Marc Lehmann writes:
> No, it just means gparted has a security bug, because the permissions
> did work as the user intended before gparted changed them without the
> users knowledge, and they would have worked if gparted wasn't insecurely
> exposing the files.

Claiming that the side effect of keeping the fs either unmounted or mounted somewhere users can't see is part of the permissions is like claiming that keeping power from reaching the computer is part of the security system. I mean, without the ability to power on the computer, people can't access the files, so by your logic, if I plug the computer in then I'm the problem.

Any setup that relies on directory traversal to prevent people from reaching files that they otherwise are given access to is very fragile and badly set up. If an admin later builds a chroot environment for instance, and sets up some bind mounts, they can inadvertently give access to the wrong users because they now can see the files that have poorly configured permissions. It's just not smart to do things that way.

> The reason why your logic doesn't work is that you claim *every* debian
> root fs has the wrong permissions, because some directories might be
> world-writable (such as /tmp) which might not be what the user
> intended

It isn't /tmp that is wrong, but whatever files you are storing in the btrfs volume and have left set to 777. Don't do that.

> by not having the fs mounted in an insecure location (and thus allowing a
> DoS attack). It would also mean filesystems such as fat, without intrinsic
> permissions, would somehow have "wrong" permissions.

That's why fat has mount options to set the permissions on the fs globally.

>> When gparted mounts it somewhere that isn't traverse proof, yes, that
>> does allow access where it was not previously, but that's really only
>> exposing the underlying bug that was always there: that the permissions
>> on the files are too loose.
>
> Well, I have asked you for the source of this claim, but you haven't given
> one - and I claim you just made it up, because I can't believe you have a
> source.

Source? The source is the givens of the scenario we are discussing -- a file or files in a filesystem with mode 777 so that everyone can access it, but mounted in a directory that is traverse restricted. That is de facto too loose. If you are just going to make an appeal to authority fallacy in continued attempts to semantically redefine loose to tight and wrong right, then this is just a waste of time.
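The practical check behind this argument is whether a volume contains files whose own mode bits would expose them to every local user once the volume is mounted anywhere traversable. The script below is an added example written for this thread, not code from gparted, Debian or either correspondent: it audits a mount point for world-writable entries (ignoring sticky directories such as /tmp, where o+w is the intended design), builds a constructed sample tree mirroring the 777-file scenario, and offers a remediation that strips the world-write bit. The mount point path is an assumption passed as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): audit a mounted volume for files whose
# permission bits alone make them reachable by every local user, independent
# of whether the mount point happens to be traverse-restricted.
set -u

# list_world_writable DIR
# Prints every file or directory under DIR that is world-writable (o+w),
# except sticky directories (mode 1xxx, e.g. /tmp) where o+w is by design.
list_world_writable() {
    dir=$1
    find "$dir" -perm -002 ! \( -type d -perm -1000 \) 2>/dev/null | sort
}

# count_world_writable DIR
# Number of findings, handy for a scripted pass/fail check.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# strip_world_write DIR
# Remediation: remove the world-write bit from every finding, leaving
# sticky directories untouched.
strip_world_write() {
    list_world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

# make_sample_volume
# Builds a constructed sample tree (assumption: stands in for a btrfs volume)
# with one file left at 777, one correctly restricted file, and a sticky
# world-writable tmp directory. Prints the tree's root path.
make_sample_volume() {
    vol=$(mktemp -d)
    mkdir "$vol/private" "$vol/tmp"
    chmod 700 "$vol/private"
    chmod 1777 "$vol/tmp"
    echo "secret" > "$vol/private/notes.txt"
    chmod 600 "$vol/private/notes.txt"
    echo "shared" > "$vol/shared.txt"
    chmod 777 "$vol/shared.txt"   # the "too loose" file from the scenario
    printf '%s\n' "$vol"
}

# Usage: sh audit_perms.sh /mnt/volume   (the path is an assumption)
if [ "${1:-}" != "" ]; then
    list_world_writable "$1"
fi
```

Run against the sample tree, the audit reports only shared.txt: the sticky tmp directory is skipped and the 600 file never appears. After strip_world_write the count drops to zero, which is the state the volume should be in before it is mounted anywhere, traverse-restricted or not.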