Re: Patch for 46475: Users may expose files from private folders by 'Move to Trash'
- From: Damon Chaplin <damon ximian com>
- To: Alexander Larsson <alexl redhat com>
- Cc: nautilus <nautilus-list eazel com>
- Subject: Re: Patch for 46475: Users may expose files from private folders by 'Move to Trash'
- Date: 07 Jun 2002 12:46:19 -0400
On Fri, 2002-06-07 at 07:27, Alexander Larsson wrote:
> On 6 Jun 2002, Damon Chaplin wrote:
>
> >
> > I've added a simple patch to:
> >
> > http://bugzilla.gnome.org/show_bug.cgi?id=46475
> >
> >
> > It always uses 0700 permissions for trash directories other than
> > ~/.Trash. That stops other users from seeing the files, I hope.
> > (Of course, I should use S_IRWXU rather than 0700.)
> >
> > I'm a little worried that since other users may have write access to the
> > parent of the trash directories then they may be able to rename, delete
> > or read the trash files in some way. (I'm not a filesystem security
> > expert.)
> >
> > If the sticky bit is set on the parent directory, that may stop people
> > deleting other people's trash folders. But I'm not sure if that is
> > totally secure. And it needs to be documented.
>
> I guess this means that you lose the original permissions when you
> undelete a file. That is sort of unfortunate. I'm not sure what the best
> way to handle this is.
No, I don't think so. It only changes the permissions on the trash
directory, not the files inside it.
> > It also seems a bit odd to place these directories in the root directory
> > of the device. It means this directory has to be writable by all, or
> > people can't create trash folders. But would sysadmins be happy to make
> > the root directory writable by everyone?
>
> It used to traverse the whole volume, looking for somewhere it could
> write, but that was very slow, and resulted in basically random placement
> of the trash directory.
>
> I guess we should put it in $root/.trash/.$user instead. Then root only
> has to make .trash writable.
Yes, though root still needs to create $root/.trash (and remember to set
the sticky bit).
Maybe ideally we should have a setuid helper app to create the trash
directory for a user, $root/.trash/user. Then users would only need to
have write access to their own trash directories, and not $root/.trash,
which seems safer to me.
But that would be 2.0.x. Should we still apply the patch for now, as it
does make it a little more secure?
Damon
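The checks the thread is circling around (a world-writable parent needs the sticky bit, and the per-user trash directory itself should be 0700 and verifiably ours), as an added C example that is not code from Nautilus or from either poster; the function names, the `/tmp` scratch layout and the `.trash-user` name are assumptions for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 = parent acceptable; 0 = world-writable but no sticky bit, so any user
 * could rename or unlink someone else's trash directory; -1 = error. */
int trash_parent_is_safe(const char *parent)
{
    struct stat st;
    if (stat(parent, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX)) ? 0 : 1;
}

/* Create (or reuse) a per-user trash directory with S_IRWXU, then check that
 * what we opened really is our own private directory: O_NOFOLLOW rejects a
 * symlink planted in the shared parent, fstat() on the descriptor (rather than
 * a second stat() on the path) avoids a race, and owner and mode are verified. */
int open_private_trash_dir(const char *path)
{
    struct stat st; int fd;
    if (mkdir(path, S_IRWXU) != 0 && errno != EEXIST)
        return -1;
    if ((fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)) < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != getuid()
        || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd); errno = EPERM;
        return -1;
    }
    return fd;  /* keep using the descriptor (openat etc.), not the path */
}

/* Constructed self-check in a scratch directory under /tmp; 0 = all cases pass. */
int run_trash_demo(void)
{
    char base[64], path[96]; int fd;
    snprintf(base, sizeof base, "/tmp/trashdemo.%ld", (long) getpid());
    snprintf(path, sizeof path, "%s/.trash-user", base);
    if (mkdir(base, 0777) != 0 || chmod(base, 0777) != 0) return -1;
    if (trash_parent_is_safe(base) != 0) return -2;       /* no sticky bit yet */
    if (chmod(base, 01777) != 0 || trash_parent_is_safe(base) != 1) return -3;
    if ((fd = open_private_trash_dir(path)) < 0) return -4;
    close(fd);
    if (chmod(path, 0755) != 0 || open_private_trash_dir(path) != -1) return -5;
    rmdir(path); rmdir(base);
    return 0;
}
```

The sticky bit only stops other users renaming or unlinking the directory; it does nothing about reading, which is why the trash directory itself must stay 0700.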