fuse-encfs-1.9.2 causes permission denied #398
Comments
Hi, encfs runs as root? |
yes, it is running as root via fstab:
/opt/encfs/bin/mount.encfs#/home/group.encrypt /home/group fuse auto 0 0
mount.encfs is finally executing what was shown above |
Hmm. Looking at your strace and at the mknod code, we see that setting the gid fails with: Then the But why, given that EncFS runs as root? Are you running on NFS? |
Can you post |
PS: The setfsgid error handler does not work because setfsgid does not return -1
Line 40 in 1f02e63
|
as requested:
after downgrade to 1.9.1 and umount/mount here is the diff
voluntary_ctxt_switches differs somehow |
I managed to reproduce the With non-root user, touching a file :
With root user :
|
I don't understand this at all. The strace of the OP shows that we call setresgid:
However, looking at Line 54 in 85a2d74
we see that the call to setegid (which ultimately calls setresgid) is wrapped in ifndef linux.
On my machine, I get this in strace:
EncFS calls |
Yes, but if it is called after |
No, works fine here. |
With master :
With patch #403 :
Files' result :
We clearly see that group of |
I can reproduce on CentOS 7. Here, EncFS calls setresuid, though I don't understand why:
|
@benrubson I think there are two things to fix here:
|
I think we should use |
Looks like the
|
Good catch, you confirm! |
Your change missed a few "ifdef linux", I'll push just this change in a new PR |
The "linux" define is not available with "g++ -std=c++11", which resulted in bug vgough#398. Available defines for gcc 7.1.1, g++ 7.1.7, clang 4.0.0:
$ g++ -dM -E -x c++ /dev/null | grep linux
$ g++ -dM -E -x c++ -std=c++11 /dev/null | grep linux
$ echo "" | gcc -E -dM -c - | grep linux
$ echo "" | clang -E - -dM | grep linux
I would like to merge #405 first as this is the minimal fix for the problem the user is seeing. For the other platforms, where do you test? FreeBSD? |
In addition #403 solves an issue where setfsuid / setfsgid return codes were not correctly used. |
- use these functions in the correct order;
- correctly check for their return code.
This helps to correct #398.
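The two points in the commit messages above (the bare `linux` macro disappearing under strict `-std=c++11`, and setfsuid/setfsgid return codes being misread) are easy to get wrong, so here is an added, stand-alone C example that is not EncFS code and not the patch from #403 or #405. It guards the Linux-only code with `__linux__` instead of `linux`, and detects setfsuid()/setfsgid() failure the way the man pages describe: those calls return the previous id on success and on failure alike, never -1, so the only reliable check is to read the current value back with an invalid id ((uid_t)-1 / (gid_t)-1 never changes anything) and compare it with the target. The function names (`set_fsgid_checked`, `become_fs_ids`, ...) are this example's own, and the gid-before-uid order is the conventional privilege-dropping order chosen here, not necessarily the exact order #403 uses.

```c
/* setfs_checked.c (illustrative example, not EncFS code).
 * Build: cc -std=c11 -Wall setfs_checked.c -o setfs_checked
 * -std=c11 (like -std=c++11) does NOT define the bare `linux` macro,
 * which is why the guard below uses __linux__.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

#if defined(__linux__)
#include <sys/fsuid.h>
#define HAVE_SETFS 1
#else
#define HAVE_SETFS 0
#endif

/* 1 when the fs-id code was compiled in. A guard written as
 * `#ifdef linux` would silently drop it under strict ISO modes. */
int platform_has_setfs(void) { return HAVE_SETFS; }

#if HAVE_SETFS
/* setfsuid()/setfsgid() return the *previous* id whether or not the
 * change succeeded. Passing an invalid id always fails and therefore
 * just reports the current value. */
uid_t current_fsuid(void) { return (uid_t)setfsuid((uid_t)-1); }
gid_t current_fsgid(void) { return (gid_t)setfsgid((gid_t)-1); }

/* The buggy pattern: treats -1 as failure. Because the kernel returns
 * the previous gid, this reports success even when nothing changed. */
int naive_setfsgid(gid_t gid) { return setfsgid(gid) == -1 ? -1 : 0; }

/* Correct pattern: attempt the change, read back, compare.
 * Returns 0 on success, -1 if the kernel refused the change. */
int set_fsuid_checked(uid_t uid) {
    (void)setfsuid(uid);
    return current_fsuid() == uid ? 0 : -1;
}
int set_fsgid_checked(gid_t gid) {
    (void)setfsgid(gid);
    return current_fsgid() == gid ? 0 : -1;
}

/* Switch both filesystem ids for the caller: gid first, then uid
 * (this example's choice of order). On a failed uid switch the gid is
 * restored so no half-switched state is left behind. */
int become_fs_ids(uid_t uid, gid_t gid) {
    gid_t saved_gid = current_fsgid();
    if (set_fsgid_checked(gid) != 0)
        return -1;
    if (set_fsuid_checked(uid) != 0) {
        (void)setfsgid(saved_gid);
        return -1;
    }
    return 0;
}
#endif

int main(void) {
#if HAVE_SETFS
    /* As non-root, setfsgid(0) is refused, yet the naive check says 0. */
    printf("naive check on gid 0 reports %d; fsgid is actually %u\n",
           naive_setfsgid(0), (unsigned)current_fsgid());
    printf("checked switch to own ids: %d\n",
           become_fs_ids(getuid(), getgid()));
    printf("fsuid=%u fsgid=%u\n",
           (unsigned)current_fsuid(), (unsigned)current_fsgid());
#else
    puts("no setfsuid/setfsgid on this platform");
#endif
    return 0;
}
```

Run it once as an ordinary user and once as root: the naive check prints 0 in both cases, while `current_fsgid()` shows that only root actually reached gid 0.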
While fuse-encfs-1.9.2-3.el7.src.rpm rebuilt fine, I ran into an issue.
Looks like some benchmark code was included since 1.9.2? This can be solved by changing EL7 spec file:
In addition because of the by default (?) now installed benchmark headers and libraries, a bunch of files must be "removed" before packaging is successful:
-> there should be an option to build/install without that benchmark piece. BTW: a bunch of warnings appear during compilation, mostly "defined but not used" and some "integer comparison" issues. edit: see #407 |
I can't apply patch cleanly:
|
Use master ? Patches have been merged. |
I believe this is for the rpm package, master is not good enough. Have you seen why the patch does not apply? |
I am using tag v1.9.2. I don't want to use master for the Fedora package. |
One or 2 things remaining before 1.9.3 :) |
I think this patch can't be applied cleanly to v1.9.2 because it needs previous patches for the reported files. |
Apply it manually, it's quite tiny and will be very easy to apply :) |
Hm, OK :) |
FYI: this problem is still reproducible under some conditions. If I use '..' or '.' inside my path while mounting encfs, I still get Permission denied.
Where are the |
Ben you are right. /disk/script is root owned and has 700 permission and it all makes sense now. It didn't occur to me initially though. Also I was able access files as root but not as other users. Thank you for quick response. |
Hello, I found out the issue in #403. I added a comment there, as it seems not to be working properly.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1487354
Particular home directories are encrypted at once, meaning:
/home/group.encrypted <- encrypted directory
/home/group <- mounted via fuse
inside /home/group several user directories are existing like
/home/group/user1
/home/group/user2
/home/group/user3
...
effective mount options:
encfs on /home/group type fuse.encfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other)
and in this case it looks like 1.9.2 now prevents any write by a normal user, while it still works with 1.9.1:
$ touch test123
touch: cannot touch ‘test123’: Permission denied
effective encfs process:
encfs --public --extpass=cat /etc/opt/encfs/=home=group.encrypt.pass /home/group.encrypt /home/group -o rw,dev,suid
checking with strace, the following lines look like:
[pid 5461] <... setresgid resumed> ) = -1 EPERM (Operation not permitted)
[pid 5458] <... rt_sigreturn resumed> ) = 202
[pid 5461] open("/home/group.encrypt/g9xbJePBJcxv84QVUpc3Zr1i/5oWBWnT4DJTD,,wXsn-OsUmX", O_WRONLY|O_CREAT|O_EXCL, 0100644 <unfinished ...>
[pid 5458] futex(0x7ffd2827ee60, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid 5461] <... open resumed> ) = -1 EACCES (Permission denied)
[pid 5461] <... setresgid resumed> ) = -1 EPERM (Operation not permitted)
[pid 5458] <... rt_sigreturn resumed> ) = 202
[pid 5461] open("/home/group.encrypt/g9xbJePBJcxv84QVUpc3Zr1i/5oWBWnT4DJTD,,wXsn-OsUmX", O_WRONLY|O_CREAT|O_EXCL, 0100644 <unfinished ...>
[pid 5458] futex(0x7ffd2827ee60, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid 5461] <... open resumed> ) = -1 EACCES (Permission denied)
but the directory exists and the unix permissions are proper... and it works with 1.9.1.