Open rypervenche opened 3 years ago
> IIRC the reasoning to make it world-readable was out of convenience: often the only other user on a machine is root, and it's annoying to have to `su` just to be able to read stuff on a personal computer. For a use case where multi-user security is necessary, you probably
If the only users on a machine are root and a single user, then `su` wouldn't be necessary, as both users would have access to the files, so I'm not sure what inconveniences there would be.
As for using a multi-user machine, I still feel that a secure default would be best, as not everyone will realize that others could read their files. A common example would be students using a lab machine at a university. Their home directories are not readable by other users; however, everyone will be able to view the files that they've `rip`ed into /tmp. If an admin were to install and set this up for the students, they might set up a graveyard with the proper permissions (assuming they know enough about the project). However, if a student installs `rip` to their local account, they're likely not going to think about the need to set this up properly and will therefore be sharing their `rip`ed files with any student who happens to look in /tmp.
Unless I've overlooked something, I don't see any downsides to this approach. Even if there were something that were inconvenient, I would still personally err on the side of caution and prefer security over ease of use.
When I `rm tmp` it becomes less visible, no one can view it as a file. When I `rip tmp` it becomes more visible, anyone can view it as a file.

This is because by default files that a user, alice, makes have permissions `-rw-r--r--` (anyone can read it), but the user home directory `/home/alice` has permissions `drwx------`, only alice can view the files inside it.

When alice runs `rip /home/alice/tmp`, tmp moves to `/tmp/graveyard-alice/home/alice/tmp`, but `/tmp/graveyard-alice/home` has permissions `drwxr-xr-x`, anyone on the system can read it. Everyone on the system already had permission to read the file, but now they have permissions to read all the parent directories too.

This can be really problematic for ssh keys, or other private files.

I didn't expect this behavior out of this tool, and I don't expect anyone else would either. By default, I would expect the file to have the same visibility that it had before I `rip` it.

rypervenche's suggestion would be one way to address that.
Yeah, the current behavior is definitely concerning. I'll try to find some time to think about this and other maintenance in the near future.
On 29 May 2021 23:33, blargg @.***> wrote:
Thanks. I appreciate that.
Would `setfacl` not be the solution? I recently discovered all of the extended file attributes; it sounds like what OP needs: make your trash dir, then set the defaults you want, unless they are being overwritten. Have not tried this. But here is a quick example on stackoverflow: https://unix.stackexchange.com/questions/1314/how-to-set-default-file-permissions-for-all-folders-files-in-a-directory.
I know this thread is old, but I've implemented this in my fork of rm-improved: https://github.com/StandingPadAnimations/rip/releases/tag/0.14.0
Let me know if there are any issues.
It would be nice if the default permissions on the graveyard were 700, that way other users wouldn't be able to look at the files inside.
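The permission problem blargg walks through earlier in the thread (the re-created `home` directory under `/tmp/graveyard-alice` ends up `drwxr-xr-x`) and the 700 graveyard suggested in the comment above, as an added shell example that is not rip's own code: `graveyard_move` is a hypothetical stand-in for rip's move, everything runs inside a `mktemp -d` scratch directory rather than the real `/tmp`, the "ssh private key" file is a constructed sample, and `mode_of` assumes GNU coreutils `stat`.

```shell
#!/bin/sh
# Added example, not code from rip itself: a toy re-creation of the graveyard
# layout described in the thread, run in a scratch directory, to show which
# directory modes end up world-readable and how a 700 graveyard root (or an
# 077 umask while the parents are created) closes that off.

# Octal mode of a path. Assumption: GNU coreutils stat (Linux).
mode_of() {
    stat -c '%a' "$1"
}

# Hypothetical stand-in for rip's move: re-create the file's original
# directory path under the graveyard root, then move the file there.
#   $1 = graveyard root
#   $2 = directory standing in for "/"
#   $3 = path of the file relative to that root, e.g. home/alice/tmp
graveyard_move() {
    mkdir -p "$1/$(dirname "$3")"
    mv "$2/$3" "$1/$3"
}

# Build alice's home with a private file and "rip" it under the given umask.
# Prints the modes of the graveyard root and of the re-created 'home'
# directory inside it, e.g. "755 755".
simulate() {
    um="$1"
    work="$(mktemp -d)"
    mkdir -p "$work/home/alice"
    chmod 700 "$work/home/alice"                            # like a real home dir
    printf 'ssh private key\n' > "$work/home/alice/tmp"     # constructed sample
    grave="$work/tmp/graveyard-alice"
    (
        umask "$um"
        mkdir -p "$grave"
        graveyard_move "$grave" "$work" home/alice/tmp
    )
    printf '%s %s\n' "$(mode_of "$grave")" "$(mode_of "$grave/home")"
    rm -rf "$work"
}

# The fix proposed in the thread: create the graveyard root with mode 700.
# Because traversal is denied at the root, the modes of the re-created
# parent directories beneath it no longer matter to other users.
# Prints the resulting mode of the root.
secure_graveyard() {
    mkdir -p "$1"
    chmod 700 "$1"
    mode_of "$1"
}

# Returns 0 when the "other" permission bits of the path are all clear.
is_private() {
    case "$(mode_of "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Demo: the default umask leaves the graveyard and its 'home' world-readable,
# an 077 umask does not.
echo "umask 022: $(simulate 022)"   # 755 755
echo "umask 077: $(simulate 077)"   # 700 700
```

With the default umask both `graveyard-alice` and the `home` directory re-created beneath it come out 755, which is exactly the exposure described above; with `secure_graveyard` applied to the root, `is_private` passes and nothing below it is reachable by other users regardless of how the nested directories were created.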