diff --git a/internal/nametransform/diriv.go b/internal/nametransform/diriv.go
index 6dbf028..b2f165b 100644
--- a/internal/nametransform/diriv.go
+++ b/internal/nametransform/diriv.go
@@ -62,14 +62,6 @@ func fdReadDirIV(fd *os.File) (iv []byte, err error) {
 // This function is exported because it is used from fusefrontend, main,
 // and also the automated tests.
 func WriteDirIVAt(dirfd int) error {
- // It makes sense to have the diriv files group-readable so the FS can
- // be mounted from several users from a network drive (see
- // https://github.com/rfjakob/gocryptfs/issues/387 ).
- //
- // Note that gocryptfs.conf is still created with 0400 permissions so the
- // owner must explicitly chmod it to permit access.
- const dirivPerms = 0440
-
 iv := cryptocore.RandBytes(DirIVLen)
 // 0400 permissions: gocryptfs.diriv should never be modified after creation.
 // Don't use "ioutil.WriteFile", it causes trouble on NFS:
diff --git a/internal/nametransform/longnames.go b/internal/nametransform/longnames.go
index 1bbcbb6..aa463a1 100644
--- a/internal/nametransform/longnames.go
+++ b/internal/nametransform/longnames.go
@@ -136,7 +136,7 @@ func (n *NameTransform) WriteLongNameAt(dirfd int, hashName string, plainName st
 
 // Write the encrypted name into hashName.name
 fdRaw, err := syscallcompat.Openat(dirfd, hashName+LongNameSuffix,
- syscall.O_WRONLY|syscall.O_CREAT|syscall.O_EXCL, 0400)
+ syscall.O_WRONLY|syscall.O_CREAT|syscall.O_EXCL, namePerms)
 if err != nil {
 // Don't warn if the file already exists - this is allowed for renames
 // and should be handled by the caller.
diff --git a/internal/nametransform/perms.go b/internal/nametransform/perms.go
new file mode 100644
index 0000000..98b51d6
--- /dev/null
+++ b/internal/nametransform/perms.go
@@ -0,0 +1,16 @@
+package nametransform
+
+const (
+ // Permissions for gocryptfs.diriv files
+ //
+ // It makes sense to have the diriv files group-readable so the FS can
+ // be mounted from several users from a network drive (see
+ // https://github.com/rfjakob/gocryptfs/issues/387 ).
+ //
+ // Note that gocryptfs.conf is still created with 0400 permissions so the
+ // owner must explicitly chmod it to permit access.
+ dirivPerms = 0440
+
+ // Permissions for gocryptfs.longname.[sha256].name files
+ namePerms = 0400
+)
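Review bot: `namePerms = 0400` keeps the `gocryptfs.longname.[sha256].name` files owner-only while `dirivPerms` is `0440`, and the comment on `namePerms` does not say whether that difference is intended. If the group-mount case from issue 387 also needs to read long-name files (presumably it does once a directory holds one), a second group member would still be blocked by the mode that `WriteLongNameAt` now passes to `Openat` in longnames.go. If owner-only is deliberate, document it on the constant, e.g. `// Owner-only on purpose: unlike gocryptfs.diriv, .name files are not shared with the group`; otherwise align the two modes in a follow-up so the access policy for both metadata files is decided in one place. Separately, the comment left in `WriteDirIVAt` (diriv.go hunk) still reads `0400 permissions` although the constant is `0440`; it should become `// 0440 permissions (dirivPerms): gocryptfs.diriv should never be modified after creation.`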