fusefrontend: -allow_other: Use SymlinkatUser in Symlink FUSE call.

Instead of manually adjusting the user after creating the symlink,
adjust effective permissions and let the kernel deal with it.

Related to https://github.com/rfjakob/gocryptfs/issues/338.

3 files changed, 34 insertions, 14 deletions

diff --git a/internal/fusefrontend/fs.go b/internal/fusefrontend/fs.go
index 9637acf..c4b1a01 100644
--- a/internal/fusefrontend/fs.go
+++ b/internal/fusefrontend/fs.go
@@ -483,6 +483,10 @@ func (fs *FS) Symlink(target string, linkName string, context *fuse.Context) (co
 		return fuse.ToStatus(err)
 	}
 	defer syscall.Close(dirfd)
+	// Make sure context is nil if we don't want to preserve the owner
+	if !fs.args.PreserveOwner {
+		context = nil
+	}
 	cTarget := target
 	if !fs.args.PlaintextNames {
 		// Symlinks are encrypted like file contents (GCM) and base64-encoded
@@ -495,26 +499,15 @@ func (fs *FS) Symlink(target string, linkName string, context *fuse.Context) (co
 			return fuse.ToStatus(err)
 		}
 		// Create "gocryptfs.longfile." symlink
-		err = syscallcompat.Symlinkat(cTarget, dirfd, cName)
+		err = syscallcompat.SymlinkatUser(cTarget, dirfd, cName, context)
 		if err != nil {
 			nametransform.DeleteLongNameAt(dirfd, cName)
 		}
 	} else {
 		// Create symlink
-		err = syscallcompat.Symlinkat(cTarget, dirfd, cName)
-	}
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	// Set owner
-	if fs.args.PreserveOwner {
-		err = syscallcompat.Fchownat(dirfd, cName, int(context.Owner.Uid),
-			int(context.Owner.Gid), unix.AT_SYMLINK_NOFOLLOW)
-		if err != nil {
-			tlog.Warn.Printf("Symlink: Fchownat failed: %v", err)
-		}
+		err = syscallcompat.SymlinkatUser(cTarget, dirfd, cName, context)
 	}
-	return fuse.OK
+	return fuse.ToStatus(err)
 }
 
 // Rename - FUSE call.
diff --git a/internal/syscallcompat/sys_darwin.go b/internal/syscallcompat/sys_darwin.go
index c9f3ad7..52803ab 100644
--- a/internal/syscallcompat/sys_darwin.go
+++ b/internal/syscallcompat/sys_darwin.go
@@ -80,6 +80,11 @@ func Symlinkat(oldpath string, newdirfd int, newpath string) (err error) {
 	return emulateSymlinkat(oldpath, newdirfd, newpath)
 }
 
+func SymlinkatUser(oldpath string, newdirfd int, newpath string, context *fuse.Context) (err error) {
+	// FIXME: take into account context.Owner
+	return Symlinkat(oldpath, newdirfd, newpath)
+}
+
 func Mkdirat(dirfd int, path string, mode uint32) (err error) {
 	return emulateMkdirat(dirfd, path, mode)
 }
diff --git a/internal/syscallcompat/sys_linux.go b/internal/syscallcompat/sys_linux.go
index cf747b1..6f2a70d 100644
--- a/internal/syscallcompat/sys_linux.go
+++ b/internal/syscallcompat/sys_linux.go
@@ -197,6 +197,28 @@ func Symlinkat(oldpath string, newdirfd int, newpath string) (err error) {
 	return unix.Symlinkat(oldpath, newdirfd, newpath)
 }
 
+// SymlinkatUser runs the Symlinkat syscall in the context of a different user.
+func SymlinkatUser(oldpath string, newdirfd int, newpath string, context *fuse.Context) (err error) {
+	if context != nil {
+		runtime.LockOSThread()
+		defer runtime.UnlockOSThread()
+
+		err = syscall.Setregid(-1, int(context.Owner.Gid))
+		if err != nil {
+			return err
+		}
+		defer syscall.Setregid(-1, 0)
+
+		err = syscall.Setreuid(-1, int(context.Owner.Uid))
+		if err != nil {
+			return err
+		}
+		defer syscall.Setreuid(-1, 0)
+	}
+
+	return Symlinkat(oldpath, newdirfd, newpath)
+}
+
 // Mkdirat syscall.
 func Mkdirat(dirfd int, path string, mode uint32) (err error) {
 	return syscall.Mkdirat(dirfd, path, mode)