Panic on mount with write-locked USB media (umass)
Charles Swiger
cswiger at mac.com
Tue Apr 5 16:48:45 PDT 2005
On Apr 5, 2005, at 6:55 PM, Robert Watson wrote:
>> There are two ways that a filesystem correctly could handle a R/O
>> media:
>>
>> 1. Fail with EROFS unless asked [to be?] mounted read-only
>>
>> 2. Silently downgrade the mount to read-only.
>>
>> I personally prefer the first because that way a script does not have
>> to check if it got the mount it wanted or not.
>
> In general, I agree, but this will de-POLA the following command:
>
> mount -t cd9660 /dev/acd0 /cdrom
>
> I wonder if a useful middle ground is to adopt (1) above except in the
> case of perennially read-only file systems (cd9660), in which case (2)
> is adopted?
If a process tries to mount a read-only media read/write, the attempt
should fail with EROFS.
However, what would happen if the mount command (or mount command
family) opened filesystems read-only by default, unless otherwise
specified? /etc/fstab contains "rw", so people trying to mount / and
any other filesystems seen there would retain the previous behavior,
regardless.
Perhaps the system could try to upgrade a mount from read-only to
read-write if and when a process wants to write to that filesystem--
IFF read-write access is possible and permitted, AND the mount was not
explicitly mounted read-only.
I won't claim this change helps POLA, although there do seem to be some
cases where it might (i.e., the example above); however, it follows the
"principle of least privilege"....
--
-Chuck
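An added example, not part of this thread or of FreeBSD's own code: the check that policy (2) forces on every script (did I get the read-write mount I asked for?), written as a small sh wrapper, together with the explicit fallback to a read-only mount that policy (1) would produce. It assumes FreeBSD mount(8)'s -r, -w and -t flags and its "<dev> on <mountpoint> (<fstype>, flags...)" output format, in which a read-only mount carries the word "read-only"; the sample mount table at the bottom is constructed, not captured from a real system. The mount calls themselves need root; the table parsing runs without it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes FreeBSD mount(8): the
# -r/-w/-t flags and the "<dev> on <mountpoint> (<fstype>, flags...)"
# output format, including the "read-only" flag word.

# table_mode TABLE MNT: TABLE is mount(8) output, one mount per line.
# Prints "ro" if MNT is mounted read-only, "rw" if read-write, "none" if
# MNT is absent. This is the check policy (2) forces on every script.
table_mode() {
    printf '%s\n' "$1" | awk -v mnt="$2" '
        # The mountpoint sits between " on " and the flag list " (...)".
        match($0, / on .* \(/) {
            mp    = substr($0, RSTART + 4, RLENGTH - 6)
            flags = substr($0, RSTART + RLENGTH - 1)
            if (mp == mnt) {
                print (index(flags, "read-only") ? "ro" : "rw")
                found = 1
                exit
            }
        }
        END { if (!found) print "none" }'
}

# mountpoint_mode MNT: the same check against the live mount table.
mountpoint_mode() {
    table_mode "$(mount)" "$1"
}

# mount_writable DEV MNT FSTYPE: ask for read-write explicitly, as policy (1)
# wants. If the kernel refuses (EROFS on write-locked media), retry with an
# explicit -r. If it "succeeds", do not trust it: a policy-(2) kernel may
# have downgraded the mount silently, so verify in the mount table.
# Exit status: 0 = read-write, 1 = read-only, 2 = not mounted at all.
mount_writable() {
    dev=$1; mnt=$2; fstype=$3
    if mount -w -t "$fstype" "$dev" "$mnt" 2>/dev/null; then
        case "$(mountpoint_mode "$mnt")" in
            rw) echo "$mnt: mounted read-write"; return 0 ;;
            ro) echo "$mnt: asked for read-write, got read-only" >&2; return 1 ;;
            *)  echo "$mnt: missing from mount table after mount" >&2; return 2 ;;
        esac
    fi
    echo "$mnt: read-write mount refused, retrying read-only" >&2
    if mount -r -t "$fstype" "$dev" "$mnt"; then
        echo "$mnt: mounted read-only"
        return 1
    fi
    return 2
}

# Constructed sample of mount(8) output (not captured from a real system),
# with a CD and a write-locked USB stick (umass -> da0) mounted read-only.
SAMPLE_TABLE='/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/cd0 on /cdrom (cd9660, local, read-only)
/dev/da0s1 on /mnt/usb (msdosfs, local, read-only)'

# Usage: sh mount_writable.sh /dev/da0s1 /mnt/usb msdosfs
if [ $# -eq 3 ]; then
    mount_writable "$1" "$2" "$3"
fi
```

The exit status is the whole point: a caller that needs to write checks for 0 and otherwise unmounts or gives up, instead of discovering the downgrade later when its first write fails with EROFS.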