Skip to content

Second cut at a fs-mistrust crate.

Nick Mathewson requested to merge nickm/arti:fs-mistrust-v2 into main

This crate is meant to solve #315 (closed) by giving a way to make sure that a file or directory is only accessible by trusted users. I've tried to explain carefully (in comments and documentation) what this crate is doing and why, under the assumption that it will someday be read by another person like me who does not live and breathe unix file permissions. The crate is still missing some key features, noted in the TODO section.

It differs from the first version of the crate by taking a more principled approach to directory checking: it emulates the path lookup process (reading symlinks and all) one path change at a time, thus ensuring that we check every directory which could enable an untrusted user to get to our target file, or which could enable them to get to any symlink that would get them to the target file.

The API is also slightly different: It separates the Mistrust object (where you configure what you do or do not trust) from the Verifier (where you set up a check that you want to perform on a single object). Verifiers are set up to be a bit ephemeral, so that it is hard to accidentally declare that every object is meant to be readable when you only mean that some objects may be readable.

This is part of #315 (closed), but not yet a complete implementation, since the fs-mistrust crate is not yet used.

Edited by Nick Mathewson

Merge request reports

Loading