non-superuser chown(2)s considered harmful

Anthony DeBoer adeboer at gjetor.geac.COM
Wed Dec 12 07:36:15 AEST 1990


In article <5733 at labtam.labtam.oz> iand at labtam.labtam.oz (Ian Donaldson) writes:
>
>johnl at iecc.cambridge.ma.us (John R. Levine) writes:
>>Does anyone really do quota accounting by the UID of the file?  Consider
>>the following scenario: User A creates a large file.  User B links to it.
>>User A then deletes the original link.  If you charge by uid, user A is
>>charged for the file even though she has no control over it any more, and
>>might not even be able to see that it exists, depending on B's directory
>>protections.
>
>This is a silly argument.  For user B to write to the file, he must
>have been granted permission by user A.  Thus it is user A's responsibility
>in the first place that the subsequent space charging is against him.

Who says user B can or needs to be able to write to the file?  All they need
is to be able to read the file in A's directory, write permission to their own
directory, and for both to be on the same disk partition.  These are
sufficient permissions to let them link the file into their own directory. 
Now user A deletes the file, but it doesn't go away because of the second
link. In fact, if B has protected that directory against other users (chmod
700 dirname), user A can't even see where the second link is (note, though,
that if A is on the ball, she might see two links on an ls -l and truncate the
file to zero bytes before removing it).  Even if all user B can do with the
file is look at it, or maybe hopefully eventually blow it away, if you do
quota accounting by user the file still gets charged against A.

>If user A wants to prevent others writing his files, that's easy.
>User A can also prevent people linking to his files by hiding them
>below a directory that has the appropriate permissions.

Permissions to prevent anyone writing in your directory are reasonable and
IMHO something that should be done.  Preventing reading can be reasonable too
if the file is sensitive, but such paranoia should not be required just
because of the way a silly quota system is implemented.
-- 
Anthony DeBoer - NAUI #Z8800                           adeboer at gjetor.geac.com 
Programmer, GEAC J&E Systems Ltd.             uunet!jtsv16!geac!gjetor!adeboer
Toronto, Ontario, Canada             #include <std.random.opinions.disclaimer>
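The scenario argued over above rests on three facts about hard links: creating one needs only read access to the file, write access to the linker's own directory and a shared filesystem; the inode's owner (and therefore the UID a quota system would charge) never changes; and unlinking the original name releases nothing while another link exists. The following is an added demonstration, not code from the original post. It runs as a single user inside a temporary directory, so ownership is shown through the unchanged `st_uid` and inode number rather than with two real accounts, and it also shows the defensive habit the post mentions: check the link count and truncate before removing.

```python
"""Hard links versus per-UID quota accounting (constructed demonstration).

Assumes a POSIX filesystem; tempfile keeps both directories on the same
filesystem so os.link() is allowed.
"""
import os
import tempfile


def link_then_unlink_original(size=4096):
    """Create a file in a/, hard-link it from B's private b/, remove A's
    name, and report what survives.  Returns a dict of observations."""
    with tempfile.TemporaryDirectory() as root:
        a_dir = os.path.join(root, "a")
        b_dir = os.path.join(root, "b")
        os.mkdir(a_dir)
        os.mkdir(b_dir, 0o700)          # B's "chmod 700 dirname": A cannot see inside
        original = os.path.join(a_dir, "bigfile")
        with open(original, "wb") as f:
            f.write(b"x" * size)
        st_before = os.stat(original)

        # Only read on the file, write on b_dir and one filesystem are needed here.
        second = os.path.join(b_dir, "keep")
        os.link(original, second)
        st_linked = os.stat(original)

        os.unlink(original)             # "user A deletes the file"
        st_after = os.stat(second)      # ...but the inode lives on under B's name
        return {
            "links_before": st_before.st_nlink,
            "links_after_link": st_linked.st_nlink,
            "links_after_unlink": st_after.st_nlink,
            "same_inode": st_before.st_ino == st_after.st_ino,
            "owner_unchanged": st_before.st_uid == st_after.st_uid,  # quota still hits A
            "size_after_unlink": st_after.st_size,
        }


def safe_remove(path):
    """A's countermeasure from the post: if other links exist, truncate to zero
    bytes first so the blocks are freed, then unlink.  Returns whether the
    truncate step was needed."""
    st = os.stat(path)
    truncated = False
    if st.st_nlink > 1:
        os.truncate(path, 0)
        truncated = True
    os.unlink(path)
    return truncated


def demo_safe_remove(size=4096):
    """Show that after safe_remove() the surviving link holds zero blocks."""
    with tempfile.TemporaryDirectory() as root:
        original = os.path.join(root, "bigfile")
        with open(original, "wb") as f:
            f.write(b"x" * size)
        second = os.path.join(root, "keep")
        os.link(original, second)
        truncated = safe_remove(original)
        st = os.stat(second)
        return {
            "truncated": truncated,
            "size_via_other_link": st.st_size,
            "links_left": st.st_nlink,
        }


if __name__ == "__main__":
    print(link_then_unlink_original())
    print(demo_safe_remove())
```

The first function's `owner_unchanged` result is the whole of the quota complaint: the blocks still belong to A's UID although only B can name them. On modern Linux the `fs.protected_hardlinks` sysctl (enabled by default in most distributions) refuses hard links to files the caller neither owns nor has read and write access to, which removes the read-only variant of this scenario; on systems without that protection, the truncate-before-unlink check in `safe_remove()` is still the owner's only lever.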