Thomas Fischer ([personal profile] t_fischer) wrote in [community profile] linux4all, 2014-07-23 11:01 pm

Revisited: Filesystem for large USB storage devices?

It has been more than a year since my original posting (‘Filesystem for large USB storage devices?’), but the issue still exists. I did some research on this topic and found the following relevant links:

  • There has been a patch for ext[234] floating around since 2012 that would introduce mount options to enforce UID and GID, similar to how it already exists for vfat mounts. LWN has an article on this topic: http://lwn.net/Articles/497106/
    Here is the discussion LWN is referring to: http://thread.gmane.org/gmane.comp.file-systems.ext4/32276/
    I wonder why nothing more happened here. There were some nay-sayers who seem to have discouraged the original patch author and eventually choked the discussion. Great job, guys :-P

Apart from the discussion referred to by LWN, the usual tips go towards "fix your UID/GID on every machine", "chmod/chown as root before usage", "set full access rights when creating new files through umask or chmod" ... :-(

In reference to Ludwig Nussel's patch (the one referred to by LWN), maybe a patch with the following features would have more success:

  • Instead of being a mount option (either command line or fstab option), it should be a flag in the filesystem that says whether the permissions for newly created files and directories should be "anonymous" or traditional. The flag would be set at filesystem creation or through tune2fs, similarly to how you can enable/disable journaling on ext4 filesystems.
  • Being an "anonymous" filesystem, uid/gid is enforced to be nobody/nogroup for newly created files. I am quite sure that it defaults to uid=65534 and gid=65534 on all Linux systems. Permissions for new files are enforced to be 0666, for new directories 0777. As a consequence (and to give some security), setuid-on-execution or executable files are not possible.
  • If the flag is set on an existing filesystem, it will of course affect only newly created files. If the flag gets disabled, you can still read the files created as nobody/nogroup, but newly created files will honor the traditional rules (i.e. belong to your account).
  • There may be corner cases I have not yet thought of. Special devices (block, char, ...) may or may not be forbidden (open for discussion). Symbolic links should not be a problem.

I guess the "flag" approach would be more acceptable to the critics as it would be a conscious decision at filesystem creation (when I format the USB thumb drive the first time), not a mount-time decision by a misconfigured automounter.

I would assume that a patch implementing above proposal should not be larger than Ludwig Nussel's patch. If size or maintenance is a problem, the patch shall be restricted to ext4 (who uses ext[23] anyway?).
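Added example, not part of the original post and not Ludwig Nussel's patch: until a filesystem flag like the one proposed above exists, the same "anonymous" policy can be applied in userspace to an ext4 thumb drive after mounting it. The script below normalizes an existing tree exactly as the proposal describes (directories 0777, regular files 0666, which also strips setuid/setgid and exec bits; ownership nobody/nogroup), and shows how a umask of 000 makes new files come out as 0666 in the first place. Assumptions: GNU coreutils (`stat -c`, `chown -R`), uid/gid 65534 for nobody/nogroup as the post assumes, root privileges for the chown step (it is skipped otherwise), and the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not code from the original post): userspace stand-in for the
# proposed "anonymous" ext4 flag. Assumes GNU coreutils and that nobody/nogroup
# are uid/gid 65534 (as assumed in the post).

ANON_UID=65534   # assumed: nobody
ANON_GID=65534   # assumed: nogroup

# Normalize one tree the way the proposal would for new files:
# directories 0777, regular files 0666 (drops setuid/setgid/exec),
# ownership nobody/nogroup when running as root. Device nodes and
# symlinks are left alone; the post leaves those open for discussion.
anonymize_tree() {
    root="$1"
    [ -d "$root" ] || return 1
    find "$root" -type d -exec chmod 0777 {} +
    find "$root" -type f -exec chmod 0666 {} +
    if [ "$(id -u)" -eq 0 ]; then
        chown -h -R "$ANON_UID:$ANON_GID" "$root"
    fi
}

# Octal mode of a path, e.g. "666" (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Create a new empty file under umask 000 so it is born 0666 instead of
# being fixed up afterwards; prints the resulting mode.
create_anon_file() {
    ( umask 000 && : > "$1" ) && mode_of "$1"
}

# Demonstration on a constructed tree in a temporary directory:
# a private directory, a setuid script and a private file are all
# brought to the anonymous policy.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/docs"
    printf 'hello\n' > "$tmp/docs/note.txt"
    printf '#!/bin/sh\necho hi\n' > "$tmp/docs/tool.sh"
    chmod 0700 "$tmp/docs"
    chmod 0600 "$tmp/docs/note.txt"
    chmod 4755 "$tmp/docs/tool.sh"      # setuid + exec: must be stripped
    anonymize_tree "$tmp"
    printf 'docs=%s note=%s tool=%s new=%s\n' \
        "$(mode_of "$tmp/docs")" \
        "$(mode_of "$tmp/docs/note.txt")" \
        "$(mode_of "$tmp/docs/tool.sh")" \
        "$(create_anon_file "$tmp/docs/new.txt")"
    rm -rf "$tmp"
}
```

Run `demo` to see the effect on a throwaway tree, or `anonymize_tree /media/usb` as root against a real mount; note that the chown step only runs as root, and that removing the exec bit is what makes the policy safe to apply to a drive that travels between machines.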