nametransform: move permission constants to perms.go

Prep for https://github.com/rfjakob/gocryptfs/issues/539
Jakob Unterwurzacher 2021-01-10 07:27:04 +01:00
parent de108d3fc0
commit f3394ae286
3 changed files with 17 additions and 9 deletions


@ -62,14 +62,6 @@ func fdReadDirIV(fd *os.File) (iv []byte, err error) {
// This function is exported because it is used from fusefrontend, main, // This function is exported because it is used from fusefrontend, main,
// and also the automated tests. // and also the automated tests.
func WriteDirIVAt(dirfd int) error { func WriteDirIVAt(dirfd int) error {
// It makes sense to have the diriv files group-readable so the FS can
// be mounted from several users from a network drive (see
// https://github.com/rfjakob/gocryptfs/issues/387 ).
//
// Note that gocryptfs.conf is still created with 0400 permissions so the
// owner must explicitly chmod it to permit access.
const dirivPerms = 0440
iv := cryptocore.RandBytes(DirIVLen) iv := cryptocore.RandBytes(DirIVLen)
// 0400 permissions: gocryptfs.diriv should never be modified after creation. // 0400 permissions: gocryptfs.diriv should never be modified after creation.
// Don't use "ioutil.WriteFile", it causes trouble on NFS: // Don't use "ioutil.WriteFile", it causes trouble on NFS:


@ -136,7 +136,7 @@ func (n *NameTransform) WriteLongNameAt(dirfd int, hashName string, plainName st
// Write the encrypted name into hashName.name // Write the encrypted name into hashName.name
fdRaw, err := syscallcompat.Openat(dirfd, hashName+LongNameSuffix, fdRaw, err := syscallcompat.Openat(dirfd, hashName+LongNameSuffix,
syscall.O_WRONLY|syscall.O_CREAT|syscall.O_EXCL, 0400) syscall.O_WRONLY|syscall.O_CREAT|syscall.O_EXCL, namePerms)
if err != nil { if err != nil {
// Don't warn if the file already exists - this is allowed for renames // Don't warn if the file already exists - this is allowed for renames
// and should be handled by the caller. // and should be handled by the caller.


@ -0,0 +1,16 @@
package nametransform
const (
// Permissions for gocryptfs.diriv files
//
// It makes sense to have the diriv files group-readable so the FS can
// be mounted from several users from a network drive (see
// https://github.com/rfjakob/gocryptfs/issues/387 ).
//
// Note that gocryptfs.conf is still created with 0400 permissions so the
// owner must explicitly chmod it to permit access.
dirivPerms = 0440
// Permissions for gocryptfs.longname.[sha256].name files
namePerms = 0400
)
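Review bot: `dirivPerms` is 0440 here, but the comment kept inside `WriteDirIVAt` (context lines of the first file section) still reads "0400 permissions: gocryptfs.diriv should never be modified after creation". With the constant now in a separate file, that mismatch is harder to notice. I would reword the comment so it names no mode, for example `// dirivPerms is read-only: gocryptfs.diriv should never be modified after creation.` `namePerms` is documented only by the file pattern it applies to; a line such as `// Owner-read-only, unlike dirivPerms: .name files are not group-readable.` would make the difference between the two modes explicit. That difference presumably matters for the shared network-drive case the `dirivPerms` comment describes, since a group member who can read gocryptfs.diriv would still be unable to read the longname files. The body of `WriteDirIVAt` continues outside the hunk, so the call that uses `dirivPerms` is not visible here.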