tech-security archive


Re: open()ing a directory without O_DIRECTORY



Christos Zoulas <christos%zoulas.com@localhost> writes:

> You are worried then about data disclosure, and instead of fixing it at
> the place where it happens (the filesystem code should zero the
> dirent data when it removes the last link to one), you just want to hide it.

I think this is really the key point.  Right now Aymeric is concerned
that the old entries are present in the directory in bits but not
logically.  Once that's fixed, then there's a concern about reading the
raw device, or someone getting access to the disk outside of the OS.

I recently had another experience - a machine was writing some files and
lost power (Monday, for those following northeast US weather).  The
files that were being written ended up having bits from a file that was
written and deleted earlier.  The earlier file was from the same uid but
it could have been from somebody else.  I'm not surprised, but there's
the same point about zeroizing disk blocks on deletion.  Yes, I know
about rm -P.

I think what makes sense is to have some sort of sysctl that causes
filesystems to write zeros over data that is removed.  That's obviously
a performance issue, and I don't mean to argue that it be default.
But I think it would address Aymeric's concerns.
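The zeroize-on-deletion idea above, as an added C example that is not part of this thread: a userland overwrite-then-unlink in the spirit of rm -P, with a self-check that the bytes really read back as zeros before the name is removed. The /tmp path and the "secret" contents are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* mkstemp, pread, fsync */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Overwrite every byte of an open file with zeros and flush to disk.
 * Returns 0 on success, -1 (errno set) on failure. */
int zero_fill(int fd) {
    struct stat st;
    static const char zeros[4096];                  /* all-zero write buffer */
    if (fstat(fd, &st) == -1 || lseek(fd, 0, SEEK_SET) == -1) return -1;
    for (off_t left = st.st_size; left > 0;) {
        size_t n = left < (off_t)sizeof zeros ? (size_t)left : sizeof zeros;
        ssize_t w = write(fd, zeros, n);
        if (w == -1) { if (errno == EINTR) continue; return -1; }
        left -= w;
    }
    return fsync(fd);
}

/* Userland stand-in for "zeroize on delete": overwrite, then unlink.
 * Caveat: only meaningful where the filesystem rewrites blocks in place;
 * copy-on-write or journaled-data filesystems may keep the old blocks. */
int zero_and_unlink(const char *path) {
    int fd = open(path, O_WRONLY);
    if (fd == -1) return -1;
    if (zero_fill(fd) == -1) { int e = errno; close(fd); errno = e; return -1; }
    if (close(fd) == -1) return -1;
    return unlink(path);
}

/* Self-check: write constructed "secret" content to a temp file, zero it,
 * confirm the bytes read back are all zero, then remove it.
 * Returns 1 if every step behaved as expected, 0 otherwise. */
int demo(void) {
    char path[] = "/tmp/zerodemo.XXXXXX";           /* constructed sample file */
    const char secret[] = "old contents that should not leak";
    char buf[sizeof secret];
    int fd = mkstemp(path);
    if (fd == -1) return 0;
    if (write(fd, secret, sizeof secret) != (ssize_t)sizeof secret) return 0;
    if (zero_fill(fd) == -1) return 0;
    if (pread(fd, buf, sizeof buf, 0) != (ssize_t)sizeof buf) return 0;
    close(fd);
    for (size_t i = 0; i < sizeof buf; i++) if (buf[i] != 0) return 0;
    if (zero_and_unlink(path) == -1) return 0;
    return access(path, F_OK) == -1 && errno == ENOENT; /* file is gone */
}
```

Like rm -P, this only addresses the file's own blocks; the stale directory entry bytes that started the thread live in the directory's blocks and are out of reach from userland, which is why the filesystem-level fix is the one that matters.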

