Joshua Branson, on Wed. 25 Feb. 2026 15:01:27 +0000, wrote:
> +While this is a silly and light-hearted example, a malicious user Karen
> +(who doesn't even have a `$HOME` directory) could set a translator in
> +the world-writable `/tmp/` directory that silently changes the
> +current working directory to `/home/`.

Translators cannot "change" the current working directory. The only
thing they can do is symlink or firmlink to somewhere else.

> If Fred ran `$ rm -r /tmp/*`
> +he would inadvertently delete files in his own `$HOME`,

No, that won't happen, rm is careful about that, it won't traverse a
symlink or a firmlink. Even one's own firmlink.

> but if he used `#
> +rm -r /tmp` he would unknowingly delete all photos on the machine!

Nope, even as root.

Please, people, actually *check* what you are saying/copying/etc. The
Internet is full of things which are either bogus, inaccurate, or simply
out of date.

> +Karen, or any other attacker, could write a nasty translator that
> +never returns from `RPCs`, hoards RAM, and/or runs pointless and
> +endless CPU-intensive tasks (for example, bitcoin mining)

Karen can directly run all of that, they don't need to go through a
translator to eat RAM/CPU.

> +This is the simplest and possibly the most effective solution (which
> +is what Linux's FUSE does). The Hurd provides `O_NOTRANS` to disable
> +running translators set by others. This policy would protect `joshua`
> +from malicious users' rogue translators.  However, this policy can be
> +too rigid. For example, it is desirable to run `/dev/null` and `ftpfs`
> +as non-root, which is the current default.  Perhaps `O_NOTRANS` should
> +be something like `O_TRUSTED_TRANS` meaning "only run trusted users'
> +translators".  Perhaps the root user can create a `trusted` group, and
> +users only follow translators if they are a member of the `trusted`
> +group.

But what actually is "trusted"?

The whole point of making e.g. the ftpfs non-root is to *not* trust it,
and be not too afraid of it having bugs, vulnerabilities etc. because
the ftpfs user cannot do much on the machine. But then if you are saying
that the ftpfs user should be trusted, that's contradictory.

> +However, it should also be possible for users to explicitly enable
> +running translators by users that they trust or to never run
> +translators set by others (except those in `/dev/` or `/servers/`).
> +Perhaps these settings could be set in an environment variable.

Or set as xattr on the directory.

Samuel
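The `rm -r` behaviour Samuel describes can be checked directly. The script below is an added example, not code from this thread or from the Hurd project; it uses plain symlinks because firmlinks and translators are Hurd-specific, while `rm` not descending into a symlinked directory holds on any POSIX system. It builds a throw-away sandbox under `mktemp -d` (the `home/fred/photos/cat.jpg` file, the `tmp/evil` link and the `tmp/junk.txt` file are all constructed) and shows that neither `rm -r tmp/*` nor `rm -r tmp` reaches the link target. The last function shows the one case that does bite, which the thread does not mention: naming a path *through* the link, as in `rm -r tmp/evil/*`, resolves the link as an intermediate component and removes the target's contents.

```sh
#!/bin/sh
# Added demonstration of rm -r versus symlinks; only touches a fresh mktemp dir.

# Build the constructed sandbox and print its path.
setup_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/home/fred/photos" "$sb/tmp"
    printf 'fake jpeg bytes\n' > "$sb/home/fred/photos/cat.jpg"
    # "Karen's" entry in the world-writable dir: a symlink pointing at home/
    ln -s "$sb/home" "$sb/tmp/evil"
    printf 'scratch\n' > "$sb/tmp/junk.txt"
    printf '%s\n' "$sb"
}

# Fred's `rm -r /tmp/*`: junk.txt and the link itself go, home/ is untouched.
# Returns 0 when the photo survived and the link is gone.
photos_survive_rm_glob() {
    sb=$(setup_sandbox)
    rm -r "$sb"/tmp/*
    rc=1
    if [ -f "$sb/home/fred/photos/cat.jpg" ] && [ ! -e "$sb/tmp/evil" ]; then
        rc=0
    fi
    rm -rf "$sb"
    return $rc
}

# Root's `rm -r /tmp`: the directory and the link are removed, not the target.
photos_survive_rm_dir() {
    sb=$(setup_sandbox)
    rm -r "$sb/tmp"
    rc=1
    if [ -f "$sb/home/fred/photos/cat.jpg" ] && [ ! -d "$sb/tmp" ]; then
        rc=0
    fi
    rm -rf "$sb"
    return $rc
}

# The real footgun: a path *through* the link. `tmp/evil/*` expands to
# tmp/evil/fred, and "evil" is resolved as an intermediate path component,
# so rm -r deletes home/fred. Returns 0 when the photo is gone.
photos_lost_via_link_glob() {
    sb=$(setup_sandbox)
    rm -r "$sb"/tmp/evil/*
    rc=1
    if [ ! -e "$sb/home/fred/photos/cat.jpg" ] && [ -e "$sb/tmp/evil" ]; then
        rc=0
    fi
    rm -rf "$sb"
    return $rc
}

# Stand-alone run: report each check.
for check in photos_survive_rm_glob photos_survive_rm_dir photos_lost_via_link_glob; do
    if "$check"; then
        printf '%s: as expected\n' "$check"
    else
        printf '%s: UNEXPECTED\n' "$check"
    fi
done
```

The same logic applies when a script runs as root: `rm -r` does not follow the link as a directory entry, so a link planted in `/tmp` cannot redirect a recursive delete. What it cannot protect against is an operator or script that spells out a path whose intermediate component is the link.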
