-rw-r--r--Documentation/MANPAGE.md9
-rw-r--r--main.go18
2 files changed, 18 insertions, 9 deletions
diff --git a/Documentation/MANPAGE.md b/Documentation/MANPAGE.md
index 11d903d..66e8606 100644
--- a/Documentation/MANPAGE.md
+++ b/Documentation/MANPAGE.md
@@ -85,6 +85,15 @@ continue be printed to stdout and stderr.
: Send USR1 to the specified process after successful mount. This is
used internally for daemonization.
+**-o**
+: Pass additonal mount options to the kernel (comma-separated list).
+FUSE filesystems are mounted with "nodev,nosuid" by default. If gocryptfs
+runs as root, you can enable device files by passing the opposite mount option,
+"dev", and if you want to enable suid-binaries, pass "suid".
+"ro" (equivalent to passing the "-ro" option) and "noexec" may also be
+interesting. For a complete liste see the section
+`FILESYSTEM-INDEPENDENT MOUNT OPTIONS` in mount(8).
+
**-openssl bool**
: Use OpenSSL instead of built-in Go crypto (default "auto"). Using
built-in crypto is 4x slower unless your CPU has AES instructions and
diff --git a/main.go b/main.go
index 68dfb0a..b5de959 100644
--- a/main.go
+++ b/main.go
@@ -45,7 +45,7 @@ type argContainer struct {
plaintextnames, quiet, nosyslog, wpanic,
longnames, allow_other, ro bool
masterkey, mountpoint, cipherdir, cpuprofile, config, extpass,
- memprofile string
+ memprofile, o string
notifypid, scryptn int
}
@@ -185,6 +185,7 @@ func main() {
flagSet.StringVar(&args.memprofile, "memprofile", "", "Write memory profile to specified file")
flagSet.StringVar(&args.config, "config", "", "Use specified config file instead of CIPHERDIR/gocryptfs.conf")
flagSet.StringVar(&args.extpass, "extpass", "", "Use external program for the password prompt")
+ flagSet.StringVar(&args.o, "o", "", "Pass additional mount options to the kernel, comma-separated list")
flagSet.IntVar(&args.notifypid, "notifypid", 0, "Send USR1 to the specified process after "+
"successful mount - used internally for daemonization")
flagSet.IntVar(&args.scryptn, "scryptn", configfile.ScryptDefaultLogN, "scrypt cost parameter logN. "+
@@ -402,13 +403,6 @@ func initFuseFrontend(key []byte, args argContainer, confFile *configfile.ConfFi
// Make the kernel check the file permissions for us
mOpts.Options = append(mOpts.Options, "default_permissions")
}
- if os.Getuid() == 0 {
- // FUSE filesystems are mounted with "nodev" by default. If we run as root,
- // we can use device files by passing the opposite mount option, "dev".
- mOpts.Options = append(mOpts.Options, "dev")
- // Same thing for "nosuid". If we run as root, we can pass "suid".
- mOpts.Options = append(mOpts.Options, "suid")
- }
// Set values shown in "df -T" and friends
// First column, "Filesystem"
mOpts.Options = append(mOpts.Options, "fsname="+args.cipherdir)
@@ -419,7 +413,13 @@ func initFuseFrontend(key []byte, args argContainer, confFile *configfile.ConfFi
if args.ro {
mOpts.Options = append(mOpts.Options, "ro")
}
-
+ // Add additional mount options (if any) after the stock ones, so the user has
+ // a chance to override them.
+ if args.o != "" {
+ parts := strings.Split(args.o, ",")
+ tlog.Debug.Printf("Adding -o mount options: %v", parts)
+ mOpts.Options = append(mOpts.Options, parts...)
+ }
srv, err := fuse.NewServer(conn.RawFS(), args.mountpoint, &mOpts)
if err != nil {
tlog.Fatal.Printf("Mount failed: %v", err)
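Review bot: The entries split from `args.o` are appended to `mOpts.Options` without any filtering, so an option such as `allow_other` given through `-o` would bypass whatever the dedicated flag does alongside it. The earlier hunk shows `default_permissions` being appended inside a conditional whose guard is outside the hunk, presumably the `-allow_other` branch; if so, `-o allow_other` would expose the mount to other users without kernel permission checks. I would reject `allow_other` in this loop with a message pointing to the dedicated flag, and drop empty entries from a doubled or trailing comma with `if p == "" { continue }`. The comment should also say which stock options are meant to be overridable, since "ro" and `default_permissions` are appended before this point and a later "rw" would presumably win. initFuseFrontend starts and ends outside the hunk, so how go-fuse forwards these strings needs confirming.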