Replaying journals of other OS's filesystems, by mounting them, is unsafe
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
iso-scan (Ubuntu) | Triaged | High | Unassigned |
linux (Ubuntu) | Won't Fix | Undecided | Unassigned |
lupin (Ubuntu) | Triaged | Low | Unassigned |
os-prober (Debian) | Fix Released | Unknown | |
partman-basicfilesystems (Ubuntu) | Fix Released | High | Colin Watson |
Bug Description
I have just done a clean install of recent dapper (20060426.1 live i386) on my main testbed machine.
The automatic volume discovery system has not only found the filesystems from various of the other installations (which is not quite so bad) but has dug into my LVM system and found the fs for a frozen Xen image!
This kind of thing can cause serious data loss. Modern journalling filesystems go even more badly wrong than traditional fs's if they are accessed by two running systems in an interleaved fashion, which is what results if Dapper automatically finds and mounts these filesystems, replaying the journal, while a frozen (whether by a VM like Xen or by ordinary hibernation) image has them mounted.
In the current setup I think it would be easy to cause disaster simply by installing dapper twice on the same machine and then continuously hibernating one while using the other. More complex schemes are also possible.
All of these filesystems discovered in this way should be made read-only unless it can be somehow known that it's safe to make them r/w.
Related branches
- Dimitri John Ledkov: Needs Information
- Steve Langasek: Needs Information
- Canonical Hardware Enablement: Pending (hwe) requested
- Diff: 43 lines (+18/-1), 2 files modified: scripts/casper (+2/-0), scripts/casper-helpers (+16/-1)
Changed in partman-basicfilesystems: assignee: nobody → ijackson
Changed in os-prober: status: Unknown → Unconfirmed
Changed in partman-basicfilesystems: assignee: ijackson → nobody
Changed in os-prober (Debian): status: New → Fix Released
Mounting a filesystem read-only doesn't prevent the journal from being replayed.
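The reporter's concern and the closing comment above come down to the same question: how can an installer or prober look at a filesystem that a frozen system may still own without the kernel ever writing to it, given that a plain read-only mount still replays the journal. The script below is an added example, not code from this bug or from os-prober, partman or casper. The helper names are hypothetical and the dumpe2fs output is constructed; it assumes the ext3/ext4 `noload` (alias `norecovery`) and XFS `norecovery` mount options and `blockdev --setro`, which mainline Linux provides. It only prints the commands it would run, so it needs no root and touches no device.

```shell
#!/bin/sh
# Added example (not from the bug page): plan an inspection-only mount of a
# filesystem that may still be mounted by a frozen VM or hibernated OS,
# without replaying its journal. Helper names are hypothetical.

# Constructed excerpt of `dumpe2fs -h` for an ext4 volume that was in use
# when its owner was frozen: needs_recovery is set even though the state
# field says "clean".
SAMPLE_FROZEN='Filesystem features:      has_journal ext_attr dir_index filetype needs_recovery extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum
Filesystem state:         clean'

# Constructed excerpt for a volume that was unmounted cleanly.
SAMPLE_CLEAN='Filesystem features:      has_journal ext_attr dir_index filetype extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum
Filesystem state:         clean'

# Return 0 if dumpe2fs -h output ($1) shows a journal that still has to be
# replayed. The needs_recovery feature flag, not "Filesystem state", is what
# e2fsck and the kernel look at.
ext_needs_recovery() {
    features=$(printf '%s\n' "$1" | sed -n 's/^Filesystem features: *//p')
    case " $features " in
        *" needs_recovery "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the mount options for an inspection-only mount of filesystem type $1.
# "ro" alone still replays the journal on ext3/ext4 and XFS; the option that
# skips replay is per filesystem, so refuse (return 1) for types without one.
inspect_mount_opts() {
    case "$1" in
        ext3|ext4) printf 'ro,noload\n' ;;      # ext4 also accepts norecovery
        xfs)       printf 'ro,norecovery\n' ;;
        *)         printf 'ro\n'; return 1 ;;   # no journal-skip option known here
    esac
}

# Print the commands to inspect device $1 of type $2 (with dumpe2fs -h
# output $3 for ext filesystems), or refuse if it cannot be done without
# the kernel writing to the device. Prints; does not execute.
plan_inspection_mount() {
    dev=$1; fstype=$2; info=$3
    if ! opts=$(inspect_mount_opts "$fstype"); then
        printf 'refuse: no journal-skipping mount option for %s\n' "$fstype"
        return 1
    fi
    # Defence in depth: make the block device read-only first so that a
    # mis-applied option cannot turn into a journal replay.
    printf 'blockdev --setro %s\n' "$dev"
    case "$fstype" in
        ext3|ext4)
            if ext_needs_recovery "$info"; then
                printf 'note: %s has an unreplayed journal; data read without replay may be inconsistent\n' "$dev"
            fi ;;
    esac
    printf 'mount -t %s -o %s %s /mnt/inspect\n' "$fstype" "$opts" "$dev"
}

# Usage when run directly: plan the mount for the constructed frozen volume.
plan_inspection_mount /dev/vg0/xen-root ext4 "$SAMPLE_FROZEN"
```

The ordering matters: `blockdev --setro` is issued before the mount so that even a `ro` mount that would otherwise replay the journal fails rather than writing, and unknown filesystem types are refused instead of mounted with a guessed option.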