Trash: directories in $topdir, and security

[Mikhail Ramendik]

Hello,

On the matter of directories in $topdir, I think we have two options at
this point:

(a) $topdir/.Trash/$uid only, with .Trash getting created by the admin,
and if it's not there, by the user. (If the creation fails, the user
falls back to trashing to the directory in $HOME). 

(b) $topdir/.Trash/$uid , but if .Trash is not there, the user creates
..Trash-$uid .

I have seen letters in support of both; but I have failed to understand
from the discussion why (b) is better (even though I have read through
the whole thread).

But, I have just had a thought. There seems to be a security-related
drawback in the entire .Trash idea. What if a malicious user creates
..Trash with wrong permissions (i.e. the sticky bit is not set) ? Or even
as a symlink to some other partition wholly under his control, i.e. one
with a permissionless file system like FAT, or a removable device? What
do we do about this?

To avoid this, .Trash-$uid might work - but what if the permissions on
$topdir don't allow the users to create these directories?

Note that option (b) won't resolve this problem, because if a malicious
user does create .Trash, other users' software will still use it.

Yours, Mikhail Ramendik