Date: Mon, 30 Oct 2006 19:38:49 +1100
From: Peter Jeremy <peterjeremy@optushome.com.au>
To: perryh@pluto.rain.com
Cc: freebsd-hackers@freebsd.org
Subject: Re: [patch] rm can have undesired side-effects
Message-ID: <20061030083849.GB871@turion.vk2pj.dyndns.org>
In-Reply-To: <45455f6a.yNcc0kkyEKpoRv3m%perryh@pluto.rain.com>
References: <20061029222847.GA68272@marvin.astase.com> <20061030003628.42bc5f8d@loki.starkstrom.lan> <45455f6a.yNcc0kkyEKpoRv3m%perryh@pluto.rain.com>
On Sun, 2006-Oct-29 18:11:54 -0800, perryh@pluto.rain.com wrote:
>I think a very strong case can be made that the *intent* of -P --
>to prevent retrieval of the contents by reading the filesystem's
>free space -- implies that it should affect only the "real" removal
>of the file, when its blocks are released because the link count
>has become zero.
...
>In this interpretation, "rm -P" when the link count exceeds 1 is
>an erroneous command.

I agree. Doing "rm -P" on a file with multiple links suggests that the user is unaware that there are multiple links. I don't think that just unlinking the file and issuing a warning is a good solution because it's then virtually impossible to locate the other copy(s) of the file, which remains viewable.

I believe this is a security hole. Consider: In FreeBSD, it is possible to create a hardlink to a file if you are not the owner, even if you can't read it. Mallory may decide to create hardlinks to Alice's files, even if he can't read them today, on the off-chance that he may be able to circumvent the protections at a later date. Unless Alice notices that her file has a second link before she deletes it, when she issues "rm -P", she will lose her link to the file (and her only way of uniquely identifying it) whilst leaving the remaining link to the file in Mallory's control.

-- 
Peter Jeremy
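The link-count check this message argues for, as an added example that is not part of the thread or of FreeBSD's rm: before overwriting, refuse when the file still has other hard links and list the other names sharing its inode (found with find -inum, so only on the same filesystem and only under a tree the caller can traverse). All helper names are hypothetical; it assumes POSIX sh, ls, awk and find.

```shell
#!/bin/sh
# Added example, not FreeBSD's rm: before an "rm -P", refuse when the file
# still has other hard links and list the other names sharing its inode, so
# the user can deal with them before the blocks are overwritten.
# All helper names here are hypothetical; assumes POSIX sh, ls, awk and find.

# link_count FILE: hard-link count, field 2 of "ls -ld" on BSD and GNU.
link_count() {
    ls -ld "$1" | awk '{ print $2 }'
}

# other_links FILE ROOT: paths under ROOT sharing FILE's inode, FILE excluded.
# Inode numbers are unique only within one filesystem, so the search stays on
# ROOT's filesystem (-xdev); ROOT should be that filesystem's mount point, and
# FILE must be spelled as find will print it (e.g. both absolute).
other_links() {
    inum=$(ls -di "$1" | awk '{ print $1 }')
    find "$2" -xdev -inum "$inum" ! -path "$1"
}

# check_links FILE ROOT: 0 only when FILE is a regular file with exactly one
# link; otherwise report the other names on stderr and return non-zero.
check_links() {
    if [ ! -f "$1" ]; then
        echo "check_links: $1: not a regular file" >&2
        return 2
    fi
    n=$(link_count "$1")
    if [ "$n" -gt 1 ]; then
        echo "check_links: $1 has $n links; other names on this filesystem:" >&2
        other_links "$1" "$2" >&2
        return 1
    fi
    return 0
}

# safe_rm_p FILE ROOT: overwrite and unlink only when FILE is the last link.
safe_rm_p() {
    check_links "$1" "$2" && rm -P -- "$1"
}

# Constructed demo: a scratch directory where a second name links to the file.
d=$(mktemp -d)
printf 'secret\n' > "$d/alice"
ln "$d/alice" "$d/mallory"
check_links "$d/alice" "$d" || echo "refused, as intended" >&2
rm -rf "$d"
```

Pass the filesystem's mount point as ROOT when the file is not in a scratch directory; a link under a directory the caller cannot traverse will still not be listed.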