Trash: directories in $topdir, and security

Alexander Larsson alexl at
Tue Sep 7 11:17:17 EEST 2004

On Sat, 2004-09-04 at 02:23 +0400, Mikhail Ramendik wrote:
> Alexander Larsson wrote:
> > > But, I have just had a thought. There seems to be a security-related
> > > drawback in the entire .Trash idea. What if a malicious user creates
> > > .Trash with wrong permissions (i.e. the sticky bit is not set) ? Or even
> > > as a symlink to some other partition wholly under his control, i.e. one
> > > with a permissionless file system like FAT, or a removable device? What
> > > do we do about this?
> > 
> > What we do is that we define the exact permissions of .Trash (i did so
> > in an earlier mail) and refuse to use it if it's not right.
> What if:
> (1) the file system does not support permissions at all, i.e. FAT? It's
> quite common for removable devices and for partitions on dual Win/Lin
> installs.
> or
> (2) the file system does not support Unix permissions, and uses ACLs
> instead? XFS, for example. It's in POSIX, so we can't ignore this
> possibility. Besides, ACLs are really more convenient for shared
> resources, especially in large organizations.
> In both of these cases, such checks will inevitably fail. In the FAT
> case we can live with .Trash-$uid; but in the ACL case creation of
> .Trash-$uid might be disallowed.

Case 1 is just a floppy or flash card. Security here is just that you
don't give the floppy to someone you don't trust, so .Trash-$uid is
fine. I'm not sure what the problem is with ACLs filesystems though.
These generally have unix permissions in addition to ACLs, don't they?

We really need to verify the sticky bit is set, or users could remove
other users' trash.

 Alexander Larsson                                            Red Hat, Inc 
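As an added example (not code from the thread or from any trash implementation), this Python sketch shows the check the mail calls for: use $topdir/.Trash only if it is a real directory with the sticky bit set, otherwise fall back to $topdir/.Trash-$uid. The mail itself only demands the sticky-bit check and distrust of a .Trash that is a symlink to another partition; the function names, the lstat-based symlink refusal and the same-device rule are my assumptions.

```python
import os
import stat
import tempfile
from typing import Dict, Optional

def usable_shared_trash(topdir: str) -> Optional[str]:
    """Return $topdir/.Trash if it passes the checks, else None.
    Rule set is an assumption; the mail only demands the sticky-bit check."""
    trash = os.path.join(topdir, ".Trash")
    try:
        st = os.lstat(trash)          # lstat: never follow a symlinked .Trash
        top_st = os.stat(topdir)
    except FileNotFoundError:
        return None
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return None                   # symlink or plain file: refuse
    if not st.st_mode & stat.S_ISVTX:
        return None                   # no sticky bit: users could remove each other's trash
    if st.st_dev != top_st.st_dev:
        return None                   # lives on another device (e.g. a FAT partition): refuse
    return trash

def trash_dir_for(topdir: str, uid: Optional[int] = None) -> str:
    """Prefer the shared $topdir/.Trash, fall back to $topdir/.Trash-$uid."""
    shared = usable_shared_trash(topdir)
    if shared is not None:
        return shared
    return os.path.join(topdir, ".Trash-%d" % (os.getuid() if uid is None else uid))

def demo() -> Dict[str, bool]:
    """Constructed scenarios in a temp dir: was the shared .Trash accepted?"""
    results = {}
    with tempfile.TemporaryDirectory() as top:
        trash = os.path.join(top, ".Trash")
        os.mkdir(trash)
        os.chmod(trash, 0o1777)       # sticky bit set: the intended layout
        results["sticky"] = usable_shared_trash(top) == trash
        os.chmod(trash, 0o0777)       # same directory, sticky bit cleared
        results["no_sticky"] = usable_shared_trash(top) == trash
        os.rmdir(trash)
        elsewhere = os.path.join(top, "elsewhere")
        os.mkdir(elsewhere)
        os.chmod(elsewhere, 0o1777)
        os.symlink(elsewhere, trash)  # .Trash is a symlink pointing elsewhere
        results["symlink"] = usable_shared_trash(top) == trash
    return results
```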