
Unexpected permission resolution when used with --public #646

Open
Schuwi opened this issue Feb 1, 2022 · 0 comments


Schuwi commented Feb 1, 2022

My directory structure looks roughly like this:

/home [root:root drwxr-xr-x]
  /schuwi [schuwi:schuwi drwx------]
    /subdir [schuwi:schuwi drwxrwxr-x]
      /encrypted [user-x:group-x drwxrwxr-x]
        /.encfs6.xml [schuwi:schuwi -rw-rw----]
      /decrypted (encfs mounts here)

I am running EncFS 1.9.5 with sudo encfs --public /home/schuwi/subdir/encrypted /home/schuwi/subdir/decrypted.

If I now switch to user-x while inside /home/schuwi/subdir, I can create files in ./encrypted (for the purpose of demonstration):

[user-x@localhost subdir]$ touch encrypted/test
[user-x@localhost subdir]$

but I cannot create files in ./decrypted:

[user-x@localhost subdir]$ touch decrypted/test
touch: cannot touch '/home/schuwi/subdir/decrypted/test': Permission denied
[user-x@localhost subdir]$

When running encfs under strace, the problem appears to be that EncFS uses the absolute path (/home/schuwi/subdir/encrypted/eNcRyPtIoNnOiSeS) to create the underlying file in the encrypted directory. This fails because user-x lacks execute permission on /home/schuwi, while a relative path starting from pwd=/home/schuwi/subdir works fine because it doesn't have to pass through /home/schuwi.

Cropped output of sudo strace -f encfs -vf --public /home/schuwi/containers/matrix/data /home/schuwi/containers/matrix/.decrypted while running sudo setpriv --reuid=100 --regid=82 --clear-groups touch .decrypted/conduit/test in /home/schuwi/containers/matrix:

[pid 74783] write(2, "2022-02-01 12:51:34,630 VERBOSE "..., 1622022-02-01 12:51:34,630 VERBOSE mknod on /home/schuwi/containers/matrix/data/yRt6TErwzE3Fzt8vJhGErmJS/Exg2Q5hv2Z340ssD557O6umF, mode 33188, dev 0 [encfs.cpp:308]
) = 162
[pid 74783] setfsgid(82)                = 0
[pid 74783] setfsuid(100)               = 0
[pid 74783] openat(AT_FDCWD, "/home/schuwi/containers/matrix/data/yRt6TErwzE3Fzt8vJhGErmJS/Exg2Q5hv2Z340ssD557O6umF", O_WRONLY|O_CREAT|O_EXCL, 0100644) = -1 EACCES (Permission denied)
[pid 74783] write(2, "2022-02-01 12:51:34,630 VERBOSE "..., 822022-02-01 12:51:34,630 VERBOSE mknod error: Permission denied [FileNode.cpp:192]
) = 82
[pid 74783] setfsuid(0)                 = 100
[pid 74783] setfsgid(0)                 = 82
[pid 74783] write(2, "2022-02-01 12:51:34,630 VERBOSE "..., 972022-02-01 12:51:34,630 VERBOSE trying public filesystem workaround for /conduit [encfs.cpp:323]
) = 97

Why would I even want to switch to another user in my home directory? In my case I am running Docker containers which internally don't run their code as root, but which I would like to mount inside my home directory.
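The path-resolution behaviour described in this issue can be reproduced without root, a second user, or EncFS at all: the kernel needs search (x) permission on every directory a pathname walks through, and only an absolute path walks through /home/schuwi. The script below is an added example, not code from the issue or from the EncFS project. It builds a throwaway tree shaped like the one above, drops the x bit on the stand-in for /home/schuwi (as an unprivileged user we remove our own x bit, which triggers the same EACCES that user-x gets on a 0700 directory owned by someone else), and then tries three lookups: the absolute path the strace shows EncFS using, a path relative to the caller's cwd, and openat() relative to a directory fd of the backing directory. The third variant is my suggestion for how a privileged daemon could sidestep the problem (open the backing root once before impersonating callers), not a description of any existing EncFS fix. Directory names and the helper names try_create/demo/running_as_root are my own; no hidden fixtures are required.

```python
import errno
import os
import shutil
import tempfile


def running_as_root() -> bool:
    """Root (CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH) skips the search-permission
    check this demo relies on, so the EACCES case cannot be reproduced as uid 0."""
    return os.geteuid() == 0


def try_create(path: str, dir_fd=None) -> str:
    """Create a file with O_WRONLY|O_CREAT|O_EXCL, the same flags the strace in
    the issue shows EncFS using for mknod. Returns "ok" or the errno name."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644, dir_fd=dir_fd)
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    os.close(fd)
    return "ok"


def demo() -> dict:
    """Build a constructed tree shaped like the one in the issue and try the three
    ways of reaching the backing directory. Returns a dict of outcomes."""
    base = tempfile.mkdtemp(prefix="encfs-public-demo-")
    home = os.path.join(base, "home")            # plays /home/schuwi (drwx------)
    subdir = os.path.join(home, "subdir")        # plays /home/schuwi/subdir
    backing = os.path.join(subdir, "encrypted")  # plays the raw EncFS directory
    old_cwd = os.getcwd()
    results = {}
    try:
        for d, mode in ((home, 0o700), (subdir, 0o775), (backing, 0o775)):
            os.mkdir(d)
            os.chmod(d, mode)  # chmod explicitly so the umask cannot interfere

        # What a privileged daemon could do at mount time: hold an fd to the
        # backing directory before it starts impersonating callers (my suggestion,
        # not something EncFS does).
        backing_fd = os.open(backing, os.O_RDONLY | os.O_DIRECTORY)
        # The caller in the issue has pwd=/home/schuwi/subdir.
        os.chdir(subdir)

        # Take away search (x) permission on "home". user-x lacks it because
        # /home/schuwi is 0700 and owned by schuwi; as a single unprivileged user
        # we get the same effect by dropping our own x bit.
        os.chmod(home, 0o600)

        # 1. Absolute path: the lookup must pass through "home" -> EACCES.
        results["absolute"] = try_create(os.path.join(backing, "test-abs"))
        # 2. Relative to cwd: the lookup starts at the already-open cwd inode -> ok.
        results["cwd_relative"] = try_create(os.path.join("encrypted", "test-cwd"))
        # 3. openat() relative to a dirfd of the backing directory -> ok.
        results["dirfd_relative"] = try_create("test-dirfd", dir_fd=backing_fd)

        os.close(backing_fd)
    finally:
        os.chdir(old_cwd)
        if os.path.isdir(home):
            os.chmod(home, 0o700)  # restore x so the tree can be removed
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())
```

Run it as a normal user and "absolute" comes back as EACCES while the other two are "ok"; run as root and all three succeed, because root bypasses directory search checks entirely, which is also why the daemon itself never notices the problem until it calls setfsuid() for the caller.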
