Trash spec: need decisions on some points

David Faure dfaure at trolltech.com
Sun Aug 29 14:32:18 EEST 2004


On Sunday 29 August 2004 12:45, Mikhail Ramendik wrote:
> If we honor absolute paths on removable devices, one could make a
> "trojan device" which would show a file allegedly "deleted from the hard
> drive" in the Trash view!
The worst that would happen is that "restore" would try to overwrite an
existing file, but the user will obviously get a "do you want to overwrite this
file" dialog when doing this.

But yes, when we can detect a removable device, better use relative
paths on it.

> OK. Let's leave this alone for the implementation. I will recommend
> making "full trash emptying" an operation done from root, and granting
> user access to it, when necessary, by separate means. 
I disagree with this. Emptying my ~/.Trash shouldn't require root access.

The whole idea of $topdir/.Trash/$uid was that the user could also empty that 
one without root rights.

> I can think of a number of implementations that don't even involve suid;
> notably a trash cleaning daemon, and a FIFO or flag file for it, and
> access control to this FIFO/file. 
It seems everything needs to be implemented with a daemon nowadays...
The complexity and risks of such a solution don't seem to be worth it IMHO.

> A side note... This seems to be a result of absence of ACLs. With ACLs
> one could always give privileges to all trash folders to those with the
> "clean the trash" right.
But you can't distinguish cleaning from listing, so the privacy issues remain.

> (We're way beyond what Windoze does in its Trash anyway, even with all
> those NTFS ACLs... Windoze Trash is designed as merely a personal
> thing).
I'm also seeing this as a personal thing.

> > > besides, those with no access to the shared resource don't get to see
> > > the trash.
> > But every separate group that has access to the shared resource (but would
> > normally only have access to a per-group subdir of it), would see everyone
> > else's trashed files - so the visibility escalates here as well. At least the
> > groups/<groupname> idea avoids that part.
> 
> Trash dirs in non-$topdir would be somewhat hard to find from another
> machine. 
Yes.

I think the other-partitions case still needs input from Alexander before we
can write the spec on that part.

-- 
David Faure, faure at kde.org, sponsored by Trolltech to work on KDE,
Konqueror (http://www.konqueror.org), and KOffice (http://www.koffice.org).
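The "trojan device" point above (absolute paths carried in a removable
volume's $topdir/.Trash/$uid directory, and the reply that relative paths
should be used there) is the kind of rule a restore routine has to enforce
rather than just document. The following is an added example written for
this page; it is not code from the thread, from KDE, or from any trash
implementation. It assumes, hypothetically, that each trashed file has an
info record with a percent-encoded "Path=" line, that the home trash stores
that path as an absolute path, and that a volume trash stores it relative to
the volume's top directory. With those assumptions, an absolute path or a
".." escape found in a volume trash is rejected before any restore (and
before any overwrite dialog) is attempted.

```python
"""Restore-path validation for a trash layout with a per-user home trash
and per-volume trash directories at $topdir/.Trash/$uid.

Added example written for this page; not code from the xdg thread, from
KDE, or from any trash implementation.  Assumptions (hypothetical, chosen
for the example): each trashed file has an info record with a
percent-encoded 'Path=' line; the home trash stores the original path as
an absolute path, while a volume trash stores it relative to the volume's
top directory.
"""
import posixpath
from urllib.parse import unquote


class TrashInfoError(ValueError):
    """Raised when a stored path must not be honoured on restore."""


def parse_path(info_text):
    """Extract and percent-decode the Path= value of an info record.

    Assumed record format: a '[Trash Info]' header followed by key=value
    lines.  Anything else is rejected rather than guessed at.
    """
    lines = info_text.splitlines()
    if not lines or lines[0].strip() != "[Trash Info]":
        raise TrashInfoError("missing [Trash Info] header")
    for line in lines[1:]:
        if line.startswith("Path="):
            path = unquote(line[len("Path="):].strip())
            if not path or "\0" in path:
                raise TrashInfoError("empty or NUL-containing path")
            return path
    raise TrashInfoError("no Path= line")


def restore_target(stored_path, topdir=None):
    """Return the absolute path a trashed entry would be restored to.

    topdir is None for the home trash (absolute paths are expected) and
    the volume's mount point for a $topdir/.Trash/$uid directory, where
    only relative paths are honoured: a device that carries absolute
    paths cannot make the restore write outside its own volume.
    """
    if topdir is None:
        if not posixpath.isabs(stored_path):
            raise TrashInfoError("home trash entry with a relative path")
        return posixpath.normpath(stored_path)

    if posixpath.isabs(stored_path):
        raise TrashInfoError("absolute path on a volume trash; ignored")

    topdir = posixpath.normpath(topdir)
    target = posixpath.normpath(posixpath.join(topdir, stored_path))
    # normpath collapses '..', so an escape shows up as a target that no
    # longer lies below topdir (or equals it, which is not a file either).
    prefix = topdir if topdir.endswith("/") else topdir + "/"
    if not target.startswith(prefix):
        raise TrashInfoError("path escapes the volume's top directory")
    return target


def check_entry(info_text, topdir=None):
    """Parse an info record and return (ok, target_or_reason)."""
    try:
        return True, restore_target(parse_path(info_text), topdir)
    except TrashInfoError as e:
        return False, str(e)


# Constructed sample records for the example (not real files).
HOME_ENTRY = "[Trash Info]\nPath=/home/alice/report%20final.odt\nDeletionDate=2004-08-29T12:45:00\n"
USB_ENTRY = "[Trash Info]\nPath=photos/img_0001.jpg\nDeletionDate=2004-08-29T12:45:00\n"
# What a "trojan device" would carry: an absolute path into the host.
TROJAN_ENTRY = "[Trash Info]\nPath=/home/alice/.bashrc\nDeletionDate=2004-08-29T12:45:00\n"
# The relative-path variant of the same trick, using '..' to leave the volume.
ESCAPE_ENTRY = "[Trash Info]\nPath=../../home/alice/.bashrc\nDeletionDate=2004-08-29T12:45:00\n"

if __name__ == "__main__":
    print(check_entry(HOME_ENTRY))                       # home trash, absolute path accepted
    for entry in (USB_ENTRY, TROJAN_ENTRY, ESCAPE_ENTRY):
        print(check_entry(entry, topdir="/media/usb"))   # only USB_ENTRY is accepted
```

Whether the resolved target already exists (the overwrite dialog case) is a
separate check made at restore time; the point of the validation above is
that a volume's trash can only ever name files on that volume.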