nivekuil/rip

Set graveyard permissions to 700 by default

rypervenche opened this issue · 7 comments

It would be nice if the default permissions on the graveyard were 700, that way other users wouldn't be able to look at the files inside.

If the only users on a machine are root and a single user, then su wouldn't be necessary, as both users would have access to the files, so I'm not sure what inconveniences there would be.

As for using a multi-user machine, I still feel that a secure default would be best, as not everyone will realize that others could read their files. A common example would be students using a lab machine at a university. Their home directories are not readable by other users; however, everyone will be able to view the files that they've riped into /tmp. If an admin were to install and set this up for the students, they might set up a graveyard with the proper permissions (assuming they know enough about the project). However, if a student installs rip to their local account, they're likely not going to think about the need to set this up properly and will therefore be sharing their riped files with any student who happens to look in /tmp.

Unless I've overlooked something, I don't see any downsides to this approach. Even if there were something that were inconvenient, I would still personally err on the side of caution and prefer security over ease of use.

When I rm tmp it becomes less visible, no one can view it as a file. When I rip tmp it becomes more visible, anyone can view it as a file.

This is because by default files that a user, alice, makes have permissions -rw-r--r-- (anyone can read it), but the user home directory /home/alice has permissions drwx------, so only alice can view the files inside it.
When alice runs rip /home/alice/tmp, tmp moves to /tmp/graveyard-alice/home/alice/tmp, but /tmp/graveyard-alice/home has permissions drwxr-xr-x, so anyone on the system can read it. Everyone on the system already had permission to read the file, but now they have permission to read all the parent directories too.

This can be really problematic for ssh keys or other private files.

I didn't expect this behavior out of this tool, and I don't expect anyone else would either. By default, I would expect the file to have the same visibility that it had before I rip it.

rypervenche's suggestion would be one way to address that.
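As an added example (not code from rip or from anyone in this thread), a small POSIX sh script that reproduces the path exposure described above on a throwaway directory tree and checks whether a 0700 graveyard root closes it; the mock /home/alice tree, the "id_rsa" file and the graveyard layout are all constructed here.

```shell
#!/bin/sh
# Added example, not part of rip or this thread. Burying /home/alice/tmp
# recreates its parent path under the graveyard, and those recreated parents
# get the umask default (0755) no matter how private the original /home/alice
# was. A 0700 graveyard root closes the gap, because a file is reachable only
# if EVERY directory on the path grants others the search (x) bit.
# Works on a constructed temp tree, never the real /tmp. Assumes POSIX sh, ls.

# Bury $3 under graveyard root $1 (created with mode $2), mirroring its
# absolute path the way rip does; prints the new location.
bury_into() {
    root="$1"; mode="$2"; src="$3"
    umask 022                               # common default: new dirs are 0755
    mkdir -p "$root" && chmod "$mode" "$root"
    dest="$root/${src#/}"                   # e.g. root/home/alice/tmp
    mkdir -p "$(dirname "$dest")"
    mv "$src" "$dest"
    printf '%s\n' "$dest"
}

# Return 0 if every directory from graveyard root $1 down to the parent of
# file $2 has the others-execute bit, i.e. any local user could open $2.
others_can_reach() {
    root="$1"; d="$(dirname "$2")"
    while :; do
        case "$(ls -ld "$d" | cut -c10)" in
            x|t) ;;                         # others may traverse this dir
            *)   return 1 ;;                # blocked here: unreachable
        esac
        case "$d" in "$root"|/) return 0 ;; esac
        d="$(dirname "$d")"
    done
}

# Demo on a throwaway tree: the same private file, 0755 root vs 0700 root.
T="$(mktemp -d)"
mkdir -p "$T/home/alice" && chmod 700 "$T/home/alice"
for mode in 755 700; do
    printf 'secret\n' > "$T/home/alice/id_rsa"   # constructed private file
    f="$(bury_into "$T/graveyard-$mode" "$mode" "$T/home/alice/id_rsa")"
    if others_can_reach "$T/graveyard-$mode" "$f"; then
        echo "graveyard mode $mode: $f reachable by any local user"
    else
        echo "graveyard mode $mode: $f reachable by its owner only"
    fi
done
rm -rf "$T"
```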

Thanks. I appreciate that.

Would setfacl not be the solution? I recently discovered all of the extended file attributes; it sounds like what OP needs: make your trash dir, then set the defaults you want, unless they are being overwritten. I have not tried this, but here is a quick example on stackoverflow: https://unix.stackexchange.com/questions/1314/how-to-set-default-file-permissions-for-all-folders-files-in-a-directory.

I know this thread is old, but I've implemented this in my fork of rm-improved: https://github.com/StandingPadAnimations/rip/releases/tag/0.14.0

Let me know if there are any issues.