diff options
Diffstat (limited to 'internal')
| -rw-r--r-- | internal/nametransform/diriv.go | 8 | ||||
| -rw-r--r-- | internal/nametransform/longnames.go | 2 | ||||
| -rw-r--r-- | internal/nametransform/perms.go | 16 | 
3 files changed, 17 insertions, 9 deletions
| diff --git a/internal/nametransform/diriv.go b/internal/nametransform/diriv.go index 6dbf028..b2f165b 100644 --- a/internal/nametransform/diriv.go +++ b/internal/nametransform/diriv.go @@ -62,14 +62,6 @@ func fdReadDirIV(fd *os.File) (iv []byte, err error) {  // This function is exported because it is used from fusefrontend, main,  // and also the automated tests.  func WriteDirIVAt(dirfd int) error { -	// It makes sense to have the diriv files group-readable so the FS can -	// be mounted from several users from a network drive (see -	// https://github.com/rfjakob/gocryptfs/issues/387 ). -	// -	// Note that gocryptfs.conf is still created with 0400 permissions so the -	// owner must explicitly chmod it to permit access. -	const dirivPerms = 0440 -  	iv := cryptocore.RandBytes(DirIVLen)  	// 0400 permissions: gocryptfs.diriv should never be modified after creation.  	// Don't use "ioutil.WriteFile", it causes trouble on NFS: diff --git a/internal/nametransform/longnames.go b/internal/nametransform/longnames.go index 1bbcbb6..aa463a1 100644 --- a/internal/nametransform/longnames.go +++ b/internal/nametransform/longnames.go @@ -136,7 +136,7 @@ func (n *NameTransform) WriteLongNameAt(dirfd int, hashName string, plainName st  	// Write the encrypted name into hashName.name  	fdRaw, err := syscallcompat.Openat(dirfd, hashName+LongNameSuffix, -		syscall.O_WRONLY|syscall.O_CREAT|syscall.O_EXCL, 0400) +		syscall.O_WRONLY|syscall.O_CREAT|syscall.O_EXCL, namePerms)  	if err != nil {  		// Don't warn if the file already exists - this is allowed for renames  		// and should be handled by the caller. diff --git a/internal/nametransform/perms.go b/internal/nametransform/perms.go new file mode 100644 index 0000000..98b51d6 --- /dev/null +++ b/internal/nametransform/perms.go @@ -0,0 +1,16 @@ +package nametransform + +const ( +	// Permissions for gocryptfs.diriv files +	// +	// It makes sense to have the diriv files group-readable so the FS can +	// be mounted from several users from a network drive (see +	// https://github.com/rfjakob/gocryptfs/issues/387 ). +	// +	// Note that gocryptfs.conf is still created with 0400 permissions so the +	// owner must explicitly chmod it to permit access. +	dirivPerms = 0440 + +	// Permissions for gocryptfs.longname.[sha256].name files +	namePerms = 0400 +) | 
