From e7f78135b3092bbd2479beac5b7da077cb5d1497 Mon Sep 17 00:00:00 2001 From: Jakob Unterwurzacher Date: Mon, 16 May 2016 23:59:26 +0200 Subject: [PATCH] Add "-allow_other" command-line option As requested in https://github.com/rfjakob/gocryptfs/issues/26 , this adds the option to allow other users to access the filesystem. --- Documentation/MANPAGE.md | 13 ++++++++++++- main.go | 15 +++++++++++++-- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/Documentation/MANPAGE.md b/Documentation/MANPAGE.md index 411a1d5..0ddd772 100644 --- a/Documentation/MANPAGE.md +++ b/Documentation/MANPAGE.md @@ -1,6 +1,6 @@ % GOCRYPTFS(1) % github.com/rfjakob -% Nov 2015 +% May 2016 NAME ==== @@ -30,6 +30,13 @@ DESCRIPTION Options: +**-allow_other** +: By default, the Linux kernel prevents any other user (even root) to +access a mounted FUSE filesystem. Settings this option allows access for +other users, subject to file permission checking. Only works if +user_allow_other is set in /etc/fuse.conf. This option is equivalent to +"allow_other" plus "default_permissions" described in fuse(8). + **-config string** : Use specified config file instead of CIPHERDIR/gocryptfs.conf @@ -136,3 +143,7 @@ mkdir /tmp/g1 /tmp/g2 gocryptfs -init /tmp/g1 gocryptfs /tmp/g1 /tmp/g2 + +SEE ALSO +======== +fuse(8) diff --git a/main.go b/main.go index d9a37f0..83bd8d7 100644 --- a/main.go +++ b/main.go @@ -44,7 +44,7 @@ const ( type argContainer struct { debug, init, zerokey, fusedebug, openssl, passwd, foreground, version, plaintextnames, quiet, diriv, emenames, gcmiv128, nosyslog, wpanic, - longnames bool + longnames, allow_other bool masterkey, mountpoint, cipherdir, cpuprofile, config, extpass, memprofile string notifypid, scryptn int 
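Review bot: The new field `allow_other` in the argContainer hunk is the only snake_case identifier among the fields shown; Go identifiers are MixedCaps and golint will flag this one. The user-facing flag string `"allow_other"` can stay as it is while the field becomes `longnames, allowOther bool`, with `&args.allowOther` in main and `if args.allowOther` in initFuseFrontend renamed to match. The struct's closing brace is outside the hunk.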
@@ -159,6 +159,7 @@ func main() {
 flagSet.BoolVar(&args.fusedebug, "fusedebug", false, "Enable fuse library debug output")
 flagSet.BoolVar(&args.init, "init", false, "Initialize encrypted directory")
 flagSet.BoolVar(&args.zerokey, "zerokey", false, "Use all-zero dummy master key")
+ // Tri-state true/false/auto
 flagSet.StringVar(&opensslAuto, "openssl", "auto", "Use OpenSSL instead of built-in Go crypto")
 flagSet.BoolVar(&args.passwd, "passwd", false, "Change password")
 flagSet.BoolVar(&args.foreground, "f", false, "Stay in the foreground")
@@ -172,6 +173,8 @@ func main() {
 flagSet.BoolVar(&args.nosyslog, "nosyslog", false, "Do not redirect output to syslog when running in the background")
 flagSet.BoolVar(&args.wpanic, "wpanic", false, "When encountering a warning, panic and exit immediately")
 flagSet.BoolVar(&args.longnames, "longnames", true, "Store names longer than 176 bytes in extra files")
+ flagSet.BoolVar(&args.allow_other, "allow_other", false, "Allow other users to access the filesystem. "+
+ "Only works if user_allow_other is set in /etc/fuse.conf.")
 flagSet.StringVar(&args.masterkey, "masterkey", "", "Mount with explicit master key")
 flagSet.StringVar(&args.cpuprofile, "cpuprofile", "", "Write cpu profile to specified file")
 flagSet.StringVar(&args.memprofile, "memprofile", "", "Write memory profile to specified file")
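Review bot: The usage text for `allow_other` in the second hunk omits that the flag also turns on kernel permission checking, which the man page change in this same commit does state ("allow_other" plus "default_permissions"). Someone who reads only `-help` should see what access model they are opting into. Appending a sentence such as `"Implies default_permissions: the kernel enforces file mode and ownership."` to the string would cover it. main() starts and ends outside both hunks.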
@@ -395,6 +398,13 @@ func initFuseFrontend(key []byte, args argContainer, confFile *configfile.ConfFi
 conn := nodefs.NewFileSystemConnector(pathFs.Root(), fuseOpts)
 var mOpts fuse.MountOptions
 mOpts.AllowOther = false
+ if args.allow_other {
+ toggledlog.Info.Printf(colorYellow + "The option \"-allow_other\" is set. Make sure the file " +
+ "permissions protect your data from unwanted access." + colorReset)
+ mOpts.AllowOther = true
+ // Make the kernel check the file permissions for us
+ mOpts.Options = append(mOpts.Options, "default_permissions")
+ }
 // Set values shown in "df -T" and friends
 // First column, "Filesystem"
 mOpts.Options = append(mOpts.Options, "fsname="+args.cipherdir)
@@ -436,7 +446,7 @@ func handleSigint(srv *fuse.Server, mountpoint string) {
 }
 // Escape sequences for terminal colors
-var colorReset, colorGrey, colorRed, colorGreen string
+var colorReset, colorGrey, colorRed, colorGreen, colorYellow string
 func setupColors() {
 if terminal.IsTerminal(int(os.Stdout.Fd())) {
@@ -444,5 +454,6 @@ func setupColors() {
 colorGrey = "\033[2m"
 colorRed = "\033[31m"
 colorGreen = "\033[32m"
+ colorYellow = "\033[33m"
 }
 }
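Review bot: The comment on the `default_permissions` line in the first hunk says what the option does but not why it has to travel with `AllowOther`: without it the kernel does no mode-bit checks, and unless the filesystem enforces its own policy every request is served with the mounting user's rights. I would spell that out, e.g. `// Required with AllowOther: without default_permissions the kernel skips mode checks and other users get the mounting user's access`, so the two settings are never separated later. The notice goes through `toggledlog.Info`; if that logger is silenced by `-quiet` (not visible here), the only warning about widened access is lost on scripted mounts, which deserves a comment or a channel that is not suppressed. The preceding `mOpts.AllowOther = false` is now redundant and could become `mOpts.AllowOther = args.allow_other`. initFuseFrontend starts and ends outside the hunk.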