Trash mechanism

Alexander Larsson alexl at redhat.com
Fri Aug 27 09:38:01 EEST 2004


On Thu, 2004-08-26 at 15:31, David Faure wrote:

> > > The user creating the .Trash directory would need to make it world-writable, right?
> > 
> > Yeah. We should probably also make it world unreadable and with sticky
> > bit (like /tmp) so that you can't look at it, and rename or remove other
> > people's trash dirs. Of course, even with the sticky bit set the person
> > who creates the .Trash dir can still rename/remove other users' trash
> > dirs. I dunno what to do about that.
> 
> Waldo suggested the following solution:
> we should make a small suid-root program that creates $topdir/.Trash and 
> $topdir/.Trash/$uid for the user calling that program. This solves the
> problem you mention (deleting other people's $uid dirs) as well as another
> similar problem (creating a $uid dir before the other user can do it, effectively
> preventing him from doing it).
> I suck at writing suid-root programs though - maybe this is something
> you (or any other C programmer who volunteers) could look into? :/

I'm not sure having a setuid root program that can create directories
everywhere is a good idea. However, maybe we can have one that does the
chroot and sets the right permissions. Need to think a bit about the
security implications here.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
                   alexl at redhat.com    alla at lysator.liu.se 
He's a genetically engineered dishevelled househusband who dotes on his loving 
old ma. She's a foxy foul-mouthed advertising executive with an MBA from 
Harvard. They fight crime! 
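
The checks a trash implementation could run before trusting a shared $topdir/.Trash set up as the thread proposes (sticky, not world-readable, one private directory per uid). This is an added example, not code from the original message or from any trash implementation; the function names, result codes and the 0700 mode for the per-uid directory are assumptions of the example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Added example: every name below is the example's own, not from a real trash implementation. */
enum { TRASH_OK, TRASH_MISSING, TRASH_NOT_DIR, TRASH_NOT_STICKY,
       TRASH_LISTABLE, TRASH_UID_DIR_UNSAFE, TRASH_ERROR };

/* Is the shared directory set up the way the thread proposes (sticky, unreadable)? */
int check_shared_trash(const char *trash)
{
    struct stat st;
    if (lstat(trash, &st) != 0)          /* lstat: never follow a symlink */
        return errno == ENOENT ? TRASH_MISSING : TRASH_ERROR;
    if (!S_ISDIR(st.st_mode))            /* symlink or file sitting at .Trash */
        return TRASH_NOT_DIR;
    if (!(st.st_mode & S_ISVTX))         /* without it, anyone may rename/remove */
        return TRASH_NOT_STICKY;
    if (st.st_mode & S_IROTH)            /* others could list the per-user dirs */
        return TRASH_LISTABLE;
    return TRASH_OK;
}

/* Create trash/<uid> if needed, then verify it really is ours and private. */
int ensure_uid_dir(const char *trash, uid_t uid, char *out, size_t outlen)
{
    struct stat st;
    int rc = check_shared_trash(trash);
    if (rc != TRASH_OK)
        return rc;
    int n = snprintf(out, outlen, "%s/%lu", trash, (unsigned long)uid);
    if (n < 0 || (size_t)n >= outlen)
        return TRASH_ERROR;
    if ((mkdir(out, 0700) != 0 && errno != EEXIST) || lstat(out, &st) != 0)
        return TRASH_ERROR;
    /* EEXIST may mean another user created the directory before we did. */
    if (!S_ISDIR(st.st_mode) || st.st_uid != uid || (st.st_mode & 077))
        return TRASH_UID_DIR_UNSAFE;
    return TRASH_OK;
}

int main(int argc, char **argv)
{
    char dir[4096];
    return argc == 2 ? ensure_uid_dir(argv[1], getuid(), dir, sizeof dir) : TRASH_ERROR;
}
```

These checks detect a missing sticky bit and a per-uid directory created by someone else; they do not change the point made in the thread that the owner of .Trash can still rename or remove entries inside it.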



