On Thu, Sep 1, 2016 at 12:38 PM, Richard Braun <rbr...@sceen.net> wrote:

> This was famously shown with the example of the
> firmlink translator used in /tmp, which would cause the removal of
> any file targeted by the firmlink on /tmp cleanup during system
> startup.
>

I see that.  It seems to still have that problem.  I created a directory
/root/baitdir, and put in it a file named 'bait'.  As a non-privileged
user, I created a firmlink in /tmp to /root/baitdir and rebooted.  Voila!
'bait' vanished.

I took the time to read some of this mailing list's archive on the
subject.  The consensus seems to be that you can't trust unprivileged
translators.  So "find", which is used to clean /tmp, should not, in this
case, cross translator boundaries.

I was thinking at first that we should have something like the "-xdev"
switch; "-xtrans", maybe?

Yet since filesystem mounts are themselves done with translators, what does
"-xdev" mean on Hurd?  I've poked around a bit in the source, and played
with 'stat'.  It seems like several translators take an arbitrary number
and present it as their device number.  Seems like legacy support, and it's
easy for a translator to defeat -xdev by announcing the same device as its
parent.

So, now I'm thinking that find's "-xdev" option shouldn't cross translator
boundaries, and since find uses FTS, and the find call in
/lib/init/bootclean.sh already specifies -xdev, that would require only a
change to glibc.  This would affect any program that uses the FTS library
calls.

Since "rm" also uses FTS, this change would affect rm.  Its
--one-file-system option would have the effect of avoiding recursion into
translators.  It doesn't sound like a bad thing.  In fact, it sounds to me
like that switch might become a lot more useful.  A few slight changes to
rm itself, and we could use "rm -rfx" as a common verb meaning "delete
everything and don't go into translators".

"chmod", "chown", "chcon", "grep", and "mv" also use FTS, but don't provide
options that map through into FTS_XDEV.  "du" uses FTS and does provide
such an option (-x / --one-file-system).  These are the only programs that
I've been able to find on my system that use FTS.

I haven't been able to find any other places on my system where find uses
-xdev; just bootclean.sh, but my search has not been exhaustive.

Obviously there's been a long history behind this problem, and I'm new on
the scene.  Does this change make sense?

On a related note, how do you find the owner of a passive translator?  I
expected either showtrans or ls to provide that information (perhaps with a
verbose switch), but it has eluded me...

    agape
    brent
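
As an added example that is not part of the original message or of any Hurd, glibc or findutils code: a small C program on top of fts(3) that replays the bait experiment on an ordinary Unix, with a symlink standing in for the firmlink (an assumption made for the sake of a runnable example; a Hurd firmlink is a translator, not a symlink, and FTS_PHYSICAL would not by itself stop one). It shows that a link-following walk (FTS_LOGICAL) reaches the bait file while a physical walk (FTS_PHYSICAL) does not, that the FTS_XDEV check is nothing more than a comparison of the st_dev values the walked objects report, and a physical "rm -rf"-style cleanup after which the bait survives. The fixture layout and the names fixture, make_fixture, count_files, same_device, remove_tree and bait_survives_cleanup are mine.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fts.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Constructed fixture (hypothetical paths under $TMPDIR or /tmp). */
struct fixture {
    char outside[96];   /* stands in for the parent of /root/baitdir */
    char tmp[96];       /* stands in for /tmp */
    char bait[160];     /* the file that must survive the cleanup */
};

static int touch(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Build <tmp>/junk, <tmp>/lure -> <outside>/baitdir and <outside>/baitdir/bait.
 * The symlink "lure" plays the role of the firmlink in the report. */
static int make_fixture(struct fixture *f) {
    const char *base = getenv("TMPDIR");
    char path[192], target[160], link[160];
    if (!base) base = "/tmp";
    snprintf(f->outside, sizeof f->outside, "%s/xdev-outside-XXXXXX", base);
    snprintf(f->tmp, sizeof f->tmp, "%s/xdev-tmp-XXXXXX", base);
    if (!mkdtemp(f->outside) || !mkdtemp(f->tmp)) return -1;
    snprintf(path, sizeof path, "%s/baitdir", f->outside);
    if (mkdir(path, 0700) < 0) return -1;
    snprintf(f->bait, sizeof f->bait, "%s/baitdir/bait", f->outside);
    if (touch(f->bait) < 0) return -1;
    snprintf(path, sizeof path, "%s/junk", f->tmp);
    if (touch(path) < 0) return -1;
    snprintf(target, sizeof target, "%s/baitdir", f->outside);
    snprintf(link, sizeof link, "%s/lure", f->tmp);
    return symlink(target, link);
}

/* Walk root with fts(3) and count the regular files reached.  flags must
 * contain FTS_PHYSICAL (do not follow symlinks) or FTS_LOGICAL (follow them). */
static int count_files(const char *root, int flags) {
    char *const argv[] = { (char *)root, NULL };
    FTS *ftsp = fts_open(argv, flags | FTS_NOCHDIR, NULL);
    if (!ftsp) return -1;
    int n = 0;
    for (FTSENT *e; (e = fts_read(ftsp)) != NULL; )
        if (e->fts_info == FTS_F) n++;
    fts_close(ftsp);
    return n;
}

/* The whole test behind FTS_XDEV (find -xdev, rm/du --one-file-system):
 * 1 if path reports the same st_dev as root, 0 if not, -1 on error.
 * It trusts whatever the object answers to stat, which is the weakness
 * the message above describes for translators. */
static int same_device(const char *root, const char *path) {
    struct stat a, b;
    if (lstat(root, &a) < 0 || lstat(path, &b) < 0) return -1;
    return a.st_dev == b.st_dev;
}

/* "rm -rf" that never follows a link and never crosses a device: physical
 * walk, unlink on leaves, rmdir on the post-order directory visit. */
static int remove_tree(const char *root) {
    char *const argv[] = { (char *)root, NULL };
    FTS *ftsp = fts_open(argv, FTS_PHYSICAL | FTS_NOCHDIR | FTS_XDEV, NULL);
    if (!ftsp) return -1;
    int rc = 0;
    for (FTSENT *e; (e = fts_read(ftsp)) != NULL; ) {
        switch (e->fts_info) {
        case FTS_D:   break;                                   /* pre-order */
        case FTS_DP:  if (rmdir(e->fts_accpath) < 0) rc = -1; break;
        case FTS_DNR: case FTS_ERR: case FTS_NS: rc = -1; break;
        default:      if (unlink(e->fts_accpath) < 0) rc = -1; break;
        }
    }
    fts_close(ftsp);
    return rc;
}

/* Replay the report: logical walk sees junk + bait (2), physical walk sees
 * junk only (1), physical cleanup of "tmp" leaves bait in place.
 * Returns 1 when all of that holds, 0 when it does not, -1 on setup error. */
static int bait_survives_cleanup(void) {
    struct fixture f;
    if (make_fixture(&f) < 0) return -1;
    int logical  = count_files(f.tmp, FTS_LOGICAL);
    int physical = count_files(f.tmp, FTS_PHYSICAL);
    int removed  = remove_tree(f.tmp);
    int survived = access(f.bait, F_OK) == 0;
    remove_tree(f.outside);
    if (logical != 2 || physical != 1 || removed != 0) return 0;
    return survived;
}

int main(void) {
    printf("bait survives physical cleanup: %d\n", bait_survives_cleanup());
    return 0;
}
```

Run it without privileges; it only touches directories it creates under $TMPDIR. The point the comparison makes for the thread is that both defences the coreutils offer rest on what the walked object itself reports: FTS_PHYSICAL on the object being a symlink rather than a directory, FTS_XDEV on the st_dev it returns, so a translator that presents itself as a plain directory on the parent's device passes both.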
