Trash: directories in $topdir, and security

Alexander Larsson alexl at redhat.com
Thu Sep 9 10:30:53 EEST 2004 

On Tue, 2004-09-07 at 13:28 +0400, mr at ramendik.ru wrote:
> Hello,
> 
> 
> >> (2) the file system does not support Unix permissions, and uses ACLs
> >> instead? XFS, for example. It's in POSIX, so we can't ignore this
> >> possibility. Besides, ACLs are really more convenient for ahared
> >> resources, especially in large organizations.
> 
> > I'm not sure what the problem is with ACLs filesystems though.
> > These generally have unix permissions in addition to ACLs, don't they?
> >
> > We really need to verify the sticky bit is set, or users could remove
> > other users trash.
> 
> What if we use an NTFS/Samba share? Only trash to $HOME unless $topdir is
> user writeable? Besides, I've seen some talk that the sticky bit does not
> work on XFS (could not find a reference in English right now).

Well. If the sticky bit is not set any other user could remove your
trashed files, since the .Trash dir is world-writable. Is it safe to use
that dir for trashing then? 

If XFS doesn't support it, what is the permissions of /tmp on an XFS
root?

> And a more "principled" note. We're developing something that was not
> available before - a spec for trashing usable *over a network*. I don't
> think binding it tightly to the Unix architecture is a good idea/
> Especially to a very Unix-specific thing like the old permissions system.
> It may be on the way out, because of ACLs.

Well. What if we word it differently? That the permissions of the .Trash
directory cannot allow other users to remove your directory?

> But. I have an idea. The recommended solution will be to check for the
> sticky bit, but to provide an ability to disable the check for a
> particular top directory. Only root should be able to disable it.
> 
> Is this OK? (If yes, I'll try to release 0.3 no later than tomorrow).

I don't like it. All sorts of common configuration like that gets very
complicated. What if it is a NFS mount which is mounted in different
places on different machines? How will this setting be propagated
between all machines? How do you make the setting per-volume and not
per-mountpoint (for for instance removable media)?

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
                   alexl at redhat.com    alla at lysator.liu.se 
He's a globe-trotting dishevelled gangster in a wheelchair. She's a tortured 
Buddhist mermaid with a song in her heart and a spring in her step. They fight 
crime!

More information about the xdg mailing list