"secure" file flag?

[Dag-ErlingSmørgrav]

Pawel Jakub Dawidek <nick at garage.freebsd.pl> writes:
> I'm aware of this, but what we want to think over here is something like
> in-kernel 'rm -P'. So file will be overwriten even if it is opened
> and/or link count is grater than 0.

That is not acceptable.  First of all, it breaks a lot of assumptions
in the filesystem code.  Second, it is incompatible with the common
technique of unlinking a temporary file immediately after opening it
to avoid having it stick around if the process that created it dies
prematurely.  Your proposed change would thus reduce security rather
than enhance it.

Besides, overwriting the contents of a file when it is removed from
the file system is not enough.  You also need to overwrite every block
or fragment which is released any time the file shrinks.

Fortunately, ufs always truncates a file to length 0 when it is
removed, so you only need to modify ffs_truncate() to implement both
aspects (truncation and removal).  You should also take care to
overwrite the file's extended attributes if it has any.

Finally, I think a filesystem flag is much better for this purpose
than a file flag; and in either case, file removal and truncation
performance will be awful.

DES
-- 
Dag-Erling Smørgrav - des at des.no