From: Amir Goldstein <amir73il@gmail.com>
To: "Ted Ts'o" <tytso@mit.edu>
Cc: Allison Henderson <achender@linux.vnet.ibm.com>,
Andreas Dilger <adilger@dilger.ca>,
linux-ext4@vger.kernel.org
Subject: Re: [PATCH 1/2 v3] EXT4: Secure Delete: Zero out file data
Date: Mon, 11 Jul 2011 13:01:49 +0300 [thread overview]
Message-ID: <CAOQ4uxix-F51=w9Det-Oh=06ZkK9XHUbnQcM79HcrKZyKrw=zA@mail.gmail.com> (raw)
In-Reply-To: <20110710231337.GD5615@thunk.org>
On Mon, Jul 11, 2011 at 2:13 AM, Ted Ts'o <tytso@mit.edu> wrote:
> On Fri, Jul 08, 2011 at 09:29:16AM +0300, Amir Goldstein wrote:
>>
>> Well, that really depends of the precise definition of "secure delete".
>> If you agree with the "100% secure" interpretation, then your current patch
>> is "almost" correct.
>> I can see 2 things that are missing:
>> 1. ext4_unlink() will have to invoke ext4_truncate(0) directly just
>> like truncate system call does.
>> This is to prevent an attacker from keeping the protected file open
>> and preventing freeing
>> of it's data when the file is removed from the name space.
>
> Um, no. This breaks Unix semantics, which is going to cause any kind
> of headaches, especially if someone sets the secure delete flag on a
> directory, and then a hapless application creates a file in said
> directory expecting standard Posix semantics.
>
> If the attacker has a handle on the file, he can just simply copy out
> the data to another file; if you're worried about someone who manages
> to open the file just 1 millisecond before you do the delete (as
> opposed 100 milliseconds, when he would have copy out the file), I
> don't think it's worth it.
Maybe it's an attacker and maybe the user just doesn't know if an application
has a loose handle for this file.
In both cases, "truncate -s 0 mysecret && rm mysecret" would be more
full proof than "rm mysecret".
I do agree it makes more sense to do it with userspace tools in the first place.
>
>> 2. ext4_truncate() currently changes i_disksize first (and adds inode
>> to orphan list)
>> and then frees the blocks. for 100% secure delete, you cannot change i_disksize
>> before zeroing the blocks, so it has to be:
>> - zeroout range
>> - change i_disksize and add to orphan list
>> - free blocks
>
> What are you worried about here?
I am worried (but it doesn't keep me up at night) from orphan cleanup
after crash in the
middle of secure truncate.
Sure, if you boot with the same kernel, orphan cleanup will securely
truncate the rest
of the file, but another kernel may also non-securely truncate the
file and the accountant
will not know what hit him on judgement day.
Anyway, I don't care much for security nor for accountants, so no need
to convince me
one way or the other.
Amir.
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2011-07-11 10:01 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-30 21:22 [PATCH 0/2 v3] EXT4: Secure Delete Allison Henderson
2011-06-30 21:22 ` [PATCH 1/2 v3] EXT4: Secure Delete: Zero out file data Allison Henderson
2011-06-30 22:15 ` Andreas Dilger
2011-07-01 0:54 ` Allison Henderson
2011-07-01 1:18 ` Martin K. Petersen
2011-07-01 1:41 ` Allison Henderson
2011-07-01 10:26 ` Lukas Czerner
2011-07-01 16:21 ` Allison Henderson
2011-07-02 9:33 ` Amir Goldstein
2011-07-03 7:00 ` Andreas Dilger
2011-07-03 7:37 ` Amir Goldstein
2011-07-04 17:19 ` Allison Henderson
2011-07-04 17:44 ` Amir Goldstein
2011-07-04 18:19 ` Andreas Dilger
2011-07-04 19:09 ` Allison Henderson
2011-07-06 21:05 ` Allison Henderson
2011-07-07 7:05 ` Amir Goldstein
2011-07-07 19:52 ` Andreas Dilger
2011-07-07 20:19 ` Allison Henderson
2011-07-08 0:09 ` Amir Goldstein
2011-07-08 1:55 ` Allison Henderson
2011-07-08 6:29 ` Amir Goldstein
2011-07-08 20:43 ` Allison Henderson
2011-07-10 23:13 ` Ted Ts'o
2011-07-11 10:01 ` Amir Goldstein [this message]
2011-07-08 2:46 ` Andreas Dilger
2011-07-08 5:46 ` Ric Wheeler
2011-07-08 6:11 ` Amir Goldstein
2011-07-08 18:20 ` Mingming Cao
2011-07-08 23:49 ` Andreas Dilger
2011-07-10 8:19 ` Ric Wheeler
2011-07-10 23:33 ` Ted Ts'o
2011-07-11 6:42 ` Ric Wheeler
2011-07-11 8:20 ` Lukas Czerner
2011-07-11 14:24 ` Allison Henderson
2011-06-30 21:22 ` [PATCH 2/2 v3] EXT4: Secure Delete: Zero out files directory entry Allison Henderson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAOQ4uxix-F51=w9Det-Oh=06ZkK9XHUbnQcM79HcrKZyKrw=zA@mail.gmail.com' \
--to=amir73il@gmail.com \
--cc=achender@linux.vnet.ibm.com \
--cc=adilger@dilger.ca \
--cc=linux-ext4@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.