Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set graveyard permissions to 700 by default #20

Open
rypervenche opened this issue Oct 20, 2020 · 7 comments
Open

Set graveyard permissions to 700 by default #20

rypervenche opened this issue Oct 20, 2020 · 7 comments

Comments

@rypervenche
Copy link

It would be nice if the default permissions on the graveyard were 700, that way other users wouldn't be able to look at the files inside.

@nivekuil
Copy link
Owner

nivekuil commented Nov 4, 2020 via email

@rypervenche
Copy link
Author

If the only users on a machine are root and a single user, then su wouldn't be necessary, as both users would have access to the files, so I'm not sure what inconveniences there would be.

As for using a multi-user machine, I still feel that a secure default would be best, as not everyone will realize that others could read their files. A common example would be students using a lab machine at a university. Their home directories are not readable by other users, however everyone will be able to view the files that they've riped into /tmp. If an admin were to install and set this up for the students, they might set up a graveyard with the proper permissions (assuming they know enough about the project). However, if a student installs rip to their local account, they're likely not going to think about the need to set this up properly and will therefore be sharing their riped files with any student who happens to look in /tmp.

Unless I've overlooked something, I don't see any downsides to this approach. Even if there were something that were inconvenient, I would still personally err on the side of caution and prefer security over ease of use.

@blargg
Copy link

blargg commented May 30, 2021

When I rm tmp it becomes less visible, no one can view it as a file. When I rip tmp it becomes more visible, anyone can view it as a file.

This is because by default files that a user, alice, makes have permissions -rw-r--r- (anyone can read it), but the user home directory /home/alice has permissions drwx-----, only alice can view the files inside it.
When alice runs rip /home/alice/tmp, tmp moves to /tmp/graveyard-alice/home/alice/tmp, but /tmp/graveyard-alice/home has permissions drwxr-xr-x, anyone on the system can read it. Everyone on the system already had permission to read the file, but now they have permissions to read all the parent directories too.

This can be really problematic for ssh key, or other private files.

I didn't expect this behavior out of this tool, and I don't expect anyone else would either. By default, I would expect the to have the same visibility that it had before I rip it.

rypervenches's suggestion would be one way to address that.

@nivekuil
Copy link
Owner

nivekuil commented May 30, 2021 via email

@blargg
Copy link

blargg commented May 30, 2021

Thanks. I appreciate that.

@ghost
Copy link

ghost commented Jul 25, 2021

Would this not be the solution setfacl. I recently discovered all of the extended file attributes, sounds like what OP needs, make your trash dir then set the defaults you want, unless they are being over written. Have not tried this. But here is a quick example on stackoverflow, https://unix.stackexchange.com/questions/1314/how-to-set-default-file-permissions-for-all-folders-files-in-a-directory.

@StandingPadAnimations
Copy link

I know this thread is old, but I've implemented this in my fork of rm-improved: https://github.com/StandingPadAnimations/rip/releases/tag/0.14.0

Let me know if there's any issues

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants