bug-hurd

firmlink deleting files on boot / interpretation of find -xdev switch


From: Brent W. Baccala
Subject: firmlink deleting files on boot / interpretation of find -xdev switch
Date: Mon, 5 Sep 2016 21:55:44 -1000

On Thu, Sep 1, 2016 at 12:38 PM, Richard Braun <rbraun@sceen.net> wrote:
> This was famously shown with the example of the
> firmlink translator used in /tmp, which would cause the removal of
> any file targeted by the firmlink on /tmp cleanup during system
> startup.

I see that.  It seems to still have that problem.  I created a directory /root/baitdir, and put in it a file named 'bait'.  As a non-privileged user, I created a firmlink in /tmp to /root/baitdir and rebooted.  Voila!  'bait' vanished.

I took the time to read some of this mailing list's archive on the subject.  The consensus seems to be that you can't trust unprivileged translators.  So "find", which is used to clean /tmp, should not, in this case, cross translator boundaries.

I was thinking at first that we should have something like the "-xdev" switch; "-xtrans", maybe?

Yet since filesystem mounts are themselves done with translators, what does "-xdev" mean on Hurd?  I've poked around a bit in the source, and played with 'stat'.  It seems like several translators take an arbitrary number and present it as their device number.  Seems like legacy support, and it's easy for a translator to defeat -xdev by announcing the same device as its parent.

So, now I'm thinking that find's "-xdev" option shouldn't cross translator boundaries, and since find uses FTS, and the find call in /lib/init/bootclean.sh already specifies -xdev, that would require only a change to glibc.  This would affect any program that uses the FTS library calls.

Since "rm" also uses FTS, this change would affect rm.  Its --one-file-system option would have the effect of avoiding recursion into translators.  It doesn't sound like a bad thing.  In fact, it sounds to me like that switch might become a lot more useful.  A few slight changes to rm itself, and we could use "rm -rfx" as a common verb meaning "delete everything and don't go into translators".

"chmod", "chown", "chcon", "grep", and "mv" also use FTS, but don't provide options that map through into FTS_XDEV.  "du" uses FTS and does provide such an option (-x / --one-file-system).  These are the only programs that I've been able to find on my system that use FTS.

I haven't been able to find any other places on my system where find uses -xdev; just bootclean.sh, but my search has not been exhaustive.

Obviously there's been a long history behind this problem, and I'm new on the scene.  Does this change make sense?

On a related note, how do you find the owner of a passive translator?  I expected either showtrans or ls to provide that information (perhaps with a verbose switch), but it had eluded me...

    agape
    brent
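
The `-xdev` reasoning in the message above, as an added model that is not part of the original post and is not glibc's FTS code: the same tree walked once with pruning by `st_dev` comparison and once with pruning at translator boundaries. The tree, the device numbers, the `translator_root` flag and all function names are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a file tree; these are not glibc's FTS structures. */
struct node {
    const char *name;
    unsigned long st_dev;     /* device number the node reports via stat */
    int translator_root;      /* 1 if a translator sits here (assumed detectable) */
    const struct node *kids;  /* children; NULL marks a regular file */
    int nkids;
};

enum policy { BY_DEVNUM, BY_TRANSLATOR };

/* Count the regular files a recursive cleanup would reach under policy p
   and set *hit when a file named `watch` is among them. */
static int reach(const struct node *n, unsigned long root_dev, enum policy p,
                 const char *watch, int *hit)
{
    if (!n->kids) {
        if (strcmp(n->name, watch) == 0) *hit = 1;
        return 1;
    }
    int total = 0;
    for (int i = 0; i < n->nkids; i++) {
        const struct node *k = &n->kids[i];
        /* st_dev comparison: prune only when the reported device differs. */
        if (p == BY_DEVNUM && k->st_dev != root_dev) continue;
        /* Proposed meaning: prune at every translator boundary. */
        if (p == BY_TRANSLATOR && k->translator_root) continue;
        total += reach(k, root_dev, p, watch, hit);
    }
    return total;
}

static const struct node baitdir[] = { {"bait", 5, 0, NULL, 0} };
static const struct node other[]   = { {"data", 9, 0, NULL, 0} };
static const struct node tmp_kids[] = {
    {"scratch.txt", 5, 0, NULL, 0},
    {"link", 5, 1, baitdir, 1},  /* translator reporting its parent's st_dev */
    {"mnt",  9, 1, other, 1},    /* translator reporting its own st_dev */
};
static const struct node tmp = {"/tmp", 5, 0, tmp_kids, 3};

/* Returns 1 if "bait" would be reached; *nfiles gets the files reached. */
int bait_reached(enum policy p, int *nfiles)
{
    int hit = 0;
    *nfiles = reach(&tmp, tmp.st_dev, p, "bait", &hit);
    return hit;
}
```

In this model the device-number policy reaches `bait` through the node that reports its parent's `st_dev`, while the translator-boundary policy reaches only `scratch.txt`.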




 

