Re: Patch for 46475: Users may expose files from private folders by 'Move to Trash'



On 7 Jun 2002, Damon Chaplin wrote:

> On Fri, 2002-06-07 at 07:27, Alexander Larsson wrote:
> > On 6 Jun 2002, Damon Chaplin wrote:
> > 
> > > 
> > > I've added a simple patch to:
> > > 
> > >    http://bugzilla.gnome.org/show_bug.cgi?id=46475
> > > 
> > > 
> > > It always uses 0700 permissions for trash directories other than
> > > ~/.Trash. That stops other users from seeing the files, I hope.
> > > (Of course, I should use S_IRWXU rather than 0700.)
> > > 
> > > I'm a little worried that since other users may have write access to the
> > > parent of the trash directories then they may be able to rename, delete
> > > or read the trash files in some way. (I'm not a filesystem security
> > > expert.)
> > > 
> > > If the sticky bit is set on the parent directory, that may stop people
> > > deleting other people's trash folders. But I'm not sure if that is
> > > totally secure. And it needs to be documented.
> > 
> > I guess this means that you lose the original permissions when you 
> > undelete a file. That is sort of unfortunate. I'm not sure what the best 
> > way to handle this is.
> 
> No, I don't think so. It only changes the permissions on the trash
> directory, not the files inside it.
> 
> 
> 
> > > It also seems a bit odd to place these directories in the root directory
> > > of the device. It means this directory has to be writable by all, or
> > > people can't create trash folders. But would sysadmins be happy to make
> > > the root directory writable by everyone?
> > 
> > It used to traverse the whole volume, looking for somewhere it could 
> > write, but that was very slow, and results in basically random placement 
> > of the trash directory.
> > 
> > I guess we should put it in $root/.trash/.$user instead. Then root only 
> > has to make .trash writable.
> 
> Yes, though root still needs to create $root/.trash (and remember to set
> the sticky bit).
> 
> Maybe ideally we should have a setuid helper app to create the trash
> directory for a user, $root/.trash/user. Then users would only need to
> have write access to their own trash directories, and not $root/.trash,
> which seems safer to me.
> 
> But that would be 2.0.x. Should we still apply the patch for now, as it
> does make it a little more secure?

Yeah. please do.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
                   alexl redhat com    alla lysator liu se 
He's a fast talking arachnophobic cowboy with a mysterious suitcase handcuffed 
to his arm. She's a sarcastic punk politician who dreams of becoming Elvis. 
They fight crime! 
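The two safeguards discussed in the thread, a per-user trash directory created with S_IRWXU and a check that the shared parent carries the sticky bit, as an added C example written for this page (it is not the patch attached to bug 46475 nor gnome-vfs code; the function names, the `.trash-user` directory name and the temporary tree used by `self_test` are assumptions):

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` as a private (S_IRWXU) directory owned by the caller, or
 * verify an existing one really is private. Returns 0 if usable, -1 if not. */
int ensure_private_dir(const char *path)
{
    struct stat st;
    int fd;
    if (mkdir(path, S_IRWXU) != 0 && errno != EEXIST)
        return -1;
    /* Open without following symlinks: a link planted in a world-writable
     * parent must not redirect us to some other directory. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    close(fd);
    if (!S_ISDIR(st.st_mode)) return -1;
    if (st.st_uid != geteuid()) return -1;                 /* created by someone else */
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) return -1; /* group/other bits present */
    return 0;
}

/* 1 if `parent` is world-writable without the sticky bit (any user could
 * rename or unlink other users' trash directories), 0 if fine, -1 on error. */
int parent_is_risky(const char *parent)
{
    struct stat st;
    if (stat(parent, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return ((st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX)) ? 1 : 0;
}

/* Exercise both checks on a constructed temporary tree; 0 means all passed. */
int self_test(void)
{
    char base[] = "/tmp/trashdemoXXXXXX";   /* constructed scratch location */
    char dir[64];
    if (mkdtemp(base) == NULL) return 1;
    snprintf(dir, sizeof dir, "%s/.trash-user", base);
    if (ensure_private_dir(dir) != 0) return 2;           /* fresh creation */
    if (ensure_private_dir(dir) != 0) return 3;           /* re-check, still private */
    chmod(dir, S_IRWXU | S_IRWXG | S_IROTH);              /* loosen it deliberately */
    if (ensure_private_dir(dir) != -1) return 4;          /* must now be rejected */
    chmod(base, S_IRWXU | S_IRWXG | S_IRWXO);             /* 0777 parent, no sticky bit */
    if (parent_is_risky(base) != 1) return 5;
    chmod(base, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX);   /* 1777, like /tmp */
    if (parent_is_risky(base) != 0) return 6;
    rmdir(dir); rmdir(base);
    return 0;
}
```

Because mkdir() honours the umask only by clearing bits, S_IRWXU is the widest mode the directory can get; the fstat() pass catches the case where the directory already existed with other bits set.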



