarn > <ahferroin7@gmail.com> wrote: >> I would like to re-iterate, on both XFS and ext4, I _really_ think this >> should be a ro_compat flag, and not an incompat one. If a person has the >> ability to mount the FS (even if it's a read-only mount), then they by >> definition have read access to the file or partition that the filesystem is >> contained in, which means that any ACL's stored on the filesystem are >> functionally irrelevant, > > It is unfortunately not safe to make such a file system accessible to > other users, so the feature is not strictly read-only compatible. If it's not safe WRT data integrity, then the design needs to be reworked, as that directly implies that isn't safe for even every day usage on a writable filesystem. If it's not safe WRT the ACL's being honored, then that really isn't something we should be worrying about. POSIX ACL's have this issue, as does mounting a filesystem on any system with a different /etc/{passwd,shadow,group,gshadow} than the one that wrote the permissions to the FS in the first place, and as such this is the type of thing any sensible system administrator will already expect to be dangerous, which means in turn that they will only do it if there is no other choice. Trying to rely on making this an incompat feature to 'enforce' the ACL's is inherently flawed for two very specific reasons: 1. If the person theoretically trying to attack the system has write access to the disk, they can flip the feature bit and get access anyway (seriously, this takes maybe ten minutes of looking at the source code, some simple math and a hex editor). 2. If the disk is read-only (or even if it's writable), they can just forgo mounting the filesystem entirely and use any of a number of existing tools to pull the data directly off of the disk. As I said in a previous discussion about this, the three most likely reasons for someone mounting a filesystem with this feature on a kernel that doesn't support it are: 1. They've booted into a recovery environment (eg SystemRescueCD) to attempt to recover data from the system itself (this usage implies access to the hardware, and therefore the ACL's are inherently useless for protecting the data anyway). 2. They've pulled the disk and hooked it up to a different system to recover data from it (again, this implies access to the hardware, and ACL's are inherently useless for protecting from this). 3. They're trying to bisect a kernel bug introduced at around the same time that richacls went in (which means again they have hardware access and ACL's are useless). All that making this an incompat feature will do is make things harder for these legitimate use cases, for any competent attacker it will only be a minor inconvenience.
On Fri, Oct 16, 2015 at 02:27:57PM -0400, Austin S Hemmelgarn wrote: > On 2015-10-16 13:41, Andreas Gruenbacher wrote: > >On Fri, Oct 16, 2015 at 7:31 PM, Austin S Hemmelgarn > ><ahferroin7@gmail.com> wrote: > >>I would like to re-iterate, on both XFS and ext4, I _really_ think this > >>should be a ro_compat flag, and not an incompat one. If a person has the > >>ability to mount the FS (even if it's a read-only mount), then they by > >>definition have read access to the file or partition that the filesystem is > >>contained in, which means that any ACL's stored on the filesystem are > >>functionally irrelevant, > > > >It is unfortunately not safe to make such a file system accessible to > >other users, so the feature is not strictly read-only compatible. > If it's not safe WRT data integrity, then the design needs to be > reworked, as that directly implies that isn't safe for even every > day usage on a writable filesystem. This is exactly what we have *incompat feature flags for*: to protect old code that doesn't know about potentially dangerous new on-disk formats from trying to parse those formats and causing unpredictable bad things from happening. Austin, your arguments hold no weight because they are no different to the considerations for any new on-disk feature: the user needs to have both kernel and userspace support to recover filesystems that go bad. If you are using a brand new fs/kernel feature, then it is expected that you know that your DR processes take this into account. This is also why we XFS devs wait at least a year after new on-disk features are merged into XFS before we consider turning them on by default. i.e. to give distros and recovery utilities time to pick up kernels and userspace pacakges that support the new feature before the average user will encounter it.... Cheers, Dave.
On 2015-10-17 19:17, Dave Chinner wrote: > On Fri, Oct 16, 2015 at 02:27:57PM -0400, Austin S Hemmelgarn wrote: >> On 2015-10-16 13:41, Andreas Gruenbacher wrote: >>> On Fri, Oct 16, 2015 at 7:31 PM, Austin S Hemmelgarn >>> <ahferroin7@gmail.com> wrote: >>>> I would like to re-iterate, on both XFS and ext4, I _really_ think this >>>> should be a ro_compat flag, and not an incompat one. If a person has the >>>> ability to mount the FS (even if it's a read-only mount), then they by >>>> definition have read access to the file or partition that the filesystem is >>>> contained in, which means that any ACL's stored on the filesystem are >>>> functionally irrelevant, >>> >>> It is unfortunately not safe to make such a file system accessible to >>> other users, so the feature is not strictly read-only compatible. >> If it's not safe WRT data integrity, then the design needs to be >> reworked, as that directly implies that isn't safe for even every >> day usage on a writable filesystem. > > This is exactly what we have *incompat feature flags for*: to > protect old code that doesn't know about potentially dangerous new > on-disk formats from trying to parse those formats and causing > unpredictable bad things from happening. However, unless things have changed (I haven't had time to re-read the patch-set yet), then the only change will be a new set of xattrs, and that type of change _shouldn't_ break existing code that doesn't know about them. Andreas really needs to explain _exactly_ why it isn't safe to mount this on a kernel that doesn't support it and let other users access it, and if the answer is 'because the ACL's won't be honored' then that really isn't acceptable reason IMHO, because (as I outlined in the previous e-mail) being able to mount the filesystem implies that they have at least read access to the underlying storage, which means that the ACL's in the filesystem are irrelevant as far as any competent individual who is actively trying to illegitimately access the data is concerned. > Austin, your arguments hold no weight because they are no different > to the considerations for any new on-disk feature: the user needs to > have both kernel and userspace support to recover filesystems that > go bad. If you are using a brand new fs/kernel feature, then it is > expected that you know that your DR processes take this into > account. Except that the given argument from Andreas as to why it's an incompat feature does not clarify whether it's to prevent breaking the existing filesystem code (which I understand and agree is a proper usage for such a flag), or to try and provide some thin facade of security when there really is none (which is what the bit about 'and expose it to other users' really sounds like to me). Yes the argument that I made which you have replied to was admittedly shortsighted and didn't need to be made to get the point that I was actually trying to make across, and I sincerely apologize for that.
On 2015-10-16 13:41, Andreas Gruenbacher wrote: > On Fri, Oct 16, 2015 at 7:31 PM, Austin S Hemmelgarn > <ahferroin7@gmail.com> wrote: >> I would like to re-iterate, on both XFS and ext4, I _really_ think this >> should be a ro_compat flag, and not an incompat one. If a person has the >> ability to mount the FS (even if it's a read-only mount), then they by >> definition have read access to the file or partition that the filesystem is >> contained in, which means that any ACL's stored on the filesystem are >> functionally irrelevant, > > It is unfortunately not safe to make such a file system accessible to > other users, so the feature is not strictly read-only compatible. > OK, seeing as I wasn't particularly clear as to why I object to this in my other e-mail, let's try this again. Can you please explain exactly why it isn't safe to make such a filesystem accessible to other users? Because that _really_ sounds to me like you are trying to rely on this being un-mountable on a kernel that doesn't support richacls to try and provide the illusion of better security.
On Mon, Oct 19, 2015 at 3:16 PM, Austin S Hemmelgarn <ahferroin7@gmail.com> wrote: > On 2015-10-16 13:41, Andreas Gruenbacher wrote: >> >> On Fri, Oct 16, 2015 at 7:31 PM, Austin S Hemmelgarn >> <ahferroin7@gmail.com> wrote: >>> >>> I would like to re-iterate, on both XFS and ext4, I _really_ think this >>> should be a ro_compat flag, and not an incompat one. If a person has the >>> ability to mount the FS (even if it's a read-only mount), then they by >>> definition have read access to the file or partition that the filesystem >>> is contained in, which means that any ACL's stored on the filesystem are >>> functionally irrelevant, >> >> It is unfortunately not safe to make such a file system accessible to >> other users, so the feature is not strictly read-only compatible. >> > OK, seeing as I wasn't particularly clear as to why I object to this in my > other e-mail, let's try this again. > > Can you please explain exactly why it isn't safe to make such a filesystem > accessible to other users? See here: http://www.spinics.net/lists/linux-ext4/msg49541.html Andreas -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 2015-10-19 11:34, Andreas Gruenbacher wrote: > On Mon, Oct 19, 2015 at 3:16 PM, Austin S Hemmelgarn > <ahferroin7@gmail.com> wrote: >> On 2015-10-16 13:41, Andreas Gruenbacher wrote: >>> >>> On Fri, Oct 16, 2015 at 7:31 PM, Austin S Hemmelgarn >>> <ahferroin7@gmail.com> wrote: >>>> >>>> I would like to re-iterate, on both XFS and ext4, I _really_ think this >>>> should be a ro_compat flag, and not an incompat one. If a person has the >>>> ability to mount the FS (even if it's a read-only mount), then they by >>>> definition have read access to the file or partition that the filesystem >>>> is contained in, which means that any ACL's stored on the filesystem are >>>> functionally irrelevant, >>> >>> It is unfortunately not safe to make such a file system accessible to >>> other users, so the feature is not strictly read-only compatible. >>> >> OK, seeing as I wasn't particularly clear as to why I object to this in my >> other e-mail, let's try this again. >> >> Can you please explain exactly why it isn't safe to make such a filesystem >> accessible to other users? > > See here: http://www.spinics.net/lists/linux-ext4/msg49541.html OK, so to clarify, this isn't 'safe' because: 1. The richacls that exist on the filesystem won't be enforced. 2. Newly created files will have no ACL's set. It is worth noting that these are also issues with any kind of access control mechanism. Using your logic, all LSM's need to set separate incompat feature flags in filesystems they are being used on, as should POSIX ACLs, and for that matter so should Samba in many circumstances, and any NFS system not using idmapping or synchronized/centralized user databases. Now, if the SELinux (or SMACK, or TOMOYO) people had taken this approach, then I might be inclined to not complain (at least not to you, I'd be complaining to them about this rather poor design choice), but that is not the case, because (I assume) they realized that all this provides is a false sense of security. Issue 1, as I have said before, is functionally irrelevant for anyone who actually knows what they are doing; all you need for ext* is one of the myriad of programs for un-deleting files on such a filesystem (such as ext4magic or extundelete, and good luck convincing them to not allow being used when this flag is set), for BTRFS you just need the regular filesystem administration utilities ('btrfs restore' works wonders, and that one will _never_ honor any kind of permissions, because it's for disaster recovery), and while I don't know of any way to do this with XFS, that is only because I don't use XFS myself and have not had the need to provide tech support for anyone who does. If somebody absolutely _needs_ a guarantee that the acls will be enforced, they need to be using whole disk encryption, not just acls, and even that can't provide such a guarantee. As for issue 2, that can be solved by making it a read-only compatible flag, which is what I was suggesting be done in the first place. The only situation I can think of that this would cause an issue for is if the filesystem was not cleanly unmounted, and the log-replay doesn't set the ACL's, but mounting an uncleanly unmounted filesystem that has richacls on a kernel without support should fall into one of the following 2 cases more than 99% of the time: 1. The system crashed hard, and the regular kernel is un-bootable for some reason, in this case you're at the point of disaster recovery, should not be exposing _anything_ to a multi-user environment, and probably care a lot more about being able to get the system running again than about not accidentally creating a file with a missing ACL. 2. The filesystem was maliciously stolen in some way (either the hardware was acquired, or more likely, someone got an image of a still mounted filesystem), in which case all of my statements above regarding issue 1 apply.
On Oct 19, 2015, at 10:19 AM, Austin S Hemmelgarn <ahferroin7@gmail.com> wrote: > > On 2015-10-19 11:34, Andreas Gruenbacher wrote: >> On Mon, Oct 19, 2015 at 3:16 PM, Austin S Hemmelgarn >> <ahferroin7@gmail.com> wrote: >>> On 2015-10-16 13:41, Andreas Gruenbacher wrote: >>>> >>>> On Fri, Oct 16, 2015 at 7:31 PM, Austin S Hemmelgarn >>>> <ahferroin7@gmail.com> wrote: >>>>> >>>>> I would like to re-iterate, on both XFS and ext4, I _really_ think this >>>>> should be a ro_compat flag, and not an incompat one. If a person has the >>>>> ability to mount the FS (even if it's a read-only mount), then they by >>>>> definition have read access to the file or partition that the filesystem >>>>> is contained in, which means that any ACL's stored on the filesystem are >>>>> functionally irrelevant, >>>> >>>> It is unfortunately not safe to make such a file system accessible to >>>> other users, so the feature is not strictly read-only compatible. >>>> >>> OK, seeing as I wasn't particularly clear as to why I object to this in my >>> other e-mail, let's try this again. >>> >>> Can you please explain exactly why it isn't safe to make such a filesystem >>> accessible to other users? >> >> See here: http://www.spinics.net/lists/linux-ext4/msg49541.html > OK, so to clarify, this isn't 'safe' because: > 1. The richacls that exist on the filesystem won't be enforced. > 2. Newly created files will have no ACL's set. > > It is worth noting that these are also issues with any kind of access control mechanism. Using your logic, all LSM's need to set separate incompat feature flags in filesystems they are being used on, as should POSIX ACLs, and for that matter so should Samba in many circumstances, and any NFS system not using idmapping or synchronized/centralized user databases. Now, if the SELinux (or SMACK, or TOMOYO) people had taken this approach, then I might be inclined to not complain (at least not to you, I'd be complaining to them about this rather poor design choice), but that is not the case, because (I assume) they realized that all this provides is a false sense of security. I would tend to agree here. Anyone who can mount the filesystem on a kernel without RichACL support can do whatever they want, so at most having a RO_COMPAT flag would serve as a reminder for accidental problems by a sysadmin not in the know. Using an INCOMPAT flag is just asking for major headaches when someone needs to recover their filesystem on an old kernel but doesn't provide any added safety. Cheers, Andreas > Issue 1, as I have said before, is functionally irrelevant for anyone who actually knows what they are doing; all you need for ext* is one of the myriad of programs for un-deleting files on such a filesystem (such as ext4magic or extundelete, and good luck convincing them to not allow being used when this flag is set), for BTRFS you just need the regular filesystem administration utilities ('btrfs restore' works wonders, and that one will _never_ honor any kind of permissions, because it's for disaster recovery), and while I don't know of any way to do this with XFS, that is only because I don't use XFS myself and have not had the need to provide tech support for anyone who does. If somebody absolutely _needs_ a guarantee that the acls will be enforced, they need to be using whole disk encryption, not just acls, and even that can't provide such a guarantee. > > As for issue 2, that can be solved by making it a read-only compatible flag, which is what I was suggesting be done in the first place. The only situation I can think of that this would cause an issue for is if the filesystem was not cleanly unmounted, and the log-replay doesn't set the ACL's, but mounting an uncleanly unmounted filesystem that has richacls on a kernel without support should fall into one of the following 2 cases more than 99% of the time: > 1. The system crashed hard, and the regular kernel is un-bootable for some reason, in this case you're at the point of disaster recovery, should not be exposing _anything_ to a multi-user environment, and probably care a lot more about being able to get the system running again than about not accidentally creating a file with a missing ACL. > 2. The filesystem was maliciously stolen in some way (either the hardware was acquired, or more likely, someone got an image of a still mounted filesystem), in which case all of my statements above regarding issue 1 apply. > Cheers, Andreas
On Mon, Oct 19, 2015 at 6:19 PM, Austin S Hemmelgarn <ahferroin7@gmail.com> wrote: > On 2015-10-19 11:34, Andreas Gruenbacher wrote: >> >> On Mon, Oct 19, 2015 at 3:16 PM, Austin S Hemmelgarn >> <ahferroin7@gmail.com> wrote: >>> >>> On 2015-10-16 13:41, Andreas Gruenbacher wrote: >>>> >>>> >>>> On Fri, Oct 16, 2015 at 7:31 PM, Austin S Hemmelgarn >>>> <ahferroin7@gmail.com> wrote: >>>>> >>>>> >>>>> I would like to re-iterate, on both XFS and ext4, I _really_ think this >>>>> should be a ro_compat flag, and not an incompat one. If a person has >>>>> the >>>>> ability to mount the FS (even if it's a read-only mount), then they by >>>>> definition have read access to the file or partition that the >>>>> filesystem >>>>> is contained in, which means that any ACL's stored on the filesystem >>>>> are >>>>> functionally irrelevant, >>>> >>>> >>>> It is unfortunately not safe to make such a file system accessible to >>>> other users, so the feature is not strictly read-only compatible. >>>> >>> OK, seeing as I wasn't particularly clear as to why I object to this in >>> my >>> other e-mail, let's try this again. >>> >>> Can you please explain exactly why it isn't safe to make such a >>> filesystem >>> accessible to other users? >> >> >> See here: http://www.spinics.net/lists/linux-ext4/msg49541.html > > OK, so to clarify, this isn't 'safe' because: > 1. The richacls that exist on the filesystem won't be enforced. > 2. Newly created files will have no ACL's set. > > It is worth noting that these are also issues with any kind of access > control mechanism. Using your logic, all LSM's need to set separate > incompat feature flags in filesystems they are being used on, as should > POSIX ACLs, and for that matter so should Samba in many circumstances, and > any NFS system not using idmapping or synchronized/centralized user > databases. Now, if the SELinux (or SMACK, or TOMOYO) people had taken this > approach, then I might be inclined to not complain (at least not to you, I'd > be complaining to them about this rather poor design choice), but that is > not the case, because (I assume) they realized that all this provides is a > false sense of security. LSMs reside above the filesystem level. Let's take SELinux as an example. It has its own consistency check mechanism (relabeling). Fsck could check the syntax of SELinux labels, but it couldn't do anything sensible about corrupted labels, and syntactically correct labels also don't mean much. A relabeling run to verify or restory the appropriate policy would still be necessary to verify that labels are semantically correct, and for that, the filesystem needs to be mounted in the right place in the filesystem hierarchy. TOMOYO and AppArmor are not based on inode labels at all. LSMs usually also just provide an extra layer of security; when turned off, the basic security mechanisms still in effect will make sure that the system works just like before. (There are configurations like MLS where that is not the case, but those are uncommon.) ACLs are quite different from that. They can be checked statically by fsck. They are a basic security concept, and when turned off, there is no guarantee that the system will still be safe. > Issue 1, as I have said before, is functionally irrelevant for anyone who > actually knows what they are doing; all you need for ext* is one of the > myriad of programs for un-deleting files on such a filesystem (such as > ext4magic or extundelete, and good luck convincing them to not allow being > used when this flag is set), for BTRFS you just need the regular filesystem > administration utilities ('btrfs restore' works wonders, and that one will > _never_ honor any kind of permissions, because it's for disaster recovery), > and while I don't know of any way to do this with XFS, that is only because > I don't use XFS myself and have not had the need to provide tech support for > anyone who does. If somebody absolutely _needs_ a guarantee that the acls > will be enforced, they need to be using whole disk encryption, not just > acls, and even that can't provide such a guarantee. > > As for issue 2, that can be solved by making it a read-only compatible flag, > which is what I was suggesting be done in the first place. The only > situation I can think of that this would cause an issue for is if the > filesystem was not cleanly unmounted, and the log-replay doesn't set the > ACL's, but mounting an uncleanly unmounted filesystem that has richacls on a > kernel without support should fall into one of the following 2 cases more > than 99% of the time: > 1. The system crashed hard, and the regular kernel is un-bootable for some > reason, in this case you're at the point of disaster recovery, should not be > exposing _anything_ to a multi-user environment, and probably care a lot > more about being able to get the system running again than about not > accidentally creating a file with a missing ACL. > 2. The filesystem was maliciously stolen in some way (either the hardware > was acquired, or more likely, someone got an image of a still mounted > filesystem), in which case all of my statements above regarding issue 1 > apply. Please spare me with all that nonsense. Compared to mount options, filesystem feature flags in this case simplify things (you don't have to specify whether a filesystem contains POSIX ACLs or richacls), and they prevent administrator errors: when a filesystem mounts, it is safe to use; when it doesn't, it is not. That's all there is to it. Andreas -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 2015-10-19 13:33, Andreas Gruenbacher wrote: > On Mon, Oct 19, 2015 at 6:19 PM, Austin S Hemmelgarn > <ahferroin7@gmail.com> wrote: >> On 2015-10-19 11:34, Andreas Gruenbacher wrote: >>> On Mon, Oct 19, 2015 at 3:16 PM, Austin S Hemmelgarn >>> <ahferroin7@gmail.com> wrote: >>>> On 2015-10-16 13:41, Andreas Gruenbacher wrote: >>>>> On Fri, Oct 16, 2015 at 7:31 PM, Austin S Hemmelgarn >>>>> <ahferroin7@gmail.com> wrote: >>>>>> I would like to re-iterate, on both XFS and ext4, I _really_ think this >>>>>> should be a ro_compat flag, and not an incompat one. If a person has >>>>>> the >>>>>> ability to mount the FS (even if it's a read-only mount), then they by >>>>>> definition have read access to the file or partition that the >>>>>> filesystem >>>>>> is contained in, which means that any ACL's stored on the filesystem >>>>>> are >>>>>> functionally irrelevant, >>>>> It is unfortunately not safe to make such a file system accessible to >>>>> other users, so the feature is not strictly read-only compatible. >>>> OK, seeing as I wasn't particularly clear as to why I object to this in >>>> my >>>> other e-mail, let's try this again. >>>> Can you please explain exactly why it isn't safe to make such a >>>> filesystem >>>> accessible to other users? >>> See here: http://www.spinics.net/lists/linux-ext4/msg49541.html >> OK, so to clarify, this isn't 'safe' because: >> 1. The richacls that exist on the filesystem won't be enforced. >> 2. Newly created files will have no ACL's set. >> >> It is worth noting that these are also issues with any kind of access >> control mechanism. Using your logic, all LSM's need to set separate >> incompat feature flags in filesystems they are being used on, as should >> POSIX ACLs, and for that matter so should Samba in many circumstances, and >> any NFS system not using idmapping or synchronized/centralized user >> databases. Now, if the SELinux (or SMACK, or TOMOYO) people had taken this >> approach, then I might be inclined to not complain (at least not to you, I'd >> be complaining to them about this rather poor design choice), but that is >> not the case, because (I assume) they realized that all this provides is a >> false sense of security. > > LSMs reside above the filesystem level. Let's take SELinux as an > example. It has its own consistency check mechanism (relabeling). Fsck > could check the syntax of SELinux labels, but it couldn't do anything > sensible about corrupted labels, and syntactically correct labels also > don't mean much. A relabeling run to verify or restory the appropriate > policy would still be necessary to verify that labels are semantically > correct, and for that, the filesystem needs to be mounted in the right > place in the filesystem hierarchy. > > TOMOYO and AppArmor are not based on inode labels at all. Apologies for being unintentionally over-inclusive WRT LSM's, and also for forgetting that TOMOYO doesn't use inode labels. > LSMs usually also just provide an extra layer of security; when turned > off, the basic security mechanisms still in effect will make sure that > the system works just like before. (There are configurations like MLS > where that is not the case, but those are uncommon.) Um, actually no, even without MLS (or MCS), there is no guarantee whatsoever that the system will work 'just' like before (I've actually seen systems break on any (or even in one case all) of the transitions between enforcing/permissive/off for SELinux, even assuming that relabeling is done properly). > ACLs are quite different from that. They can be checked statically by > fsck. They are a basic security concept, and when turned off, there is > no guarantee that the system will still be safe. LSM's hook into the VFS code right alongside the regular permissions checks. They are intended to supplement the regular UNIX DAC based permissions. Richacls (and POSIX ACLs) also hook into the regular permissions checks, and also are intended to supplement the regular UNIX DAC based permissions. Fsck only checks the syntax of regular UNIX DAC based permissions (it doesn't verify that the listed UID/GID are actually valid in userspace, nor does it check for semantically nonsensical permissions modes like 007 or 000), and it really can't properly check anything more than that on ACL's either. Based on all of this, richacls and LSM's which mediate filesystem accesses are on exactly the same level with the exception that LSM's usually have way more functionality beyond just using ACL's to control file access, LSM's are usually MAC based while ACL's are DAC based, and the fact that ACL's are (usually) not dependent on where in the filesystem hierarchy they are found. On top of that, there is no guarantee that a system will still be safe when you turn SELinux (or other LSM's) off either (in fact, for some configurations, it can be mathematically proven that the system will not be safe if you turn off SELinux). >> Issue 1, as I have said before, is functionally irrelevant for anyone who >> actually knows what they are doing; all you need for ext* is one of the >> myriad of programs for un-deleting files on such a filesystem (such as >> ext4magic or extundelete, and good luck convincing them to not allow being >> used when this flag is set), for BTRFS you just need the regular filesystem >> administration utilities ('btrfs restore' works wonders, and that one will >> _never_ honor any kind of permissions, because it's for disaster recovery), >> and while I don't know of any way to do this with XFS, that is only because >> I don't use XFS myself and have not had the need to provide tech support for >> anyone who does. If somebody absolutely _needs_ a guarantee that the acls >> will be enforced, they need to be using whole disk encryption, not just >> acls, and even that can't provide such a guarantee. >> >> As for issue 2, that can be solved by making it a read-only compatible flag, >> which is what I was suggesting be done in the first place. The only >> situation I can think of that this would cause an issue for is if the >> filesystem was not cleanly unmounted, and the log-replay doesn't set the >> ACL's, but mounting an uncleanly unmounted filesystem that has richacls on a >> kernel without support should fall into one of the following 2 cases more >> than 99% of the time: >> 1. The system crashed hard, and the regular kernel is un-bootable for some >> reason, in this case you're at the point of disaster recovery, should not be >> exposing _anything_ to a multi-user environment, and probably care a lot >> more about being able to get the system running again than about not >> accidentally creating a file with a missing ACL. >> 2. The filesystem was maliciously stolen in some way (either the hardware >> was acquired, or more likely, someone got an image of a still mounted >> filesystem), in which case all of my statements above regarding issue 1 >> apply. > Please spare me with all that nonsense. Compared to mount options, > filesystem feature flags in this case simplify things (you don't have > to specify whether a filesystem contains POSIX ACLs or richacls), and > they prevent administrator errors: when a filesystem mounts, it is > safe to use; when it doesn't, it is not. That's all there is to it. You're ignoring what I'm actually saying. I've said absolutely nothing about needing to use mount options at all, and I'm not arguing against using filesystem feature flags, I'm arguing for using them sensibly in a way that does not present a false sense of security. Making the comparability flag read-only will exactly solve the second issue that you outlined for more than 99% of all use cases (and the remaining cases are provably irrelevant), still indicate clearly to the FS code which type of ACL is in use on the FS, and remove the entirely false sense of security WRT the first issue you outlined. Making it an incompatible flag will likely cause headaches for some legitimate users, and at most delay competent hackers by a few seconds to a few minutes, and script kiddies by a few hours, and is really no better than security by obscurity (and from a purely logistical standpoint, that's _all_ it is) in that it actively tries to hide the fact that someone having read access to the storage the filesystem is on can bypass the ACL's. To reiterate, if someone can call mount() on a filesystem, and mount() does not return -EPERM, then even if mount() returns a different error, they still have the ability to completely bypass all permissions and ACL's in that filesystem, because they have the ability to read the entire filesystem directly. The _only_ way to properly protect against people bypassing the ACL's is to use full disk encryption and lock down root access on the system, and even that can't completely prevent it from happening.
On Mon, Oct 19, 2015 at 8:45 PM, Austin S Hemmelgarn <ahferroin7@gmail.com> wrote: > On 2015-10-19 13:33, Andreas Gruenbacher wrote: >> Please spare me with all that nonsense. Compared to mount options, >> filesystem feature flags in this case simplify things (you don't have >> to specify whether a filesystem contains POSIX ACLs or richacls), and >> they prevent administrator errors: when a filesystem mounts, it is >> safe to use; when it doesn't, it is not. That's all there is to it. > > You're ignoring what I'm actually saying. I've said absolutely nothing > about needing to use mount options at all, and I'm not arguing against using > filesystem feature flags, I'm arguing for using them sensibly in a way that > does not present a false sense of security. We could be on a multi-user system, and the user mounting the filesystem may not be the only user on the system. When a filesystem can be mounted read-only, it should be safe to use read-only. It is not safe in general to use such a filesystem read-only, so an incompatible feature flag which prevents such unsafe mounting is more approporiate than a read-only incompatible feature flag. Mounting a filesystem read-only doesn't mean that the filesystem is being recovered, it is perfectly legal to mount a filesystem read-only for other reasons. I don't want to give people using read-only filesystems the false sense that everything is okay. > Making it an incompatible flag will likely cause headaches for some > legitimate users, Indeed. It will also make it less likely for users to accidentally shoot themselves in the foot. If someone knows better, they can clear the feature flag. When recovering a broken system that contains richacl filesystems, you really want to have richacl support in the rescue system as well. Otherwise, you won't be able to fsck those filesystems. > and at most delay competent hackers by a few seconds to a > few minutes, and script kiddies by a few hours, and is really no better than > security by obscurity (and from a purely logistical standpoint, that's _all_ > it is) in that it actively tries to hide the fact that someone having read > access to the storage the filesystem is on can bypass the ACL's. > > To reiterate, if someone can call mount() on a filesystem, and mount() does > not return -EPERM, then even if mount() returns a different error, they > still have the ability to completely bypass all permissions and ACL's in > that filesystem, because they have the ability to read the entire filesystem > directly. > > The _only_ way to properly protect against people bypassing the ACL's is to > use full disk encryption and lock down root access on the system, and even > that can't completely prevent it from happening. That's all completely beside the point. I'm not talking about preventing attacks at all, just basic administrative workflows. Andreas -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 2015-10-19 16:20, Andreas Gruenbacher wrote: > On Mon, Oct 19, 2015 at 8:45 PM, Austin S Hemmelgarn > <ahferroin7@gmail.com> wrote: >> On 2015-10-19 13:33, Andreas Gruenbacher wrote: >>> Please spare me with all that nonsense. Compared to mount options, >>> filesystem feature flags in this case simplify things (you don't have >>> to specify whether a filesystem contains POSIX ACLs or richacls), and >>> they prevent administrator errors: when a filesystem mounts, it is >>> safe to use; when it doesn't, it is not. That's all there is to it. >> >> You're ignoring what I'm actually saying. I've said absolutely nothing >> about needing to use mount options at all, and I'm not arguing against using >> filesystem feature flags, I'm arguing for using them sensibly in a way that >> does not present a false sense of security. > > We could be on a multi-user system, and the user mounting the > filesystem may not be the only user on the system. When a filesystem > can be mounted read-only, it should be safe to use read-only. It is > not safe in general to use such a filesystem read-only, so an > incompatible feature flag which prevents such unsafe mounting is more > approporiate than a read-only incompatible feature flag. Except that mounting a filesystem that wasn't created on the system mounting it always has that exact same risk, because (AFAIK) all Linux/BSD/Other UNIX filesystems store GID's and UID's as numbers, not names. Perfect example of this, take a minimal install of some Linux distribution, install a couple of packages that add new UID's, and mount the root filesystem on a completely different distribution (say mount a Debian root filesystem on a Gentoo box), any of the new UID's from the first system will almost certainly not map to the same user on the second system (in fact, you can also do this with two Gentoo systems where the packages were installed in different orders). This is a really basic security risk that any seasoned sysadmin should know, and most new ones find out about rather quickly. Also, based on established context of _every_ other feature with an incompat feature flag in both ext4 and XFS, 'safe' means that you can get the correct file contents off of the filesystem,and don't run the risk of crashing the system, not that you have no risk of compromising security. > Mounting a filesystem read-only doesn't mean that the filesystem is > being recovered, it is perfectly legal to mount a filesystem read-only > for other reasons. I don't want to give people using read-only > filesystems the false sense that everything is okay. Yes, and this is why any sane filesystem will spit a warning out through dmesg when a mount is forced read-only because of incompatible features. If someone is actively mounting such a filesystem read-only (that is, they've specified 'ro' in the mount options), then it's relatively safe for the kernel to assume they are doing so for some very specific reason and/or already know about the data safety implications. > >> Making it an incompatible flag will likely cause headaches for some >> legitimate users, > > Indeed. It will also make it less likely for users to accidentally > shoot themselves in the foot. If someone knows better, they can clear > the feature flag. Except there will be a lot of people who think they know better but really don't. Such people will do this anyway, and by modifying the filesystem run a bigger risk of shooting themselves in the foot (because they'll almost certainly mount the filesystem read-write, and then end up turning on richacls again). You're not removing the gun, you're just hiding a potentially bigger one somewhere else. It's a separate issue entirely however whether or not you absolutely need to know that the richacls have the correct syntax in a recovery situation. Fsck doesn't parse SELinux labels, (AFAIK) doesn't parse filecaps attributes (bad filecaps syntax will only make things have fewer privileges, but it will cause user visible brokenness), (again, AFAIK) doesn't validate POSIX ACL's, and absolutely doesn't check IMA or EVM hashes. IMA and EVM hashes being wrong _will_ cause almost any system actually using them they way they are intended to fail to boot, and incorrect SELinux labeling will make many systems not boot correctly, and both situations are much worse for a significant majority of users than a (security leak due to a bad ACL. > > When recovering a broken system that contains richacl filesystems, you > really want to have richacl support in the rescue system as well. > Otherwise, you won't be able to fsck those filesystems. While it's something that 'should' be the case, there are probably quite a few people who will not realize this until they're already in a situation that they need to recover data. On top of that some people will likely assume that they just need richacl support in userspace for their recovery environment. > >> and at most delay competent hackers by a few seconds to a >> few minutes, and script kiddies by a few hours, and is really no better than >> security by obscurity (and from a purely logistical standpoint, that's _all_ >> it is) in that it actively tries to hide the fact that someone having read >> access to the storage the filesystem is on can bypass the ACL's. >> >> To reiterate, if someone can call mount() on a filesystem, and mount() does >> not return -EPERM, then even if mount() returns a different error, they >> still have the ability to completely bypass all permissions and ACL's in >> that filesystem, because they have the ability to read the entire filesystem >> directly. >> >> The _only_ way to properly protect against people bypassing the ACL's is to >> use full disk encryption and lock down root access on the system, and even >> that can't completely prevent it from happening. > > That's all completely beside the point. I'm not talking about > preventing attacks at all, just basic administrative workflows. While that may be the case, there will be people who assume that because it's an incompat feature, their ACL's will _always_ be enforced. Such people should admittedly not be allowed to run systems with any real world security requirements, but that mentality is something that still needs to be considered, and this is arguably making it easier for them to shoot themselves in the foot.
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h index fd1f28b..b97a3b1 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -991,7 +991,7 @@ struct ext4_inode_info { #define EXT4_MOUNT_UPDATE_JOURNAL 0x01000 /* Update the journal format */ #define EXT4_MOUNT_NO_UID32 0x02000 /* Disable 32-bit UIDs */ #define EXT4_MOUNT_XATTR_USER 0x04000 /* Extended user attributes */ -#define EXT4_MOUNT_POSIX_ACL 0x08000 /* POSIX Access Control Lists */ +#define EXT4_MOUNT_ACL 0x08000 /* Access Control Lists */ #define EXT4_MOUNT_NO_AUTO_DA_ALLOC 0x10000 /* No auto delalloc mapping */ #define EXT4_MOUNT_BARRIER 0x20000 /* Use block barriers */ #define EXT4_MOUNT_QUOTA 0x80000 /* Some quota option set */ @@ -1582,6 +1582,7 @@ static inline int ext4_encrypted_inode(struct inode *inode) #define EXT4_FEATURE_INCOMPAT_LARGEDIR 0x4000 /* >2GB or 3-lvl htree */ #define EXT4_FEATURE_INCOMPAT_INLINE_DATA 0x8000 /* data in inode */ #define EXT4_FEATURE_INCOMPAT_ENCRYPT 0x10000 +#define EXT4_FEATURE_INCOMPAT_RICHACL 0x20000 #define EXT2_FEATURE_COMPAT_SUPP EXT4_FEATURE_COMPAT_EXT_ATTR #define EXT2_FEATURE_INCOMPAT_SUPP (EXT4_FEATURE_INCOMPAT_FILETYPE| \ @@ -1607,7 +1608,8 @@ static inline int ext4_encrypted_inode(struct inode *inode) EXT4_FEATURE_INCOMPAT_FLEX_BG| \ EXT4_FEATURE_INCOMPAT_MMP | \ EXT4_FEATURE_INCOMPAT_INLINE_DATA | \ - EXT4_FEATURE_INCOMPAT_ENCRYPT) + EXT4_FEATURE_INCOMPAT_ENCRYPT | \ + EXT4_FEATURE_INCOMPAT_RICHACL) #define EXT4_FEATURE_RO_COMPAT_SUPP (EXT4_FEATURE_RO_COMPAT_SPARSE_SUPER| \ EXT4_FEATURE_RO_COMPAT_LARGE_FILE| \ EXT4_FEATURE_RO_COMPAT_GDT_CSUM| \ diff --git a/fs/ext4/super.c b/fs/ext4/super.c index a63c7b0..84d1a5d 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -1270,6 +1270,28 @@ static ext4_fsblk_t get_sb_block(void **data) return sb_block; } +static int enable_acl(struct super_block *sb) +{ + sb->s_flags &= ~(MS_POSIXACL | MS_RICHACL); + if (test_opt(sb, ACL)) { + if (EXT4_HAS_INCOMPAT_FEATURE(sb, + EXT4_FEATURE_INCOMPAT_RICHACL)) { +#ifdef CONFIG_EXT4_FS_RICHACL + sb->s_flags |= MS_RICHACL; +#else + return -EOPNOTSUPP; +#endif + } else { +#ifdef CONFIG_EXT4_FS_POSIX_ACL + sb->s_flags |= MS_POSIXACL; +#else + return -EOPNOTSUPP; +#endif + } + } + return 0; +} + #define DEFAULT_JOURNAL_IOPRIO (IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 3)) static char deprecated_msg[] = "Mount option \"%s\" will be removed by %s\n" "Contact linux-ext4@vger.kernel.org if you think we should keep it.\n"; @@ -1416,9 +1438,9 @@ static const struct mount_opts { MOPT_NO_EXT2 | MOPT_DATAJ}, {Opt_user_xattr, EXT4_MOUNT_XATTR_USER, MOPT_SET}, {Opt_nouser_xattr, EXT4_MOUNT_XATTR_USER, MOPT_CLEAR}, -#ifdef CONFIG_EXT4_FS_POSIX_ACL - {Opt_acl, EXT4_MOUNT_POSIX_ACL, MOPT_SET}, - {Opt_noacl, EXT4_MOUNT_POSIX_ACL, MOPT_CLEAR}, +#if defined(CONFIG_EXT4_FS_POSIX_ACL) || defined(CONFIG_EXT4_FS_RICHACL) + {Opt_acl, EXT4_MOUNT_ACL, MOPT_SET}, + {Opt_noacl, EXT4_MOUNT_ACL, MOPT_CLEAR}, #else {Opt_acl, 0, MOPT_NOSUPPORT}, {Opt_noacl, 0, MOPT_NOSUPPORT}, @@ -3576,8 +3598,8 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) set_opt(sb, NO_UID32); /* xattr user namespace & acls are now defaulted on */ set_opt(sb, XATTR_USER); -#ifdef CONFIG_EXT4_FS_POSIX_ACL - set_opt(sb, POSIX_ACL); +#if defined(CONFIG_EXT4_FS_POSIX_ACL) || defined(CONFIG_EXT4_FS_RICHACL) + set_opt(sb, ACL); #endif /* don't forget to enable journal_csum when metadata_csum is enabled. */ if (ext4_has_metadata_csum(sb)) @@ -3660,8 +3682,9 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) sb->s_iflags |= SB_I_CGROUPWB; } - sb->s_flags = (sb->s_flags & ~MS_POSIXACL) | - (test_opt(sb, POSIX_ACL) ? MS_POSIXACL : 0); + err = enable_acl(sb); + if (err) + goto failed_mount; if (le32_to_cpu(es->s_rev_level) == EXT4_GOOD_OLD_REV && (EXT4_HAS_COMPAT_FEATURE(sb, ~0U) || @@ -4981,8 +5004,9 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data) if (sbi->s_mount_flags & EXT4_MF_FS_ABORTED) ext4_abort(sb, "Abort forced by user"); - sb->s_flags = (sb->s_flags & ~MS_POSIXACL) | - (test_opt(sb, POSIX_ACL) ? MS_POSIXACL : 0); + err = enable_acl(sb); + if (err) + goto restore_opts; es = sbi->s_es;