Diffstat (limited to 'internal')
-rw-r--r--internal/nametransform/diriv.go10
1 files changed, 9 insertions, 1 deletions
diff --git a/internal/nametransform/diriv.go b/internal/nametransform/diriv.go
index da33aee..c216dd0 100644
--- a/internal/nametransform/diriv.go
+++ b/internal/nametransform/diriv.go
@@ -61,11 +61,19 @@ func fdReadDirIV(fd *os.File) (iv []byte, err error) {
// This function is exported because it is used from fusefrontend, main,
// and also the automated tests.
func WriteDirIVAt(dirfd int) error {
+ // It makes sense to have the diriv files group-readable so the FS can
+ // be mounted from several users from a network drive (see
+ // https://github.com/rfjakob/gocryptfs/issues/387 ).
+ //
+ // Note that gocryptfs.conf is still created with 0400 permissions so the
+ // owner must explicitely chmod it to permit access.
+ const dirivPerms = 0440
+
iv := cryptocore.RandBytes(DirIVLen)
// 0400 permissions: gocryptfs.diriv should never be modified after creation.
// Don't use "ioutil.WriteFile", it causes trouble on NFS:
// https://github.com/rfjakob/gocryptfs/commit/7d38f80a78644c8ec4900cc990bfb894387112ed
- fd, err := syscallcompat.Openat(dirfd, DirIVFilename, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0400)
+ fd, err := syscallcompat.Openat(dirfd, DirIVFilename, os.O_WRONLY|os.O_CREATE|os.O_EXCL, dirivPerms)
if err != nil {
tlog.Warn.Printf("WriteDirIV: Openat: %v", err)
return err
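Review bot: The comment directly above the Openat call still reads `// 0400 permissions: gocryptfs.diriv should never be modified after creation.`, which now contradicts the `dirivPerms = 0440` constant the hunk introduces; the line should become `// dirivPerms (0440): gocryptfs.diriv should never be modified after creation.` so the next reader does not "fix" the mode back to 0400. The new comment block also has a typo, `explicitely` should be `explicitly`. Since the mode passed to Openat is still subject to the process umask, a restrictive umask (e.g. 027 or 077) would silently strip the group bit and defeat the shared-mount use case described in the comment; if nothing upstream of this call normalises the umask, it may be worth noting that in the comment, for example `// Note: the effective mode is still masked by the process umask.` Nothing visible here suggests the diriv is key material (it is a random IV from cryptocore.RandBytes), so widening to group-readable does not appear to weaken confidentiality, but that assumption should be confirmed against the format documentation. WriteDirIVAt continues past the end of this hunk.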