Re: [Project Quota]file owner could change its project ID?

From: Andreas Dilger <adilger@dilger.ca>
To: "Theodore Y. Ts'o" <tytso@mit.edu>
Cc: "Darrick J. Wong" <darrick.wong@oracle.com>,
	Wang Shilong <wangshilong1991@gmail.com>,
	linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
	Ext4 Developers List <linux-ext4@vger.kernel.org>,
	Li Xi <lixi@ddn.com>, Wang Shilong <wshilong@ddn.com>
Subject: Re: [Project Quota]file owner could change its project ID?
Date: Sun, 20 Oct 2019 14:19:19 -0600	[thread overview]
Message-ID: <6F46FB6C-D1E3-4BB8-B150-B229801EE13B@dilger.ca> (raw)
In-Reply-To: <20191017121251.GB25548@mit.edu>

[-- Attachment #1: Type: text/plain, Size: 2457 bytes --]

On Oct 17, 2019, at 6:12 AM, Theodore Y. Ts'o <tytso@mit.edu> wrote:
> 
> On Wed, Oct 16, 2019 at 06:28:08PM -0600, Andreas Dilger wrote:
>> I don't think that this is really "directory quotas" in the end, since it
>> isn't changing the semantics that the same projid could exist in multiple
>> directory trees.  The real difference is the ability to enforce existing
>> project quota limits for regular users outside of a container.  Basically,
>> it is the same as regular users not being able to change the UID of their
>> files to dump quota to some other user.
>> 
>> So rather than rename this "dirquota", it would be better to have a
>> an option like "projid_enforce" or "projid_restrict", or maybe some
>> more flexibility to allow only users in specific groups to change the
>> projid like "projid_admin=<gid>" so that e.g. "staff" or "admin" groups
>> can still change it (in addition to root) but not regular users.  To
>> restrict it to root only, leave "projid_admin=0" and the default (to
>> keep the same "everyone can change projid" behavior) would be -1?
> 
> I'm not sure how common the need for restsrictive quota enforcement is
> really going to be.  Can someone convince me this is actually going to
> be a common use case?

Project quota (i.e. quota tracking that doesn't automatically also convey
permission to access a file or directory) is one of the most requested
features from our users.  This is useful for e.g. university or industry
research groups with multiple grad students/researchers under a single
principal professor/project that controls the funding.

> We could also solve the problem by adding an LSM hook called when
> there is an attempt to set the project ID, and for people who really
> want this, they can create a stackable LSM which enforces whatever
> behavior they want.

So, rather than add a few-line change that decides whether the user
is allowed to change the projid for a file, we would instead add *more*
lines to add a hook, then have to write and load an LSM that is called
each time?  That seems backward to me.

> If we think this going to be an speciality request, this might be the
> better way to go.

I don't see how this is more "speciality" than regular quota enforcement?
Just like we impose limits on users and groups, it makes sense to impose
a limit on a project, instead of just tracking it and then having to add
extra machinery to impose the limit externally.

Cheers, Andreas

[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 873 bytes --]