Unifying ~/Desktop - security issues with ~/Trash
Raphaël Quinet
quinet at gamers.org
Thu Jun 13 09:36:42 BST 2002

On 11 Jun 2002 22:01:05 -0400, "Havoc Pennington" <hp at redhat.com> wrote:
[...]
> (If I throw away a file, and it ends up in ~/Trash, then it's quite
> possible that moving it from its original location to ~/Trash changes
> the set of people that are able to or likely to see it, or changes
> whether the file is on a crypted filesystem, or perhaps moves the file
> from local storage onto my NFS-mounted home dir; all those are
> possible - though in my mind not very important - security issues.

This is not pure speculation because I have exactly this case here: I
have several machines on which some project directories containing
confidential documents are on (local) encrypted filesystems, while all
home directories and some non-confidential project directories are
NFS-mounted from several remote servers.

Although I do not use Nautilus (yet) on these machines, I would
certainly object to having a file manager that moves some deleted files
from an encrypted file system to an NFS-mounted home directory. The
confidential documents would suddenly become available on the remote
servers, even after the machine containing the original files (e.g., a
laptop) has been disconnected from the network. I would consider this
to be a serious security issue.

In addition, the NFS-mounted home directories have relatively low quota
limits, while the local filesystems have no quotas. Moving some large
files from a local filesystem (encrypted or not) to their home
directories could cause some users to exceed their quota or to come
close to their limit.

-Raphaël

P.S.: Although I am not too concerned about that, I also expect some
problems if the filesystem from which the file is deleted and
the home filesystem have different limitations for the names or
attributes of the files. For example: ext2/3, minix, msdos and
isofs have different limitations. Moving a file to the trash
and then moving it back may not restore its name or attributes
correctly if they are on different filesystems.
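
Added example, not part of the original message and not code from Nautilus or KDE: one way a file manager could refuse to trash a file when the trash directory is on a different filesystem than the file, so that data never leaves an encrypted volume for an NFS-mounted home. The function name `move_to_trash` and its `dev_of` parameter are hypothetical; `dev_of` exists only so the device lookup can be replaced in tests.

```python
import errno
import os


def _st_dev(path):
    """Device ID of the filesystem that holds path."""
    return os.stat(path).st_dev


def move_to_trash(src, trash_dir, dev_of=_st_dev):
    """Move src into trash_dir only if the data stays on its own filesystem.

    Hypothetical helper. Returns the new path, or None when the move is refused.
    """
    src = os.path.abspath(src)
    # Different device IDs mean the trash lives on another filesystem
    # (for example an NFS home versus a local encrypted volume).
    if dev_of(os.path.dirname(src)) != dev_of(trash_dir):
        return None

    # Pick a free name so an earlier trashed file is not overwritten.
    base = os.path.basename(src)
    dest, n = os.path.join(trash_dir, base), 0
    while os.path.lexists(dest):
        n += 1
        dest = os.path.join(trash_dir, f"{base}.{n}")

    try:
        # rename(2) relinks the directory entry and never copies data; it
        # fails with EXDEV instead of crossing a mount point.
        os.rename(src, dest)
    except OSError as exc:
        if exc.errno == errno.EXDEV:
            return None  # no copy-and-delete fallback on purpose
        raise
    return dest
```

A caller that gets `None` can ask the user whether to delete the file outright or use a trash directory located on the file's own filesystem.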