Reverse mount with exclude-wildcard gives errors accessing .conf and .name virtual files
I'm setting up an encrypted backup using gocryptfs in reverse mode using rsync on a remote system. Since I need to back up just some of the directories in the backup area, I use the exclude wildcard option, but I get several errors from rsync and I find myself with a non-working/non-forward mountable copy of my original data.
With several tests I tracked down the issue to be related to the initial '*' excluding pattern acting also on the .conf and .name files that gocryptfs generates in the encrypted filesystem. An explicit inclusion of the unencrypted version of the missing files is a possible workaround. This is quite easy for the gocryptfs.conf file (just force inclusion of '/.gocryptfs.reverse.conf'), but is not a viable solution for the long named files, since they don't have a specific name pattern to match.
Steps to reproduce
Test setup:
~/gocryptfs# ./gocryptfs -version
gocryptfs v2.3 without_openssl; go-fuse v2.1.1-0.20211219085202-934a183ed914; 2022-08-28 go1.19 linux/amd64
~/gocryptfs# tree test-plain
test-plain
├── dir1
│ ├── dir11
│ │ └── file11
│ ├── file1
│ └── verylongfilename01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
└── file
2 directories, 4 files
Create the reverse config:
~/gocryptfs# ./gocryptfs -init -reverse -deterministic-names test-plain
Choose a password for protecting your files.
Password:
Repeat:
[...]
The gocryptfs-reverse filesystem has been created successfully.
You can now mount it using: gocryptfs -reverse test-plain MOUNTPOINT
~/gocryptfs# cat test-plain/.gocryptfs.reverse.conf
{
"Creator": "gocryptfs v2.3",
"EncryptedKey": "...",
"ScryptObject": {
"Salt": "...",
"N": 65536,
"R": 8,
"P": 1,
"KeyLen": 32
},
"Version": 2,
"FeatureFlags": [
"HKDF",
"GCMIV128",
"EMENames",
"LongNames",
"Raw64",
"AESSIV"
]
}
Mount and check the encrypted view:
~/gocryptfs# ./gocryptfs -reverse test-plain test-enc
Password:
Decrypting master key
Filesystem mounted and ready.
~/gocryptfs# tree test-enc
test-enc
├── gocryptfs.conf
├── sVjuCC08FJ0SchCYko6X6w
│ ├── 6nHXRbN15Cv32xD5Hn4xcA
│ │ └── xX9ByX2IV_Bo52Ze-PeRiA
│ ├── gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg
│ ├── gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name
│ └── kK9v-XKfJhf4y1gIWz2QlA
└── wUiJGXoKI4fX5xmeIXr3QQ
2 directories, 6 files
So far so good. Now I want to view only the 'dir1' directory, so I mount with the exclude-wildcard option:
~/gocryptfs# fusermount -u test-enc
~/gocryptfs# ./gocryptfs -reverse -ew '*' -ew '!/dir1' test-plain test-enc
Password:
Decrypting master key
Filesystem mounted and ready.
And things start going weird:
~/gocryptfs# tree test-enc
test-enc
└── sVjuCC08FJ0SchCYko6X6w
    ├── 6nHXRbN15Cv32xD5Hn4xcA
    │   └── xX9ByX2IV_Bo52Ze-PeRiA
    ├── gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg
    └── kK9v-XKfJhf4y1gIWz2QlA
2 directories, 3 files
The gocryptfs.conf file is missing in the directory listing but it is actually there:
~/gocryptfs# ls -la test-enc
total 4
drwxr-xr-x 3 root root 4096 Sep 1 02:47 sVjuCC08FJ0SchCYko6X6w
~/gocryptfs# stat test-enc/gocryptfs.conf
File: test-enc/gocryptfs.conf
Size: 385 Blocks: 8 IO Block: 4096 regular file
Device: 2bh/43d Inode: 787182 Links: 1
Access: (0400/-r--------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2022-09-01 02:18:36.320950194 +0200
Modify: 2022-09-01 02:18:36.320950194 +0200
Change: 2022-09-01 02:18:36.320950194 +0200
Birth: -
~/gocryptfs# cat test-enc/gocryptfs.conf
{
"Creator": "gocryptfs v2.3",
[...]
}
The .name files associated with long filenames are present in the dir listing but not accessible:
~/gocryptfs# ls -la test-enc/sVjuCC08FJ0SchCYko6X6w
ls: cannot access 'test-enc/sVjuCC08FJ0SchCYko6X6w/gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name': Operation not permitted
total 12
drwxr-xr-x 2 root root 4096 Aug 24 12:07 6nHXRbN15Cv32xD5Hn4xcA
-rw-r--r-- 1 root root 76 Sep 1 02:45 gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg
-????????? ? ? ? ? ? gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name
-rw-r--r-- 1 root root 56 Aug 24 12:06 kK9v-XKfJhf4y1gIWz2QlA
~/gocryptfs# cat test-enc/sVjuCC08FJ0SchCYko6X6w/gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name
cat: test-enc/sVjuCC08FJ0SchCYko6X6w/gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name: Operation not permitted
Explicitly adding an exclusion for the conf and the long-named file works as a workaround:
~/gocryptfs# fusermount -u test-enc
~/gocryptfs# ./gocryptfs -reverse -ew '*' -ew '!/dir1' -ew '!/.gocryptfs.reverse.conf' -ew '!verylong*' test-plain test-enc
Password:
Decrypting master key
Filesystem mounted and ready.
Now everything seems as expected:
~/gocryptfs# tree test-enc
test-enc
├── gocryptfs.conf
└── sVjuCC08FJ0SchCYko6X6w
    ├── 6nHXRbN15Cv32xD5Hn4xcA
    │   └── xX9ByX2IV_Bo52Ze-PeRiA
    ├── gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg
    ├── gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name
    └── kK9v-XKfJhf4y1gIWz2QlA
2 directories, 5 files
~/gocryptfs# ls -la test-enc
total 8
-r-------- 1 root root 385 Sep 1 02:18 gocryptfs.conf
drwxr-xr-x 3 root root 4096 Sep 1 02:47 sVjuCC08FJ0SchCYko6X6w
~/gocryptfs# cat test-enc/sVjuCC08FJ0SchCYko6X6w/gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name
j4i_LytAOc8i3MFfzpPz4XcJBgfM4SG0nTeR7f9mvf4uxlhRS2nW4tlBz3fW4zNGu4jRYBWePJKwNAyCBguM6K2qSRGGfUB5N98CRxiYyZGil8iqzQwCA0LObcHC3Ee-lqwuwG6PWmTxtWiMn4bhC0RSu5e5RqhLtxxzvrw7DuhTfplVFlTtlm2B1LWHMjLnRc9V13aBDf3BUFmL0S_09ybgHO97yY2hiNJzM1hvLULypWitcuY22pnd4b-yditw
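A pre-flight check for the failure reported above, as an added example that is not part of the original report or of gocryptfs: it confirms that the encrypted view lists a readable `gocryptfs.conf` and that every `gocryptfs.longname.*` entry has a readable `.name` companion before the view is handed to rsync. The function name `check_reverse_view` and the demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not gocryptfs code): verify a reverse-mode view is restorable
# before copying it. check_reverse_view is a hypothetical helper name.
check_reverse_view() {
    view=$1
    problems=0

    # rsync copies what readdir() returns, so gocryptfs.conf must be *listed*,
    # not merely reachable by name as in the stat/cat output above.
    if ! ls -A "$view" | grep -Fqx 'gocryptfs.conf'; then
        echo "NOT LISTED: $view/gocryptfs.conf"
        problems=$((problems + 1))
    elif ! cat "$view/gocryptfs.conf" >/dev/null 2>&1; then
        echo "UNREADABLE: $view/gocryptfs.conf"
        problems=$((problems + 1))
    fi

    # Every gocryptfs.longname.X entry (file or directory) needs a readable
    # gocryptfs.longname.X.name companion, or its real name is unrecoverable.
    list=$(mktemp)
    find "$view" -name 'gocryptfs.longname.*' ! -name '*.name' \
        >"$list" 2>/dev/null || true
    while IFS= read -r entry; do
        if ! cat "$entry.name" >/dev/null 2>&1; then
            echo "UNREADABLE: $entry.name"
            problems=$((problems + 1))
        fi
    done <"$list"
    rm -f "$list"

    [ "$problems" -eq 0 ]
}

# Constructed demo: a fake view that lacks gocryptfs.conf and one .name file.
demo=$(mktemp -d)
mkdir "$demo/encdir"
echo data >"$demo/encdir/gocryptfs.longname.EXAMPLE"
check_reverse_view "$demo" || echo "view is incomplete, do not back it up"
rm -rf "$demo"
```

Run it against the mountpoint (for example `check_reverse_view test-enc`) and skip the rsync step when it returns non-zero.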
Is there any update on this issue? I have run into a similar problem while creating a backup and sadly just ignoring long file names isn't something I can easily do...