"secure" file flag?

Wes Peters wes at softweyr.com
Fri Nov 21 14:09:32 PST 2003 

On Friday 21 November 2003 05:30, Dag-Erling Smørgrav wrote:
> Pawel Jakub Dawidek <nick at garage.freebsd.pl> writes:
> > I'm aware of this, but what we want to think over here is something
> > like in-kernel 'rm -P'. So file will be overwriten even if it is
> > opened and/or link count is grater than 0.
>
> That is not acceptable.  First of all, it breaks a lot of assumptions
> in the filesystem code.  Second, it is incompatible with the common
> technique of unlinking a temporary file immediately after opening it
> to avoid having it stick around if the process that created it dies
> prematurely.  Your proposed change would thus reduce security rather
> than enhance it.

Right.  The idea of restricting a file marked "secure" to not be able to 
link to it, and refusing to set the flag if the file has a link count 
greater than 1, is easy to do.  I'm not sure it makes sense, though.

> Besides, overwriting the contents of a file when it is removed from
> the file system is not enough.  You also need to overwrite every
> block or fragment which is released any time the file shrinks.
>
> Fortunately, ufs always truncates a file to length 0 when it is
> removed, so you only need to modify ffs_truncate() to implement both
> aspects (truncation and removal).  You should also take care to
> overwrite the file's extended attributes if it has any.

For ffs, I believe it would be as simple as providing this behavior in 
ffs_blkfree.  Both the vnode and fs are passed to ffs_blkfree, so the 
code should be able to check filesystem flags and/or file flags to 
determine if the block should be erased before freed.  This simplistic 
approach would forgo some potentially very helpful optimizations, 
though.

> Finally, I think a filesystem flag is much better for this purpose
> than a file flag; and in either case, file removal and truncation
> performance will be awful.

The filesystem flag is no more or less difficult to do; I can see doing 
both for completeness sake.

As for performance, you really need to flush the on-device cache on each 
pass to make sure the bit patterns get written to the platter in proper 
order.  I don't see any clever way to coalesce the writing of the 
various patterns to multiple blocks short of a kernel thread, either, 
so performance would be abysmal.  Imagine removing a large file, 
overwriting each block in 37 (IIRC) passes, syncing all the way through 
the on-disk cache after *every block.*

Disk encryption suddenly doesn't look so bad, does it?

-- 
         "Where am I, and what am I doing in this handbasket?"

Wes Peters                                              wes at softweyr.com

More information about the freebsd-hackers mailing list