Trash: directories in $topdir, and security

Mikhail Ramendik mr at ramendik.ru
Sat Sep 4 01:23:35 EEST 2004


Alexander Larsson wrote:

> > But, I have just had a thought. There seems to be a security-related
> > drawback in the entire .Trash idea. What if a malicious user creates
> > .Trash with wrong permissions (i.e. the sticky bit is not set)? Or even
> > as a symlink to some other partition wholly under his control, i.e. one
> > with a permissionless file system like FAT, or a removable device? What
> > do we do about this?
> 
> What we do is that we define the exact permissions of .Trash (I did so
> in an earlier mail) and refuse to use it if it's not right.

What if:

(1) the file system does not support permissions at all, i.e. FAT? It's
quite common for removable devices and for partitions on dual Win/Lin
installs.

or

(2) the file system does not support Unix permissions, and uses ACLs
instead? XFS, for example. It's in POSIX, so we can't ignore this
possibility. Besides, ACLs are really more convenient for shared
resources, especially in large organizations.

In both of these cases, such checks will inevitably fail. In the FAT
case we can live with .Trash-$uid; but in the ACL case creation of
.Trash-$uid might be disallowed.

Yours, Mikhail Ramendik
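An added example, not code from this thread or from any desktop project, sketching the check Alexander describes and the fallback Mikhail raises: it refuses $topdir/.Trash unless it is a real directory (never a symlink) with an assumed required mode of 1777 (sticky, world-writable; the thread does not restate the exact bits), and otherwise falls back to $topdir/.Trash-$uid. The demo() scenarios are constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Assumption (the thread does not fix the exact bits): a shared $topdir/.Trash must
# be a real directory, never a symlink, world-writable and sticky, i.e. mode 1777.
REQUIRED_MODE = 0o1777

def check_shared_trash(topdir):
    """Return None if $topdir/.Trash is usable, else the reason it is refused."""
    trash = os.path.join(topdir, ".Trash")
    try:
        st = os.lstat(trash)  # lstat: a symlink is reported as such, not followed
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"  # could lead onto a FAT or removable volume the user controls
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    perm = stat.S_IMODE(st.st_mode)
    if not perm & stat.S_ISVTX:
        return "sticky bit not set"
    if perm != REQUIRED_MODE:
        return "mode %o, expected %o" % (perm, REQUIRED_MODE)
    return None

def choose_trash_dir(topdir, uid):
    """$topdir/.Trash/$uid when the shared directory passes, else $topdir/.Trash-$uid.
    FAT has no mode bits to satisfy and ACL-only setups may not map onto them, so
    both cases Mikhail lists end up in the per-user fallback."""
    if check_shared_trash(topdir) is None:
        return os.path.join(topdir, ".Trash", str(uid))
    return os.path.join(topdir, ".Trash-%d" % uid)

def demo(uid=1000):
    """Constructed scenarios; returns {name: (verdict, chosen dir relative to topdir)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("good", REQUIRED_MODE), ("nosticky", 0o777), ("symlink", None)):
            top = os.path.join(tmp, name)
            os.mkdir(top)
            trash = os.path.join(top, ".Trash")
            if mode is None:  # the thread's symlink case: .Trash points somewhere else
                os.mkdir(os.path.join(tmp, name + "-target"))
                os.symlink(os.path.join(tmp, name + "-target"), trash)
            else:
                os.mkdir(trash)
                os.chmod(trash, mode)
            chosen = os.path.relpath(choose_trash_dir(top, uid), top)
            results[name] = (check_shared_trash(top), chosen)
    return results
```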
