From: Chris Murphy <lists@colorremedies.com>
To: "misono.tomohiro@fujitsu.com" <misono.tomohiro@fujitsu.com>
Cc: Chris Murphy <lists@colorremedies.com>,
Btrfs BTRFS <linux-btrfs@vger.kernel.org>
Subject: Re: user_subvol_rm_allowed vs rmdir_subvol
Date: Tue, 10 Sep 2019 10:32:45 -0600 [thread overview]
Message-ID: <CAJCQCtQZBdXcLdgF9yShz=7iT9E2krC=U8MrcPYkW7g=CeB2Hg@mail.gmail.com> (raw)
In-Reply-To: <OSBPR01MB3367B6E4521888148EB778BFE5B60@OSBPR01MB3367.jpnprd01.prod.outlook.com>
Super. Thanks for the reply!
On Tue, Sep 10, 2019 at 3:29 AM misono.tomohiro@fujitsu.com
<misono.tomohiro@fujitsu.com> wrote:
>
> Hello,
>
> (It seems that you already have answers but anyway...)
>
> > Came across this podman issue yesterday
> > https://github.com/containers/libpod/issues/3963
> >
> >
> > Question 1: For unprivileged use case, is it intentional that the user creates a subvolume/snapshot using 'btrfs sub
> > create' and that the user delete it with 'rm -rf' ?
>
> Yes. The problem with "btrfs sub delete" is that the permission check is only performed to the top directory(subvolume).
> Terefore unless user_subvol_rm_allowed mount option is used, "bttrfs sub delete" command is restricted for unprivileged user.
>
> >
> > And is the consequence of this performance? Because I see rm -rf must individually remove all files and dirs from the
> > subvolume first, before rmdir() is called to remove the subvolume. Where as 'btrfs sub del' calls BTRFS_IOC_SNAP_DESTROY
> > ioctl which is pretty much immediate, with cleanup happening in the background.
>
> Yes.
>
> >
> >
> > Question 2:
> >
> > As it relates to the podman issue, what do Btrfs developers recommend?
> > If kernel > 4.18, and if unprivileged, then use 'rm -rf' to delete subvolumes? Otherwise use 'btrfs sub del' with root
> > privilege?
>
> - "btrfs sub delete" if mounted with subvol_rm_allowed
> - "rm -r" if not mounted with subvol_rm_allowed
>
> > Question 3:
> > man 5 btrfs has a confusing note for user_subvol_rm_allowed mount option:
> >
> > Note
> > historically, any user could create a snapshot even if he was not owner of the source subvolume, the
> > subvolume deletion has been restricted
> > for that reason. The subvolume creation has been restricted but this mount option is still required.
> > This is a usability issue.
> >
> > 2nd sentence "subvolume creation has been restricted" I can't parse that. Is it an error, or can it be worded differently?
>
> You cannot create a snapshot of a subvolume which is owned by other user now (apparently old btrfs allowed this).
>
> In summary, subvolume deletion by unprivileged user is restricted by default because:
> 1. a user could create a snapshot which was not owned by the user in old btrfs.
> 2. BTRFS_IOC_SNAP_DESTROY ioctl only performs permission check to the top directory.
>
> I think 1 is not a problem anymore, byt 2 still remains.
>
> Thanks.
--
Chris Murphy
prev parent reply other threads:[~2019-09-10 16:33 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-08 17:58 user_subvol_rm_allowed vs rmdir_subvol Chris Murphy
2019-09-10 9:28 ` misono.tomohiro
2019-09-10 16:32 ` Chris Murphy [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAJCQCtQZBdXcLdgF9yShz=7iT9E2krC=U8MrcPYkW7g=CeB2Hg@mail.gmail.com' \
--to=lists@colorremedies.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=misono.tomohiro@fujitsu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).