MSDOS Filesystem question related to "read-only" files

Bruce Evans brde at optusnet.com.au
Tue Nov 21 11:05:46 UTC 2017


On Mon, 20 Nov 2017, Karl Denninger wrote:

> I'm running into an interesting issue here and wondering if there's a
> way to do this under FreeBSD.
>
> MSDOS filesystems have a "primitive" permission capability;
> specifically, they can have a "Read-only" attribute on a file.  It looks
> like OpenBSD supports this from reading their man pages.

FreeBSD used to support this as a permissions bit, but was changed to support
it as only an attribute (except for a buggy write-only effect on permissions).
See r254627 and my reply to the commit mail for r326031.

> FreeBSD doesn't appear to.  When you mount a msdos filesystem (e.g. a
> USB stick) whoever owns the parent directory where you mount it gives
> you the permissions and "ownership" of files on said filesystem.  All
> good so far. 

r254627 changed it to do this.  This is too simple.

> But attempting to chmod a file to remove write permission
> "succeeds" (returns success) but does nothing.

It actually changes the attribute to ATTR_READONLY, but this is write only
in current versions of FreeBSD.  The change becomes active on reboot to some
other OS's (including FreeBSD before r254627).

r326031 unimproves this by reporting in struct stat that the file is
read-only although it is still writeable.

> Is this capability simply not present on FreeBSD?  I'm interested in
> using it as a means of "flagging" files on a USB stick in an application
> that I do not want to remove if the stick fills (basically, to "protect"
> them from being aged off) and it appears there's no way to do it, other
> than to use something unique in the filename that I would then have to
> pay attention to.

Immutable or nounlink flags would work better for this, but are unavailable
for msdosfs.

To prevent removal by rm -rf, there is nothing better than making the
readonly attribute affect the permissions again, but a special application
can handle this better by checking the attributes directly (the available
ones depend on the file systems).

Note that ordinary permissions don't affect root, so you have to be careful
with rm -rf anyway.  Perhaps the readonly attribute should be handled as
an immutable flag.  msdosfs also has a SYSTEM attribute which is even
closer to immutability.  MSDOS and Windows use HIDDEN | READONLY | SYSTEM
for files that they don't want anyone to know about -- these are sort of
immutable.  But the SYSTEM attribute is currently treated even more simply
than READONLY.  It is purely write-only in the kernel, except applications
can read it to use it for anything.  It is used mainly by cp(1) to preserve
it.

You could put ffs on the USB stick and use its UF_READONLY as a hint.  It
doesn't affect permissions in ffs, so it doesn't prevent rm -rf, just like
in msdosfs, but an application with special handling of it would work the
same for both.  ffs just doesn't need this because it has immutable flags
that work better.

Bruce
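
Added example, not part of the original message and not FreeBSD's own code: an age-off selector of the kind the reply suggests, which checks the UF_READONLY file flag directly instead of relying on permissions. The `entry` struct and the function names are hypothetical; the fallback UF_READONLY value is the one in FreeBSD's <sys/stat.h>, and st_flags is read only when built on FreeBSD.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>

#ifndef UF_READONLY                 /* building on a system without BSD file flags */
#define UF_READONLY 0x00001000      /* value from FreeBSD <sys/stat.h> */
#endif

struct entry {                      /* hypothetical record kept by the application */
    const char   *path;
    time_t        mtime;
    off_t         size;
    unsigned long flags;            /* st_flags as returned by stat(2) */
    int           victim;           /* set by select_victims() */
};

/* Fill one entry from stat(2). Returns 0 on success, -1 on error. */
int load_entry(struct entry *e, const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    e->path = path; e->mtime = st.st_mtime; e->size = st.st_size; e->victim = 0;
#ifdef __FreeBSD__
    e->flags = st.st_flags;         /* attribute bits (UF_*) */
#else
    e->flags = 0;                   /* no st_flags: nothing is treated as protected */
#endif
    return 0;
}

static int by_age(const void *a, const void *b)
{
    const struct entry *x = a, *y = b;
    return (x->mtime > y->mtime) - (x->mtime < y->mtime);
}

/* Mark oldest unflagged entries until `need` bytes are covered; returns bytes freed. */
off_t select_victims(struct entry *v, size_t n, off_t need)
{
    off_t freed = 0;
    qsort(v, n, sizeof(*v), by_age);
    for (size_t i = 0; i < n && freed < need; i++) {
        if (v[i].flags & UF_READONLY)
            continue;               /* keep hint set: never aged off */
        v[i].victim = 1;
        freed += v[i].size;
    }
    return freed;
}
```

The return value can be smaller than `need` when too many files carry the flag, so the caller should treat that as "stick full of protected files" rather than retrying.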

