bug#58781: 28.2; move-file-to-trash may move file across filesystems

bug#58781: 28.2; move-file-to-trash may move file across filesystems

[Gustavo Barros]

Hi All,

I'm trying to investigate bug#58721
(https://lists.gnu.org/archive/html/bug-gnu-emacs/2022-10/msg01987.html),
couldn't figure it out yet, but in the process of doing so, I've found
another issue.  Namely, that `move-file-to-trash' may move the file
across filesystems with some undesired implications, including
potential security risk.

This happens because, for the case using the freedesktop.org method,
in setting trash directory, the procedure is the following:

    (xdg-data-dir
     (directory-file-name
      (expand-file-name "Trash"
                        (or (getenv "XDG_DATA_HOME")
                            "~/.local/share"))))

There's no provision to check whether `xdg-data-dir' belongs to the
same filesystem (partition) as the file being moved there.  As a
result, the `move-file-to-trash' may move the file across filesystems.
Indeed, I've tested it and, if you are trashing a file from a
different partition, it ends in "~/.local/share" regardless.

This is a problem for at least two reasons.  First, what should be a
cheap operation, a simple "rename", can become very costly if what is
being trashed is large, because now the file has to be physically
moved.  Second, it may be a security risk.

It certainly is for my setup, for example.  It involves two
partitions, one for the operating system, unencrypted, which includes
"/home/username/", and another one, luks encrypted, where I keep my
user files, and which is symlinked to "/home/username/".  So, trashing
a file from dired, with such a setup, results in the files being
stored unencrypted, when they shouldn't.  I wouldn't say there's
nothing much peculiar in this setup, it is certainly legitimate.

I'm not sure what's the standard expected behavior (I suppose the
freedesktop.org specs for it).  But my distro's file manager (which
happens to be `nemo' from Linux Mint) certainly does not do that.  It
sends such files to a different trash directory at the root of the
other partition's mount point.

Best regards,
Gustavo.

bug#58781: 28.2; move-file-to-trash may move file across filesystems

[Gustavo Barros]

Hi All,

a couple of additions to this report.

First, I did some searching on the freedesktop.org specs, which I
found at: https://specifications.freedesktop.org/trash-spec/trashspec-latest.html.
The relevant bit seems to be:

"A system can have one or more trash directories. The contents of any
trash directory are to be compliant with the same standard, described
below.

For every user a “home trash” directory MUST be available. Its name
and location are $XDG_DATA_HOME/Trash; $XDG_DATA_HOME is the base
directory for user-specific data, as defined in the Desktop Base
Directory Specification .

The “home trash” SHOULD function as the user's main trash directory.
Files that the user trashes from the same file system
(device/partition) SHOULD be stored here (see the next section for the
storage details). A “home trash” directory SHOULD be automatically
created for any new user. If this directory is needed for a trashing
operation but does not exist, the implementation SHOULD automatically
create it, without any warnings or delays.

The implementation MAY also support trashing files from the rest of
the system (including other partitions, shared network resources, and
removable devices) into the “home trash” directory . This is a
“failsafe” method: trashing works for all file locations, the user can
not fill up any space except the home directory, and as other users
generally do not have access to it, no security issues arise.

However, this solution leads to costly file copying (between
partitions, over the network, from a removable device, etc.) A delay
instead of a quick “delete” operation can be unpleasant to users.

An implementation MAY choose not to support trashing in some of these
cases (notably on network resources and removable devices). This is
what some well known operating systems do.

It MAY also choose to provide trashing in the “top directories” of
some or all mounted resources." Etc.

This means `move-file-to-trash' is technically within specs, since
"The implementation MAY also support trashing files from the rest of
the system (including other partitions, shared network resources, and
removable devices) into the “home trash” directory." I heartily
disagree though with the "no security issues arise" statement. And I
still think it would be better to support trashing to "top
directories". Of course, this makes this report a "feature request"
rather than a "bug".

Second, for anyone else half as concerned with this as I am, you may
be interested in a workaround too. For the time being, I'm using:

    (defun system-move-file-to-trash (filename)
      (if-let ((exec (executable-find "gio")))
          (let ((fn (directory-file-name (expand-file-name filename))))
            (set-process-sentinel
             (start-process "trash-file" nil exec "trash" fn)
             (lambda (_proc event)
               (when (string-match-p "^exited abnormally.*" event)
                 (message "Sorry, couldn't trash the file.")))))
        (error "Executable `gio' not found, can't trash file.")))

This is somewhat ad hoc, using the way `move-file-to-trash' is
constructed to support Windows I suppose, but it gets things done. It
is system dependent too, but it is a matter of finding the right
command line incantation for trashing a file in your system to adjust
things.

Best regards,
Gustavo.

On Tue, 25 Oct 2022 at 17:00, Gustavo Barros <gusbrs.2016@gmail.com> wrote:
>
> Hi All,
>
> I'm trying to investigate bug#58721
> (https://lists.gnu.org/archive/html/bug-gnu-emacs/2022-10/msg01987.html),
> couldn't figure it out yet, but in the process of doing so, I've found
> another issue.  Namely, that `move-file-to-trash' may move the file
> across filesystems with some undesired implications, including
> potential security risk.
>
> This happens because, for the case using the freedesktop.org method,
> in setting trash directory, the procedure is the following:
>
>     (xdg-data-dir
>      (directory-file-name
>       (expand-file-name "Trash"
>                         (or (getenv "XDG_DATA_HOME")
>                             "~/.local/share"))))
>
> There's no provision to check whether `xdg-data-dir' belongs to the
> same filesystem (partition) as the file being moved there.  As a
> result, the `move-file-to-trash' may move the file across filesystems.
> Indeed, I've tested it and, if you are trashing a file from a
> different partition, it ends in "~/.local/share" regardless.
>
> This is a problem for at least two reasons.  First, what should be a
> cheap operation, a simple "rename", can become very costly if what is
> being trashed is large, because now the file has to be physically
> moved.  Second, it may be a security risk.
>
> It certainly is for my setup, for example.  It involves two
> partitions, one for the operating system, unencrypted, which includes
> "/home/username/", and another one, luks encrypted, where I keep my
> user files, and which is symlinked to "/home/username/".  So, trashing
> a file from dired, with such a setup, results in the files being
> stored unencrypted, when they shouldn't.  I wouldn't say there's
> nothing much peculiar in this setup, it is certainly legitimate.
>
> I'm not sure what's the standard expected behavior (I suppose the
> freedesktop.org specs for it).  But my distro's file manager (which
> happens to be `nemo' from Linux Mint) certainly does not do that.  It
> sends such files to a different trash directory at the root of the
> other partition's mount point.
>
> Best regards,
> Gustavo.

bug#58781: 28.2; move-file-to-trash may move file across filesystems

[Stefan Kangas]

tags 58781 + security
thanks

Gustavo Barros <gusbrs.2016@gmail.com> writes:

> This means `move-file-to-trash' is technically within specs, since
> "The implementation MAY also support trashing files from the rest of
> the system (including other partitions, shared network resources, and
> removable devices) into the “home trash” directory." I heartily
> disagree though with the "no security issues arise" statement.

Yes, that argument overlooks what happens when files are moved from
encrypted partitions to unencrypted ones.  That is bad.

Maybe someone should bring this issue to the xdg mailing list?

BTW, I also wonder why there is no "xdg-trash" script that we could use.

> And I still think it would be better to support trashing to "top
> directories". Of course, this makes this report a "feature request"
> rather than a "bug".

Agreed, but I don't think this makes it into a non-bug.

> Second, for anyone else half as concerned with this as I am, you may
> be interested in a workaround too. For the time being, I'm using:
>
>     (defun system-move-file-to-trash (filename)
>       (if-let ((exec (executable-find "gio")))
>           (let ((fn (directory-file-name (expand-file-name filename))))
>             (set-process-sentinel
>              (start-process "trash-file" nil exec "trash" fn)
>              (lambda (_proc event)
>                (when (string-match-p "^exited abnormally.*" event)
>                  (message "Sorry, couldn't trash the file.")))))
>         (error "Executable `gio' not found, can't trash file.")))
>
> This is somewhat ad hoc, using the way `move-file-to-trash' is
> constructed to support Windows I suppose, but it gets things done. It
> is system dependent too, but it is a matter of finding the right
> command line incantation for trashing a file in your system to adjust
> things.

Could you write this up as a proper patch, instead?

bug#58781: 28.2; move-file-to-trash may move file across filesystems

[Gustavo Barros]

Hi Stefan,

On Wed, 26 Oct 2022 at 03:22, Stefan Kangas <stefankangas@gmail.com> wrote:

> Yes, that argument overlooks what happens when files are moved from
> encrypted partitions to unencrypted ones.  That is bad.

> Agreed, but I don't think this makes it into a non-bug.

Thanks for looking into this. And, particularly, for the way you
classified the report. It is my understanding too that this should be
cause for concern.

> Could you write this up as a proper patch, instead?

I don't think this snippet is a proper general solution to the
problem, except as a temporary workaround for anyone interested to
keep in their init files. I shared it in this spirit, at least. As far
as I searched, "gio" stands for "Gnome Input/Output", I presume this
is distro specific. Also, even if it was not, "gio trash" appears to
have some limitations in that some places are not supported like
"system internal mounts" (eg. "/tmp/", this is the reason for the
sentinel there), so some further handling of cases would still be
necessary.

Besides, unfortunately I cannot sign a patch (no papers), so I have to
contribute in other ways.

I'm not that well acquainted with `files.el', but as far as I've
looked into `move-file-to-trash', I think the right way to handle it
would be directly there, or in a dedicated `xdg-trash', as you
suggest. It is more complicated than the current standing but it
appears not to be overly so. It's really three cases, and then there
are the checks for "$topdir/.Trash". Anyway, I didn't seem to find any
"universal Linux way" available for the operation so, as far as I can
tell, relying on the system tools would not be a wise alternative.

Best regards,
Gustavo.