diff options
| -rw-r--r-- | README.md | 2 | ||||
| -rw-r--r-- | internal/fusefrontend/node.go | 4 | ||||
| -rw-r--r-- | internal/nametransform/perms.go | 24 | ||||
| -rw-r--r-- | tests/cli/cli_test.go | 6 |
4 files changed, 27 insertions, 9 deletions
@@ -193,6 +193,8 @@ Changelog vNEXT, in progress * MANPAGE: Split options into sections acc. to where they apply ([#517](https://github.com/rfjakob/gocryptfs/issues/517)) * `-idle`: count cwd inside the mount as busy ([#533](https://github.com/rfjakob/gocryptfs/issues/533)) +* Make `gocryptfs.diriv` and `gocryptfs.xxx.name` files world-readable to make encrypted backups easier + when mounting via [/etc/fstab](Documentation/MANPAGE.md#fstab) ([#539](https://github.com/rfjakob/gocryptfs/issues/539)) v2.0-beta2, 2020-11-14 * Improve [performance](Documentation/performance.txt#L69) diff --git a/internal/fusefrontend/node.go b/internal/fusefrontend/node.go index 80d642c..87ba835 100644 --- a/internal/fusefrontend/node.go +++ b/internal/fusefrontend/node.go @@ -239,6 +239,10 @@ func (n *Node) Setattr(ctx context.Context, f fs.FileHandle, in *fuse.SetAttrIn, defer syscall.Close(dirfd) // chmod(2) + // + // gocryptfs.diriv & gocryptfs.longname.[sha256].name files do NOT get chmod'ed + // or chown'ed with their parent file/dir for simplicity. + // See nametransform/perms.go for details. if mode, ok := in.GetMode(); ok { errno = fs.ToErrno(syscallcompat.FchmodatNofollow(dirfd, cName, mode)) if errno != 0 { diff --git a/internal/nametransform/perms.go b/internal/nametransform/perms.go index 98b51d6..cfcd062 100644 --- a/internal/nametransform/perms.go +++ b/internal/nametransform/perms.go @@ -1,16 +1,26 @@ package nametransform const ( - // Permissions for gocryptfs.diriv files + // Permissions for gocryptfs.diriv files. + // The gocryptfs.diriv files are created once, never modified, + // never chmod'ed or chown'ed. // - // It makes sense to have the diriv files group-readable so the FS can - // be mounted from several users from a network drive (see - // https://github.com/rfjakob/gocryptfs/issues/387 ). + // Group-readable so the FS can be mounted by several users in the same group + // (see https://github.com/rfjakob/gocryptfs/issues/387 ). // // Note that gocryptfs.conf is still created with 0400 permissions so the // owner must explicitly chmod it to permit access. - dirivPerms = 0440 + // + // World-readable so an encrypted directory can be copied by the non-root + // owner when gocryptfs is running as root + // ( https://github.com/rfjakob/gocryptfs/issues/539 ). + dirivPerms = 0444 - // Permissions for gocryptfs.longname.[sha256].name files - namePerms = 0400 + // Permissions for gocryptfs.longname.[sha256].name files. + // The .name files are created once, never modified, + // never chmod'ed or chown'ed. + // + // Group- and world-readable for the same reasons as the gocryptfs.diriv + // files (see above). + namePerms = 0444 ) diff --git a/tests/cli/cli_test.go b/tests/cli/cli_test.go index 6aa2feb..2872592 100644 --- a/tests/cli/cli_test.go +++ b/tests/cli/cli_test.go @@ -59,8 +59,10 @@ func TestInitFilePerms(t *testing.T) { syscall.Stat(dir+"/gocryptfs.diriv", &st) perms = st.Mode & 0777 // From v1.7.1, these are created with 0440 permissions, see - // https://github.com/rfjakob/gocryptfs/issues/387 - if perms != 0440 { + // https://github.com/rfjakob/gocryptfs/issues/387 . + // From v2.0, created with 0444 perms, see + // https://github.com/rfjakob/gocryptfs/issues/539 . + if perms != 0444 { t.Errorf("Wrong permissions for gocryptfs.diriv: %#o", perms) } } |