Add "-allow_other" command-line option

As requested in https://github.com/rfjakob/gocryptfs/issues/26 ,
this adds the option to allow other users to access the filesystem.
This commit is contained in:
Jakob Unterwurzacher 2016-05-16 23:59:26 +02:00
parent 5d1d564512
commit e7f78135b3
2 changed files with 25 additions and 3 deletions

View File

@ -1,6 +1,6 @@
% GOCRYPTFS(1)
% github.com/rfjakob
% Nov 2015
% May 2016
NAME
====
@ -30,6 +30,13 @@ DESCRIPTION
Options:
**-allow_other**
: By default, the Linux kernel prevents any other user (even root) to
access a mounted FUSE filesystem. Settings this option allows access for
other users, subject to file permission checking. Only works if
user_allow_other is set in /etc/fuse.conf. This option is equivalent to
"allow_other" plus "default_permissions" described in fuse(8).
**-config string**
: Use specified config file instead of CIPHERDIR/gocryptfs.conf
@ -136,3 +143,7 @@ mkdir /tmp/g1 /tmp/g2
gocryptfs -init /tmp/g1
gocryptfs /tmp/g1 /tmp/g2
SEE ALSO
========
fuse(8)

15
main.go
View File

@ -44,7 +44,7 @@ const (
type argContainer struct {
debug, init, zerokey, fusedebug, openssl, passwd, foreground, version,
plaintextnames, quiet, diriv, emenames, gcmiv128, nosyslog, wpanic,
longnames bool
longnames, allow_other bool
masterkey, mountpoint, cipherdir, cpuprofile, config, extpass,
memprofile string
notifypid, scryptn int
@ -159,6 +159,7 @@ func main() {
flagSet.BoolVar(&args.fusedebug, "fusedebug", false, "Enable fuse library debug output")
flagSet.BoolVar(&args.init, "init", false, "Initialize encrypted directory")
flagSet.BoolVar(&args.zerokey, "zerokey", false, "Use all-zero dummy master key")
// Tri-state true/false/auto
flagSet.StringVar(&opensslAuto, "openssl", "auto", "Use OpenSSL instead of built-in Go crypto")
flagSet.BoolVar(&args.passwd, "passwd", false, "Change password")
flagSet.BoolVar(&args.foreground, "f", false, "Stay in the foreground")
@ -172,6 +173,8 @@ func main() {
flagSet.BoolVar(&args.nosyslog, "nosyslog", false, "Do not redirect output to syslog when running in the background")
flagSet.BoolVar(&args.wpanic, "wpanic", false, "When encountering a warning, panic and exit immediately")
flagSet.BoolVar(&args.longnames, "longnames", true, "Store names longer than 176 bytes in extra files")
flagSet.BoolVar(&args.allow_other, "allow_other", false, "Allow other users to access the filesystem. "+
"Only works if user_allow_other is set in /etc/fuse.conf.")
flagSet.StringVar(&args.masterkey, "masterkey", "", "Mount with explicit master key")
flagSet.StringVar(&args.cpuprofile, "cpuprofile", "", "Write cpu profile to specified file")
flagSet.StringVar(&args.memprofile, "memprofile", "", "Write memory profile to specified file")
@ -395,6 +398,13 @@ func initFuseFrontend(key []byte, args argContainer, confFile *configfile.ConfFi
conn := nodefs.NewFileSystemConnector(pathFs.Root(), fuseOpts)
var mOpts fuse.MountOptions
mOpts.AllowOther = false
if args.allow_other {
toggledlog.Info.Printf(colorYellow + "The option \"-allow_other\" is set. Make sure the file " +
"permissions protect your data from unwanted access." + colorReset)
mOpts.AllowOther = true
// Make the kernel check the file permissions for us
mOpts.Options = append(mOpts.Options, "default_permissions")
}
// Set values shown in "df -T" and friends
// First column, "Filesystem"
mOpts.Options = append(mOpts.Options, "fsname="+args.cipherdir)
@ -436,7 +446,7 @@ func handleSigint(srv *fuse.Server, mountpoint string) {
}
// Escape sequences for terminal colors
var colorReset, colorGrey, colorRed, colorGreen string
var colorReset, colorGrey, colorRed, colorGreen, colorYellow string
func setupColors() {
if terminal.IsTerminal(int(os.Stdout.Fd())) {
@ -444,5 +454,6 @@ func setupColors() {
colorGrey = "\033[2m"
colorRed = "\033[31m"
colorGreen = "\033[32m"
colorYellow = "\033[33m"
}
}