bug-hurd

Re: rm patch suggestion


From: Oystein Viggen
Subject: Re: rm patch suggestion
Date: Tue, 07 May 2002 22:13:17 +0200
User-agent: Gnus/5.090007 (Oort Gnus v0.07) XEmacs/21.1 (Capitol Reef, i386-debian-linux)

* [Marcus Brinkmann] 

> Make this "you never want to recurse into directory translators" of
> untrusted people.

That's much better.  And we probably want to trust root.

> The general concept in Hurd is: Make translators as transparent to Unix as
> possible.  Your change is conflicting with this.  I think it might possibly
> be better to have an option to enable this behaviour, rather than make it
> the default on some combinations of traditional flags.

I am aware that my proposed change might be seen as breaking the nice
transparency of translators.  I still think that we all agree that
certain system commands need to be translator aware, and that the
question is more one of how to do it. 

> This problem should, for traditional Unix usage, only crop up in two
> situations: Removing files in /tmp, removing a user's home directory (or
> files in there).  Both are only commonly done by the sysadmin, who will not
> find it hard to learn the one new option to rm to make these safe operations
> (of course, it should be visibly documented in the Hurd docs).

I note that you think more highly of sysadmins than I do.  While I agree
that people who think that "I don't need to read the docs, because I'm
so smart" need a little ego dampening, I'm not sure if this is a good
policy for OS developers  :)

> For all other users, the default is to not allow anyone to meddle with one's
> files, so they are safe if they are careful.

Agreed.  We can't protect people from themselves.

> You have one strong argument in favour of your change though: And that is
> that rm -fR does not follow symlinks either.  I want to cite a comment from
> glibc/hurd/lookup-retry.c (which I pointed to in the prior discussion about
> this topic, IIRC):
>
>   [...]
>
> So, for rm, it might similarly be a good thing to follow root owned
> translators, or maybe even all translators that run on a node owned by the
> current user (eg, those would count as being trusted), possibly both.

I think both would be a good idea.  (Although I still think that rm should
not follow symlinks, even if owned by root, so as to be more consistent
with what would be expected by Unix users.)

> This is something we have to think more about.  Maybe a general rule like:
> If you would normally not follow symlinks in Unix for security, don't follow
> translators not owned by root/you/either of them/... as well.

Sounds good to me.  Also, if you stop at mount points in Unix, you stop
at translators in the Hurd.  (As mentioned by Joshua earlier).

> We might not find out but by trying, experience, and smart people like you
> who identify the problems/attacks/etc... this can take some time :)

Eek, he used flattery.  Now I _have_ to fix it  :)

I wouldn't be able to do anything even remotely useful about this
without the valuable input from the lists, however.

> I hope with the connection to O_NOFOLLOW I could give some hint where
> similar problems occur, and maybe the relation is strong enough to hold
> some water.

I will look further into O_NOFOLLOW (last time, I did not notice the
"ignored if owned by root" part, so I could not get it to work).

Oystein
-- 
When in doubt: Think again.
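A defender-side sketch of the rule the two of them converge on above (stop at symlinks, stop at mount points, and only descend into directories owned by root or the calling user), added here as an illustration and not code from the thread, from rm or from the Hurd. It is plain POSIX Python on Linux, so it knows nothing of translators; the directory-fd plus O_NOFOLLOW pattern is what keeps a symlink swapped in after the stat from being entered, and the `uid` parameter of `trusted_dir` is a hypothetical hook so the rule can be tested without root.

```python
import os
import stat

def trusted_dir(st, root_dev, uid=None):
    # Rule from the thread: enter only a real directory on the same filesystem
    # (stop at mount points) that is owned by root or by the caller.
    uid = os.getuid() if uid is None else uid
    return stat.S_ISDIR(st.st_mode) and st.st_dev == root_dev and st.st_uid in (0, uid)

def _empty_dir(dir_fd, root_dev, removed, skipped, shown):
    clean = True  # False once anything below had to be left in place
    for name in os.listdir(dir_fd):
        st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)  # lstat semantics
        path = os.path.join(shown, name)
        if not stat.S_ISDIR(st.st_mode):
            os.unlink(name, dir_fd=dir_fd)  # a symlink is unlinked, its target untouched
            removed.append(path)
            continue
        if trusted_dir(st, root_dev):
            # O_NOFOLLOW: an entry swapped for a symlink after the stat makes open()
            # fail with ELOOP instead of silently entering the symlink's target.
            fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            try:
                sub_clean = _empty_dir(fd, root_dev, removed, skipped, path)
            finally:
                os.close(fd)
            if sub_clean:
                os.rmdir(name, dir_fd=dir_fd)
                removed.append(path)
                continue
        skipped.append(path)  # untrusted, or something inside it was left behind
        clean = False
    return clean

def safe_rmtree(top):
    # rm -r that never follows symlinks and only enters trusted directories.
    # Returns (removed, skipped) as lists of paths.
    removed, skipped = [], []
    fd = os.open(top, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)  # ELOOP if top is a symlink
    try:
        clean = _empty_dir(fd, os.fstat(fd).st_dev, removed, skipped, top)
    finally:
        os.close(fd)
    if clean:
        os.rmdir(top)
    (removed if clean else skipped).append(top)
    return removed, skipped
```

Run it on a scratch tree that contains a symlink to a directory outside the tree: the link itself goes, the target's contents stay.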