72b975867a
If the user manages to replace the directory with a symlink at just the right time, we could be tricked into chown'ing the wrong file. This change fixes the race by using fchownat, which unfortunately is not available on darwin, hence a compat wrapper is added. Scenario, as described by @slackner at https://github.com/rfjakob/gocryptfs/issues/177 : 1. Create a forward mount point with `plaintextnames` enabled 2. Mount as root user with `allow_other` 3. For testing purposes create a file `/tmp/file_owned_by_root` which is owned by the root user 4. As a regular user run inside of the GoCryptFS mount: ``` mkdir tempdir mknod tempdir/file_owned_by_root p & mv tempdir tempdir2 ln -s /tmp tempdir ``` When the steps are done fast enough and in the right order (run in a loop!), the device file will be created in `tempdir`, but the `lchown` will be executed by following the symlink. As a result, the ownership of the file located at `/tmp/file_owned_by_root` will be changed.
76 lines
2.3 KiB
Go
76 lines
2.3 KiB
Go
// Package syscallcompat wraps Linux-specific syscalls.
|
|
package syscallcompat
|
|
|
|
import (
|
|
"sync"
|
|
"syscall"
|
|
|
|
"github.com/rfjakob/gocryptfs/internal/tlog"
|
|
)
|
|
|
|
const _FALLOC_FL_KEEP_SIZE = 0x01
|
|
|
|
var preallocWarn sync.Once
|
|
|
|
// EnospcPrealloc preallocates ciphertext space without changing the file
|
|
// size. This guarantees that we don't run out of space while writing a
|
|
// ciphertext block (that would corrupt the block).
|
|
func EnospcPrealloc(fd int, off int64, len int64) (err error) {
|
|
for {
|
|
err = syscall.Fallocate(fd, _FALLOC_FL_KEEP_SIZE, off, len)
|
|
if err == syscall.EINTR {
|
|
// fallocate, like many syscalls, can return EINTR. This is not an
|
|
// error and just signifies that the operation was interrupted by a
|
|
// signal and we should try again.
|
|
continue
|
|
}
|
|
if err == syscall.EOPNOTSUPP {
|
|
// ZFS and ext3 do not support fallocate. Warn but continue anyway.
|
|
// https://github.com/rfjakob/gocryptfs/issues/22
|
|
preallocWarn.Do(func() {
|
|
tlog.Warn.Printf("Warning: The underlying filesystem " +
|
|
"does not support fallocate(2). gocryptfs will continue working " +
|
|
"but is no longer resistant against out-of-space errors.\n")
|
|
})
|
|
return nil
|
|
}
|
|
return err
|
|
}
|
|
}
|
|
|
|
// Fallocate wraps the Fallocate syscall.
|
|
func Fallocate(fd int, mode uint32, off int64, len int64) (err error) {
|
|
return syscall.Fallocate(fd, mode, off, len)
|
|
}
|
|
|
|
// Openat wraps the Openat syscall.
|
|
func Openat(dirfd int, path string, flags int, mode uint32) (fd int, err error) {
|
|
return syscall.Openat(dirfd, path, flags, mode)
|
|
}
|
|
|
|
// Renameat wraps the Renameat syscall.
|
|
func Renameat(olddirfd int, oldpath string, newdirfd int, newpath string) (err error) {
|
|
return syscall.Renameat(olddirfd, oldpath, newdirfd, newpath)
|
|
}
|
|
|
|
// Unlinkat wraps the Unlinkat syscall.
|
|
func Unlinkat(dirfd int, path string) error {
|
|
return syscall.Unlinkat(dirfd, path)
|
|
}
|
|
|
|
// Mknodat wraps the Mknodat syscall.
|
|
func Mknodat(dirfd int, path string, mode uint32, dev int) (err error) {
|
|
return syscall.Mknodat(dirfd, path, mode, dev)
|
|
}
|
|
|
|
// Dup3 wraps the Dup3 syscall. We want to use Dup3 rather than Dup2 because Dup2
|
|
// is not implemented on arm64.
|
|
func Dup3(oldfd int, newfd int, flags int) (err error) {
|
|
return syscall.Dup3(oldfd, newfd, flags)
|
|
}
|
|
|
|
// Fchownat syscall.
|
|
func Fchownat(dirfd int, path string, uid int, gid int, flags int) (err error) {
|
|
return syscall.Fchownat(dirfd, path, uid, gid, flags)
|
|
}
|