chmod of active swap file blocks

chmod of active swap file blocks

[Paul Jakma]

Hi,

Trying to chmod a file being used for swap causes chmod() to block,
with permissions change /not/ having taken effect, until the swap
file is swapoff'd, at which point chmod() carries on and chmod (the
command) finishes.

# swapon /.swapfile 
# cat /proc/swaps 
Filename				Type		Size	Used	Priority
/dev/ide/host0/bus0/target0/lun0/part1   partition	200772	51748	-1
/.swapfile                               file		131064	0	-5
# strace chmod g-w /.swapfile 2> /tmp/strace-chmod &
[3] 29208
# tail /tmp/strace-chmod 
[ snip ]
stat64("/.swapfile", {st_mode=S_IFREG|0600, st_size=134217728, ...}) = 0
chmod("/.swapfile", 0600
# swapoff /.swapfile 
# 
[3]   Done                    strace chmod g-w /.swapfile 2>/tmp/strace-chmod

NB: no, i dont use devfs :) (just same namespace.)

regards,
-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam@dishone.st
Fortune:
Save energy:  Drive a smaller shell.

Re: chmod of active swap file blocks

[Paul Jakma]

On Mon, 29 Dec 2003, Paul Jakma wrote:

> Hi,
> 
> Trying to chmod a file being used for swap causes chmod() to block,
> with permissions change /not/ having taken effect, until the swap
> file is swapoff'd, at which point chmod() carries on and chmod (the
> command) finishes.

err.. forgot kernel version: this occurs with Arjan's 
2.6.0-0.test11.1.100 and .102 RPM packages of the 2.6.0 kernel. I 
have not tried on a generic 2.6.0 kernel, though I am about to try 
Arjan's 2.6.0-1.104 package.

regards,
-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam@dishone.st
Fortune:
Bell Labs Unix -- Reach out and grep someone.

Re: chmod of active swap file blocks

[Andrew Morton]

Paul Jakma <paul@clubi.ie> wrote:
>
> Hi,
> 
> Trying to chmod a file being used for swap causes chmod() to block,
> with permissions change /not/ having taken effect, until the swap
> file is swapoff'd, at which point chmod() carries on and chmod (the
> command) finishes.

The kernel holds the swapfile's i_sem while it is in use.  This is to
prevent the filesystem destruction which would result if some silly person
were to truncate a swapfile while it was in active use.

It is not a particularly important safety feature ("don't do that") and it
can be taken out if it is causing serious side-effects.

Is chmod of an in-use swapfile an important thing to be able to do?

Re: chmod of active swap file blocks

[Paul Jakma]

On Mon, 29 Dec 2003, Andrew Morton wrote:

> The kernel holds the swapfile's i_sem while it is in use.  This is
> to prevent the filesystem destruction which would result if some
> silly person were to truncate a swapfile while it was in active
> use.

Ah, ok. /sort/ of makes sense..

> It is not a particularly important safety feature ("don't do that")
> and it can be taken out if it is causing serious side-effects.

though i'd err more on the side of "dont do that" :)

> Is chmod of an in-use swapfile an important thing to be able to do?

Had a box under memory pressure and had to add a swapfile to relieve
said pressure. Noticed afterwards that it had been created under
umask 0022 - not good, and the chmod to remove read rights for all 
blocked. Thankfully, it was my desktop, not a multiple user server :)

I dont know, I think I'd prefer ability to change attributes of the
swap file while its still swapped - there are many other, and far
more catastrophic, ways for root to kill the box, does it make sense
to guard against this one if it interferes with normal operations?

regards,
-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam@dishone.st
Fortune:
"...and scantily clad females, of course.  Who cares if it's below zero
outside"
(By Linus Torvalds)

Re: chmod of active swap file blocks

[Neale Banks]

On Mon, 29 Dec 2003, Paul Jakma wrote:

[...]
> > Is chmod of an in-use swapfile an important thing to be able to do?
> 
> Had a box under memory pressure and had to add a swapfile to relieve
> said pressure. Noticed afterwards that it had been created under
> umask 0022 - not good, and the chmod to remove read rights for all 
> blocked. Thankfully, it was my desktop, not a multiple user server :)
[...]

How much of the original problem goes away if swapon(8) were to refuse to
activate a file/device which has ownership/mode which it doesn't like?

Of course such a change to swapon(8) should be accompanied by a flag to
force swapping on a file/device with non-sane ownership/mode.

Regards,
Neale.

Re: chmod of active swap file blocks

[Andrew Morton]

Neale Banks <neale@lowendale.com.au> wrote:
>
> How much of the original problem goes away if swapon(8) were to refuse to
>  activate a file/device which has ownership/mode which it doesn't like?

I think swapon(8) should at least warn when the swapfile has inappropriate
permissions.  It's an obvious and outright security hole.

Re: chmod of active swap file blocks

[Andries Brouwer]

On Thu, Jan 01, 2004 at 02:12:41AM -0800, Andrew Morton wrote:
> Neale Banks <neale@lowendale.com.au> wrote:
> >
> > How much of the original problem goes away if swapon(8) were to refuse to
> >  activate a file/device which has ownership/mode which it doesn't like?
> 
> I think swapon(8) should at least warn when the swapfile has inappropriate
> permissions.  It's an obvious and outright security hole.

swapon had this warning for a while, but that generated lots of complaints.
Now this message is printed only when the -v (verbose) flag is given.

Re: chmod of active swap file blocks

[Erik Andersen]

On Thu Jan 01, 2004 at 03:10:27PM +0100, Andries Brouwer wrote:
> On Thu, Jan 01, 2004 at 02:12:41AM -0800, Andrew Morton wrote:
> > Neale Banks <neale@lowendale.com.au> wrote:
> > >
> > > How much of the original problem goes away if swapon(8) were to refuse to
> > >  activate a file/device which has ownership/mode which it doesn't like?
> > 
> > I think swapon(8) should at least warn when the swapfile has inappropriate
> > permissions.  It's an obvious and outright security hole.
> 
> swapon had this warning for a while, but that generated lots of complaints.
> Now this message is printed only when the -v (verbose) flag is given.

Perhaps swapon should automagically do a chmod and chown on all
swapfiles, unless specifically asked to be wildly insecure
(perhaps with a -W option -- wildly insecure swapfile permissions
are considered acceptable)....

 -Erik

--
Erik B. Andersen             http://codepoet-consulting.com/
--This message was written using 73% post-consumer electrons--

Re: chmod of active swap file blocks

[Paul Jakma]

On Thu, 1 Jan 2004, Erik Andersen wrote:

> Perhaps swapon should automagically do a chmod and chown on all
> swapfiles, unless specifically asked to be wildly insecure (perhaps
> with a -W option -- wildly insecure swapfile permissions are
> considered acceptable)....

There's no sane reason to have open swap files, so yes, above 
behaviour would be good.

>  -Erik

regards,
-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam@dishone.st
Fortune:
A prisoner of war is a man who tries to kill you and fails, and then
asks you not to kill him.
		-- Sir Winston Churchill, 1952