hadoop-common-dev mailing list archives

From "Sanjay Radia (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-2514) Trash and permissions don't mix
Date Mon, 07 Jan 2008 22:51:34 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-2514?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12556752#action_12556752 ]

Sanjay Radia commented on HADOOP-2514:
--------------------------------------

As we decide the correct solution, I just wanted to document the semantics of trash if we
do the minimal for trash.
(One option is to leave trash and permissions as in release 0.16 and to fix it in 0.17.)

Here is the minimal we do in 0.16:
==========================
a. / is world rx
b. /trash has world rwx (so that shell commands can move dirs and files to /trash)
c. Things moved to /trash do not preserve the parent path. (change from 0.15 - we cannot preserve
the parent perms from the client side.)

What is the security violation of the above?
=================================
  - A user can read/write/x only if they have read, write or x on the object that was moved to
trash; so no violation.
Violations:
  - Any user can delete any file (but not necessarily dir) at top level in trash
  - Any user can move any file or dir out of trash to their personal dir - but can read/write/x
only if they have the right permission on object moved out of trash.
  - Any user can trick the trash compacter to delete objects that they have permission to
move but not to delete.

Can we live with the above for 0.16? 

> Trash and permissions don't mix
> -------------------------------
>
>                 Key: HADOOP-2514
>                 URL: https://issues.apache.org/jira/browse/HADOOP-2514
>             Project: Hadoop
>          Issue Type: New Feature
>          Components: dfs
>    Affects Versions: 0.16.0
>            Reporter: Robert Chansler
>             Fix For: 0.16.0
>
>
> Shell command "rm" is really "mv" to trash with the expectation that the server will
at some point really delete the contents of trash. With the advent of permissions, a user
can "mv" folders that the user cannot "rm". The present trash feature as implemented would
allow the user to suborn the server into deleting a folder in violation of the permissions
model.
> A related issue is that if anybody can mv a folder to the trash anybody else can mv that
same folder from the trash. This may be contrary to the expectations of the user.
> What is a better model for trash?

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
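The three violations listed in the comment above are easy to reproduce in a toy permission model. The following is an added illustration, not Hadoop code and not part of the original message: it models owner/other permission bits only (no group), treats "superuser" as the trash emptier that bypasses all checks, and assumes that `mv` needs write on the source's parent and on the destination directory while `rm` of a tree additionally needs write on every non-empty directory inside it. It contrasts the 0.16 layout (world-rwx `/trash`) with a hypothetical private per-user trash directory, showing that the private directory closes the cross-user delete and move-out, but not the "trick the emptier" case, because the emptier still deletes as superuser whatever a user was allowed to `mv`.

```python
# Toy model of the 0.16 trash semantics (constructed illustration, not Hadoop code).
from dataclasses import dataclass, field

R, W, X = 4, 2, 1


@dataclass
class Node:
    owner: str
    mode: tuple            # (owner bits, other bits); group omitted for brevity
    is_dir: bool = False
    children: dict = field(default_factory=dict)

    def allows(self, user, bit):
        if user == "superuser":          # the trash emptier bypasses all checks (assumption)
            return True
        bits = self.mode[0] if user == self.owner else self.mode[1]
        return bits & bit == bit


class ToyFS:
    def __init__(self):
        self.root = Node("hdfs", (R | W | X, R | X), is_dir=True)   # "/" is world rx

    @staticmethod
    def _parts(path):
        return [p for p in path.split("/") if p]

    def lookup(self, path):
        node = self.root
        for part in self._parts(path):
            node = node.children[part]
        return node

    def _parent_and_name(self, path):
        parts = self._parts(path)
        return self.lookup("/" + "/".join(parts[:-1])), parts[-1]

    def add(self, path, owner, mode, is_dir=False):
        parent, name = self._parent_and_name(path)
        parent.children[name] = Node(owner, mode, is_dir)

    def can_read(self, user, path):
        return self.lookup(path).allows(user, R)

    def can_move(self, user, src, dst_dir):
        # mv needs write on the source's parent and on the destination dir, nothing else
        parent, _ = self._parent_and_name(src)
        return parent.allows(user, W) and self.lookup(dst_dir).allows(user, W)

    def move(self, user, src, dst_dir):
        if not self.can_move(user, src, dst_dir):
            raise PermissionError(f"{user} may not mv {src} -> {dst_dir}")
        parent, name = self._parent_and_name(src)
        self.lookup(dst_dir).children[name] = parent.children.pop(name)

    def can_delete(self, user, path):
        # rm needs write on the parent and, for a tree, write on each dir that loses children
        parent, name = self._parent_and_name(path)
        return parent.allows(user, W) and self._tree_deletable(user, parent.children[name])

    def _tree_deletable(self, user, node):
        if not node.is_dir:
            return True
        if node.children and not node.allows(user, W):
            return False
        return all(self._tree_deletable(user, c) for c in node.children.values())


def trash_dir(per_user, user):
    # hypothetical private layout vs. the 0.16 shared /trash
    return f"/user/{user}/.Trash" if per_user else "/trash"


def build(per_user):
    fs = ToyFS()
    fs.add("/user", "hdfs", (R | W | X, R | X), is_dir=True)
    fs.add("/user/alice", "alice", (R | W | X, R | X), is_dir=True)
    fs.add("/user/bob", "bob", (R | W | X, R | X), is_dir=True)
    fs.add("/user/alice/secret", "alice", (R | W, 0))                   # alice's private file
    fs.add("/shared", "hdfs", (R | W | X, R | W | X), is_dir=True)      # anyone may add/remove entries
    fs.add("/shared/proj", "alice", (R | W | X, R | X), is_dir=True)    # but only alice may empty it
    fs.add("/shared/proj/data", "alice", (R | W, R))
    if per_user:
        for u in ("alice", "bob"):
            fs.add(trash_dir(True, u), u, (R | W | X, 0), is_dir=True)  # owner-only trash
    else:
        fs.add("/trash", "hdfs", (R | W | X, R | W | X), is_dir=True)   # world rwx, as in 0.16
    return fs


def trash_outcomes(per_user):
    """alice trashes her private file; bob trashes /shared/proj, which he could not rm."""
    fs = build(per_user)
    alice_trash, bob_trash = trash_dir(per_user, "alice"), trash_dir(per_user, "bob")
    fs.move("alice", "/user/alice/secret", alice_trash)
    secret = alice_trash + "/secret"
    could_rm_proj = fs.can_delete("bob", "/shared/proj")
    fs.move("bob", "/shared/proj", bob_trash)
    return {
        "bob_deletes_alices_trashed_file": fs.can_delete("bob", secret),
        "bob_moves_alices_file_out": fs.can_move("bob", secret, "/user/bob"),
        "bob_reads_alices_file": fs.can_read("bob", secret),
        "bob_could_rm_proj_directly": could_rm_proj,
        "emptier_removes_proj_for_bob": fs.can_delete("superuser", bob_trash + "/proj"),
    }


if __name__ == "__main__":
    for layout in (False, True):
        print("per-user trash" if layout else "shared /trash", trash_outcomes(layout))
```

With the shared `/trash`, bob can delete or move out alice's trashed file (violations 1 and 2) while still being unable to read it, and the emptier removes `/shared/proj` for him even though he had no permission to `rm` it (violation 3). With an owner-only trash directory the first two results flip to `False`; the third does not, which is the part a trash redesign has to address on the server side.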

