Re: Patch for 46475: Users may expose files from private folders by 'Move to Trash'



On 6 Jun 2002, Damon Chaplin wrote:

> 
> I've added a simple patch to:
> 
>    http://bugzilla.gnome.org/show_bug.cgi?id=46475
> 
> 
> It always uses 0700 permissions for trash directories other than
> ~/.Trash. That stops other users from seeing the files, I hope.
> (Of course, I should use S_IRWXU rather than 0700.)
> 
> I'm a little worried that since other users may have write access to the
> parent of the trash directories then they may be able to rename, delete
> or read the trash files in some way. (I'm not a filesystem security
> expert.)
> 
> If the sticky bit is set on the parent directory, that may stop people
> deleting other people's trash folders. But I'm not sure if that is
> totally secure. And it needs to be documented.

I guess this means that you lose the original permissions when you 
undelete a file. That is sort of unfortunate. I'm not sure what the best 
way to handle this is.
  
> It also seems a bit odd to place these directories in the root directory
> of the device. It means this directory has to be writable by all, or
> people can't create trash folders. But would sysadmins be happy to make
> the root directory writable by everyone?

It used to traverse the whole volume, looking for somewhere it could 
write, but that was very slow, and results in basically random placement 
of the trash directory.

I guess we should put it in $root/.trash/.$user instead. Then root only 
has to make .trash writable.
-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
                   alexl redhat com    alla lysator liu se 
He's an impetuous soccer-playing matador in drag. She's an elegant 
belly-dancing femme fatale with an MBA from Harvard. They fight crime! 
