Linux kernel 中的檔案權限設計

LWN – File permissions in the kernel [August 3, 2016 by corbet]

permission bits in linux

在 8/2 號的時候，Baole Ni 為了把 kernel 中有關 file permission 的 code 從八進位修改成 macro 的樣式，送了高達 1285 個 patch。David Miller 直接說這是「patch 史上最糟的一個 submit」。更猛的是，他的 patch 信還送給了不只一位的 developer…

會有這樣的改動是因為，kernel 中有關權限的部份，其實已經在 linux/stat.h 已經有 macro 可以使用，像是 S_IRWXUGO 或是 S_IRUGO 這種表示方式，但大多數在 kernel code 的實作，還是使用 0444 這樣的八進位表示方式。

一場大戰就此開打，首先大家在看到這個 patch 之後，先不論他直接送上 1285 個 patch 這樣的神績，Steven Rostedt 在 patch mail 就回應：

I find 0444 more readable than S_IRUSR | S_IRGRP | S_IROTH.

大家發現，轉換成 macro 的方式沒有比較好閱讀啊！而且還要在 1285 個地方看到S_IRUSR | S_IRGRP 這樣的表示方式，崩潰啦。

最後是 Linus 發出正式的公告，說這種 symbolic name 用在 sticky bit 或是 inode mode type number 上還不錯，但是對於 permission bits，糟，糟糕透頂，沒有人應該在 kernel 或是 user space 中使用他們。

還沒結束，八進位表示也是個很糟的方式，Al Viro 指出，這種表示方式還是有可能造成難以發現的錯誤 (lovely potential for typos)。

真正的問題是，POSIX 定義的這些 S_* macros 就是難以閱讀，讓開發者難以使用。最後由 Ingo Molnar 提出一個新的變通方法，用一套新的 macro 來表示 permission bits.

<div style=”box-sizing: border-box; display: inline-flex;”><br /><div style=”-webkit-user-select: none; border-right: 3px solid rgb(108, 226, 108) !important; box-sizing: content-box; color: rgb(175, 175, 175) !important; cursor: default; display: inline-block; float: left; min-width: 20px; overflow: hidden; padding: 0px 8px 0px 0px; position: relative; text-align: right; z-index: 4;”><br /><span data-linenumber=”1″ style=”box-sizing: border-box;”></span><br /><span data-linenumber=”2″ style=”box-sizing: border-box;”></span><br /><span data-linenumber=”3″ style=”box-sizing: border-box;”></span><br /><span data-linenumber=”4″ style=”box-sizing: border-box;”></span><br /><span data-linenumber=”5″ style=”box-sizing: border-box;”></span></div><br /><div style=”box-sizing: border-box; float: left; margin: 0px 0px 0px 16px;”><br /><span style=”box-sizing: border-box; color: #969896;”>#<span style=”box-sizing: border-box;”>define</span> PERM_rw_______ 0600</span><br /><span style=”box-sizing: border-box; color: #969896;”>#<span style=”box-sizing: border-box;”>define</span> PERM_rw_r_____ 0640</span><br /><span style=”box-sizing: border-box; color: #969896;”>#<span style=”box-sizing: border-box;”>define</span> PERM_rw_r__r__ 0644</span><br /><span style=”box-sizing: border-box; color: #969896;”>#<span style=”box-sizing: border-box;”>define</span> PERM_rw_rw_r__ 0664</span><br /><span style=”box-sizing: border-box; color: #969896;”>#<span style=”box-sizing: border-box;”>define</span> PERM_rw_rw_rw_ 0666</span><br /></div><br /></div><br />

<div style=“box-sizing: border-box; display: inline-flex;”> <div style=“-webkit-user-select: none; border-right: 3px solid rgb(108, 226, 108) !important; box-sizing: content-box; color: rgb(175, 175, 175) !important; cursor: default; display: inline-block; float: left; min-width: 20px; overflow: hidden; padding: 0px 8px 0px 0px; position: relative; text-align: right; z-index: 4;”> </div> <div style=“box-sizing: border-box; float: left; margin: 0px 0px 0px 16px;”> #define PERM_rw_______ 0600 #define PERM_rw_r_____ 0640 #define PERM_rw_r__r__ 0644 #define PERM_rw_rw_r__ 0664 #define PERM_rw_rw_rw_ 0666 </div> </div>

Ingo 在信裡面給出一個例子，可以看出用八進位表示的時候，你很難去 code review 找出問題。你能在這個 code 看到兩個資安漏洞嗎？

<div style=”box-sizing: border-box; display: inline-flex;”><br /><div style=”-webkit-user-select: none; border-right: 3px solid rgb(108, 226, 108) !important; box-sizing: content-box; color: rgb(175, 175, 175) !important; cursor: default; display: inline-block; float: left; min-width: 20px; overflow: hidden; padding: 0px 8px 0px 0px; position: relative; text-align: right; z-index: 4;”><br /><span data-linenumber=”1″ style=”box-sizing: border-box;”></span><br /><span data-linenumber=”2″ style=”box-sizing: border-box;”></span><br /><span data-linenumber=”3″ style=”box-sizing: border-box;”></span><br /><span data-linenumber=”4″ style=”box-sizing: border-box;”></span></div><br /><div style=”box-sizing: border-box; float: left; margin: 0px 0px 0px 16px;”><br />+ __ATTR(<span style=”box-sizing: border-box; color: #63a35c;”>l1</span>, <span style=”box-sizing: border-box;”>0444</span>, driver_show_l4, NULL)<span style=”box-sizing: border-box; color: #969896;”>;</span><br />+ __ATTR(<span style=”box-sizing: border-box; color: #63a35c;”>l3</span>, <span style=”box-sizing: border-box;”>0446</span>, driver_show_l4, NULL)<span style=”box-sizing: border-box; color: #969896;”>;</span><br />+ __ATTR(<span style=”box-sizing: border-box; color: #63a35c;”>l2</span>, <span style=”box-sizing: border-box;”>04444</span>, driver_show_l4, NULL)<span style=”box-sizing: border-box; color: #969896;”>;</span><br />+ __ATTR(<span style=”box-sizing: border-box; color: #63a35c;”>l4</span>, <span style=”box-sizing: border-box;”>0444</span>, driver_show_l4, NULL)<span style=”box-sizing: border-box; color: #969896;”>;</span><br /></div><br /></div><br />

<div style=“box-sizing: border-box; display: inline-flex;”> <div style=“-webkit-user-select: none; border-right: 3px solid rgb(108, 226, 108) !important; box-sizing: content-box; color: rgb(175, 175, 175) !important; cursor: default; display: inline-block; float: left; min-width: 20px; overflow: hidden; padding: 0px 8px 0px 0px; position: relative; text-align: right; z-index: 4;”> </div> <div style=“box-sizing: border-box; float: left; margin: 0px 0px 0px 16px;”> + __ATTR(l1, 0444, driver_show_l4, NULL); + __ATTR(l3, 0446, driver_show_l4, NULL); + __ATTR(l2, 04444, driver_show_l4, NULL); + __ATTR(l4, 0444, driver_show_l4, NULL); </div> </div>

轉換成新的方式，可以看到 PERM_r__r__rw_ 跟 PERM_sr__r__r__ 這兩個部份是很危險的。

<div style=”box-sizing: border-box; display: inline-flex;”><br /><div style=”-webkit-user-select: none; border-right: 3px solid rgb(108, 226, 108) !important; box-sizing: content-box; color: rgb(175, 175, 175) !important; cursor: default; display: inline-block; float: left; min-width: 20px; overflow: hidden; padding: 0px 8px 0px 0px; position: relative; text-align: right; z-index: 4;”><br /><span data-linenumber=”1″ style=”box-sizing: border-box;”></span><br /><span data-linenumber=”2″ style=”box-sizing: border-box;”></span><br /><span data-linenumber=”3″ style=”box-sizing: border-box;”></span><br /><span data-linenumber=”4″ style=”box-sizing: border-box;”></span></div><br /><div style=”box-sizing: border-box; float: left; margin: 0px 0px 0px 16px;”><br /><span style=”box-sizing: border-box; color: #0086b3;”>+ </span><span style=”box-sizing: border-box; color: #df5000;”>__ATTR(l1, PERM_r__</span>r<span style=”box-sizing: border-box; color: #df5000;”>__r__</span>,  driver<span style=”box-sizing: border-box; color: #df5000;”>_show_</span>l4, NULL);<br /><span style=”box-sizing: border-box; color: #0086b3;”>+ </span><span style=”box-sizing: border-box; color: #df5000;”>__ATTR(l3, PERM_r__</span>r<span style=”box-sizing: border-box; color: #df5000;”>__rw_</span>,  driver<span style=”box-sizing: border-box; color: #df5000;”>_show_</span>l4, NULL);<br /><span style=”box-sizing: border-box; color: #0086b3;”>+ </span><span style=”box-sizing: border-box; color: #df5000;”>__ATTR(l2, PERM_sr__</span>r<span style=”box-sizing: border-box; color: #df5000;”>__r__</span>, driver<span style=”box-sizing: border-box; color: #df5000;”>_show_</span>l4, NULL);<br /><span style=”box-sizing: border-box; color: #0086b3;”>+ </span><span style=”box-sizing: border-box; color: #df5000;”>__ATTR(l4, PERM_r__</span>r<span style=”box-sizing: border-box; color: #df5000;”>__r__</span>,  driver<span style=”box-sizing: border-box; color: #df5000;”>_show_</span>l4, NULL);<br /></div><br /></div><br />

<div style=“box-sizing: border-box; display: inline-flex;”> <div style=“-webkit-user-select: none; border-right: 3px solid rgb(108, 226, 108) !important; box-sizing: content-box; color: rgb(175, 175, 175) !important; cursor: default; display: inline-block; float: left; min-width: 20px; overflow: hidden; padding: 0px 8px 0px 0px; position: relative; text-align: right; z-index: 4;”> </div> <div style=“box-sizing: border-box; float: left; margin: 0px 0px 0px 16px;”> + __ATTR(l1, PERM_r__r__r__, driver_show_l4, NULL); + __ATTR(l3, PERM_r__r__rw_, driver_show_l4, NULL); + __ATTR(l2, PERM_sr__r__r__, driver_show_l4, NULL); + __ATTR(l4, PERM_r__r__r__, driver_show_l4, NULL); </div> </div>

Comments

Q1. epa:為什麼不用 const int 而要用 #define？

LWN – File permissions in the kernel [August 3, 2016 by corbet]

Linux kernel 中的檔案權限設計

Comments

Comments

Leave a Reply Cancel reply