Trash: directories in $topdir, and security
alexl at redhat.com
Tue Sep 7 11:17:17 EEST 2004
On Sat, 2004-09-04 at 02:23 +0400, Mikhail Ramendik wrote:
> Alexander Larsson wrote:
> > > But, I have just had a thought. There seems to be a security-related
> > > drawback in the entire .Trash idea. What if a malicious user creates
> > > .Trash with wrong permissions (i.e. the sticky bit is not set) ? Or even
> > > as a symlink to some other partition wholly under his control, i.e. one
> > > with a permissionless file system like FAT, or a removable device? What
> > > do we do about this?
> > What we do is that we define the exact permissions of .Trash (i did so
> > in an earlier mail) and refuse to use it if it's not right.
> What if:
> (1) the file system does not support permissions at all, i.e. FAT? It's
> quite common for removable devices and for partitions on dual Win/Lin
> (2) the file system does not support Unix permissions, and uses ACLs
> instead? XFS, for example. It's in POSIX, so we can't ignore this
> possibility. Besides, ACLs are really more convenient for shared
> resources, especially in large organizations.
> In both of these cases, such checks will inevitably fail. In the FAT
> case we can live with .Trash-$uid; but in the ACL case creation of
> .Trash-$uid might be disallowed.
Case 1 is just a floppy or flash card. Security here is just that you
don't give the floppy to someone you don't trust, so .Trash-$uid is
fine. I'm not sure what the problem is with ACLs filesystems though.
These generally have unix permissions in addition to ACLs, don't they?
We really need to verify the sticky bit is set, or users could remove
other users' trash.
Alexander Larsson Red Hat, Inc
alexl at redhat.com alla at lysator.liu.se
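As an added illustration of the checks discussed above, not code from this thread or from any trash implementation, here is one way a client could validate $topdir/.Trash before using it and fall back to .Trash-$uid otherwise. The function names and the three constructed scenarios are hypothetical.

```python
import os
import stat
import tempfile


def check_trash_dir(trash):
    """Return why $topdir/.Trash is unusable, or None if it passes.

    lstat() is used deliberately: a .Trash planted as a symlink by another
    user must be rejected, not followed onto a filesystem they control.
    """
    try:
        st = os.lstat(trash)
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if not st.st_mode & stat.S_ISVTX:
        # Without the sticky bit any user could delete other users' trash.
        return "sticky bit not set"
    return None


def trash_dir_for(topdir, uid):
    """Use $topdir/.Trash/$uid only if .Trash is sane, else $topdir/.Trash-$uid."""
    shared = os.path.join(topdir, ".Trash")
    if check_trash_dir(shared) is None:
        return os.path.join(shared, str(uid))
    return os.path.join(topdir, ".Trash-%d" % uid)


def demo():
    """Constructed scenarios: good .Trash, .Trash without sticky bit, symlinked .Trash."""
    uid = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "good")
        os.makedirs(os.path.join(good, ".Trash"))
        os.chmod(os.path.join(good, ".Trash"), 0o1777)  # drwxrwxrwt
        nosticky = os.path.join(base, "nosticky")
        os.makedirs(os.path.join(nosticky, ".Trash"))
        os.chmod(os.path.join(nosticky, ".Trash"), 0o777)  # drwxrwxrwx
        linked = os.path.join(base, "linked")
        os.makedirs(os.path.join(linked, "elsewhere"))
        os.symlink(os.path.join(linked, "elsewhere"), os.path.join(linked, ".Trash"))
        for name, top in (("good", good), ("nosticky", nosticky), ("linked", linked)):
            chosen = os.path.relpath(trash_dir_for(top, uid), top)
            results[name] = (check_trash_dir(os.path.join(top, ".Trash")), chosen)
    return results
```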