| Age | Commit message (Collapse) | Author | 
|---|
|  | * listxattr is fixed via the /proc/self/fd trick
* setxattr,removexattr are fixed by opening the file O_WRONLY
Fixes https://github.com/rfjakob/gocryptfs/issues/308 | 
|  | These take care of buffer sizing and parsing. | 
|  | Now symlink-safe through Readlinkat(). | 
|  | Old XFS filesystems always return DT_UNKNOWN. Downgrade the message
to "info" level if we are on XFS.
Using the "warning" level means that users on old XFS filesystems
cannot run the test suite as it intentionally aborts on any
warnings.
Fixes https://github.com/rfjakob/gocryptfs/issues/267 | 
|  | MacOS and old XFS versions do not support very long symlinks,
but let's not make the tests fail because of that.
https://github.com/rfjakob/gocryptfs/issues/267 | 
|  | Check for O_NWFOLLOW and O_EXCL separately to
make the logic clearer. | 
|  | This fixes the "0100 directory" problem in reverse mode,
and should be slightly faster. | 
|  | The function used to do two things:
1) Walk the directory tree in a manner safe from symlink attacks
2) Open the final component in the mode requested by the caller
This change drops (2), which was only used once, and lets the caller
handle it. This simplifies the function and makes it fit for reuse in
forward mode in openBackingPath(), and for using O_PATH on Linux. | 
|  | These were silently ignored until now (!) but
are rejected by Go 1.11 stdlib.
Drop the flags so the tests work again, until
we figure out a better solution.
https://github.com/golang/go/issues/20130 | 
|  | xfstests generic/083 fills the filesystem almost completely while
running fsstress in parallel. In fsck, these would show up:
  readFileID 2580: incomplete file, got 18 instead of 19 bytes
This could happen when writing the file header works, but writing
the actual data fails.
Now we kill the header again by truncating the file to zero. | 
|  | O_DIRECT has no direct equivalent on MacOS
(check out https://github.com/libuv/libuv/issues/1600 for details).
Just define it to zero there. | 
|  | We are clean again.
Warnings were:
internal/fusefrontend/fs.go:443:14: should omit type string from declaration
of var cTarget; it will be inferred from the right-hand side
internal/fusefrontend/xattr.go:26:1: comment on exported method FS.GetXAttr
should be of the form "GetXAttr ..."
internal/syscallcompat/sys_common.go:9:7: exported const PATH_MAX should have
comment or be unexported | 
|  | Define our own, with the value from Linux. | 
|  | Reported by https://goreportcard.com/report/github.com/rfjakob/gocryptfs | 
|  | macos rm does not understand --one-file-system,
and it cannot handle unreadable directories. | 
|  |  | 
|  | The limit is much lower than on Linux.
https://github.com/rfjakob/gocryptfs/issues/213 | 
|  | On MacOS, symlinks don't have their own permissions,
so don't check for them. | 
|  | The test is known to fail on gccgo
(https://github.com/rfjakob/gocryptfs/issues/201), but
getdents emulation is not used on linux, so let's skip
the test and ignore the failure. | 
|  | $ go.gcc build
# github.com/rfjakob/gocryptfs/internal/syscallcompat
internal/syscallcompat/unix2syscall_linux.go:32:13: error: incompatible types in assignment (cannot use type int64 as type syscall.Timespec_sec_t)
  s.Atim.Sec = u.Atim.Sec
             ^ | 
|  | For some reason the syscall.NAME_MAX constant does not exist
on gccgo, and it does not hurt us to use unix.NAME_MAX instead.
https://github.com/rfjakob/gocryptfs/issues/201 | 
|  | On mips64le, syscall.Getdents() and struct syscall.Dirent do
not fit together, causing our Getdents implementation to
return garbage ( https://github.com/rfjakob/gocryptfs/issues/200
and https://github.com/golang/go/issues/23624 ).
Switch to unix.Getdents which does not have this problem -
the next Go release with the syscall package fixes is too
far away, and will take time to trickle into distros. | 
|  | Due to padding between entries, it is 280 even on 32-bit architectures.
See https://github.com/rfjakob/gocryptfs/issues/197 for details. | 
|  | We used to print somewhat strange messages:
	Getdents: corrupt entry #1: Reclen=276 > 280. Returning EBADR
Reported at https://github.com/rfjakob/gocryptfs/issues/197 | 
|  | syscall.ParseDirent only returns the NAMES, we want
everything. | 
|  |  | 
|  | Add faccessat(2) with a hack for symlink, because the
kernel does not actually looks at the passed flags.
From man 2 faccessat:
   C library/kernel differences
       The  raw faccessat() system call takes only the first three argu‐
       ments.  The AT_EACCESS and AT_SYMLINK_NOFOLLOW flags are actually
       implemented  within  the  glibc wrapper function for faccessat(). | 
|  | We need readlinkat to implement Readlink
symlink-race-free. | 
|  | The "Atim" field is called "Atimespec" on Darwin,
same for Mtim and Ctim. | 
|  | ...by using the OpenNofollow helper & Fstatat.
Also introduce a helper to convert from unix.Stat_t to
syscall.Stat_t.
Tracking ticket: https://github.com/rfjakob/gocryptfs/issues/165 | 
|  | ...when opening intermedia directories to give us an
extra layer of safety.
From the FreeBSD man page:
     This flag can be used to prevent applications with elevated
     privileges from opening files which are even unsafe to open with O_RDONLY,
     such as device nodes. | 
|  | Sometimes want to open baseDir itself. This case
was broken, fix it. | 
|  | Now that we have Fstatat we can use it in Getdents to
get rid of the path name.
Also, add an emulated version of getdents for MacOS. This allows
to drop the !HaveGetdents special cases from fusefrontend.
Modify the getdents test to test both native getdents and the emulated
version. | 
|  | Fstatat has recently been added to x/sys/unix. Make
it available for use in gocryptfs. | 
|  | OpenNofollow = symlink-race-safe Open
Prepares fixing https://github.com/rfjakob/gocryptfs/issues/165 | 
|  | The infrastructure will also be used by the upcoming
OpenNofollow tests. | 
|  | I'm unsure why I did not notice this earlier, but the
syscall wrappers provided by x/sys/unix seem to do just
fine.
Drop our own version. | 
|  | This avoids the conversion to an absolute path. | 
|  | For absolute paths, the file descriptor should be ignored. In such a case
there is also no need to hold the lock or change the working directory. | 
|  | ...and fix the instances where the AT_SYMLINK_NOFOLLOW /
O_NOFOLLOW / O_EXCL flag was missing. | 
|  | Also fix the bug in emulateFchmodat that was found by the tests. | 
|  | This will allow to test them under linux as well. | 
|  | Fixes the same problem as described in 72b975867a3b9bdf53fc2da62e2ba4a328d7e4ab,
except for directories instead of device nodes. | 
|  |  | 
|  |  | 
|  |  | 
|  | * Acquire the lock before reading the current directory
* Fix a file descriptor leak | 
|  | If the user manages to replace the directory with
a symlink at just the right time, we could be tricked
into chown'ing the wrong file.
This change fixes the race by using fchownat, which
unfortunately is not available on darwin, hence a compat
wrapper is added.
Scenario, as described by @slackner at
https://github.com/rfjakob/gocryptfs/issues/177 :
1. Create a forward mount point with `plaintextnames` enabled
2. Mount as root user with `allow_other`
3. For testing purposes create a file `/tmp/file_owned_by_root`
   which is owned by the root user
4. As a regular user run inside of the GoCryptFS mount:
```
mkdir tempdir
mknod tempdir/file_owned_by_root p &
mv tempdir tempdir2
ln -s /tmp tempdir
```
When the steps are done fast enough and in the right order
(run in a loop!), the device file will be created in
`tempdir`, but the `lchown` will be executed by following
the symlink. As a result, the ownership of the file located
at `/tmp/file_owned_by_root` will be changed. | 
|  | This could lead to test failures like this:
  --- FAIL: TestGetdents (0.02s)
  	getdents_test.go:57: len(getdentsEntries)=362, len(readdirEntries)=360
  FAIL | 
|  | ...and if Getdents is not available at all.
Due to this warning I now know that SSHFS always returns DT_UNKNOWN:
    gocryptfs[8129]: Getdents: convertDType: received DT_UNKNOWN, falling back to Lstat
This behavoir is confirmed at http://ahefner.livejournal.com/16875.html:
    "With sshfs, I finally found that obscure case. The dtype is always set to DT_UNKNOWN [...]" |