Re: Patch for 46475: Users may expose files from private folders by 'Move to Trash'
On Fri, 2002-06-07 at 07:27, Alexander Larsson wrote:
> On 6 Jun 2002, Damon Chaplin wrote:
> 
> > 
> > I've added a simple patch to:
> > 
> >    http://bugzilla.gnome.org/show_bug.cgi?id=46475
> > 
> > 
> > It always uses 0700 permissions for trash directories other than
> > ~/.Trash. That stops other users from seeing the files, I hope.
> > (Of course, I should use S_IRWXU rather than 0700.)
> > 
> > I'm a little worried that since other users may have write access to the
> > parent of the trash directories then they may be able to rename, delete
> > or read the trash files in some way. (I'm not a filesystem security
> > expert.)
> > 
> > If the sticky bit is set on the parent directory, that may stop people
> > deleting other people's trash folders. But I'm not sure if that is
> > totally secure. And it needs to be documented.
> 
> I guess this means that you lose the original permissions when you 
> undelete a file. That is sort of unfortunate. I'm not sure what the best 
> way to handle this is.

No, I don't think so. It only changes the permissions on the trash
directory, not the files inside it.
> > It also seems a bit odd to place these directories in the root directory
> > of the device. It means this directory has to be writable by all, or
> > people can't create trash folders. But would sysadmins be happy to make
> > the root directory writable by everyone?
> 
> It used to traverse the whole volume, looking for somewhere it could 
> write, but that was very slow, and results in basically random placement 
> of the trash directory.
> 
> I guess we should put it in $root/.trash/.$user instead. Then root only 
> has to make .trash writable.

Yes, though root still needs to create $root/.trash (and remember to set
the sticky bit).

Maybe ideally we should have a setuid helper app to create the trash
directory for a user, $root/.trash/user. Then users would only need to
have write access to their own trash directories, and not $root/.trash,
which seems safer to me.

But that would be 2.0.x. Should we still apply the patch for now, as it
does make it a little more secure?

Damon
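
[Added example for the layout discussed in this thread. This is not the patch attached to bug 46475 and not Nautilus/gnome-vfs code; it shows the checks a client would want when per-user trash directories live under a shared, world-writable $root/.trash: create the directory with S_IRWXU, require the sticky bit on the parent, and verify that the entry is really ours (a directory, not a symlink, owned by us, no group/other bits) before using it. The function names, the `$root/.trash/$user` naming and the throwaway "$root" created under /tmp are assumptions made for the demo.]

```c
/* Added example, not code from the 46475 patch or from gnome-vfs.
 * Assumed layout: $root/.trash (drwxrwxrwt, made by root) containing one
 * 0700 directory per user. Function names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if `parent` is a directory with the sticky bit (other users then cannot
 * rename or unlink entries they do not own), 0 if a directory without it,
 * -1 if it is missing or not a directory. */
int parent_is_sticky(const char *parent)
{
    struct stat st;
    if (stat(parent, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_mode & S_ISVTX) ? 1 : 0;
}

/* Create $root/.trash/$user with mode 0700 (or reuse it) and open it.
 * The parent may be writable by everyone, so the path is not trusted:
 * refuse symlinks, require a directory owned by the caller, and require
 * that group/other bits are clear. Returns a directory fd or -1. */
int open_private_trash_dir(const char *path)
{
    struct stat st;
    int fd;

    if (mkdir(path, S_IRWXU) != 0 && errno != EEXIST)
        return -1;

    /* O_NOFOLLOW: reject an entry another user swapped for a symlink
     * between our mkdir() (which reported EEXIST) and this open(). */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != getuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-contained demo on a constructed tree under /tmp. Returns 0 when every
 * expected outcome is observed, else the number of the first failed step. */
int run_demo(void)
{
    char root[] = "/tmp/trashdemo.XXXXXX";   /* stands in for $root/.trash */
    char path[512];
    struct stat st;
    int fd;

    if (mkdtemp(root) == NULL) return 1;
    if (chmod(root, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX) != 0) return 2;
    if (parent_is_sticky(root) != 1) return 3;

    /* a fresh per-user directory comes out exactly 0700 */
    snprintf(path, sizeof path, "%s/alice", root);
    if ((fd = open_private_trash_dir(path)) < 0) return 4;
    if (fstat(fd, &st) != 0 || (st.st_mode & 0777) != S_IRWXU) return 5;
    close(fd);
    /* reopening an existing, correct directory is fine (EEXIST path) */
    if ((fd = open_private_trash_dir(path)) < 0) return 6;
    close(fd);

    /* a symlink planted in the shared parent is rejected */
    snprintf(path, sizeof path, "%s/mallory", root);
    if (symlink("/", path) != 0) return 7;
    if (open_private_trash_dir(path) != -1) return 8;

    /* a pre-existing directory readable by others is rejected */
    snprintf(path, sizeof path, "%s/leaky", root);
    if (mkdir(path, 0755) != 0 || chmod(path, 0755) != 0) return 9;
    if (open_private_trash_dir(path) != -1) return 10;

    /* best-effort cleanup of the demo tree */
    unlink(path + 0 * strlen(path)); /* no-op guard; real unlink below */
    snprintf(path, sizeof path, "%s/mallory", root); unlink(path);
    snprintf(path, sizeof path, "%s/leaky", root);   rmdir(path);
    snprintf(path, sizeof path, "%s/alice", root);   rmdir(path);
    rmdir(root);
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (step code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The sticky bit on $root/.trash only stops other users from removing or renaming a trash directory they do not own; it does nothing about what is already there, which is why open_private_trash_dir() checks ownership and mode on the opened fd rather than trusting the path.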