Diffstat (limited to 'internal/nametransform')
| -rw-r--r-- | internal/nametransform/perms.go | 24 | 
1 files changed, 17 insertions, 7 deletions
|
diff --git a/internal/nametransform/perms.go b/internal/nametransform/perms.go
index 98b51d6..cfcd062 100644
--- a/internal/nametransform/perms.go
+++ b/internal/nametransform/perms.go
@@ -1,16 +1,26 @@
 package nametransform
 const (
-	// Permissions for gocryptfs.diriv files
+	// Permissions for gocryptfs.diriv files.
+	// The gocryptfs.diriv files are created once, never modified,
+	// never chmod'ed or chown'ed.
 	//
-	// It makes sense to have the diriv files group-readable so the FS can
-	// be mounted from several users from a network drive (see
-	// https://github.com/rfjakob/gocryptfs/issues/387 ).
+	// Group-readable so the FS can be mounted by several users in the same group
+	// (see https://github.com/rfjakob/gocryptfs/issues/387 ).
 	//
 	// Note that gocryptfs.conf is still created with 0400 permissions so the
 	// owner must explicitly chmod it to permit access.
-	dirivPerms = 0440
+	//
+	// World-readable so an encrypted directory can be copied by the non-root
+	// owner when gocryptfs is running as root
+	// ( https://github.com/rfjakob/gocryptfs/issues/539 ).
+	dirivPerms = 0444
-	// Permissions for gocryptfs.longname.[sha256].name files
-	namePerms = 0400
+	// Permissions for gocryptfs.longname.[sha256].name files.
+	// The .name files are created once, never modified,
+	// never chmod'ed or chown'ed.
+	//
+	// Group- and world-readable for the same reasons as the gocryptfs.diriv
+	// files (see above).
+	namePerms = 0444
 )
|
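Review bot: Neither comment says why world-readable is safe for `dirivPerms` and `namePerms`; both justify 0444 only by the mount and copy use cases, and `namePerms` goes from owner-only 0400 straight to 0444 with just a "same reasons" pointer. A reader auditing file modes needs the confidentiality argument stated next to the constant, for example `// Holds no key material (diriv: non-secret IV; .name: already-encrypted file name), so read access reveals nothing beyond the ciphertext directory itself.`, assuming that matches what these files actually contain. The constants are only the mode requested at creation and the call sites are outside this hunk, so it is also worth noting in the comment whether the process umask can still narrow them, since users who relied on 0400/0440 may expect to keep that with a restrictive umask.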
