On Wed, Dec 03, 2014 at 07:48:43PM +0100, David Sterba wrote:
> On Tue, Dec 02, 2014 at 10:25:55AM -0500, Zygo Blaxell wrote:
> > On Tue, Dec 02, 2014 at 01:52:52PM +0100, David Sterba wrote:
> > > > On a side note...only root can delete subvolumes, but non-root users
> > > > can create them, which results in...this:
> > > >
> > > > $ /sbin/btrfs sub create foo
> > > > Create subvolume './foo'
> > > > $ date > foo/bar
> > > > $ /sbin/btrfs sub delete foo
> > > > Transaction commit: none (default)
> > > > Delete subvolume '/home/testuser/foo'
> > > > ERROR: cannot delete '/home/testuser/foo' - Operation not permitted
> > > > $ rm -rf foo
> > > > rm: cannot remove `foo': Operation not permitted
> > > > $ cat /proc/version
> > > > Linux version 3.17.1-zb64+ (root@buildbot) (gcc version 4.7.2
> > > > (Debian 4.7.2-5) ) #1 SMP PREEMPT Tue Oct 21 00:17:49 EDT 2014
> > > >
> > > > ...uh oh?
> > >
> > > That's how it works now. I'd like to enable the user to delete their
> > > subvolumes even without the user_subvol_rm_allowed option someday.
> >
> > That seems...odd. It should be symmetrical, i.e. if you can create a
> > subvol you should be able to delete it, and if you can't delete a subvol
> > then you shouldn't be able to create them either.
>
> It should and I don't know the exact reasons why it's been restricted.
> AFAICS it should be safe to enable the user_subvol_rm_allowed mode by
> default.
>
> > I can imagine
> > quite a bit of havoc could be wrought by an unprivileged user creating
> > subvols indiscriminately (or in various specific, targeted locations).
>
> Is this different from creating directories the same way?
'rmdir' doesn't know how to delete an empty subvolume, so neither does
'rm -rf', 'rsync --delete', or probably a thousand other independently
developed file-handling admin tools.

    buildbot:~# btrfs sub create /tmp/foo
    Create subvolume '/tmp/foo'
    buildbot:~# rmdir /tmp/foo
    rmdir: failed to remove `/tmp/foo': Operation not permitted

It seems unreasonable to require all the existing admin tools to learn
a new way to delete something that a non-root user can create, when we
could just teach btrfs rmdir to delete subvols instead.

> There is a difference in metadata consumption between subvolume and
> directory, but this would lead to "just" ENOSPC.

There's another subtle havoc-wreaking semantic difference between a
directory and a subvolume: if a user has an open file on a subvolume,
the file can be deleted, but the subvolume can't:

    buildbot:~# cd /tmp/foo
    buildbot:/tmp/foo# ls -l
    total 0
    buildbot:/tmp/foo# exec 9>file
    buildbot:/tmp/foo# date >&9
    buildbot:/tmp/foo# cat file
    Wed Dec  3 14:40:24 EST 2014
    buildbot:/tmp/foo# rm file
    buildbot:/tmp/foo# cd ..
    buildbot:/tmp# ls foo/
    buildbot:/tmp# btrfs sub del foo
    Transaction commit: none (default)
    Delete subvolume '/tmp/foo'
    ERROR: cannot delete '/tmp/foo' - Device or resource busy

Close the file and subvol del works again:

    buildbot:/tmp# exec 9>&-
    buildbot:/tmp# btrfs sub del foo
    Transaction commit: none (default)
    Delete subvolume '/tmp/foo'
    buildbot:/tmp# ls foo/
    ls: cannot access foo/: No such file or directory
    buildbot:/tmp# cat /proc/version
    Linux version 3.17.2-zb64+ (root@buildbot) (gcc version 4.7.2 (Debian 4.7.2-5) ) #1 SMP PREEMPT Thu Nov 13 21:57:39 EST 2014
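As an added example, not code from anyone in this thread: a POSIX sh tree remover that does what the message asks admin tools to learn, deleting subvolumes with 'btrfs subvolume delete' and everything else with rm/rmdir, and refusing up front (instead of failing with EBUSY) when some process still holds a file below the subvolume open. It assumes GNU stat, a mounted /proc, and the btrfs-progs convention that a subvolume root has inode number 256.

```shell
#!/bin/sh
# Added example, not from the thread. A subvolume root is recognised the
# way btrfs-progs does it: filesystem type btrfs and inode number 256.
is_btrfs_subvolume() {
    [ -d "$1" ] || return 1
    [ "$(stat -f -c %T -- "$1" 2>/dev/null)" = "btrfs" ] || return 1
    [ "$(stat -c %i -- "$1" 2>/dev/null)" = "256" ]
}

# Return 0 if any process has a descriptor open on a path below $1.
# Assumption: /proc is mounted; if it is not, answer "busy" to be safe.
has_open_files_below() {
    dir=$(readlink -f -- "$1") || return 0
    [ -d /proc ] || return 0
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink -- "$fd" 2>/dev/null) || continue
        case "$target" in
            "$dir"|"$dir"/*) return 0 ;;
        esac
    done
    return 1
}

# Remove a tree bottom-up so nested subvolumes go before their parents.
# Only "$1" is used inside, so recursion does not clobber state.
remove_tree() {
    if [ -d "$1" ] && [ ! -L "$1" ]; then
        for child in "$1"/* "$1"/.[!.]* "$1"/..?*; do
            [ -e "$child" ] || [ -L "$child" ] || continue
            remove_tree "$child" || return 1
        done
        if is_btrfs_subvolume "$1"; then
            # rmdir gives EPERM here, and an open file below would give EBUSY.
            if has_open_files_below "$1"; then
                echo "remove_tree: $1 is busy (open files)" >&2
                return 1
            fi
            btrfs subvolume delete "$1" >/dev/null
        else
            rmdir -- "$1"
        fi
    else
        rm -f -- "$1"
    fi
}
```

On a non-btrfs filesystem the subvolume branch is never taken, so the function degrades to a plain recursive remove.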