*security?* Re: Trash spec 0.2, technical questions

Jerry Haltom jhaltom at feedbackplusinc.com
Tue Aug 31 18:11:22 EEST 2004


> Well, assuming you're renaming (link followed by unlink) to trash, 
> then you can rename back again. If you can't, there's a problem.

That's a good rule then.

> It occurs to me that if someone is subverting your media in general, 
> then:

The main situation I see is where a company is running NFS with a public
world-writable share and private home directories on the same mount.

Depending on the file system layout of course, it may be possible for one
user to insert a malicious .xsession file into another user's .Trash, and
have it undelete into that user's home directory.

I realize this is a long shot... but so are a lot of things, until they
happen. I think the last thing we want to be doing is distributing
documentation about how to secure your trash can. No other OS requires
that, and it would be "one of those things" that separate our setup-time
and knowledge from theirs.

Is there any specific reason to allow absolute paths at all?
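As an added example (not code from the thread or from any trash implementation), here is one way a restore routine could enforce the rule agreed above: a restore is only a plain rename back if the target sits on the same filesystem as the trash, and it should never land inside another user's home. The two-user layout, the `allowed_root` parameter and the policy are assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path


def restore_target_is_safe(trash_dir, original_path, allowed_root):
    """Decide whether a trashed entry may be restored to original_path.

    Constructed policy for this example:
      1. the target must stay under allowed_root (e.g. the owning user's home),
         after resolving symlinks and rejecting any '..' component;
      2. the target's parent directory must already exist;
      3. that parent must be on the same device as the trash directory, so the
         restore is the plain rename that reverses the move into the trash.
    """
    trash_dir = Path(trash_dir).resolve()
    root = Path(allowed_root).resolve()
    target = Path(original_path)
    if any(part == ".." for part in target.parts):
        return False
    if not target.is_absolute():
        target = root / target
    parent = target.parent.resolve()  # follows symlinked parent directories
    try:
        parent.relative_to(root)
    except ValueError:
        return False  # would land outside the allowed root (e.g. another user's home)
    if not parent.is_dir():
        return False
    return os.stat(parent).st_dev == os.stat(trash_dir).st_dev


def demo():
    """Build a constructed two-user layout and evaluate a few restore targets."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        alice, bob = home / "alice", home / "bob"
        (alice / ".Trash").mkdir(parents=True)
        bob.mkdir()
        trash = alice / ".Trash"
        return {
            "own_home": restore_target_is_safe(trash, alice / ".xsession", alice),
            "relative_own": restore_target_is_safe(trash, ".xsession", alice),
            "other_home": restore_target_is_safe(trash, bob / ".xsession", alice),
            "dotdot": restore_target_is_safe(trash, "../bob/.xsession", alice),
            "missing_parent": restore_target_is_safe(trash, alice / "nope" / "f", alice),
        }
```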
