From owner-svn-src-projects@freebsd.org Tue May 7 17:28:08 2019 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C87B6158E451 for ; Tue, 7 May 2019 17:28:08 +0000 (UTC) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: from gndrsh.dnsmgr.net (br1.CN84in.dnsmgr.net [69.59.192.140]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3ED216C0DA; Tue, 7 May 2019 17:28:07 +0000 (UTC) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: from gndrsh.dnsmgr.net (localhost [127.0.0.1]) by gndrsh.dnsmgr.net (8.13.3/8.13.3) with ESMTP id x47HS4nG012590; Tue, 7 May 2019 10:28:04 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net) Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.13.3/8.13.3/Submit) id x47HS4Bc012589; Tue, 7 May 2019 10:28:04 -0700 (PDT) (envelope-from freebsd) From: "Rodney W. Grimes" Message-Id: <201905071728.x47HS4Bc012589@gndrsh.dnsmgr.net> Subject: Re: svn commit: r347217 - in projects/fuse2: sys/fs/fuse tests/sys/fs/fusefs In-Reply-To: To: Alan Somers Date: Tue, 7 May 2019 10:28:04 -0700 (PDT) CC: Bruce Evans , src-committers , svn-src-projects@freebsd.org Reply-To: rgrimes@freebsd.org X-Mailer: ELM [version 2.4ME+ PL121h (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII X-Rspamd-Queue-Id: 3ED216C0DA X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-6.96 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[]; NEURAL_HAM_SHORT(-0.96)[-0.960,0] X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 May 2019 17:28:09 -0000 > On Tue, May 7, 2019 at 8:18 AM Bruce Evans wrote: > > > > On Tue, 7 May 2019, Alan Somers wrote: > > > > > Log: > > > fusefs: allow the null chown and null chgrp > > > > > > Even an unprivileged user should be able to chown a file to its current > > > owner, or chgrp it to its current group. Those are no-ops. > > > > ffs allows this too, but POSIX seems to require appropriate privilege > > even for null changes. Its DESCRIPTION section says "Changing the > > user ID is restricted to processes with appropriate privileges." It > > doesn't formally define "Changing", so this can be read as not > > restricting null changes. However, its ERRORS section says that chown() > > shall fail with errno [EPERM] if the euid doesn't match the owner of > > the file or the calling process doesn't have appropriate privilege > > (note: nothing about the null change where only the new and old owners > > of the file match). > > Yeah, I was trying to satisfy pjdfstest, which expects the behavior of > UFS. Do you think we should disallow the null change? If so we > should do it for all file systems, not just fusefs. That was my first reaction when I read the commit, this seems to complicate the code just to satisfy a test, and that is usually not a tangible improvment. > > Most other attribute-setting syscalls don't allow null changes without > > appropriate privilege. E.g., in ffs: > > - chflags() requires VADMIN privilege > > - truncate() requires write privilege (this seems to be only checked for > > at the vfs level, where the nullness of a truncation is not easy to > > determine) > > - utimes() and friends require VDMIN privilege or write privilege to set > > the current time (with the same layering as for truncate(), so is hard > > to change) > > But utimensat allows the null change without privileges, because it > has an explicit way to specify the null change: UTIME_OMIT. > > > - chmod() requires VDMIN privilege according to the comment, but VWRITE_ACL > > privilege according to the code. > > > > Ownership and other attributes are also hard to handle for file systems > > that don't support them. I only care about this for msdosfs. msdosfs > > has fake file ids, but can have only 1 uid per file amd this often doesn't > > match the euid, and even root can't change it. File ids are also used > > for VADMIN checks, so tend to cause failures to set even unimportant > > attributes like file times when the setting is possible. But some > > impossible settings are silently ignored or silently adjusted to possible > > settings. E.g., for file times, most successful settings lose precision. > > > > Ownership and other attributes are even harder to handle for file systems > > that have more of them than vfs supports. Even for msdosfs, many attributes > > were not reflected in file flags until a few years ago, and file times for > > directories are still broken (by reading and writing the times to the wrong > > alias -- the "." entry -- in msdosfs. Only msdosfs finds times there, and > > msdosfs doesn't find times from the correct alias). ACLs are too complicated > > for me, even without the problem of translating them. > > > > fuse has the larger problem of having to implement identical mishandling > > of attributes for all file systems that it supports. > > > > Bruce > > -- Rod Grimes rgrimes@freebsd.org