Jamie Lokier <ja...@shareable.org> writes: > Christoph Hellwig wrote: >> On Tue, Dec 15, 2009 at 06:45:01PM +0000, Jamie Lokier wrote: >> > access=rw >> > access=ro >> > access=auto (default) >> >> Yes, that sounds like the least clumsy one. I still think the current >> implementation is a very bad default, though. > > Without agreeing or disagreeing over whether it's a bad default :), a > usability problem occurs with the current implementation when you > deliberately "chmod 444" an image to have high confidence that it's > opened read only: When running as root, file permissions are ignored > (except sometimes on NFS). > > For that reason I use "chattr +i" on all my read-only image files, to > really make sure that no qemu invocation mistake could accidentally > corrupt valuable images. That works, but it's not very convenient. > > If the "auto" method is kept, I think it would be an improvement if it > checks the file permission itself, and does not even try to open a > file O_RDWR if there are no writable permission bits - so that "chmod > 444" has the same "open as read only" effect when qemu is invoked as root.
"Improving" on the kernel's permission checking easily ends in tears. And if we change the the current "auto" behavior in incompatible ways anyway, then my preferred change would be to just drop it.
