On Apr 5, 2005, at 6:55 PM, Robert Watson wrote:

>> There are two ways that a filesystem correctly could handle a R/O
>> media:
>>
>> 1. Fail with EROFS unless asked [to be?] mounted read-only
>>
>> 2. Silently downgrade the mount to read-only.
>>
>> I personally prefer the first because that way a script does not have
>> to check if it got the mount it wanted or not.
>
> In general, I agree, but this will de-POLA the following command:
>
> mount -t cd9660 /dev/acd0 /cdrom
>
> I wonder if a useful middle ground is to adopt (1) above except in the
> case of perennially read-only file systems (cd9660), in which case (2)
> is adopted?

If a process tries to mount read-only media read/write, the attempt should fail with EROFS. However, what would happen if the mount command (or mount command family) opened filesystems read-only by default, unless otherwise specified? /etc/fstab contains "rw", so people trying to mount / and any other filesystems seen there would retain the previous behavior, regardless.

Perhaps the system could try to upgrade a mount from read-only to read-write if and when a process wants to write to that filesystem -- IFF read-write access is possible and permitted, AND the mount was not explicitly mounted read-only.

I won't claim this change helps POLA, although there do seem to be some cases where it might (i.e., the example above); however, it follows the "principle of least privilege"....

--
-Chuck

Received on Tue Apr 05 2005 - 21:48:45 UTC
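The point made in the quoted exchange is that under option (2), silently downgrading to read-only, a script cannot trust that it got the mount it asked for and has to check afterwards. The following shell snippet is an added example, not code from the thread or from FreeBSD; it shows what such a check looks like. It parses mount(8)-style output of the form `device on /mountpoint (fstype, opt, ...)`, which is assumed to be the format the script sees, and decides whether a mount point is read-only before a script writes to it. The mount table used here is a constructed sample so the check runs offline; `mount_flags`, `is_readonly` and `require_rw` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample of FreeBSD-style mount(8) output (not from a real
# system), so the functions below can be exercised without mounting anything.
SAMPLE_MOUNT_OUTPUT='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
devfs on /dev (devfs, local)
/dev/acd0 on /cdrom (cd9660, local, read-only)
/dev/da0s1 on /mnt/usb (msdosfs, local)'

# mount_flags MOUNTPOINT [OUTPUT]
# Print the parenthesised option list for MOUNTPOINT, taken from OUTPUT
# (or from a live `mount` if OUTPUT is omitted). Exit 1 if not mounted.
mount_flags() {
    mp=$1
    out=${2:-$(mount)}
    printf '%s\n' "$out" | awk -v mp="$mp" '
        $2 == "on" && $3 == mp {
            s = $0
            sub(/^[^(]*\(/, "", s)   # drop everything up to the opening "("
            sub(/\)$/, "", s)        # drop the closing ")"
            print s
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# is_readonly MOUNTPOINT [OUTPUT]
# Exit 0 if mounted read-only, 1 if read/write, 2 if not mounted at all.
is_readonly() {
    flags=$(mount_flags "$1" "$2") || return 2
    # Normalise "a, b, c" to ",a,b,c," so a whole-token match is easy.
    norm=",$(printf '%s' "$flags" | tr -d ' '),"
    case $norm in
        *,read-only,*) return 0 ;;
        *)             return 1 ;;
    esac
}

# require_rw MOUNTPOINT [OUTPUT]
# What a script wants from option (1): refuse to proceed unless the mount
# it got is really read/write. Exit 0 if OK, 1 if read-only, 2 if absent.
require_rw() {
    rc=0
    is_readonly "$1" "$2" || rc=$?
    case $rc in
        0) echo "$1 is mounted read-only; refusing to write" >&2; return 1 ;;
        1) return 0 ;;
        *) echo "$1 is not mounted" >&2; return 2 ;;
    esac
}

# Stand-alone demonstration against the constructed table.
if [ "${1:-}" = "demo" ]; then
    for mp in / /cdrom /mnt/usb /nope; do
        if require_rw "$mp" "$SAMPLE_MOUNT_OUTPUT"; then
            echo "$mp: writable"
        fi
    done
fi
```

Call `require_rw /cdrom` with no second argument to check the live system; the sample table is only there to make the functions testable. Under the "downgrade silently" policy this check is the price a script pays; under the "fail with EROFS" policy the mount command's own exit status carries the same information.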