Marc Lehmann writes:
> It happens also for filesystems with correct permissions - maybe this is
> the point you have problems with?
>
> The effective permissions for a path depend on more than just the
> permissions of the file it refers to. For example, a root-only readable
> file can still be changed by normal users if the directory is writable for
> them.

No, it can't. If the directory is writable, then the user can modify the
directory, i.e. to rm the file, but they can't modify the file itself.

> That means the whole access path needs to be taken into account, and
> this is why the security issue is in gparted, because gparted changes
> effective permissions in ways not expected by the user, by mounting it in
> an insecure location.

The only way it can change the effective permissions is if you normally have
it mounted in a directory that uses the traverse/execute permission to
restrict who can traverse it, with the files inside otherwise having looser
permissions, and that amounts to the same thing as just not keeping it
mounted most of the time. Or I suppose you could use a filesystem namespace
so that it is only mounted for the one user and not visible to the rest of
the system. Either way, it begs the question: why not just set the
permissions correctly instead?

Come to think of it, maybe using filesystem namespaces would be a better
idea than chmod()ing the /tmp mount point (and then creating another
subdirectory in which to actually mount the fs).


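The exchange above turns on how POSIX path lookup works: every directory on the way to a file must grant search (x) permission to the caller, and only then are the file's own mode bits consulted. The following is an added illustration, not code from this thread or from gparted. It models that lookup over a constructed in-memory tree (the uids, the `file.txt` name and the mount-point names are made up for the example) and shows the same filesystem image reachable three ways: under a 0700 home directory, directly under a 1777 /tmp, and under a 0700 wrapper directory inside /tmp, which is the "chmod the mount point, then mount in a subdirectory" arrangement the message mentions.

```python
"""Model POSIX path traversal: who can reach a file depends on every
directory on the path, not only on the file's own permission bits."""
import stat
from dataclasses import dataclass, field


@dataclass
class Node:
    """One inode in a constructed, in-memory directory tree (not a real fs)."""
    mode: int                      # st_mode: type bits plus permission bits
    uid: int
    gid: int
    children: dict = field(default_factory=dict)


def _perm_bits(node, uid, gids):
    """rwx triplet the owner/group/other check selects for this principal.
    Simplification: uid 0 is treated as bypassing DAC entirely."""
    if uid == 0:
        return 7
    if uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def effective_access(root, path, uid, gids, want):
    """True if principal (uid, gids) can open `path` with rights `want`
    (a subset of 'rwx'). Each directory component must grant search (x);
    only the final object is checked against `want`."""
    node = root
    for part in [p for p in path.split("/") if p]:
        if not stat.S_ISDIR(node.mode):
            return False                   # ENOTDIR
        if not (_perm_bits(node, uid, gids) & 1):
            return False                   # EACCES: no search permission here
        node = node.children.get(part)
        if node is None:
            return False                   # ENOENT
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in set(want))
    return (_perm_bits(node, uid, gids) & need) == need


ALICE, BOB = 1000, 1001   # hypothetical users


def build_tree():
    """Constructed layout: one filesystem image (root 0755, containing a
    0644 file owned by alice) attached at three different mount points."""
    image = Node(stat.S_IFDIR | 0o755, 0, 0, {
        "file.txt": Node(stat.S_IFREG | 0o644, ALICE, ALICE),
    })
    return Node(stat.S_IFDIR | 0o755, 0, 0, {
        "home": Node(stat.S_IFDIR | 0o755, 0, 0, {
            # alice's home is traverse-restricted: nobody else gets past it
            "alice": Node(stat.S_IFDIR | 0o700, ALICE, ALICE, {"disk": image}),
        }),
        "tmp": Node(stat.S_IFDIR | 0o1777, 0, 0, {
            # same image mounted straight into world-searchable /tmp
            "disk": image,
            # same image mounted one level below a 0700 wrapper directory
            "alice-private": Node(stat.S_IFDIR | 0o700, ALICE, ALICE, {"disk": image}),
        }),
    })


def demo():
    """Same file, same mode bits, different answers depending on the path."""
    root = build_tree()
    return {
        "alice reads via home": effective_access(root, "/home/alice/disk/file.txt", ALICE, {ALICE}, "r"),
        "bob reads via home": effective_access(root, "/home/alice/disk/file.txt", BOB, {BOB}, "r"),
        "bob reads via /tmp": effective_access(root, "/tmp/disk/file.txt", BOB, {BOB}, "r"),
        "bob writes via /tmp": effective_access(root, "/tmp/disk/file.txt", BOB, {BOB}, "w"),
        "bob reads via wrapped mount": effective_access(root, "/tmp/alice-private/disk/file.txt", BOB, {BOB}, "r"),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'allowed' if ok else 'denied'}")
```

Note that the mount point's own mode is irrelevant once something is mounted on it: the directory the caller traverses is the root inode of the mounted filesystem, which is why the wrapper directory (rather than a chmod of the mount point itself) is what restricts bob in the third case.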