nivekuil/rip

Security

Stebalien opened this issue · 2 comments

In rip's current state, a normal user could (depending on kernel settings) trick arbitrary users into overwriting arbitrary files (either on delete or restore).

You need to make separate graveyards per-user and rip needs to make sure that each user graveyard is owned and writable by the user and only by the user. Alternatively, you could use setuid and run rip as root (and do some very careful permission checks) but that's very hard to do correctly. You could also run a rip daemon as root but that would complicate things.

Thanks for the feedback. rip now defaults to a per-user graveyard under /tmp, the permissions of which are based off umask, which on my system is 644.

You really should make it 0600.

  1. All directories will be world readable by default (if you use fs::create_dir_all). This reveals directory structure which may be sensitive.
  2. More importantly, fs::copy sets permissions after copying so there's a window where the file will be world readable.

If you make the graveyard itself 0600, it shouldn't matter what permissions the files/directories in it have.
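As an added example (not rip's code, written against the Rust standard library only), the two points raised in this thread in working form: a per-user graveyard created with mode 0700 that is refused if it turns out to be owned by someone else, readable by others or a planted symlink, and a copy routine that opens the destination as 0600 before any data is written, which closes the fs::copy window described above. `current_uid` is a hypothetical std-only stand-in for `libc::geteuid()`, and the paths under `temp_dir()` are constructed sample paths.

```rust
use std::fs::{self, DirBuilder, File, OpenOptions};
use std::io::{self, Error, ErrorKind};
use std::os::unix::fs::{DirBuilderExt, MetadataExt, OpenOptionsExt};
use std::path::Path;

fn reject(msg: &str) -> Error { Error::new(ErrorKind::PermissionDenied, msg) }

/// Effective uid. Hypothetical std-only stand-in for libc::geteuid(): a file this process creates is owned by its effective uid.
pub fn current_uid() -> io::Result<u32> {
    let probe = std::env::temp_dir().join(format!("uid-probe-{}", std::process::id()));
    File::create(&probe)?;
    let uid = fs::metadata(&probe)?.uid();
    fs::remove_file(&probe)?;
    Ok(uid)
}

/// Create or validate the per-user graveyard. A directory needs 0o700 (not 0o600) so its owner can traverse it.
pub fn open_graveyard(path: &Path, uid: u32) -> io::Result<()> {
    match DirBuilder::new().mode(0o700).create(path) {
        Ok(()) => return Ok(()), // we just created it: ours, and umask can only remove bits
        Err(e) if e.kind() == ErrorKind::AlreadyExists => {}
        Err(e) => return Err(e),
    }
    // It already existed: refuse anything we would not have created ourselves. symlink_metadata does not follow a planted symlink.
    let meta = fs::symlink_metadata(path)?;
    if !meta.is_dir() { return Err(reject("graveyard is not a directory")); }
    if meta.uid() != uid { return Err(reject("graveyard is owned by another user")); }
    if meta.mode() & 0o077 != 0 { return Err(reject("graveyard is accessible to others")); }
    Ok(()) // a narrow check-then-use window remains; openat on a held directory fd would close it
}

/// Copy `src` into the graveyard without the fs::copy window: the destination is created
/// 0o600 before any byte is written, and create_new refuses to clobber or follow an existing path.
pub fn bury(src: &Path, dst: &Path) -> io::Result<u64> {
    let mut input = File::open(src)?;
    let mut output = OpenOptions::new().write(true).create_new(true).mode(0o600).open(dst)?;
    io::copy(&mut input, &mut output)
}

fn main() -> io::Result<()> {
    let uid = current_uid()?;
    let yard = std::env::temp_dir().join(format!("graveyard-{}", uid));
    open_graveyard(&yard, uid)?;
    let src = std::env::temp_dir().join(format!("doomed-{}.txt", std::process::id()));
    fs::write(&src, b"constructed sample file")?; // constructed input
    println!("buried {} bytes", bury(&src, &yard.join(src.file_name().unwrap()))?);
    Ok(())
}
```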