Age | Commit message (Collapse) | Author |
|
This fixed the "Permission denied" bug, but still has the problem that
the directory may be replaced behind our back. Mitigated by the fact
that we skip the workaround when running as root with -allow_other.
https://github.com/rfjakob/gocryptfs/issues/354
|
|
Breaks mounting on MacOS: unix.Faccessat on Darwin does NOT (yet)
support AT_SYMLINK_NOFOLLOW. See d44fe89ba4f3252c5bd00c4f7730197732f2a26a .
This reverts commit 0805a63df1b5f915b228727f6074c2506922d0ad.
|
|
unix.Faccessat has added support for AT_SYMLINK_NOFOLLOW in July 2018,
https://github.com/golang/sys/commit/bd9dbc187b6e1dacfdd2722a87e83093c2d7bd6e#diff-341484dbbe3180cd7a31ef2ad2d679b6
which means we no longer need our own helper.
Closes https://github.com/rfjakob/gocryptfs/issues/347
|
|
|
|
For Linux, everything effectively stays the same. For both path-based and
fd-based Utimens() calls, we use unix.UtimesNanoAt(). To avoid introducing
a separate syscall wrapper for futimens() (as done in go-fuse, for example),
we instead use the /proc/self/fd - trick.
On macOS, this changes quite a lot:
* Path-based Utimens() calls were previously completely broken, since
unix.UtimensNanoAt() ignores the passed file descriptor. Note that this
cannot be fixed easily since there IS no appropriate syscall available on
macOS prior to High Sierra (10.13). We emulate this case by using
Fchdir() + setattrlist().
* Fd-based Utimens() calls were previously translated to f.GetAttr() (to
fill any empty parameters) and syscall.Futimes(), which does not does
support nanosecond precision. Both issues can be fixed by switching to
fsetattrlist().
Fixes https://github.com/rfjakob/gocryptfs/issues/350
|
|
While we're at it, also replace os.* constants with syscall.* constants.
|
|
We never want Fchmodat to follow symlinks, so follow what
Qemu does, and call our function FchmodatNofollow.
|
|
The only call forwarded to loopbackFileSystem was Statfs,
which is trivial to implement.
Implement it and drop loopbackFileSystem, as having it carries the
risk that a coding error bypasses the usual encryption/decryption
chain.
|
|
Fixes mounting of forward mounts on macOS High Sierra.
|
|
Fixes https://github.com/rfjakob/gocryptfs/issues/336 and
https://github.com/rfjakob/gocryptfs/issues/337.
|
|
Instead of manually adjusting the user after creating the symlink,
adjust effective permissions and let the kernel deal with it.
Related to https://github.com/rfjakob/gocryptfs/issues/338.
|
|
Instead of manually adjusting the user and mode after creating the
device file, adjust effective permissions and let the kernel deal
with it.
Related to https://github.com/rfjakob/gocryptfs/issues/338.
|
|
Revert commit fcaca5fc94d981aa637beb752edc8cb3c2265e96.
Instead of manually adjusting the user and mode after creating the
directory, adjust effective permissions and let the kernel deal with it.
Related to https://github.com/rfjakob/gocryptfs/issues/338.
|
|
Revert commit b22cc03c7516b2003880db8375d26c76d6dff093.
Instead of manually adjusting the user and mode after creating the
file, adjust effective permissions and let the kernel deal with it.
Related to https://github.com/rfjakob/gocryptfs/issues/338.
|
|
The current code has a risk of race-conditions, since we pass a path
containing "/" to Fchownat. We could fix this by opening a file descriptor,
however, this does not seem worth the effort. We also don't chown *.name files.
|
|
Make sure that the directory belongs to the correct owner before users
can access it. For directories with SUID/SGID mode, there is a risk of
race-conditions when files are created before the correct owner is set.
They will then inherit the wrong user and/or group.
See https://github.com/rfjakob/gocryptfs/issues/327 for more details.
|
|
Reported by @slackner at https://github.com/rfjakob/gocryptfs/issues/327 :
Possible race-conditions between file creation and Fchownat
* Assume a system contains a gocryptfs mount as root user
with -allow_other
* As a regular user create a new file with mode containing
the SUID flag and write access for other users
* Before gocryptfs executes the Fchownat call, try to open
the file again, write some exploit code to it, and try to run it.
For a short time, the file is owned by root and has the SUID flag, so
this is pretty dangerous.
|
|
Use O_ACCMODE mask in openWriteOnlyFile for improved readability.
|
|
|
|
Fixes https://github.com/rfjakob/gocryptfs/issues/328
|
|
Do not use PlainSizeToCipherSize() since this adds the 18 bytes file header.
Partially fixes https://github.com/rfjakob/gocryptfs/issues/311
|
|
Fixes https://github.com/rfjakob/gocryptfs/issues/304
|
|
The files are apparently processed in alphabetic order, so cli_args.go is
processed before main.go. In order to run before the go-fuse imports, put
the 'ensure fds' code in a separate package. Debug messages are omitted
to avoid additional imports (that might contain other code messing up our
file descriptors).
|
|
Setting/removing extended attributes on directories was partially fixed with
commit eff35e60b63331e3e10f921792baa10b236a721d. However, on most file systems
it is also possible to do these operations without read access (see tests).
Since we cannot open a write-access fd to a directory, we have to use the
/proc/self/fd trick (already used for ListXAttr) for the other operations aswell.
For simplicity, let's separate the Linux and Darwin code again (basically revert
commit f320b76fd189a363a34bffe981aa67ab97df3362), and always use the
/proc/self/fd trick on Linux. On Darwin we use the best-effort approach with
openBackingFile() as a fallback.
More discussion about the available options is available in
https://github.com/rfjakob/gocryptfs/issues/308.
|
|
|
|
As the dirCache now has 3 entries, the tests should accept
up to 3 extra fds without declaring an fd leak.
|
|
The missing break meant that we may find a second
hit in the cache, Dup() a second fd, and leak the first
one.
Thanks @slackner for finding this.
|
|
We alread have this warning in Open(), but xfstests generic/488
causes "too many open files" via Create. Add the same message so
the user sees what is going on.
|
|
Directories cannot be opened read-write. Retry with RDONLY.
|
|
This was inadvertedly kept enabled after benchmarking.
|
|
3 entries should work well for up to three parallel users.
It works well for extractloop.bash (two parallel tar extracts).
|
|
When the old size is zero, there are no existing blocks to merge the
new data with. Directly use Ftruncate if the size is block-aligned.
Fixes https://github.com/rfjakob/gocryptfs/issues/305
|
|
Found with the 'codespell' utility.
|
|
When O_PATH is specified in flags, flag bits other than O_CLOEXEC, O_DIRECTORY,
and O_NOFOLLOW are ignored.
|
|
|
|
|
|
|
|
We already do 'defer fs.dirCache.Clear()', so this is no longer required.
|
|
This code was accidentially added in 4f66d66755da63c78b09201c6c72353009251cf2.
|
|
Bug looked like this:
$ ls -l .
total 0
drwxrwxr-x. 2 jakob jakob 60 Jan 3 15:42 foo
-rw-rw-r--. 1 jakob jakob 0 Jan 3 15:46 x
$ ls -l .
ls: cannot access '.': No such file or directory
(only happened when "" was in the dirCache)
|
|
|
|
Un-spaghettify the function and let the callers open
the directory.
|
|
Copy-paste error.
https://github.com/rfjakob/gocryptfs/issues/308
|
|
This function is in all fastpaths, will get a cache, and needs
its own file.
renamed: internal/fusefrontend/names.go -> internal/fusefrontend/openbackingdir.go
renamed: internal/fusefrontend/names_test.go -> internal/fusefrontend/openbackingdir_test.go
|
|
Finally allows us to delete EncryptPathDirIV.
|
|
* listxattr is fixed via the /proc/self/fd trick
* setxattr,removexattr are fixed by opening the file O_WRONLY
Fixes https://github.com/rfjakob/gocryptfs/issues/308
|
|
|
|
Darwin now also has these functions, use them. Simplifies
the code and makes it symlink-safe on Darwin as well.
|
|
Reported by @slackner at
https://github.com/rfjakob/gocryptfs/commit/932efbd4593fe6be6c86f0dafeaea32910b7c246#r31813373
thanks!
|
|
|