forward mode: create gocryptfs.diriv files with 0440 permissions
Makes it easier to share an encrypted folder via a network drive. https://github.com/rfjakob/gocryptfs/issues/387
This commit is contained in:
parent
a4f461a305
commit
ec17445b99
@ -166,6 +166,11 @@ Changelog
|
|||||||
vNEXT, in progress
|
vNEXT, in progress
|
||||||
* Support wild cards in reverse mode via `--exclude-wildcard`
|
* Support wild cards in reverse mode via `--exclude-wildcard`
|
||||||
([#367](https://github.com/rfjakob/gocryptfs/pull/367)). Thanks @ekalin!
|
([#367](https://github.com/rfjakob/gocryptfs/pull/367)). Thanks @ekalin!
|
||||||
|
* Create `gocryptfs.diriv` files with 0440 permissions to make it easier to
|
||||||
|
share an encrypted folder via a network drive
|
||||||
|
([#387](https://github.com/rfjakob/gocryptfs/issues/387)).
|
||||||
|
Note: as a security precaution, the owner must still manually
|
||||||
|
`chmod gocryptfs.conf 0440` to allow mounting.
|
||||||
|
|
||||||
v1.7, 2019-03-17
|
v1.7, 2019-03-17
|
||||||
* **Fix possible symlink race attacks in forward mode** when using allow_other + plaintextnames
|
* **Fix possible symlink race attacks in forward mode** when using allow_other + plaintextnames
|
||||||
|
@ -61,11 +61,19 @@ func fdReadDirIV(fd *os.File) (iv []byte, err error) {
|
|||||||
// This function is exported because it is used from fusefrontend, main,
|
// This function is exported because it is used from fusefrontend, main,
|
||||||
// and also the automated tests.
|
// and also the automated tests.
|
||||||
func WriteDirIVAt(dirfd int) error {
|
func WriteDirIVAt(dirfd int) error {
|
||||||
|
// It makes sense to have the diriv files group-readable so the FS can
|
||||||
|
// be mounted from several users from a network drive (see
|
||||||
|
// https://github.com/rfjakob/gocryptfs/issues/387 ).
|
||||||
|
//
|
||||||
|
// Note that gocryptfs.conf is still created with 0400 permissions so the
|
||||||
|
// owner must explicitely chmod it to permit access.
|
||||||
|
const dirivPerms = 0440
|
||||||
|
|
||||||
iv := cryptocore.RandBytes(DirIVLen)
|
iv := cryptocore.RandBytes(DirIVLen)
|
||||||
// 0400 permissions: gocryptfs.diriv should never be modified after creation.
|
// 0400 permissions: gocryptfs.diriv should never be modified after creation.
|
||||||
// Don't use "ioutil.WriteFile", it causes trouble on NFS:
|
// Don't use "ioutil.WriteFile", it causes trouble on NFS:
|
||||||
// https://github.com/rfjakob/gocryptfs/commit/7d38f80a78644c8ec4900cc990bfb894387112ed
|
// https://github.com/rfjakob/gocryptfs/commit/7d38f80a78644c8ec4900cc990bfb894387112ed
|
||||||
fd, err := syscallcompat.Openat(dirfd, DirIVFilename, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0400)
|
fd, err := syscallcompat.Openat(dirfd, DirIVFilename, os.O_WRONLY|os.O_CREATE|os.O_EXCL, dirivPerms)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
tlog.Warn.Printf("WriteDirIV: Openat: %v", err)
|
tlog.Warn.Printf("WriteDirIV: Openat: %v", err)
|
||||||
return err
|
return err
|
||||||
|
@ -43,6 +43,26 @@ func TestInit(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Test that gocryptfs.conf and gocryptfs.diriv are there with the expected
|
||||||
|
// permissions after -init
|
||||||
|
func TestInitFilePerms(t *testing.T) {
|
||||||
|
dir := test_helpers.InitFS(t)
|
||||||
|
var st syscall.Stat_t
|
||||||
|
syscall.Stat(dir+"/gocryptfs.conf", &st)
|
||||||
|
perms := st.Mode & 0777
|
||||||
|
if perms != 0400 {
|
||||||
|
t.Errorf("Wrong permissions for gocryptfs.conf: %#o", perms)
|
||||||
|
}
|
||||||
|
st = syscall.Stat_t{}
|
||||||
|
syscall.Stat(dir+"/gocryptfs.diriv", &st)
|
||||||
|
perms = st.Mode & 0777
|
||||||
|
// From v1.7.1, these are created with 0440 permissions, see
|
||||||
|
// https://github.com/rfjakob/gocryptfs/issues/387
|
||||||
|
if perms != 0440 {
|
||||||
|
t.Errorf("Wrong permissions for gocryptfs.diriv: %#o", perms)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Test -init with -devrandom flag
|
// Test -init with -devrandom flag
|
||||||
func TestInitDevRandom(t *testing.T) {
|
func TestInitDevRandom(t *testing.T) {
|
||||||
test_helpers.InitFS(t, "-devrandom")
|
test_helpers.InitFS(t, "-devrandom")
|
||||||
|
Loading…
Reference in New Issue
Block a user