Re: Secure rsync setup, bind-mount ro
> Debian packages... But let me qualify my statement. "Bind mounts are
> just an aliasing mechanism in default kernels as distributed with any
> major distribution I looked at." Satisfied?

Nope, they are not an aliasing mechanism, otherwise it would be impossible
to do the thing you've just seen.

> > because "no one would use that", and "that was linux behaviour for years
> > and no one complained yet".
> The curse of backwards compatibility. Coming from somebody who routinely
> breaks ABIs...

AFAIK no one ever mentioned any problem with backwards compatibility (i.e.,
no one mounts stuff with ,ro and then uses it as rw).

> ... and you filed a bug to have them included in the Debian kernel

It IS included in Debian kernels, talk to debian-kernel, they maintain it:

Linux abc 2.6.18-3-vserver-686 #1 SMP Thu Nov 23 23:10:59 UTC 2006 i686 GNU/Linux

Package: linux-image-2.6.18-3-vserver-686
Priority: optional
Section: admin
Installed-Size: 49716
Maintainer: Debian Kernel Team
Architecture: i386

> builds? After first packaging them as a Debian kernel patch package? I

Are you attacking me for not being annoying enough? I'm so sorry.

--
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Secure rsync setup, bind-mount ro
On Tuesday, 2006-12-19 at 08:47:32 +0100, Dariush Pietrzak wrote:
> On Mon, Dec 18, 2006 at 04:50:51PM +0100, Lupe Christoph wrote:
> > when I mean bind mounts. No, they are just an aliasing mechanism.

> Nope, they're not:

Well, we are on a Debian mailing list, so I'd assume we talk about Debian
packages... But let me qualify my statement. "Bind mounts are just an
aliasing mechanism in default kernels as distributed with any major
distribution I looked at." Satisfied?

> it's just that sometime in the past, someone took a shortcut and made
> bind-mounts ignore the options, and now it seems that no one can explain to
> Linus that that was an omission, and patches fixing that get thrown out
> because "no one would use that", and "that was linux behaviour for years
> and no one complained yet".

The curse of backwards compatibility. Coming from somebody who routinely
breaks ABIs...

> The patches were maintained as separate 'bind mount extensions/bme'
> project here: http://www.13thfloor.at/patches/
> and now they're part of vserver project, http://linux-vserver.org/

... and you filed a bug to have them included in the Debian kernel
builds? After first packaging them as a Debian kernel patch package? I
mean, VServer is too heavy to include in the default kernels.

Lupe Christoph
--
| You know we're sitting on four million pounds of fuel, one nuclear     |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?                               |
| Rockhound in "Armageddon", 1998, about the Space Shuttle               |
Re: Secure rsync setup, bind-mount ro
On Mon, Dec 18, 2006 at 04:50:51PM +0100, Lupe Christoph wrote:
> when I mean bind mounts. No, they are just an aliasing mechanism.

Nope, they're not:

ghost:/fs# mkdir testro
ghost:/fs# mount -o bind,ro /tmp/ /fs/testro/
ghost:/fs# touch testro/q
touch: cannot touch `testro/q': Read-only file system
ghost:/fs# touch /tmp/q
ghost:/fs# ls -l testro/q
-rw-r--r-- 1 root root 0 2006-12-19 08:36 testro/q
ghost:/fs# touch testro/q
touch: cannot touch `testro/q': Read-only file system

it's just that sometime in the past, someone took a shortcut and made
bind-mounts ignore the options, and now it seems that no one can explain to
Linus that that was an omission, and patches fixing that get thrown out
because "no one would use that", and "that was linux behaviour for years
and no one complained yet".

The patches were maintained as separate 'bind mount extensions/bme'
project here: http://www.13thfloor.at/patches/
and now they're part of vserver project, http://linux-vserver.org/

--
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9
Re: Secure rsync setup, bind-mount ro
On Monday, 2006-12-18 at 13:48:54 +0100, Dariush Pietrzak wrote:
> > filesystems into the chroot you want to rsync. Since Linux does not
> > support read-only loopback mounts, this leaves them open not only for
> > reading but also for writing...

> It does support read-only bind mounts though.

Sorry, coming from a Solaris background, I tend to say loopback mounts
when I mean bind mounts. No, they are just an aliasing mechanism.

debian:~# uname -r
2.6.17-2-k7
debian:~# mount -o bind,ro /tmp /mnt
debian:~# touch /mnt/foo
debian:~# ls -l /mnt/foo
-rw-r--r-- 1 root root 0 2006-12-18 16:44 /mnt/foo

[EMAIL PROTECTED]::~$ touch /mnt/bar
[EMAIL PROTECTED]::~$ ls -l /mnt/bar
-rw-r--r-- 1 lupe lupe 0 2006-12-18 16:45 /mnt/bar

No cigar...

Lupe Christoph

PS: Linux loopback mounts *can* be ro.

PPS: It might be possible to mount the same device multiple times with
different options (rw vs. ro). I never tried it, and I don't want to
crash my machine now ;-)
--
| You know we're sitting on four million pounds of fuel, one nuclear     |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?                               |
| Rockhound in "Armageddon", 1998, about the Space Shuttle               |
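
[Added example, not part of either poster's mail.] In the session above, "mount -o bind,ro" returns success on the 2.6.17 kernel while the mount stays writable, so a setup script should check the result instead of trusting the option it passed. The function names, the sample mount table and the /srv/chroot paths below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm a bind mount is really
# read-only before rsync is allowed into the chroot that contains it.

# Constructed sample in /proc/mounts format. A bind mount is listed with the
# device and filesystem type of its source, not with the word "bind".
sample_table() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw 0 0
/dev/sda1 /srv/chroot/data ext3 rw,errors=remount-ro 0 0
/dev/sda1 /srv/chroot/etc ext3 ro,errors=remount-ro 0 0
EOF
}

# mount_opts_for MOUNTPOINT [TABLE]: option field of the last (topmost)
# entry for MOUNTPOINT; TABLE defaults to the kernel's own view.
mount_opts_for() {
    awk -v mp="$1" '$2 == mp { o = $4 } END { if (o != "") print o }' \
        "${2:-/proc/mounts}"
}

# mount_is_ro MOUNTPOINT [TABLE]: true only if "ro" is a whole option, so
# "rw,errors=remount-ro" does not count as read-only.
mount_is_ro() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# dir_accepts_writes DIR: behavioural probe, true if a file could be created
# (the probe file is removed again). Run it as root, so file permissions
# cannot hide a writable mount.
dir_accepts_writes() {
    probe="$1/.ro-probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# safe_to_export MOUNTPOINT [TABLE]: both checks must agree.
safe_to_export() {
    mount_is_ro "$1" "$2" && ! dir_accepts_writes "$1"
}
```

A setup script would call safe_to_export on each bind mount inside the chroot and refuse to start the rsync daemon if any call fails.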
Re: Secure rsync setup, bind-mount ro
> filesystems into the chroot you want to rsync. Since Linux does not
> support read-only loopback mounts, this leaves them open not only for
> reading but also for writing...

It does support read-only bind mounts though.

--
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294 05E0 BCC7 02C4 75CC 50D9