Commit Graph

585 Commits

Author SHA1 Message Date
Sebastian Lackner
a97d14c42d syscallcompat: fetch supplementary groups for OpenatUser & friends
Handled the same way in GlusterFS, disorderfs, libfuse.
Fixes https://github.com/rfjakob/gocryptfs/issues/394
2019-05-01 17:52:07 +02:00
Jakob Unterwurzacher
3ac9872230 tests: split testParentDir by UID
When we run tests as root, they will leave root-owned files
in testParentDir, which causes trouble when we run tests as
a normal user later on. Split by UID.
2019-05-01 13:12:44 +02:00
Jakob Unterwurzacher
7d81494a64 fusefrontend: get rid of last hardcoded "gocryptfs.diriv" instances
Makes it easier to change the name (as some people want to):
https://github.com/rfjakob/gocryptfs/issues/37
2019-04-09 20:51:33 +02:00
Jakob Unterwurzacher
fe06e9f456 readpassword: delete CheckTrailingGarbage
CheckTrailingGarbage was called even when "-passfile" was
used, which is stupid, and causes false positives:

https://github.com/rfjakob/gocryptfs/issues/391
(false error "Received trailing garbage after the password"
when using -passfile in .bash_profile)

Instead of trying to improve the logic to handle that case
and make everything even more complicated, delete the function.

It is unclear if actually helps in some cases, and it definitely
harms as shown by the above bug report.
2019-04-08 20:18:45 +02:00
Jakob Unterwurzacher
8459bb15c1 configfile: fall back to sync() if fsync() fails
This can happen on network drives: FRITZ.NAS mounted on MacOS returns
"operation not supported": https://github.com/rfjakob/gocryptfs/issues/390
2019-04-08 19:54:54 +02:00
Jakob Unterwurzacher
ec17445b99 forward mode: create gocryptfs.diriv files with 0440 permissions
Makes it easier to share an encrypted folder via a network drive.

https://github.com/rfjakob/gocryptfs/issues/387
2019-03-30 20:06:40 +01:00
Jakob Unterwurzacher
fba9b2b995 reverse: don't show gocryptfs.conf if a custom config path was passed
GetAttr checks for this, but OpenDir did not.

https://github.com/rfjakob/gocryptfs/issues/385
2019-03-26 20:59:52 +01:00
Eduardo M KALINOWSKI
3bc100aeb3 reverse mode: support wildcard exclude (--exclude-wildcard)
This adds support for gitignore-like wildcards and exclude patters in
reverse mode. It (somewhat) fixes #273: no regexp support, but the
syntax should be powerful enough to satisfy most needs.

Also, since adding a lot of --exclude options can be tedious, it adds
the --exclude-from option to read patterns from a file (or files).
2019-03-26 20:56:37 +01:00
Jakob Unterwurzacher
cf27037f20 Allow multiple -extpass arguments
To support arguments containing spaces, -extpass can now
be passed multiple times.

https://github.com/rfjakob/gocryptfs/issues/289
2019-03-03 13:25:30 +01:00
Jakob Unterwurzacher
179471b648 ParseHeader: print hexdump on error
Should help debugging https://github.com/rfjakob/gocryptfs/issues/363
2019-02-17 17:13:20 +01:00
Jakob Unterwurzacher
19cb6d046a nametransform: reject names longer than 255 chars
Looks like we allowed creating longer names by accident.
Fix that, and add a test that verifies it.
2019-02-17 17:05:05 +01:00
Jakob Unterwurzacher
16fac26c57 Disable Trezor support
Trezor support has been broken since Sept 2018
( https://github.com/rfjakob/gocryptfs/issues/261 ).

Disable trezor.go by renaming to trezor.go.broken.
This keeps "dep" from having to pull in A LOT OF dependencies:

Before:

  $ du -sh vendor/
  49M	vendor/

After:

  $ du -sh vendor/
  16M	vendor/
2019-02-04 22:08:03 +01:00
Jakob Unterwurzacher
b08cbce5c1 fusefronted: comment why Access() does not check context.Uid
https://github.com/rfjakob/gocryptfs/issues/347
2019-01-20 14:37:36 +01:00
Jakob Unterwurzacher
962c523644 fusefrontend: ensure directories without W or X perms can be deleted
This fixed the "Permission denied" bug, but still has the problem that
the directory may be replaced behind our back. Mitigated by the fact
that we skip the workaround when running as root with -allow_other.

https://github.com/rfjakob/gocryptfs/issues/354
2019-01-20 14:29:28 +01:00
Jakob Unterwurzacher
3d6b2685fb Revert "syscallcompat: drop Faccessat AT_SYMLINK_NOFOLLOW helper"
Breaks mounting on MacOS: unix.Faccessat on Darwin does NOT (yet)
support AT_SYMLINK_NOFOLLOW. See d44fe89ba4 .

This reverts commit 0805a63df1.
2019-01-20 13:10:59 +01:00
Jakob Unterwurzacher
0805a63df1 syscallcompat: drop Faccessat AT_SYMLINK_NOFOLLOW helper
unix.Faccessat has added support for AT_SYMLINK_NOFOLLOW in July 2018,
bd9dbc187b (diff-341484dbbe3180cd7a31ef2ad2d679b6)
which means we no longer need our own helper.

Closes https://github.com/rfjakob/gocryptfs/issues/347
2019-01-20 12:59:59 +01:00
Jakob Unterwurzacher
8c09df03aa ctlsock: fix buffer truncation of JSON unmarshal error
In the error case, buf was not restored to the original
capacity. Instead of truncating "buf" and restoring (or forgetting to restore)
later, introduce the "data" slice.

Fixes https://github.com/rfjakob/gocryptfs/issues/356
2019-01-20 12:13:49 +01:00
Sebastian Lackner
452b8b00f4 fusefrontend: Always use intFd() method instead of int(f.fd.Fd()). 2019-01-16 20:55:20 +01:00
Sebastian Lackner
682e642cfa fusefrontend: Rework the Utimens handling on macOS.
For Linux, everything effectively stays the same. For both path-based and
fd-based Utimens() calls, we use unix.UtimesNanoAt(). To avoid introducing
a separate syscall wrapper for futimens() (as done in go-fuse, for example),
we instead use the /proc/self/fd - trick.

On macOS, this changes quite a lot:

* Path-based Utimens() calls were previously completely broken, since
  unix.UtimensNanoAt() ignores the passed file descriptor. Note that this
  cannot be fixed easily since there IS no appropriate syscall available on
  macOS prior to High Sierra (10.13). We emulate this case by using
  Fchdir() + setattrlist().

* Fd-based Utimens() calls were previously translated to f.GetAttr() (to
  fill any empty parameters) and syscall.Futimes(), which does not does
  support nanosecond precision. Both issues can be fixed by switching to
  fsetattrlist().

Fixes https://github.com/rfjakob/gocryptfs/issues/350
2019-01-16 20:55:20 +01:00
Sebastian Lackner
8f33145651 fusefrontend: Print 'too many open files' warning for both short and long names.
While we're at it, also replace os.* constants with syscall.* constants.
2019-01-15 22:07:37 +01:00
Sebastian Lackner
d8bb223dd3 fusefrontend_reverse: Delete leftover debug statement. 2019-01-15 22:07:37 +01:00
Jakob Unterwurzacher
20140e24ed tests: reduce noise on MacOS
This should get rid of

    Openat: O_NOFOLLOW missing: flags = 0x0
    Fchmodat: adding missing AT_SYMLINK_NOFOLLOW flag
    sys_common_test.go:203: chmod on symlink should have failed, but did not. New mode=0333
    UnmountErr: "[...]/057376762.mnt" was not found in MountInfo, cannot check for FD leak

and add some context to

    --- FAIL: TestUtimesNano (0.00s)
    matrix_test.go:628: no such file or directory

See https://github.com/rfjakob/gocryptfs/pull/343#issuecomment-453888006
for full test output
2019-01-14 22:11:15 +01:00
Jakob Unterwurzacher
6542ddd2f9 syscallcompat: fix FchmodatNofollow tests
FchmodatNofollow dropped the flags parameter.
2019-01-14 21:57:24 +01:00
Jakob Unterwurzacher
a7d59032d3 syscallcompat: rework Fchmodat to FchmodatNofollow
We never want Fchmodat to follow symlinks, so follow what
Qemu does, and call our function FchmodatNofollow.
2019-01-14 21:54:16 +01:00
Sebastian Lackner
a9d8eb49ef syscallcompat: Drop Fstatat emulation on macOS. 2019-01-14 21:27:28 +01:00
Sebastian Lackner
4134ff7570 syscallcompat: Drop Mkdirat emulation on macOS. 2019-01-14 21:27:28 +01:00
Sebastian Lackner
7b0d56fe98 syscallcompat: Drop Symlinkat emulation on macOS. 2019-01-14 21:27:28 +01:00
Sebastian Lackner
92110628ee syscallcompat: Drop Fchownat emulation on macOS. 2019-01-14 21:27:28 +01:00
Sebastian Lackner
0345cc0830 syscallcompat: Drop Fchmodat emulation on macOS.
On macOS the function has a flags argument, so we don't need the
/proc/self/fd trick used on Linux.
2019-01-14 21:27:28 +01:00
Sebastian Lackner
229a9da74b syscallcompat: Drop Unlinkat emulation on macOS. 2019-01-14 21:27:28 +01:00
Sebastian Lackner
42bf6d1c68 syscallcompat: Drop Renameat emulation on macOS. 2019-01-14 21:27:28 +01:00
Sebastian Lackner
da557702d7 syscallcompat: Drop Openat emulation on macOS. 2019-01-14 21:27:28 +01:00
Sebastian Lackner
d7be766851 syscallcompat: Use pthread_setugid_np() to implement *User() functions on macOS.
Fixes -allow_other mode on macOS.
2019-01-14 21:27:28 +01:00
Jakob Unterwurzacher
e885f08746 fusefrontend: drop last remaining call into loopbackFileSystem
The only call forwarded to loopbackFileSystem was Statfs,
which is trivial to implement.

Implement it and drop loopbackFileSystem, as having it carries the
risk that a coding error bypasses the usual encryption/decryption
chain.
2019-01-13 20:27:35 +01:00
Sebastian Lackner
d44fe89ba4 fusefrontend: Do not pass unsupported flags to Faccessat on macOS.
Fixes mounting of forward mounts on macOS High Sierra.
2019-01-13 14:10:34 +01:00
Jakob Unterwurzacher
711ef81bfb macos: filter SUID and SGID bits in OpenatUser, MknodatUser, MkdiratUser
When gocryptfs runs as root, we don't want to allow people to create
SUID root files.
2019-01-13 14:05:03 +01:00
Sebastian Lackner
99e8b6d288 fusefrontend: Preserve SUID/SGID/sticky-bits in openWriteOnlyFile and Rmdir.
Fixes https://github.com/rfjakob/gocryptfs/issues/336 and
https://github.com/rfjakob/gocryptfs/issues/337.
2019-01-12 21:24:50 +01:00
Sebastian Lackner
efc280330c fusefrontend: -allow_other: Use SymlinkatUser in Symlink FUSE call.
Instead of manually adjusting the user after creating the symlink,
adjust effective permissions and let the kernel deal with it.

Related to https://github.com/rfjakob/gocryptfs/issues/338.
2019-01-12 21:22:58 +01:00
Sebastian Lackner
1fbe7798cf fusefrontend: -allow_other: Use MknodatUser in Mknod FUSE call.
Instead of manually adjusting the user and mode after creating the
device file, adjust effective permissions and let the kernel deal
with it.

Related to https://github.com/rfjakob/gocryptfs/issues/338.
2019-01-12 21:20:16 +01:00
Sebastian Lackner
a525e33eaa fusefrontend: -allow_other: Use MkdiratUser in Mkdir FUSE call.
Revert commit fcaca5fc94.

Instead of manually adjusting the user and mode after creating the
directory, adjust effective permissions and let the kernel deal with it.

Related to https://github.com/rfjakob/gocryptfs/issues/338.
2019-01-12 21:20:07 +01:00
Sebastian Lackner
03b9d65cce fusefrontend: -allow_other: Use OpenatUser in Create FUSE call.
Revert commit b22cc03c75.

Instead of manually adjusting the user and mode after creating the
file, adjust effective permissions and let the kernel deal with it.

Related to https://github.com/rfjakob/gocryptfs/issues/338.
2019-01-12 20:54:39 +01:00
Sebastian Lackner
669322482a fusefrontend: Don't chown gocryptfs.diriv files.
The current code has a risk of race-conditions, since we pass a path
containing "/" to Fchownat. We could fix this by opening a file descriptor,
however, this does not seem worth the effort. We also don't chown *.name files.
2019-01-12 20:35:50 +01:00
Sebastian Lackner
fcaca5fc94 fusefrontend: -allow_other: set file mode after chown in Mkdir().
Make sure that the directory belongs to the correct owner before users
can access it. For directories with SUID/SGID mode, there is a risk of
race-conditions when files are created before the correct owner is set.
They will then inherit the wrong user and/or group.

See https://github.com/rfjakob/gocryptfs/issues/327 for more details.
2019-01-09 20:48:00 +01:00
Sebastian Lackner
aae45b4d77 nametransform: Create *.name files with 0400 permission.
Similar to gocryptfs.iv files they are never modified.
2019-01-09 20:42:18 +01:00
Jakob Unterwurzacher
b22cc03c75 fusefrontend: -allow_other: set file mode *after* chown in Create()
Reported by @slackner at https://github.com/rfjakob/gocryptfs/issues/327 :

Possible race-conditions between file creation and Fchownat

* Assume a system contains a gocryptfs mount as root user
  with -allow_other
* As a regular user create a new file with mode containing
  the SUID flag and write access for other users
* Before gocryptfs executes the Fchownat call, try to open
  the file again, write some exploit code to it, and try to run it.

For a short time, the file is owned by root and has the SUID flag, so
this is pretty dangerous.
2019-01-08 21:50:10 +01:00
Sebastian Lackner
4170ef00f3 syscallcompat: Implement workaround for Fchmodat with AT_SYMLINK_NOFOLLOW.
Fixes https://github.com/rfjakob/gocryptfs/issues/259
2019-01-07 23:07:53 +01:00
Jakob Unterwurzacher
8253c55386 tests: add Fchmodat test
Test that we handle symlinks correctly.
2019-01-07 23:07:53 +01:00
Sebastian Lackner
57a52d6aef fusefrontend: Clarify access mode check related to O_WRONLY handling.
Use O_ACCMODE mask in openWriteOnlyFile for improved readability.
2019-01-07 21:25:23 +01:00
Sebastian Lackner
2332462e78 fusefrontend: Filter O_CREAT in mangleOpenFlags. 2019-01-07 21:19:13 +01:00
Sebastian Lackner
aa2fa24c42 fusefrontend: Check result of Fchmod syscall.
Fixes https://github.com/rfjakob/gocryptfs/issues/328
2019-01-06 21:00:17 +01:00