Re: rm patch suggestion
From: Oystein Viggen
Subject: Re: rm patch suggestion
Date: Tue, 07 May 2002 22:13:17 +0200
User-agent: Gnus/5.090007 (Oort Gnus v0.07) XEmacs/21.1 (Capitol Reef, i386-debian-linux)
* [Marcus Brinkmann]
> Make this "you never want to recurse into directory translators" of
> untrusted people.
That's much better. And we probably want to trust root.
> The general concept in Hurd is: Make translators as transparent to Unix as
> possible. Your change is conflicting with this. I think it might possibly
> be better to have an option to enable this behaviour, rather than make it
> the default on some combinations of traditional flags.
I am aware that my proposed change might be seen as breaking the nice
transparency of translators. I still think that we all agree that
certain system commands need to be translator aware, and that the
question is more one of how to do it.
> This problem should, for traditional Unix usage, only crop up in two
> situations: Removing files in /tmp, removing a user's home directory (or
> files in there). Both are only commonly done by the sysadmin, who will not
> find it hard to learn the one new option to rm to make these safe operations
> (of course, it should be visibly documented in the Hurd docs).
I note that you think more highly of sysadmins than I do. While I agree
that people who think that "I don't need to read the docs, because I'm
so smart" need a little ego dampening, I'm not sure if this is a good
policy for OS developers :)
> For all other users, the default is to not allow anyone to meddle with one's
> files, so they are safe if they are careful.
Agreed. We can't protect people from themselves.
> You have one strong argument in favour of your change though: And that is
> that rm -fR does not follow symlinks either. I want to cite a comment from
> glibc/hurd/lookup-retry.c (which I pointed to in the prior discussion about
> this topic, IIRC):
>
> [...]
>
> So, for rm, it might similarly be a good thing to follow root owned
> translators, or maybe even all translators that run on a node owned by the
> current user (eg, those would count as being trusted), possibly both.
I think both would be a good idea. (Although I still think that rm should
not follow symlinks, even if owned by root, so as to be more consistent
with what would be expected by Unix users.)
> This is something we have to think more about. Maybe a general rule like:
> If you would normally not follow symlinks in Unix for security, don't follow
> translators not owned by root/you/either of them/... as well.
Sounds good to me. Also, if you stop at mount points in Unix, you stop
at translators in the Hurd. (As mentioned by Joshua earlier).
> We might not find out but by trying, experience, and smart people like you
> who identify the problems/attacks/etc... this can take some time :)
Eek, he used flattery. Now I _have_ to fix it :)
I wouldn't be able to do anything even remotely useful about this
without the valuable input from the lists, however.
> I hope with the connection to O_NOFOLLOW I could give some hint where
> similar problems occur, and maybe the relation is strong enough to hold
> some water.
I will look further into O_NOFOLLOW (last time, I did not notice the
"ignored if owned by root" part, so I could not get it to work).
Oystein
--
When in doubt: Think again.
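The rule discussed above (never follow a symlink, stop at mount points, only recurse into nodes owned by root or by the invoking user), as an added C example that is not from this thread, the Hurd, or coreutils: the names `may_descend`, `open_trusted_subdir` and the verdict enum are my own, and since plain POSIX has no translators, translator trust is modelled as directory ownership. It also adds the dev/ino re-check on the opened fd that an rm implementation needs against a swap between the stat and the open.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verdicts for "may the traversal descend into this entry?" */
enum descend { DESCEND_OK, DESCEND_SYMLINK, DESCEND_MOUNTPOINT,
               DESCEND_UNTRUSTED, DESCEND_NOTDIR, DESCEND_ERROR };

/* Apply the rule from the thread with the Unix analogues of translators:
 * never follow a symlink, stop at mount points (st_dev changes), and only
 * recurse into a directory owned by root or by the invoking user. `self`
 * is the uid doing the removal; `out` receives the lstat() result. */
enum descend may_descend(int dirfd, const char *name, dev_t parent_dev,
                         uid_t self, struct stat *out)
{
    if (fstatat(dirfd, name, out, AT_SYMLINK_NOFOLLOW) < 0)
        return DESCEND_ERROR;
    if (S_ISLNK(out->st_mode))
        return DESCEND_SYMLINK;
    if (!S_ISDIR(out->st_mode))
        return DESCEND_NOTDIR;
    if (out->st_dev != parent_dev)
        return DESCEND_MOUNTPOINT;
    if (out->st_uid != 0 && out->st_uid != self)
        return DESCEND_UNTRUSTED;
    return DESCEND_OK;
}

/* Open the subdirectory for recursion only after may_descend() allows it,
 * then re-check on the opened fd: O_NOFOLLOW|O_DIRECTORY refuses a symlink
 * swapped in between the stat and the open, and matching dev/ino catches
 * any other substitution in that window. Returns -1 if not safe. */
int open_trusted_subdir(int dirfd, const char *name, dev_t parent_dev, uid_t self)
{
    struct stat before, after;
    if (may_descend(dirfd, name, parent_dev, self, &before) != DESCEND_OK)
        return -1;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_DIRECTORY | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &after) < 0 ||
        after.st_dev != before.st_dev || after.st_ino != before.st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}
```

A recursive remover would call `open_trusted_subdir` for each directory entry and treat any -1 as "do not descend", exactly like rm -fR refusing to follow a symlink.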