Age | Commit message (Collapse) | Author |
|
When gocryptfs runs as root, we don't want to allow people to create
SUID root files.
|
|
Instead of manually adjusting the user after creating the symlink,
adjust effective permissions and let the kernel deal with it.
Related to https://github.com/rfjakob/gocryptfs/issues/338.
|
|
Instead of manually adjusting the user and mode after creating the
device file, adjust effective permissions and let the kernel deal
with it.
Related to https://github.com/rfjakob/gocryptfs/issues/338.
|
|
Revert commit fcaca5fc94d981aa637beb752edc8cb3c2265e96.
Instead of manually adjusting the user and mode after creating the
directory, adjust effective permissions and let the kernel deal with it.
Related to https://github.com/rfjakob/gocryptfs/issues/338.
|
|
Revert commit b22cc03c7516b2003880db8375d26c76d6dff093.
Instead of manually adjusting the user and mode after creating the
file, adjust effective permissions and let the kernel deal with it.
Related to https://github.com/rfjakob/gocryptfs/issues/338.
|
|
Fixes https://github.com/rfjakob/gocryptfs/issues/259
|
|
Test that we handle symlinks correctly.
|
|
Setting/removing extended attributes on directories was partially fixed with
commit eff35e60b63331e3e10f921792baa10b236a721d. However, on most file systems
it is also possible to do these operations without read access (see tests).
Since we cannot open a write-access fd to a directory, we have to use the
/proc/self/fd trick (already used for ListXAttr) for the other operations aswell.
For simplicity, let's separate the Linux and Darwin code again (basically revert
commit f320b76fd189a363a34bffe981aa67ab97df3362), and always use the
/proc/self/fd trick on Linux. On Darwin we use the best-effort approach with
openBackingFile() as a fallback.
More discussion about the available options is available in
https://github.com/rfjakob/gocryptfs/issues/308.
|
|
Also remove some unnecessary flags: When O_PATH is specified in flags, flag
bits other than O_CLOEXEC, O_DIRECTORY, and O_NOFOLLOW are ignored.
|
|
|
|
* listxattr is fixed via the /proc/self/fd trick
* setxattr,removexattr are fixed by opening the file O_WRONLY
Fixes https://github.com/rfjakob/gocryptfs/issues/308
|
|
These take care of buffer sizing and parsing.
|
|
Now symlink-safe through Readlinkat().
|
|
Old XFS filesystems always return DT_UNKNOWN. Downgrade the message
to "info" level if we are on XFS.
Using the "warning" level means that users on old XFS filesystems
cannot run the test suite as it intentionally aborts on any
warnings.
Fixes https://github.com/rfjakob/gocryptfs/issues/267
|
|
MacOS and old XFS versions do not support very long symlinks,
but let's not make the tests fail because of that.
https://github.com/rfjakob/gocryptfs/issues/267
|
|
Check for O_NWFOLLOW and O_EXCL separately to
make the logic clearer.
|
|
This fixes the "0100 directory" problem in reverse mode,
and should be slightly faster.
|
|
The function used to do two things:
1) Walk the directory tree in a manner safe from symlink attacks
2) Open the final component in the mode requested by the caller
This change drops (2), which was only used once, and lets the caller
handle it. This simplifies the function and makes it fit for reuse in
forward mode in openBackingPath(), and for using O_PATH on Linux.
|
|
These were silently ignored until now (!) but
are rejected by Go 1.11 stdlib.
Drop the flags so the tests work again, until
we figure out a better solution.
https://github.com/golang/go/issues/20130
|
|
xfstests generic/083 fills the filesystem almost completely while
running fsstress in parallel. In fsck, these would show up:
readFileID 2580: incomplete file, got 18 instead of 19 bytes
This could happen when writing the file header works, but writing
the actual data fails.
Now we kill the header again by truncating the file to zero.
|
|
O_DIRECT has no direct equivalent on MacOS
(check out https://github.com/libuv/libuv/issues/1600 for details).
Just define it to zero there.
|
|
We are clean again.
Warnings were:
internal/fusefrontend/fs.go:443:14: should omit type string from declaration
of var cTarget; it will be inferred from the right-hand side
internal/fusefrontend/xattr.go:26:1: comment on exported method FS.GetXAttr
should be of the form "GetXAttr ..."
internal/syscallcompat/sys_common.go:9:7: exported const PATH_MAX should have
comment or be unexported
|
|
Define our own, with the value from Linux.
|
|
Reported by https://goreportcard.com/report/github.com/rfjakob/gocryptfs
|
|
macos rm does not understand --one-file-system,
and it cannot handle unreadable directories.
|
|
|
|
The limit is much lower than on Linux.
https://github.com/rfjakob/gocryptfs/issues/213
|
|
On MacOS, symlinks don't have their own permissions,
so don't check for them.
|
|
The test is known to fail on gccgo
(https://github.com/rfjakob/gocryptfs/issues/201), but
getdents emulation is not used on linux, so let's skip
the test and ignore the failure.
|
|
$ go.gcc build
# github.com/rfjakob/gocryptfs/internal/syscallcompat
internal/syscallcompat/unix2syscall_linux.go:32:13: error: incompatible types in assignment (cannot use type int64 as type syscall.Timespec_sec_t)
s.Atim.Sec = u.Atim.Sec
^
|
|
For some reason the syscall.NAME_MAX constant does not exist
on gccgo, and it does not hurt us to use unix.NAME_MAX instead.
https://github.com/rfjakob/gocryptfs/issues/201
|
|
On mips64le, syscall.Getdents() and struct syscall.Dirent do
not fit together, causing our Getdents implementation to
return garbage ( https://github.com/rfjakob/gocryptfs/issues/200
and https://github.com/golang/go/issues/23624 ).
Switch to unix.Getdents which does not have this problem -
the next Go release with the syscall package fixes is too
far away, and will take time to trickle into distros.
|
|
Due to padding between entries, it is 280 even on 32-bit architectures.
See https://github.com/rfjakob/gocryptfs/issues/197 for details.
|
|
We used to print somewhat strange messages:
Getdents: corrupt entry #1: Reclen=276 > 280. Returning EBADR
Reported at https://github.com/rfjakob/gocryptfs/issues/197
|
|
syscall.ParseDirent only returns the NAMES, we want
everything.
|
|
|
|
Add faccessat(2) with a hack for symlink, because the
kernel does not actually looks at the passed flags.
From man 2 faccessat:
C library/kernel differences
The raw faccessat() system call takes only the first three argu‐
ments. The AT_EACCESS and AT_SYMLINK_NOFOLLOW flags are actually
implemented within the glibc wrapper function for faccessat().
|
|
We need readlinkat to implement Readlink
symlink-race-free.
|
|
The "Atim" field is called "Atimespec" on Darwin,
same for Mtim and Ctim.
|
|
...by using the OpenNofollow helper & Fstatat.
Also introduce a helper to convert from unix.Stat_t to
syscall.Stat_t.
Tracking ticket: https://github.com/rfjakob/gocryptfs/issues/165
|
|
...when opening intermedia directories to give us an
extra layer of safety.
From the FreeBSD man page:
This flag can be used to prevent applications with elevated
privileges from opening files which are even unsafe to open with O_RDONLY,
such as device nodes.
|
|
Sometimes want to open baseDir itself. This case
was broken, fix it.
|
|
Now that we have Fstatat we can use it in Getdents to
get rid of the path name.
Also, add an emulated version of getdents for MacOS. This allows
to drop the !HaveGetdents special cases from fusefrontend.
Modify the getdents test to test both native getdents and the emulated
version.
|
|
Fstatat has recently been added to x/sys/unix. Make
it available for use in gocryptfs.
|
|
OpenNofollow = symlink-race-safe Open
Prepares fixing https://github.com/rfjakob/gocryptfs/issues/165
|
|
The infrastructure will also be used by the upcoming
OpenNofollow tests.
|
|
I'm unsure why I did not notice this earlier, but the
syscall wrappers provided by x/sys/unix seem to do just
fine.
Drop our own version.
|
|
This avoids the conversion to an absolute path.
|
|
For absolute paths, the file descriptor should be ignored. In such a case
there is also no need to hold the lock or change the working directory.
|
|
...and fix the instances where the AT_SYMLINK_NOFOLLOW /
O_NOFOLLOW / O_EXCL flag was missing.
|