Trash mechanism

David Faure dfaure at trolltech.com
Sun Aug 29 01:36:55 EEST 2004


On Saturday 28 August 2004 23:59, C. Gatzemeier wrote:
> On Saturday 28 August 2004 21:46, David Faure wrote:
> > On Saturday 28 August 2004 21:12, C. Gatzemeier wrote:
> > > On Friday 27 August 2004 23:26, David Faure wrote:
> 
> 
> > If I'm part of N groups, and I delete a file from each group, I would need
> > N different trashcans...
> 
> You mean when copying to your /home trash can?
Not only.

> But for example if the group dirs reside under /group and the trash for this 
> subdir can be stored therein.
> 
> /group  root:root rwxr-x--
> /group/student staff:student  rwxrws---
> /group/teacher root:teacher rwxrws---
> 
> /group/.Trash root:root rwxr-x---
> /group/.Trash/student staff:student  rwxrws---
> /group/.Trash/teacher root:teacher  rwxrws---
> /group/.Trash/teacher/classlist[deldate] smith:teacher rw-rw----

Plus /group/.Trash/smith/* for files where smith removed the group-writeable flag before deleting the file.
So the argument against private trash doesn't hold; you need them in any case.
You can't assume that all files in this partition will always be group-writable.
So then the namespaces collide (user names vs group names) and the whole thing
needs to be reorganized (like .Trash/groups/student/ and .Trash/users/smith/).

But this still leads to some sort of "privilege escalation":
Imagine I store group-writable files in a non-group-writable directory (because I used
chmod g-rwx on the directory, but I can't change my umask, so every new file is still g+w).
When I trash such a file, it would suddenly become visible to the whole group again.
This is assuming that we choose between groups/ and users/ depending on the g+w flag.
In fact we would have to check every upwards directory for g+x access... I 
don't even want to think about the ACLs case :)
Trash directories that belong to a group seem like a strange concept to me.
There's basically no way to know if the user who deletes the file wants to 
make it available to the group (yes, it was initially, but maybe the user trashes
the file _because_ it was there by mistake and shouldn't be read by the group :-)

> Hm, what was the reason again you opted for trash directories on in the 
> filesystem that pool all deleted files together?

Instead of... ? putting the .Trash dir in the last writeable directory when going up?
See solution C) in my "summarizing" mail. We haven't "opted" for anything yet,
IMHO, until we know what Alexander thinks about those different solutions :-)
I'm implementing the trash with only ~/.Trash currently, but still waiting for 
a decision on the "trash directories on other partitions" problem.

-- 
David Faure, faure at kde.org, sponsored by Trolltech to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).
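The check the mail alludes to (walking every upward directory for g+x before concluding that a file is really group-reachable, rather than looking at the g+w bit alone), as an added Python example that is not part of this thread. The directory tree it inspects is constructed in a temporary directory; `top` stands for the shared group directory such as /group/teacher, and `build_demo_tree` reproduces the case described above: a g-rwx subdirectory holding a file the umask left g+rw.

```python
import os
import stat
import tempfile

def looks_group_shared(path):
    """The naive criterion from the thread: a file goes to the group trash if it is g+w."""
    return bool(os.stat(path).st_mode & stat.S_IWGRP)

def group_can_reach(path, top):
    """Can the group really reach `path` today?  Every directory from `top` down to
    the file's parent must be group-searchable (g+x) and the file itself g+r."""
    path, top = os.path.abspath(path), os.path.abspath(top)
    if not os.stat(path).st_mode & stat.S_IRGRP:
        return False
    parent = os.path.dirname(path)
    while True:
        if not os.stat(parent).st_mode & stat.S_IXGRP:
            return False                      # an ancestor blocks group traversal
        if parent == top:
            return True                       # reached the shared directory unblocked
        if parent == os.path.dirname(parent):
            raise ValueError("%s is not below %s" % (path, top))
        parent = os.path.dirname(parent)

def trash_would_widen_group_access(path, top):
    """True when routing by the g+w bit alone would expose to the group a file
    the group could not reach in its original location (the escalation case)."""
    return looks_group_shared(path) and not group_can_reach(path, top)

def build_demo_tree():
    """Constructed sample tree (hypothetical names): returns (top, hidden, shared)."""
    top = tempfile.mkdtemp()
    os.chmod(top, 0o770)                      # shared group dir, like /group/teacher
    private = os.path.join(top, "private")
    os.mkdir(private)
    os.chmod(private, 0o700)                  # "chmod g-rwx" on the directory
    hidden = os.path.join(private, "classlist")
    shared = os.path.join(top, "classlist")
    for name in (hidden, shared):
        with open(name, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(name, 0o664)                 # umask 002 still leaves new files g+w
    return top, hidden, shared

if __name__ == "__main__":
    top, hidden, shared = build_demo_tree()
    print(hidden, trash_would_widen_group_access(hidden, top))   # True
    print(shared, trash_would_widen_group_access(shared, top))   # False
```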