Re: Panic on mount with write-locked USB media (umass)

From: Charles Swiger <cswiger_at_mac.com>
Date: Tue, 5 Apr 2005 19:48:42 -0400
On Apr 5, 2005, at 6:55 PM, Robert Watson wrote:
>> There are two ways that a filesystem correctly could handle a R/O 
>> media:
>>
>> 1.	Fail with EROFS unless asked [to be?] mounted read-only
>>
>> 2.	Silently downgrade the mount to read-only.
>>
>> I personally prefer the first because that way a script does not have 
>> to check if it got the mount it wanted or not.
>
> In general, I agree, but this will de-POLA the following command:
>
>     mount -t cd9660 /dev/acd0 /cdrom
>
> I wonder if a useful middle ground is to adopt (1) above except in the 
> case of perennially read-only file systems (cd9660), in which case (2) 
> is adopted?

If a process tries to mount a read-only media read/write, the attempt 
should fail with EROFS.

However, what would happen if the mount command (or mount command 
family) opened filesystems read-only by default, unless otherwise 
specified?  /etc/fstab contains "rw", so people trying to mount / and 
any other filesystems seen there would retain the previous behavior, 
regardless.

Perhaps the system could try to upgrade a mount from read-only to 
read-write if and when a process wants to write to that filesystem-- 
IFF read-write access is possible and permitted, AND the mount was not 
explicitly mounted read-only.

I won't claim this change helps POLA, although there do seem to be some 
cases where it might (i.e., the example above); however, it follows the 
"principle of least privilege"....

-- 
-Chuck
Received on Tue Apr 05 2005 - 21:48:45 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:31 UTC
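The practical consequence of option (2) in the thread above is that mount(8) exits 0 even when the kernel quietly gave the script a read-only mount, so a script that needs read/write access has to check for itself. The following is an added example, not code from the thread or from FreeBSD: a small sh helper that inspects mount(8) output for a given mount point and reports whether it is mounted read-only, plus a wrapper that enforces behaviour (1) at the script level. It assumes the FreeBSD mount(8) output format (`/dev/da0s1 on /mnt/usb (msdosfs, local, read-only)`); the function names, the sample mount table and the device paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread or FreeBSD):
# verify that a mount we asked for read/write did not come back read-only.
# Assumes FreeBSD mount(8) output lines of the form
#   DEVICE on MOUNTPOINT (fstype, opt, opt, ...)
# where a read-only mount carries the "read-only" option.

# Constructed sample output of `mount`, standing in for the live command.
SAMPLE_MOUNT_OUTPUT='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
devfs on /dev (devfs)
/dev/da0s1 on /mnt/usb (msdosfs, local, read-only)
/dev/cd0 on /cdrom (cd9660, local, read-only)
/dev/da1s1 on /mnt/rw (msdosfs, local)'

# mount_is_readonly MOUNTPOINT [MOUNT_OUTPUT]
#   Exit status 0: MOUNTPOINT is mounted read-only.
#   Exit status 1: MOUNTPOINT is mounted read/write.
#   Exit status 2: MOUNTPOINT is not in the mount table.
#   MOUNT_OUTPUT defaults to the output of the live mount(8) command;
#   passing it explicitly makes the function testable offline.
#   Limitation: mount points containing whitespace are not handled,
#   since the mount table is split on whitespace.
mount_is_readonly() {
    mp=$1
    out=${2:-$(mount)}
    # Third whitespace-separated field is the mount point; take the
    # first matching line only.
    line=$(printf '%s\n' "$out" | awk -v mp="$mp" '$3 == mp { print; exit }')
    [ -n "$line" ] || return 2
    # Keep only the parenthesised option list, e.g. "msdosfs, local, read-only".
    opts=${line#*\(}
    opts=${opts%\)}
    case ",$opts," in
        *", read-only,"*|*",read-only,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_rw_or_fail DEVICE MOUNTPOINT
#   Behaviour (1) from the thread, enforced by the script rather than the
#   kernel: mount, then refuse to proceed (and clean up) if the mount was
#   silently downgraded to read-only. Requires privileges; not run here.
mount_rw_or_fail() {
    dev=$1
    mp=$2
    mount -o rw "$dev" "$mp" || return 1
    if mount_is_readonly "$mp"; then
        echo "$mp: asked for read/write, got read-only; unmounting" >&2
        umount "$mp"
        return 1
    fi
    return 0
}
```

A script that sources this file would call `mount_rw_or_fail /dev/da0s1 /mnt/usb` and treat a non-zero status as "did not get the mount I wanted", which is exactly the check option (2) would otherwise force every caller to remember on its own.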