GNOME Bugzilla – Bug 46475
Users may expose files from private folders by 'Move to Trash'
Last modified: 2004-12-22 21:47:04 UTC
Moving a file contained in a private folder on a public server to Trash places the file in a public Trash directory. If it's reasonable that users may expect an /h/public directory's content to be private by setting its permissions, then this may be a significant problem. [Filing as food for thought at John Sullivan's request.]

* REPRODUCIBLE: Always

* STEPS TO REPRODUCE:
1. Navigate to your /h/public/{username} directory in Nautilus
2. Select "New Folder", and put a file into that new folder
3. Show Properties on the folder you just created, and remove read/write/execute permissions for everyone except for 'Owner'.
4. Open the folder.
5. Right-click on the item you placed in it, and select "Move to Trash"

* ACTUAL RESULTS: The item is now visible to the world in /h/public/.Trash-{username}.

------- Additional Comments From sullivan@eazel.com 2001-02-09 15:32:30 ----
I don't know if this is worth addressing for 1.0 or even in the future, but I assumed it was better to have Don/Pavel/etc. ponder the issue than to ignore it. Leaving for Don to assign priority.

------- Additional Comments From don@eazel.com 2001-02-16 00:16:41 ----
Not a 1.0 blocker.

------- Additional Comments From pavel@eazel.com 2001-03-16 11:30:38 ----
One thing that might be simple and get the job done is to make the Trash directory only readable and writable by the user. Setting the time estimate for that solution.

------- Additional Comments From snickell@stanford.edu 2001-07-23 00:40:22 ----
Taking bugs previously assigned to Pavel, assigning them to myself. Will parse them out at my leisure, but many are GnomeVFS bugs we should look at for 2.0.

------- Bug moved to this database by unknown@bugzilla.gnome.org 2001-09-09 20:59 -------
Changing to "old" target milestone for all bugs lying around with no milestone set.
Seems like this could be a security issue, so marking gnome2 and 1.1.x. Alex et al., is this still relevant????
Marking this 'high' because it is a theoretical security concern, but can't/won't mark 2.0.0 because it is only applicable to the (as of yet) very small group that is affected by large multi-user installations.
Created attachment 8986: Sets permissions to 0700 for trash directories on other devices
The patch seems fine, please commit it to gnome-2-0 branch as well as HEAD.
Patch applied to HEAD and gnome-2-0 branch.
This bug needs to be reopened. Currently only half the problem is resolved, the case when the home dir resides on other devices. In this case, gnome-vfs/modules/file-method.c:do_find_directory() ignores/overrides user-specified permissions to create .Trash with 700. In the normal case, file perms are honored and .Trash gets created with 755 permissions. So the user's trash is readable, and this is a concern for example on Solaris, where home dirs are created 755. Possible solution: first, gnome-vfs/modules/file-method.c:do_find_directory() needs to be changed to uniformly ignore user-specified permissions while creating .Trash. gnome-vfs API documentation could also be updated to reflect this change. And nautilus has to be modified to send 0000 (something unused) instead of the current 777. With this I guess we can guarantee a 700 .Trash for a user.
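The behaviour the comment above asks for, as an added example that is not gnome-vfs or Nautilus code: a helper that creates the trash directory 0700 regardless of any mode a caller would pass, and also tightens a .Trash that an earlier run left at 0755 (the helper names and the scratch path under /tmp are assumptions made for this example).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical helper (not gnome-vfs code): make `path` a directory only its
 * owner can use (0700), whatever mode the caller or the umask would give it.
 * Returns 0 on success, -1 with errno set on failure. */
int ensure_private_dir(const char *path)
{
    struct stat st;
    int fd, rc = -1;
    if (mkdir(path, S_IRWXU) == 0)   /* umask only clears bits: never wider than 0700 */
        return 0;
    if (errno != EEXIST)
        return -1;
    /* Exists already, e.g. 0755 from a default umask.  Open it as a directory
     * without following symlinks so the checks and the chmod hit one object. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0) {
        if (st.st_uid != geteuid())
            errno = EPERM;           /* someone else's directory: leave it alone */
        else if ((st.st_mode & 07777) == S_IRWXU || fchmod(fd, S_IRWXU) == 0)
            rc = 0;
    }
    close(fd);
    return rc;
}
/* Permission bits of `p` (no symlink following), or -1 on error. */
static int mode_of(const char *p) { struct stat s; return lstat(p, &s) == 0 ? (int)(s.st_mode & 07777) : -1; }
/* Reproduce the report in a scratch directory: a .Trash left 0755 is
 * tightened, then recreated from scratch.  Returns 1 if both end up 0700. */
int demo_trash_dir(void)
{
    char base[] = "/tmp/trashdemo.XXXXXX", t[64];   /* constructed scratch location */
    int ok;
    if (mkdtemp(base) == NULL)
        return 0;
    snprintf(t, sizeof t, "%s/.Trash-demo", base);
    umask(022);
    mkdir(t, 0755);                  /* how the bug left it: world-readable */
    ok = mode_of(t) == 0755 && ensure_private_dir(t) == 0 && mode_of(t) == 0700
      && rmdir(t) == 0 && ensure_private_dir(t) == 0 && mode_of(t) == 0700;
    rmdir(t); rmdir(base);
    return ok;
}
```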
Created attachment 9741: Attaching a patch.
Attached a patch to set permissions to 0700 for the .Trash directory created in the user's home directory.
I applied these patches.