On Wed, Dec 03, 2014 at 07:48:43PM +0100, David Sterba wrote:
> On Tue, Dec 02, 2014 at 10:25:55AM -0500, Zygo Blaxell wrote:
> > On Tue, Dec 02, 2014 at 01:52:52PM +0100, David Sterba wrote:
> > > > On a side note...only root can delete subvolumes, but non-root users
> > > > can create them, which results in...this:
> > > > 
> > > >         $ /sbin/btrfs sub create foo
> > > >         Create subvolume './foo'
> > > >         $ date > foo/bar
> > > >         $ /sbin/btrfs sub delete foo
> > > >         Transaction commit: none (default)
> > > >         Delete subvolume '/home/testuser/foo'
> > > >         ERROR: cannot delete '/home/testuser/foo' - Operation not permitted
> > > >         $ rm -rf foo
> > > >         rm: cannot remove `foo': Operation not permitted
> > > >         $ cat /proc/version
> > > >         Linux version 3.17.1-zb64+ (root@buildbot) (gcc version 4.7.2 (Debian 4.7.2-5) ) #1 SMP PREEMPT Tue Oct 21 00:17:49 EDT 2014
> > > > 
> > > > ...uh oh?
> > > 
> > > That's how it works now. I'd like to enable the user to delete their
> > > subvolumes even without the user_subvol_rm_allowed option someday.
> > 
> > That seems...odd.  It should be symmetrical, i.e. if you can create a
> > subvol you should be able to delete it, and if you can't delete a subvol
> > then you shouldn't be able to create them either.
> 
> It should and I don't know the exact reasons why it's been restricted.
> AFAICS it should be safe to enable the user_subvol_rm_allowed mode by
> default.
> 
> > I can imagine
> > quite a bit of havoc could be wrought by an unprivileged user creating
> > subvols indiscriminately (or in various specific, targeted locations).
> 
> Is this different from creating directories the same way?

'rmdir' doesn't know how to delete an empty subvolume, so neither does
'rm -rf', 'rsync --delete', or probably a thousand other independently
developed file-handling admin tools.

        buildbot:~# btrfs sub create /tmp/foo
        Create subvolume '/tmp/foo'
        buildbot:~# rmdir /tmp/foo
        rmdir: failed to remove `/tmp/foo': Operation not permitted

It seems unreasonable to require all the existing admin tools to learn
a new way to delete something that a non-root user can create, when we
could just teach btrfs rmdir to delete subvols instead.

> There is a difference in metadata consumption between subvolume and
> directory, but this would lead to "just" ENOSPC.

There's another subtle havoc-wreaking semantic difference between a
directory and a subvolume:  if a user has an open file on a subvolume,
the file can be deleted, but the subvolume can't:

        buildbot:~# cd /tmp/foo
        buildbot:/tmp/foo# ls -l
        total 0
        buildbot:/tmp/foo# exec 9>file
        buildbot:/tmp/foo# date >&9
        buildbot:/tmp/foo# cat file
        Wed Dec  3 14:40:24 EST 2014
        buildbot:/tmp/foo# rm file
        buildbot:/tmp/foo# cd ..
        buildbot:/tmp# ls foo/
        buildbot:/tmp# btrfs sub del foo
        Transaction commit: none (default)
        Delete subvolume '/tmp/foo'
        ERROR: cannot delete '/tmp/foo' - Device or resource busy

Close the file and subvol del works again:

        buildbot:/tmp# exec 9>&-
        buildbot:/tmp# btrfs sub del foo
        Transaction commit: none (default)
        Delete subvolume '/tmp/foo'
        buildbot:/tmp# ls foo/
        ls: cannot access foo/: No such file or directory

        buildbot:/tmp# cat /proc/version
        Linux version 3.17.2-zb64+ (root@buildbot) (gcc version 4.7.2 (Debian 4.7.2-5) ) #1 SMP PREEMPT Thu Nov 13 21:57:39 EST 2014
