Re: openg

y proposal. honestly that didn't occur to me as even remotely possible, especially given that in most cases the server will be verifying the exact same handle lots of times, rather than needing to verify a large number of different handles simultaneously (in which case there's no

Re: openg and path_to_handle

Matthew Wilcox wrote: On Thu, Dec 14, 2006 at 03:00:41PM -0600, Rob Ross wrote: I don't think that I understand what you're saying here. The openg() call does not perform file open (not that that is necessarily even a first-class FS operation), it simply does the lookup. When we w

Re: openg and path_to_handle

we could likewise survive a server reboot. But this issue of server reboots isn't that critical -- the use case has the handle being reused relatively quickly after the initial openg(), and clients have a clean fallback in the event that the handle is no longer valid -- just use op

Re: openg and path_to_handle

On Thu, Dec 14, 2006 at 03:00:41PM -0600, Rob Ross wrote: > I don't think that I understand what you're saying here. The openg() > call does not perform file open (not that that is necessarily even a > first-class FS operation), it simply does the lookup. > > When w

Re: openg and path_to_handle

This has been > around for years and it does _exactly_ what these proposed syscalls > are supposed to do (and more). > > See: > > http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=linux&db=man&fname=/usr/share/catman/man3/open_by_handle.3.html&srch=open_by_handle

Re: openg and path_to_handle

On Wed, Dec 06, 2006 at 03:09:10PM -0700, Andreas Dilger wrote: > > While it could do that, I'd be interested to see how you'd construct > > the handle such that it's immune to a malicious user tampering with it, > > or saving it across a reboot, or constructing one from scratch. > > If the server

Re: openg

On Wed, Dec 06, 2006 at 09:42:47AM -0600, Rob Ross wrote: > The fh_t is indeed a type of capability. fh_t, properly protected, could > be passed into user space and validated by the file system when > presented back to the file system. Well, there's quite a lot of papers on how to implement prop

Re: openg and path_to_handle

y still be the case that that community is not important enough to >>> justify the addition of system calls; that's obviously not my call to make! >> I have the feeling that openg stuff is rushed without looking into all >> solutions, that don't require changes to the cu

Re: openg and path_to_handle

, unless it is in the disks themselves), the risk of passing a > > file handle around is pretty minimal. > > That's either disingenuous, or missing the point. OCFS/GFS allow the > kernel direct access to the block device. openg()&sutoc() are about > passing around file

Re: openg and path_to_handle

andle around is pretty minimal. That's either disingenuous, or missing the point. OCFS/GFS allow the kernel direct access to the block device. openg()&sutoc() are about passing around file handles to untrusted users. - To unsubscribe from this list: send the line "unsubscribe linux

Re: openg and path_to_handle

On Dec 06, 2006 13:50 -0700, Matthew Wilcox wrote: > On Thu, Dec 07, 2006 at 07:40:05AM +1100, David Chinner wrote: > > This is an implementation detail - it is possible that file handle, > > being opaque, could encode a UID/GID of the user that constructed > > the handle and then allow any proces

Re: openg and path_to_handle

On Wed, Dec 06, 2006 at 01:50:24PM -0700, Matthew Wilcox wrote: > On Thu, Dec 07, 2006 at 07:40:05AM +1100, David Chinner wrote: > > Permission checks are done on the path_to_handle(), so in reality > > only root or CAP_SYS_ADMIN users can currently use the > > open_by_handle interface because of t

Re: openg and path_to_handle

gt; >>>years and it does _exactly_ what these proposed syscalls are supposed to > >>>do > >>>(and more). > >>Thanks for pointing these out Dave. These are indeed along the same lines > >>as > >>the openg()/openfh() approach. > >&

Re: openg and path_to_handle

the addition of system calls; that's obviously not my call to make! I have the feeling that openg stuff is rushed without looking into all solutions, that don't require changes to the current interface. I also get the feeling that interfaces that already do this open-by-handle stuff haven

Re: openg and path_to_handle

for years and it does _exactly_ what these proposed syscalls > >>>are supposed to do (and more). > >>Thanks for pointing these out Dave. These are indeed along the same > >>lines as the openg()/openfh() approach. > >> > >>One difference is that they appea

Re: openg and path_to_handle

On Thu, Dec 07, 2006 at 07:40:05AM +1100, David Chinner wrote: > Permission checks are done on the path_to_handle(), so in reality > only root or CAP_SYS_ADMIN users can currently use the > open_by_handle interface because of this lack of checking. Given > that our current users of this interface n

Re: openg and path_to_handle

people. Of course it may still > >>>be the case that that community is not important enough to justify the > >>>addition of system calls; that's obviously not my call to make! > >>I have the feeling that openg stuff is rushed without looking into all >

Re: openg and path_to_handle

Dave. These are indeed along the same lines as the openg()/openfh() approach. One difference is that they appear to perform permission checking on the open_by_handle(), which means that the entire path needs to be encoded in the handle, and makes it difficult to eliminate the path traversal

Re: openg and path_to_handle

for pointing these out Dave. These are indeed along the same > lines as the openg()/openfh() approach. > > One difference is that they appear to perform permission checking on the > open_by_handle(), which means that the entire path needs to be encoded > in the handle, and makes it

openg and path_to_handle

er, in this case we're talking about an entire *community* of people (high-end computing), not just one or two people. Of course it may still be the case that that community is not important enough to justify the addition of system calls; that's obviously not my call to make! I have t

Re: openg

Christoph Hellwig wrote: On Tue, Dec 05, 2006 at 03:44:31PM -0600, Rob Ross wrote: The openg() really just does the lookup and permission checking). The openfh() creates the file descriptor and starts that context if the particular FS tracks that sort of thing. ... Well you've caught

Re: openg

On Wed, 2006-12-06 at 11:01 +, Christoph Hellwig wrote: > Say you want to lookup a path /foo/bar/baz, then the access permission > is based on the following things: > > - the credentials of the user. let's only take traditional uid/gid >for this example although credentials are much more

openg

On Tue, Dec 05, 2006 at 03:44:31PM -0600, Rob Ross wrote: > The openg() really just does the lookup and permission checking). The > openfh() creates the file descriptor and starts that context if the > particular FS tracks that sort of thing. ... > Well you've caught me. I do