tech-kern archive


Re: autoclean mode for tmpfs



> It's a security FAQ. If you do rm -rf (or nearly any of the other
> obvious/easy alternatives) in a world-writable directory, a hostile
> user can interact with it to erase any file on the system.

I believe that this is partially fixable: provided there is at least
one file descriptor available per directory level, I think it is
possible to safely remove everything but directories.  Most briefly,
fchdir to each directory, stat . and make sure it matches the directory
we thought we chdired into (to avoid doing damage if we lose a symlink
race).  Then delete things using relative-to-. paths and fchdir back
out.  However, since there's no way to make rmdir(2) use NOFOLLOW, we
have to either leave directory structure in place or risk removing an
attacker's choice of empty directories.

Not that this makes it any easier to do the usual find | xargs rm style
of cleanup, though.  To do it safely in the way I refer to above would
require doing it all inside rm.  Might be worth doing, but quite
possibly better done in the filesystem, to (a) avoid the need for the
file descriptors, (b) delete a file here and a file there rather than
the wholesale destruction of rm -rf (even if I'm right about it being
possible to make it safe against hostile users), and (c) get
directories right.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
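
The descent described in the message above, written out as an added example (not code from the original post or from any existing rm). It holds one descriptor per level through opendir("."), compares st_dev/st_ino from lstat() before the chdir with stat(".") after it, unlinks only non-directories, and leaves directories in place. The name clean_cwd and the reuse of the DIR descriptor for the fchdir back out are assumptions of this example.

```c
#define _XOPEN_SOURCE 700   /* for dirfd(), fchdir(), lstat() */
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unlink every non-directory below the current directory; directories stay.
 * Returns the number of entries removed, or -1 on error. */
static long clean_cwd(void)
{
    DIR *d = opendir(".");   /* the one descriptor held for this level */
    struct dirent *e;
    struct stat before, after;
    long n = 0, sub;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..") ||
            lstat(e->d_name, &before) != 0)   /* or it vanished under us */
            continue;
        if (!S_ISDIR(before.st_mode)) {
            n += (unlink(e->d_name) == 0);    /* never follows a final symlink */
            continue;
        }
        if (chdir(e->d_name) != 0)
            continue;
        /* If "." is not the directory lstat() saw, we lost a race: skip it. */
        if (stat(".", &after) == 0 && after.st_dev == before.st_dev &&
            after.st_ino == before.st_ino && (sub = clean_cwd()) > 0)
            n += sub;
        if (fchdir(dirfd(d)) != 0) {          /* cannot return: stop here */
            closedir(d);
            return -1;
        }
    }
    closedir(d);
    return n;
}

/* Usage: prog DIR, where DIR is a trusted name such as /tmp. */
int main(int argc, char **argv)
{
    if (argc != 2 || chdir(argv[1]) != 0)
        return 2;
    printf("%ld\n", clean_cwd());
    return 0;
}
```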

