From: Nikolay Borisov <nborisov@suse.com>
To: kreijack@inwind.it, "Misono, Tomohiro" <misono.tomohiro@jp.fujitsu.com>, linux-btrfs <linux-btrfs@vger.kernel.org>
Subject: Re: [PATCH] btrfs: Allow non-privileged user to delete empty subvolume by default
Date: Wed, 21 Mar 2018 09:46:51 +0200
Message-ID: <c4fc8c1f-32cf-06e5-f8fa-ca5574aca347@suse.com>
In-Reply-To: <f00fe679-5c18-27db-a921-b303405968bc@libero.it>



On 20.03.2018 22:06, Goffredo Baroncelli wrote:
> On 03/20/2018 07:45 AM, Misono, Tomohiro wrote:
>> Deletion of a subvolume by a non-privileged user is completely restricted
>> by default, because we can delete a subvolume even if it is not empty,
>> which may cause data loss. In other words, when the user_subvol_rm_allowed
>> mount option is used, a user can delete a subvolume containing a
>> directory which could not be deleted directly by the user.
>>
>> However, there should be no harm in allowing users to delete empty subvolumes
>> when rmdir(2) would have been allowed if they were normal directories.
>> This patch allows deletion of empty subvolumes by default.
> 
> Instead of modifying the ioctl, what about allowing rmdir(2) to work for an _empty_ subvolume (when all the permission checks are satisfied)?

I'm inclined to agree with Goffredo. The user_subvol_rm_allowed flag really
looks like a hack on top of the ioctl. I'd rather we modify the generic
behavior.

> 
> 
> 
>>
>> Note that the user_subvol_rm_allowed option requires write+exec permission
>> on the subvolume to be deleted, but these are not required for an empty
>> subvolume.
>>
>> The comment in the code is also updated accordingly.
>>
>> Signed-off-by: Tomohiro Misono <misono.tomohiro@jp.fujitsu.com>
>> ---
>>  fs/btrfs/ioctl.c | 55 +++++++++++++++++++++++++++++++------------------------
>>  1 file changed, 31 insertions(+), 24 deletions(-)
>>
>> diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
>> index 111ee282b777..838406a7a7f5 100644
>> --- a/fs/btrfs/ioctl.c
>> +++ b/fs/btrfs/ioctl.c
>> @@ -2366,36 +2366,43 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file,
>>  	dest = BTRFS_I(inode)->root;
>>  	if (!capable(CAP_SYS_ADMIN)) {
>>  		/*
>> -		 * Regular user.  Only allow this with a special mount
>> -		 * option, when the user has write+exec access to the
>> -		 * subvol root, and when rmdir(2) would have been
>> -		 * allowed.
>> +		 * By default, regular user is only allowed to delete
>> +		 * empty subvols when rmdir(2) would have been allowed
>> +		 * if they were normal directories.
>>  		 *
>> -		 * Note that this is _not_ check that the subvol is
>> -		 * empty or doesn't contain data that we wouldn't
>> +		 * If the mount option 'user_subvol_rm_allowed' is set,
>> +		 * it allows users to delete non-empty subvols when the
>> +		 * user has write+exec access to the subvol root and when
>> +		 * rmdir(2) would have been allowed (except the emptiness
>> +		 * check).
>> +		 *
>> +		 * Note that this option does _not_ check that if the subvol
>> +		 * is empty or doesn't contain data that the user wouldn't
>>  		 * otherwise be able to delete.
>>  		 *
>> -		 * Users who want to delete empty subvols should try
>> -		 * rmdir(2).
>> +		 * Users who want to delete empty subvols created by
>> +		 * snapshot (ino number == 2) can use rmdir(2).
>>  		 */
>> -		err = -EPERM;
>> -		if (!btrfs_test_opt(fs_info, USER_SUBVOL_RM_ALLOWED))
>> -			goto out_dput;
>> +		err = -ENOTEMPTY;
>> +		if (inode->i_size != BTRFS_EMPTY_DIR_SIZE) {
>> +			if (!btrfs_test_opt(fs_info, USER_SUBVOL_RM_ALLOWED))
>> +				goto out_dput;
>>  
>> -		/*
>> -		 * Do not allow deletion if the parent dir is the same
>> -		 * as the dir to be deleted.  That means the ioctl
>> -		 * must be called on the dentry referencing the root
>> -		 * of the subvol, not a random directory contained
>> -		 * within it.
>> -		 */
>> -		err = -EINVAL;
>> -		if (root == dest)
>> -			goto out_dput;
>> +			/*
>> +			 * Do not allow deletion if the parent dir is the same
>> +			 * as the dir to be deleted.  That means the ioctl
>> +			 * must be called on the dentry referencing the root
>> +			 * of the subvol, not a random directory contained
>> +			 * within it.
>> +			 */
>> +			err = -EINVAL;
>> +			if (root == dest)
>> +				goto out_dput;
>>  
>> -		err = inode_permission(inode, MAY_WRITE | MAY_EXEC);
>> -		if (err)
>> -			goto out_dput;
>> +			err = inode_permission(inode, MAY_WRITE | MAY_EXEC);
>> +			if (err)
>> +				goto out_dput;
>> +		}
>>  	}
>>  
>>  	/* check if subvolume may be deleted by a user */
>>
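Review bot: moving `err = -EINVAL; if (root == dest) goto out_dput;` inside the `if (inode->i_size != BTRFS_EMPTY_DIR_SIZE)` branch means an unprivileged caller deleting an empty subvolume no longer gets the "ioctl must be called on the dentry referencing the root of the subvol, not a random directory contained within it" sanity check, and neither the commit message nor the rewritten comment says why that check should depend on emptiness; keep the `root == dest` test outside the inner `if` so it applies to both cases, and move only the `USER_SUBVOL_RM_ALLOWED` test and the `inode_permission(inode, MAY_WRITE | MAY_EXEC)` call into the non-empty branch. Two smaller points: because `err = -ENOTEMPTY` is now set before the mount-option test, a non-empty subvolume on a filesystem mounted without user_subvol_rm_allowed fails with ENOTEMPTY where it previously failed with EPERM, a user-visible error-code change that the commit message should mention; and the new comment sentence "Users who want to delete empty subvols created by snapshot (ino number == 2) can use rmdir(2)" reads as if rmdir(2) were the general route for empty subvolumes, which is the opposite of what the hunk implements, so spell out what "ino number == 2" refers to, preferably by naming the constant rather than a magic number.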
> 
> 
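For reference, the user-space side of what is being discussed, as an added example that is not code from the patch, from the thread or from btrfs-progs: it tries rmdir(2) on the subvolume first and only falls back to BTRFS_IOC_SNAP_DESTROY on the parent directory when rmdir(2) fails with EPERM or ENOTEMPTY, the two errors this example assumes an rmdir(2) of a subvolume root produces. The struct and ioctl number are copied from the UAPI <linux/btrfs.h> so it builds without kernel headers; `remove_subvolume`, `split_path`, `demo_remove_dir` and the rule that maps an ENOTTY or EINVAL ioctl result back to rmdir(2)'s error are this example's own choices.

```c
/*
 * Added example: delete a btrfs subvolume from user space, preferring
 * rmdir(2) and falling back to BTRFS_IOC_SNAP_DESTROY, the ioctl whose
 * unprivileged-user checks the patch above changes.  Not from the patch,
 * the thread or btrfs-progs.
 */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copied from the UAPI <linux/btrfs.h> so this builds without kernel headers. */
#define BTRFS_IOCTL_MAGIC   0x94
#define BTRFS_PATH_NAME_MAX 4087
struct btrfs_ioctl_vol_args {
	int64_t fd;                          /* not used by SNAP_DESTROY */
	char name[BTRFS_PATH_NAME_MAX + 1];  /* leaf name, relative to the fd the ioctl is issued on */
};
#define BTRFS_IOC_SNAP_DESTROY _IOW(BTRFS_IOCTL_MAGIC, 15, struct btrfs_ioctl_vol_args)

/* Split "a/b/c" into parent "a/b" and leaf "c" (example helper; no trailing-slash handling).
 * Returns 0 or -errno. */
static int split_path(const char *path, char *parent, size_t parent_len,
		      char *leaf, size_t leaf_len)
{
	const char *slash = strrchr(path, '/');
	const char *name = slash ? slash + 1 : path;
	size_t plen = slash ? (size_t)(slash - path) : 0;

	if (*name == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
		return -EINVAL;
	if (strlen(name) >= leaf_len || plen >= parent_len)
		return -ENAMETOOLONG;
	if (slash == NULL)
		strcpy(parent, ".");
	else if (plen == 0)
		strcpy(parent, "/");
	else {
		memcpy(parent, path, plen);
		parent[plen] = '\0';
	}
	strcpy(leaf, name);
	return 0;
}

/*
 * Remove the subvolume (or plain directory) at `path`.  Returns 0 or -errno.
 *
 * Order matters for an unprivileged caller:
 *  1. rmdir(2): only the ordinary VFS checks apply (write+exec on the parent,
 *     sticky bit, emptiness).  It removes a plain empty directory, and an
 *     empty subvolume if the running kernel permits that.
 *  2. BTRFS_IOC_SNAP_DESTROY on the parent directory: the route through
 *     btrfs_ioctl_snap_destroy(), i.e. CAP_SYS_ADMIN or the
 *     user_subvol_rm_allowed / empty-subvolume rules discussed in the thread.
 * The fallback runs only for EPERM and ENOTEMPTY, the errors this example
 * assumes rmdir(2) reports for a subvolume root (example's assumption).
 */
int remove_subvolume(const char *path)
{
	if (rmdir(path) == 0)
		return 0;
	int rm_err = errno;
	if (rm_err != EPERM && rm_err != ENOTEMPTY)
		return -rm_err;

	char parent[PATH_MAX], leaf[BTRFS_PATH_NAME_MAX + 1];
	int err = split_path(path, parent, sizeof parent, leaf, sizeof leaf);
	if (err)
		return err;

	struct btrfs_ioctl_vol_args args;
	memset(&args, 0, sizeof args);
	strcpy(args.name, leaf);  /* split_path bounded leaf to sizeof args.name */

	int dirfd = open(parent, O_RDONLY | O_DIRECTORY);
	if (dirfd < 0)
		return -errno;
	int ret = ioctl(dirfd, BTRFS_IOC_SNAP_DESTROY, &args);
	int ioctl_err = errno;
	close(dirfd);
	if (ret == 0)
		return 0;
	/* ENOTTY: parent is not on btrfs; EINVAL: btrfs says the target is not a
	 * subvolume root.  In both cases rmdir(2)'s error describes what the
	 * caller actually hit, so report that one (example's choice). */
	if (ioctl_err == ENOTTY || ioctl_err == EINVAL)
		return -rm_err;
	return -ioctl_err;
}

/* Example helper: build a scratch directory under /tmp, optionally put a file
 * in it, run remove_subvolume() on it and clean up.  Returns that result.
 * Plain directories only, so it exercises the rmdir(2) leg and the fallback
 * mapping, not a real subvolume deletion. */
int demo_remove_dir(int populate)
{
	char top[] = "/tmp/subvol-demo-XXXXXX";
	char target[64], file[64];
	int result;

	if (mkdtemp(top) == NULL)
		return -errno;
	snprintf(target, sizeof target, "%s/victim", top);
	snprintf(file, sizeof file, "%s/data", target);
	if (mkdir(target, 0700) != 0) {
		result = -errno;
		goto out;
	}
	if (populate) {
		int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
		if (fd < 0) {
			result = -errno;
			goto out;
		}
		close(fd);
	}
	result = remove_subvolume(target);
out:
	unlink(file);   /* best-effort cleanup; harmless when absent */
	rmdir(target);
	rmdir(top);
	return result;
}

int main(int argc, char **argv)
{
	if (argc != 2) {
		fprintf(stderr, "usage: %s <subvolume-path>\n", argv[0]);
		return 2;
	}
	int err = remove_subvolume(argv[1]);
	if (err) {
		fprintf(stderr, "%s: %s\n", argv[1], strerror(-err));
		return 1;
	}
	return 0;
}
```

Run it as an unprivileged user against an empty subvolume and a non-empty one on a filesystem mounted with and without user_subvol_rm_allowed to see which leg succeeds and which errno comes back; on a non-btrfs path it degrades to a plain rmdir(2).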


Thread overview: 8+ messages
2018-03-20  6:45 [PATCH] btrfs: Allow non-privileged user to delete empty subvolume by default Misono, Tomohiro
2018-03-20 20:06 ` Goffredo Baroncelli
2018-03-21  7:46   ` Nikolay Borisov [this message]
2018-03-21 11:47     ` Austin S. Hemmelgarn
2018-03-21 20:38       ` Goffredo Baroncelli
2018-03-22 12:15         ` Austin S. Hemmelgarn
2018-03-22 17:38           ` Goffredo Baroncelli
2018-03-23  6:29     ` Misono Tomohiro
