Correctly set gid/uid when allow_other is used #403

Merged
merged 2 commits into from
Oct 1, 2017

benrubson
Contributor

Hi,

This change fixes the setfsgid bug found in #398 and should then fix this issue.

Fix was to run setfsgid before setfsuid, as of course the reverse order can't work.

Ben

@rfjakob
Collaborator

rfjakob commented Sep 30, 2017

But... How could this have worked in earlier versions?

@benrubson
Contributor Author

I think files never got the correct GID?
The correct UID yes, but not the correct GID.

@rfjakob
Collaborator

rfjakob commented Sep 30, 2017

The user in the bugzilla says that downgrading to 1.9.1 fixes the issue. I wonder what happened

@benrubson
Contributor Author

I also reproduced the setfsgid bug (permission denied) with 1.9.1.
Perhaps he's facing another issue, or thanks to perhaps some better error handling in 1.9.2 the correct return code (-1) is returned up to the application?

@benrubson
Contributor Author

I will let you tell me if it's OK for you to merge this 👍

@rfjakob
Collaborator

rfjakob commented Sep 30, 2017

Your explanation makes sense, I'll test this tomorrow morning!

benrubson merged commit e0f10e2 into vgough:master on Oct 1, 2017
benrubson deleted the setgid branch on October 1, 2017 19:44
@Mamak2000

Hi,
I am not sure it is really solved. I mounted a directory from root with the --public option.
I have several users who belong to different groups:

  • louis belongs to famille + parents + enfants + eleonore + apolline
  • ag belongs to famille + parents + enfants + eleonore + apolline
  • eleonore belongs to famille + enfants + eleonore
  • apolline belongs to famille + enfants + apolline

The "famille" group is the primary group. The others are secondary groups.

I am using version 1.9.5 on raspbian (it did not work with the builtin RPM so I added the 1.9.5 .deb package manually for it was supposed to integrate a fix).

I set up several directories as follows:
pi@raspnas:~ $ ls -al /NAS/VISIBLE/donnes_dechiffres2
total 40
drwxrws--- 7 pi famille 4096 oct. 22 22:25 .
drwxr-xr-x 8 root root 4096 oct. 29 21:44 ..
drwxrws--- 3 ag parents 4096 oct. 30 18:35 ag
drwxrws--- 2 eleonore eleonore 4096 oct. 22 21:55 eleonore
drwxrws--- 2 eleonore enfants 4096 oct. 30 18:27 enfants
-rw-rw---- 1 ag famille 17 oct. 22 21:34 fichier_ag.txt
-rw-rw---- 1 eleonore famille 5 oct. 22 21:31 fichier_eleonore.txt
-rw-rw---- 1 louis famille 3 oct. 22 21:30 lkkllk.txt
drwxrws--- 2 louis parents 4096 oct. 31 10:09 louis
drwxrws--- 2 louis parents 4096 oct. 22 21:34 parents

In directories that belong to "famille" any user can read/write and create files/sub-directories.
In directories that belong to "louis:parents", only user "louis" can create new files. User "ag" can read the files or modify existing ones but cannot create new files. I assume it is because the directory belongs to user "louis" as well as group "parents".
In directories that belong to "eleonore:enfants", only user "eleonore" can create a file. Users "louis" and "ag" can modify existing files and read them but cannot create new ones.

Example:

user "louis" tries to create a file in /NAS/VISIBLE/donnes_dechiffres2/ag (that belongs to ag:parents)

root@raspnas:~# encfs --version
encfs version 1.9.5

Directories are encrypted/decrypted with this CLI
root@raspnas:~# encfs -v -f /NAS/.coffre2/ /NAS/VISIBLE/donnes_dechiffres2/ --public

I also tried the switch "-o rw,dev,suid" but it made no difference.
root@raspnas:~# encfs -v -f /NAS/.coffre2/ /NAS/VISIBLE/donnes_dechiffres2/ --public -o rw,dev,suid
2019-10-31 16:58:04,839 VERBOSE Root directory: /NAS/.coffre2/ [main.cpp:686]
2019-10-31 16:58:04,839 VERBOSE Fuse arguments: (fg) (threaded) (keyCheck) (ownerCreate) encfs /NAS/VISIBLE/donnes_dechiffres2/ -f -o allow_other -o rw,dev,suid -o use_ino -o default_permissions [main.cpp:687]
2019-10-31 16:58:04,858 VERBOSE found new serialization format [FileUtils.cpp:299]
2019-10-31 16:58:04,858 VERBOSE subVersion = 20100713 [FileUtils.cpp:313]
2019-10-31 16:58:04,859 VERBOSE checking if ssl/aes(3:0:2) implements ssl/aes(3:0) [Interface.cpp:103]
2019-10-31 16:58:04,859 VERBOSE allocated cipher ssl/aes, keySize 32, ivlength 16 [SSL_Cipher.cpp:395]
2019-10-31 16:58:04,859 VERBOSE useStdin: 0 [FileUtils.cpp:1660]
Mot de passe :
2019-10-31 16:58:12,558 VERBOSE checking if ssl/aes(3:0:2) implements ssl/aes(3:0) [Interface.cpp:103]
2019-10-31 16:58:12,559 VERBOSE allocated cipher ssl/aes, keySize 32, ivlength 16 [SSL_Cipher.cpp:395]
2019-10-31 16:58:15,631 VERBOSE cipher key size = 52 [FileUtils.cpp:1673]
2019-10-31 16:58:15,631 VERBOSE checking if nameio/block(4:0:2) implements nameio/block(4:0) [Interface.cpp:103]

Mount command shows:
encfs on /NAS/VISIBLE/donnes_dechiffres2 type fuse.encfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other)

or this with "-o rw,dev,suid" switch
encfs on /NAS/VISIBLE/donnes_dechiffres2 type fuse.encfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other)

$ id
uid=1002(louis) gid=1001(famille) groupes=1001(famille),46(plugdev),1002(parents),1003(enfants),1006(eleonore),1007(apolline)
$ touch /NAS/VISIBLE/donnes_dechiffres2/ag/fichier_louis.txt
touch: impossible de faire un touch '/NAS/VISIBLE/donnes_dechiffres2/ag/fichier_louis.txt': Permission non accordée

2019-10-31 16:48:45,427 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-10-31 16:48:45,427 VERBOSE created FileNode for /NAS/.coffre2/ [DirNode.cpp:717]
2019-10-31 16:48:45,427 VERBOSE op: getattr : /NAS/.coffre2/ [encfs.cpp:156]
2019-10-31 16:48:45,427 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-10-31 16:48:45,427 VERBOSE created FileNode for /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD [DirNode.cpp:717]
2019-10-31 16:48:45,428 VERBOSE op: getattr : /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD [encfs.cpp:156]
2019-10-31 16:48:45,428 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-10-31 16:48:45,428 DEBUG getAttr error on /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/8tsmeWlCqDHfIcDNNqK6xCH3LzgwQz546isNJHhxnGVLo0: Aucun fichier ou dossier de ce type [RawFileIO.cpp:177]
2019-10-31 16:48:45,428 VERBOSE in setIV, current IV = 0, new IV = 8589455418987121476, fileIV = 0 [CipherFileIO.cpp:88]
2019-10-31 16:48:45,428 VERBOSE created FileNode for /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/8tsmeWlCqDHfIcDNNqK6xCH3LzgwQz546isNJHhxnGVLo0 [DirNode.cpp:717]
2019-10-31 16:48:45,428 VERBOSE op: getattr : /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/8tsmeWlCqDHfIcDNNqK6xCH3LzgwQz546isNJHhxnGVLo0 [encfs.cpp:156]
2019-10-31 16:48:45,428 DEBUG getAttr error on /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/8tsmeWlCqDHfIcDNNqK6xCH3LzgwQz546isNJHhxnGVLo0: Aucun fichier ou dossier de ce type [RawFileIO.cpp:177]
2019-10-31 16:48:45,428 DEBUG op: getattr error: Aucun fichier ou dossier de ce type [encfs.cpp:186]
2019-10-31 16:48:45,429 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-10-31 16:48:45,429 DEBUG getAttr error on /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/8tsmeWlCqDHfIcDNNqK6xCH3LzgwQz546isNJHhxnGVLo0: Aucun fichier ou dossier de ce type [RawFileIO.cpp:177]
2019-10-31 16:48:45,429 VERBOSE in setIV, current IV = 0, new IV = 8589455418987121476, fileIV = 0 [CipherFileIO.cpp:88]
2019-10-31 16:48:45,429 VERBOSE created FileNode for /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/8tsmeWlCqDHfIcDNNqK6xCH3LzgwQz546isNJHhxnGVLo0 [DirNode.cpp:717]
2019-10-31 16:48:45,429 VERBOSE mknod on /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/8tsmeWlCqDHfIcDNNqK6xCH3LzgwQz546isNJHhxnGVLo0, mode 33200, dev 0 [encfs.cpp:308]
2019-10-31 16:48:45,429 VERBOSE mknod error: Permission non accordée [FileNode.cpp:192]
2019-10-31 16:48:45,429 VERBOSE trying public filesystem workaround for /ag [encfs.cpp:323]
2019-10-31 16:48:45,429 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-10-31 16:48:45,429 VERBOSE created FileNode for /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD [DirNode.cpp:717]
2019-10-31 16:48:45,430 VERBOSE mknod error: Permission non accordée [FileNode.cpp:192]
2019-10-31 16:48:45,430 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-10-31 16:48:45,430 DEBUG getAttr error on /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/8tsmeWlCqDHfIcDNNqK6xCH3LzgwQz546isNJHhxnGVLo0: Aucun fichier ou dossier de ce type [RawFileIO.cpp:177]
2019-10-31 16:48:45,430 VERBOSE in setIV, current IV = 0, new IV = 8589455418987121476, fileIV = 0 [CipherFileIO.cpp:88]
2019-10-31 16:48:45,430 VERBOSE created FileNode for /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/8tsmeWlCqDHfIcDNNqK6xCH3LzgwQz546isNJHhxnGVLo0 [DirNode.cpp:717]
2019-10-31 16:48:45,430 VERBOSE op: getattr : /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/8tsmeWlCqDHfIcDNNqK6xCH3LzgwQz546isNJHhxnGVLo0 [encfs.cpp:156]
2019-10-31 16:48:45,430 DEBUG getAttr error on /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/8tsmeWlCqDHfIcDNNqK6xCH3LzgwQz546isNJHhxnGVLo0: Aucun fichier ou dossier de ce type [RawFileIO.cpp:177]
2019-10-31 16:48:45,431 DEBUG op: getattr error: Aucun fichier ou dossier de ce type [encfs.cpp:186]

There is still the mknod error
2019-10-31 16:48:45,430 VERBOSE mknod error: Permission non accordée [FileNode.cpp:192]

Creating a file successfully in a directory that belongs to louis:parents
$ touch /NAS/VISIBLE/donnes_dechiffres2/ag/fichier_louis.txt
touch: impossible de faire un touch '/NAS/VISIBLE/donnes_dechiffres2/ag/fichier_ louis.txt': Permission non accordée
$ touch /NAS/VISIBLE/donnes_dechiffres2/louis/fichier_louis_test2.txt
$

2019-10-31 16:58:51,321 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-10-31 16:58:51,322 VERBOSE created FileNode for /NAS/.coffre2/ [DirNode.cpp:717]
2019-10-31 16:58:51,322 VERBOSE op: getattr : /NAS/.coffre2/ [encfs.cpp:156]
2019-10-31 16:58:51,322 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-10-31 16:58:51,322 VERBOSE created FileNode for /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5 [DirNode.cpp:717]
2019-10-31 16:58:51,322 VERBOSE op: getattr : /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5 [encfs.cpp:156]
2019-10-31 16:58:51,323 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-10-31 16:58:51,323 DEBUG getAttr error on /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0: Aucun fichier ou dossier de ce type [RawFileIO.cpp:177]
2019-10-31 16:58:51,323 VERBOSE in setIV, current IV = 0, new IV = 13102686159142326848, fileIV = 0 [CipherFileIO.cpp:88]
2019-10-31 16:58:51,323 VERBOSE created FileNode for /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0 [DirNode.cpp:717]
2019-10-31 16:58:51,323 VERBOSE op: getattr : /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0 [encfs.cpp:156]
2019-10-31 16:58:51,323 DEBUG getAttr error on /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0: Aucun fichier ou dossier de ce type [RawFileIO.cpp:177]
2019-10-31 16:58:51,324 DEBUG op: getattr error: Aucun fichier ou dossier de ce type [encfs.cpp:186]
2019-10-31 16:58:51,324 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-10-31 16:58:51,324 DEBUG getAttr error on /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0: Aucun fichier ou dossier de ce type [RawFileIO.cpp:177]
2019-10-31 16:58:51,324 VERBOSE in setIV, current IV = 0, new IV = 13102686159142326848, fileIV = 0 [CipherFileIO.cpp:88]
2019-10-31 16:58:51,324 VERBOSE created FileNode for /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0 [DirNode.cpp:717]
2019-10-31 16:58:51,324 VERBOSE mknod on /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0, mode 33200, dev 0 [encfs.cpp:308]
2019-10-31 16:58:51,325 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-10-31 16:58:51,325 VERBOSE in setIV, current IV = 0, new IV = 13102686159142326848, fileIV = 0 [CipherFileIO.cpp:88]
2019-10-31 16:58:51,325 VERBOSE created FileNode for /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0 [DirNode.cpp:717]
2019-10-31 16:58:51,325 VERBOSE open call, requestWrite = 1 [RawFileIO.cpp:121]
2019-10-31 16:58:51,325 VERBOSE open file with flags 131074, result = 4 [RawFileIO.cpp:145]
2019-10-31 16:58:51,325 VERBOSE encfs_open for /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0, flags 133185 [encfs.cpp:655]
2019-10-31 16:58:51,326 VERBOSE op: fgetattr : /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0 [encfs.cpp:156]
2019-10-31 16:58:51,326 VERBOSE op: flush : /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0 [encfs.cpp:156]
2019-10-31 16:58:51,326 VERBOSE open call, requestWrite = 0 [RawFileIO.cpp:121]
2019-10-31 16:58:51,326 VERBOSE using existing file descriptor [RawFileIO.cpp:125]
2019-10-31 16:58:51,326 VERBOSE op: utimens : /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0 [encfs.cpp:96]
2019-10-31 16:58:51,327 VERBOSE op: getattr : /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0 [encfs.cpp:156]
2019-10-31 16:58:51,327 VERBOSE op: flush : /NAS/.coffre2/21FF6VJ2CW4FgxEVP1liVJN5/raGOyJZQbQsMP2mZdd407Py7aU9Mew,u5xr-JdzUYbwom0 [encfs.cpp:156]
2019-10-31 16:58:51,327 VERBOSE open call, requestWrite = 0 [RawFileIO.cpp:121]
2019-10-31 16:58:51,327 VERBOSE using existing file descriptor [RawFileIO.cpp:125]

@benrubson
Contributor Author

Does all this permission plan work as you expect on the same FS used by EncFS, but out of EncFS (so with plain / unencrypted tree)?

@Mamak2000

Hi,
Yes, it does work. At first I wanted to set up a non-encrypted filesystem. Then I decided to go for encfs since I discovered the --public option that was supposed to meet my needs.

So for the record (:p) I duplicated the "decrypted/encrypted" filesystem to another directory in the same tree. This directory has no encryption at all.

groups of user "louis"
$ id
uid=1002(louis) gid=1001(famille) groupes=1001(famille),46(plugdev),1002(parents),1003(enfants),1006(eleonore),1007(apolline)

Listing and permission of subdirectories of the plain/without encryption tree:
==>the whole tree has exactly the same permissions/ownership as the tree of the decrypted folder
$ cd /NAS/TEST/
$ ls -al
total 12
drwxr-xr-x 3 root root 4096 oct. 31 21:59 .
drwxr-xrwx 11 root root 4096 oct. 31 21:58 ..
drwxrws--- 7 pi famille 4096 oct. 31 22:04 test_nature

$ cd test_nature

$ ls -al
total 40
drwxrws--- 7 pi famille 4096 oct. 31 22:00 .
drwxr-xr-x 3 root root 4096 oct. 31 21:59 ..
drwxrws--- 3 ag parents 4096 oct. 30 18:35 ag
drwxrws--- 2 eleonore eleonore 4096 oct. 22 21:55 eleonore
drwxrws--- 2 eleonore enfants 4096 oct. 30 18:27 enfants
-rw-rw---- 1 ag famille 17 oct. 22 21:34 fichier_ag.txt
-rw-rw---- 1 eleonore famille 5 oct. 22 21:31 fichier_eleonore.txt
-rw-rw---- 1 louis famille 3 oct. 22 21:30 lkkllk.txt
drwxrws--- 2 louis parents 4096 oct. 31 16:58 louis
drwxrws--- 2 louis parents 4096 oct. 22 21:34 parents

Current listing of "ag" subdirectory that belongs to ag:parents:
$ ls -al ag
total 20
drwxrws--- 3 ag parents 4096 oct. 30 18:35 .
drwxrws--- 7 pi famille 4096 oct. 31 22:00 ..
-rw-rw-r-- 1 ag parents 0 oct. 30 18:35 fichier_ag_20191030.txt
-rw-rw---- 1 ag parents 18 oct. 22 21:40 fichier_ag.txt
-rw-rw-r-- 1 ag parents 27 oct. 31 09:34 fichier_maman.txt
drwxrws--- 2 ag parents 4096 oct. 30 18:35 sous-rep_ag

Creation of a file as user "louis":
$ touch ag/fichier_louis.txt
No error

Proof that the file was really created
$ ls -al ag
total 20
drwxrws--- 3 ag parents 4096 oct. 31 22:04 .
drwxrws--- 7 pi famille 4096 oct. 31 22:04 ..
-rw-rw-r-- 1 ag parents 0 oct. 30 18:35 fichier_ag_20191030.txt
-rw-rw---- 1 ag parents 18 oct. 22 21:40 fichier_ag.txt
-rw-rw---- 1 louis parents 0 oct. 31 22:04 fichier_louis.txt
-rw-rw-r-- 1 ag parents 27 oct. 31 09:34 fichier_maman.txt
drwxrws--- 2 ag parents 4096 oct. 30 18:35 sous-rep_ag

As you can see, the file is created and its ownership is enforced accordingly.

Creation of a sub-directory by user louis in the same "ag" directory:
$ mkdir ag/sub-directory_made_by_louis
$ ls -al ag
total 24
drwxrws--- 4 ag parents 4096 oct. 31 22:12 .
drwxrws--- 7 pi famille 4096 oct. 31 22:04 ..
-rw-rw-r-- 1 ag parents 0 oct. 30 18:35 fichier_ag_20191030.txt
-rw-rw---- 1 ag parents 18 oct. 22 21:40 fichier_ag.txt
-rw-rw---- 1 louis parents 0 oct. 31 22:04 fichier_louis.txt
-rw-rw-r-- 1 ag parents 27 oct. 31 09:34 fichier_maman.txt
drwxrws--- 2 ag parents 4096 oct. 30 18:35 sous-rep_ag
drwxrws--- 2 louis parents 4096 oct. 31 22:12 sub-directory_made_by_louis

Once again, permission/ownership are enforced accordingly (thanks to the stickybit for the group ownership).

I did not find any clue so far. I thought at first that the permissions of the encrypted tree mattered (location where encfs stores/creates the encrypted files : .coffre2 in my case). Yet, it has the same permissions as my plain directory "test_nature".
root@raspnas:/NAS/TEST# ls -al /NAS
total 60
drwxr-xrwx 11 root root 4096 oct. 31 21:58 .
drwxr-xr-x 23 root root 4096 mai 12 21:40 ..
drwxrws--- 7 pi famille 4096 oct. 22 22:25 .coffre2

This is really confusing

@benrubson
Contributor Author

benrubson commented Oct 31, 2019

As a test, try removing group sticky bit on your folders?

@Mamak2000

This does not make any difference. I also tried to remove the stickybit on the parent folder. Same result. :)

removal of the stickybit on the directory
pi@raspnas:/NAS/VISIBLE/donnes_dechiffres2 $ sudo chmod g-s ag/

pi@raspnas:/NAS/VISIBLE/donnes_dechiffres2 $ sudo ls -al
total 40
drwxrws--- 7 pi famille 4096 oct. 22 22:25 .
drwxr-xr-x 8 root root 4096 oct. 29 21:44 ..
drwxrwx--- 3 ag parents 4096 oct. 30 18:35 ag
drwxrws--- 2 eleonore eleonore 4096 oct. 22 21:55 eleonore
drwxrws--- 2 eleonore enfants 4096 oct. 30 18:27 enfants
-rw-rw---- 1 ag famille 17 oct. 22 21:34 fichier_ag.txt
-rw-rw---- 1 eleonore famille 5 oct. 22 21:31 fichier_eleonore.txt
-rw-rw---- 1 louis famille 3 oct. 22 21:30 lkkllk.txt
drwxrws--- 2 louis parents 4096 oct. 31 16:58 louis
drwxrws--- 2 louis parents 4096 oct. 22 21:34 parents

Attempt to create a new file
$ id
uid=1002(louis) gid=1001(famille) groupes=1001(famille),46(plugdev),1002(parents),1003(enfants),1006(eleonore),1007(apolline)

$ touch /NAS/VISIBLE/donnes_dechiffres2/ag/file_without_stickybit_louis.txt
touch: impossible de faire un touch '/NAS/VISIBLE/donnes_dechiffres2/ag/file_without_stickybit_louis.txt': Permission non accordée

Log failures
2019-11-01 08:29:41,523 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-11-01 08:29:41,524 VERBOSE created FileNode for /NAS/.coffre2/ [DirNode.cpp:717]
2019-11-01 08:29:41,524 VERBOSE op: getattr : /NAS/.coffre2/ [encfs.cpp:156]
2019-11-01 08:29:41,525 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-11-01 08:29:41,525 VERBOSE created FileNode for /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD [DirNode.cpp:717]
2019-11-01 08:29:41,525 VERBOSE op: getattr : /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD [encfs.cpp:156]
2019-11-01 08:29:41,525 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-11-01 08:29:41,525 DEBUG getAttr error on /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/9vdnmQd6ox3UpsnVz3jLsB8xfa-80zHesHi3pGpbZujx5OPPRuACcOOjsww6XslpYi6: Aucun fichier ou dossier de ce type [RawFileIO.cpp:177]
2019-11-01 08:29:41,526 VERBOSE in setIV, current IV = 0, new IV = 14804645751742193187, fileIV = 0 [CipherFileIO.cpp:88]
2019-11-01 08:29:41,526 VERBOSE created FileNode for /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/9vdnmQd6ox3UpsnVz3jLsB8xfa-80zHesHi3pGpbZujx5OPPRuACcOOjsww6XslpYi6 [DirNode.cpp:717]
2019-11-01 08:29:41,526 VERBOSE op: getattr : /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/9vdnmQd6ox3UpsnVz3jLsB8xfa-80zHesHi3pGpbZujx5OPPRuACcOOjsww6XslpYi6 [encfs.cpp:156]
2019-11-01 08:29:41,526 DEBUG getAttr error on /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/9vdnmQd6ox3UpsnVz3jLsB8xfa-80zHesHi3pGpbZujx5OPPRuACcOOjsww6XslpYi6: Aucun fichier ou dossier de ce type [RawFileIO.cpp:177]
2019-11-01 08:29:41,526 DEBUG op: getattr error: Aucun fichier ou dossier de ce type [encfs.cpp:186]
2019-11-01 08:29:41,526 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-11-01 08:29:41,527 DEBUG getAttr error on /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/9vdnmQd6ox3UpsnVz3jLsB8xfa-80zHesHi3pGpbZujx5OPPRuACcOOjsww6XslpYi6: Aucun fichier ou dossier de ce type [RawFileIO.cpp:177]
2019-11-01 08:29:41,527 VERBOSE in setIV, current IV = 0, new IV = 14804645751742193187, fileIV = 0 [CipherFileIO.cpp:88]
2019-11-01 08:29:41,527 VERBOSE created FileNode for /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/9vdnmQd6ox3UpsnVz3jLsB8xfa-80zHesHi3pGpbZujx5OPPRuACcOOjsww6XslpYi6 [DirNode.cpp:717]
2019-11-01 08:29:41,527 VERBOSE mknod on /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/9vdnmQd6ox3UpsnVz3jLsB8xfa-80zHesHi3pGpbZujx5OPPRuACcOOjsww6XslpYi6, mode 33200, dev 0 [encfs.cpp:308]
2019-11-01 08:29:41,527 VERBOSE mknod error: Permission non accordée [FileNode.cpp:192]
2019-11-01 08:29:41,527 VERBOSE trying public filesystem workaround for /ag [encfs.cpp:323]
2019-11-01 08:29:41,527 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-11-01 08:29:41,527 VERBOSE created FileNode for /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD [DirNode.cpp:717]
2019-11-01 08:29:41,527 VERBOSE mknod error: Permission non accordée [FileNode.cpp:192]
2019-11-01 08:29:41,528 VERBOSE fs block size = 1024, macBytes = 8, randBytes = 0 [MACFileIO.cpp:70]
2019-11-01 08:29:41,528 DEBUG getAttr error on /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/9vdnmQd6ox3UpsnVz3jLsB8xfa-80zHesHi3pGpbZujx5OPPRuACcOOjsww6XslpYi6: Aucun fichier ou dossier de ce type [RawFileIO.cpp:177]
2019-11-01 08:29:41,528 VERBOSE in setIV, current IV = 0, new IV = 14804645751742193187, fileIV = 0 [CipherFileIO.cpp:88]
2019-11-01 08:29:41,528 VERBOSE created FileNode for /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/9vdnmQd6ox3UpsnVz3jLsB8xfa-80zHesHi3pGpbZujx5OPPRuACcOOjsww6XslpYi6 [DirNode.cpp:717]
2019-11-01 08:29:41,528 VERBOSE op: getattr : /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/9vdnmQd6ox3UpsnVz3jLsB8xfa-80zHesHi3pGpbZujx5OPPRuACcOOjsww6XslpYi6 [encfs.cpp:156]
2019-11-01 08:29:41,528 DEBUG getAttr error on /NAS/.coffre2/LdYx8Yq9kAejV6SmqunnwFXD/9vdnmQd6ox3UpsnVz3jLsB8xfa-80zHesHi3pGpbZujx5OPPRuACcOOjsww6XslpYi6: Aucun fichier ou dossier de ce type [RawFileIO.cpp:177]
2019-11-01 08:29:41,528 DEBUG op: getattr error: Aucun fichier ou dossier de ce type [encfs.cpp:186]

@slackner

slackner commented Nov 4, 2019

The problem is that encfs does not properly handle supplementary groups yet. See rfjakob/gocryptfs#394 for a discussion on how this was solved in gocryptfs.
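
The failure pattern reported in this thread follows from how Linux picks exactly one permission class (owner, group or other) for a process whose filesystem UID and primary GID were switched but whose supplementary groups were not. The model below is an added example, not EncFS or gocryptfs code; the UIDs for pi, ag and eleonore are constructed (the thread only shows louis's `id` output), and it assumes the daemon's own supplementary group list is empty.

```python
from dataclasses import dataclass

# IDs taken from louis's `id` output in the thread.
UID_LOUIS, GID_FAMILLE, GID_PARENTS = 1002, 1001, 1002
GID_ENFANTS, GID_ELEONORE = 1003, 1006
LOUIS_GROUPS = frozenset({1001, 46, 1002, 1003, 1006, 1007})
# Constructed UIDs: the thread does not show them.
UID_PI, UID_AG, UID_ELEONORE = 2000, 2001, 2002


@dataclass(frozen=True)
class Creds:
    fsuid: int
    fsgid: int
    groups: frozenset  # supplementary groups of the process making the syscall


@dataclass(frozen=True)
class Dir:
    uid: int
    gid: int
    mode: int


# Ownership and mode (drwxrws--- = 0o2770) from the `ls -al` listing in the thread.
TREE = {
    ".": Dir(UID_PI, GID_FAMILLE, 0o2770),
    "ag": Dir(UID_AG, GID_PARENTS, 0o2770),
    "eleonore": Dir(UID_ELEONORE, GID_ELEONORE, 0o2770),
    "enfants": Dir(UID_ELEONORE, GID_ENFANTS, 0o2770),
    "louis": Dir(UID_LOUIS, GID_PARENTS, 0o2770),
    "parents": Dir(UID_LOUIS, GID_PARENTS, 0o2770),
}


def may_create(creds, d):
    """True if creds may create an entry in directory d.

    Exactly one class applies: owner, else group, else other. The model
    assumes no CAP_DAC_OVERRIDE is in effect, which holds for a process
    whose fsuid has been switched away from 0.
    """
    if creds.fsuid == d.uid:
        bits = (d.mode >> 6) & 0o7
    elif creds.fsgid == d.gid or d.gid in creds.groups:
        bits = (d.mode >> 3) & 0o7
    else:
        bits = d.mode & 0o7
    return bits & 0o3 == 0o3  # write + search are needed on the directory


def report(creds):
    """Map each directory name to whether creds can create a file in it."""
    return {name: may_create(creds, d) for name, d in TREE.items()}


# louis working directly on the unencrypted tree.
direct = Creds(UID_LOUIS, GID_FAMILLE, LOUIS_GROUPS)
# Daemon that adopted only the caller's uid and primary gid (assumption).
uid_gid_only = Creds(UID_LOUIS, GID_FAMILLE, frozenset())
# Daemon that also adopted the caller's supplementary groups.
with_groups = Creds(UID_LOUIS, GID_FAMILLE, LOUIS_GROUPS)

if __name__ == "__main__":
    cases = [("plain tree", direct), ("uid/gid only", uid_gid_only),
             ("with groups", with_groups)]
    for label, creds in cases:
        print(f"{label:13}", report(creds))
```

With only uid and primary gid switched, creation succeeds in the `famille` directory and in the directories louis owns, and fails in `ag`, `enfants` and `eleonore`, where access depends on a supplementary group.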

@Mamak2000

Thank you for your answer in the gocryptfs thread. So I migrated to gocryptfs instead of encfs, for I understand there is little chance that this gets solved in encfs in the near future :)
