Diffstat (limited to 'internal/nametransform')
-rw-r--r--internal/nametransform/perms.go24
1 files changed, 17 insertions, 7 deletions
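diff --git a/internal/nametransform/perms.go b/internal/nametransform/perms.go
index 98b51d6..cfcd062 100644
--- a/internal/nametransform/perms.go
+++ b/internal/nametransform/perms.go
@@ -1,16 +1,26 @@
 package nametransform
 const (
-	// Permissions for gocryptfs.diriv files
+	// Permissions for gocryptfs.diriv files.
+	// The gocryptfs.diriv files are created once, never modified,
+	// never chmod'ed or chown'ed.
 	//
-	// It makes sense to have the diriv files group-readable so the FS can
-	// be mounted from several users from a network drive (see
-	// https://github.com/rfjakob/gocryptfs/issues/387 ).
+	// Group-readable so the FS can be mounted by several users in the same group
+	// (see https://github.com/rfjakob/gocryptfs/issues/387 ).
 	//
 	// Note that gocryptfs.conf is still created with 0400 permissions so the
 	// owner must explicitly chmod it to permit access.
-	dirivPerms = 0440
+	//
+	// World-readable so an encrypted directory can be copied by the non-root
+	// owner when gocryptfs is running as root
+	// ( https://github.com/rfjakob/gocryptfs/issues/539 ).
+	dirivPerms = 0444
-	// Permissions for gocryptfs.longname.[sha256].name files
-	namePerms = 0400
+	// Permissions for gocryptfs.longname.[sha256].name files.
+	// The .name files are created once, never modified,
+	// never chmod'ed or chown'ed.
+	//
+	// Group- and world-readable for the same reasons as the gocryptfs.diriv
+	// files (see above).
+	namePerms = 0444
 )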
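Review bot: The new comment above `dirivPerms = 0444` records why the files need to be readable but not why world-readability is safe, and the same relaxation is now copied to `namePerms` "for the same reasons", so a later reader has no stated basis for judging whether other files (gocryptfs.conf, which the comment says stays 0400) may follow; add one line naming the assumption, e.g. `// Neither file holds secret data (the diriv is an IV, the .name files hold already-encrypted names), which is what makes 0444 acceptable; this must not be extended to gocryptfs.conf.` Since the same comment states these files are created once and never chmod'ed, the new mode only takes effect for directories created after this change, and directories created by earlier versions keep 0440/0400 with the issue 539 scenario still failing for them — worth saying in the comment or the commit description so nobody files it as a regression. The mode applied at creation is presumably still reduced by the process umask; if the create call does not compensate, 0444 here is an upper bound rather than a guarantee — confirm at the call site, which is outside this hunk.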