Subject: Re: Patch to disallow mounts of unclean FFS unless forced
To: Bill Studenmund <wrstuden@netbsd.org>
From: Robert Elz <kre@munnari.OZ.AU>
List: tech-kern
Date: 10/16/2003 15:04:32
    Date:        Wed, 15 Oct 2003 09:31:03 -0700
    From:        Bill Studenmund <wrstuden@netbsd.org>
    Message-ID:  <20031015163103.GB27769@vespasia.home-net.icnt.net>

  | The thing is that our code at present assumes fsck has fixed the file
  | system, and it blindly moves forward. And so it panics if it gets to bad
  | places.

Yes, I know - which is why I said that the "refuse mount if not clean"
is the expedient fix, rather than the correct one - it is a quick way to
slightly alleviate a possible problem, but what we should really be doing
is preventing the system from panicking.    I haven't had a system crash
due to file system problems in a long time - but if it happens to me, so
I actually have a filesystem that will cause the problem, I will certainly
go and fix the kernel to avoid the panic.
 
  | If '-f' isn't root-only, then a user can make an unclean file
  | system, mount it, and panic the box.

Jason already realised the invalidity of that argument, and removed the
root check (or so I surmise from the checkin log message, I didn't look
at the diff yet).

If the user wants to do this, he can trivially create the same unclean
file system, and set the clean bit, after which -f is no longer needed,
but it is the same messed up file system.

  | If a user wants to mount a dirty file system, I think having to contact
  | the administrator is a fine thing to do.

But a 10 line program which just sets the clean bit is a much easier
solution - everywhere except on read only media.   The administrator
is likely to get p-o'd pretty quickly if some user keeps coming to ask
for his CD with a slightly damaged (most likely, perfect except the clean
bit isn't set) FFS format CD that he wants to mount and unmount every
20 minutes (or more frequently, because of swapping CDs in the drive).

kre