[ https://issues.apache.org/jira/browse/HADOOP-2514?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12556795#action_12556795 ]

Robert Chansler commented on HADOOP-2514:
-----------------------------------------

When I first thought about this problem, I judged that suborning the trash 
collector to rm things that I could not rm was the most severe problem with the 
trash model. But I'm now thinking this is not (much) of a problem. In the 
absence of links you cannot tell whether I deleted a directory or else just 
moved it to some place invisible to you. Perhaps to a place invisible to you 
and me. (The superuser could always do a full search of the file system.) Isn't 
making a directory invisible the moral equivalent of deleting it?

In any case, a checked move to trash requires that the mv and the checking be 
an atomic operation. And having moved something to the trash, the only sure way 
to be certain that it is then deleted is for the collector to be the superuser 
since permissions might have changed since the move.

So I'm thinking that extra checking has little benefit without really 
protecting from curious circumstances.

> Trash and permissions don't mix
> -------------------------------
>
>                 Key: HADOOP-2514
>                 URL: https://issues.apache.org/jira/browse/HADOOP-2514
>             Project: Hadoop
>          Issue Type: New Feature
>          Components: dfs
>    Affects Versions: 0.16.0
>            Reporter: Robert Chansler
>             Fix For: 0.16.0
>
>
> Shell command "rm" is really "mv" to trash with the expectation that the 
> server will at some point really delete the contents of trash. With the 
> advent of permissions, a user can "mv" folders that the user cannot "rm". The 
> present trash feature as implemented would allow the user to suborn the 
> server into deleting a folder in violation of the permissions model.
> A related issue is that if anybody can mv a folder to the trash anybody else 
> can mv that same folder from the trash. This may be contrary to the 
> expectations of the user.
> What is a better model for trash?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
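
An added example, not part of the JIRA message or of Hadoop's code: a toy namespace with simplified POSIX-style checks that shows the move-versus-delete gap from the issue description, the atomic checked move, and why only a superuser collector is sure to delete. The `Dir` class, the user names, the superuser name and the lock are assumptions made for the illustration.

```python
import threading

SUPERUSER = "hdfs"  # assumed superuser name for this toy model

class Dir:
    def __init__(self, owner, world_writable=False):
        self.owner, self.world_writable, self.children = owner, world_writable, {}

    def writable_by(self, user):
        return user == SUPERUSER or user == self.owner or self.world_writable

def may_delete(user, parent, name):
    """Recursive delete: write access to the parent and to every non-empty directory below."""
    def subtree_ok(d):
        own = not d.children or d.writable_by(user)
        return own and all(subtree_ok(c) for c in d.children.values())
    return parent.writable_by(user) and subtree_ok(parent.children[name])

def may_move(user, src_parent, dst_parent):
    """A rename only needs write access to the two parent directories."""
    return src_parent.writable_by(user) and dst_parent.writable_by(user)

_ns_lock = threading.Lock()  # stands in for a namespace-wide lock (assumption)

def move_to_trash(user, src_parent, name, trash, checked):
    """Unchecked: plain rename. Checked: delete check and rename under one lock."""
    with _ns_lock:
        if not may_move(user, src_parent, trash):
            return False
        if checked and not may_delete(user, src_parent, name):
            return False
        trash.children[name] = src_parent.children.pop(name)
        return True

def collect(collector, trash):
    """Trash collector: removes only what the collector identity may delete."""
    removed = [n for n in list(trash.children) if may_delete(collector, trash, n)]
    for n in removed:
        del trash.children[n]
    return removed

def build():
    # Constructed sample tree: alice owns /shared/proj, bob owns /shared/proj/private.
    shared, trash = Dir("alice"), Dir("alice")
    proj = shared.children["proj"] = Dir("alice")
    private = proj.children["private"] = Dir("bob")
    private.children["data"] = Dir("bob")
    return shared, trash
```

In this model alice can rename `proj` into the trash although she cannot delete it; the checked move refuses, and a collector running as alice leaves the entry in place while one running as the superuser removes it.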
