Unexpected permission resolution when used with `--public`
My directory structure kind of looks like this
```
/home [root:root drwxr-xr-x]
  /schuwi [schuwi:schuwi drwx------]
    /subdir [schuwi:schuwi drwxrwxr-x]
      /encrypted [user-x:group-x drwxrwxr-x]
        /.encfs6.xml [schuwi:schuwi -rw-rw----]
      /decrypted (encfs mounts here)
```
I am running EncFS 1.9.5 with `sudo encfs --public /home/schuwi/subdir/encrypted /home/schuwi/subdir/decrypted`.
If I now switch to user-x while inside `/home/schuwi/subdir` I can create files in `./encrypted` (for the purpose of demonstration):
```
[user-x@localhost subdir]$ touch encrypted/test
[user-x@localhost subdir]$
```
but I cannot create files in `./decrypted`:
```
[user-x@localhost subdir]$ touch decrypted/test
touch: cannot touch '/home/schuwi/subdir/decrypted/test': Permission denied
[user-x@localhost subdir]$
```
When running encfs with strace, the problem appears to be that EncFS uses the absolute path (`/home/schuwi/subdir/encrypted/eNcRyPtIoNnOiSeS`) to create the underlying file in the encrypted directory, which fails because of the missing execute permission for user-x in `/home/schuwi`, while using a relative path starting from `pwd=/home/schuwi/subdir` works fine because it doesn't have to pass through `/home/schuwi`.
Cropped output of `sudo strace -f encfs -vf --public /home/schuwi/containers/matrix/data /home/schuwi/containers/matrix/.decrypted` while running `sudo setpriv --reuid=100 --regid=82 --clear-groups touch .decrypted/conduit/test` in `/home/schuwi/containers/matrix`:
```
[pid 74783] write(2, "2022-02-01 12:51:34,630 VERBOSE "..., 1622022-02-01 12:51:34,630 VERBOSE mknod on /home/schuwi/containers/matrix/data/yRt6TErwzE3Fzt8vJhGErmJS/Exg2Q5hv2Z340ssD557O6umF, mode 33188, dev 0 [encfs.cpp:308]
) = 162
[pid 74783] setfsgid(82) = 0
[pid 74783] setfsuid(100) = 0
[pid 74783] openat(AT_FDCWD, "/home/schuwi/containers/matrix/data/yRt6TErwzE3Fzt8vJhGErmJS/Exg2Q5hv2Z340ssD557O6umF", O_WRONLY|O_CREAT|O_EXCL, 0100644) = -1 EACCES (Permission denied)
[pid 74783] write(2, "2022-02-01 12:51:34,630 VERBOSE "..., 822022-02-01 12:51:34,630 VERBOSE mknod error: Permission denied [FileNode.cpp:192]
) = 82
[pid 74783] setfsuid(0) = 100
[pid 74783] setfsgid(0) = 82
[pid 74783] write(2, "2022-02-01 12:51:34,630 VERBOSE "..., 972022-02-01 12:51:34,630 VERBOSE trying public filesystem workaround for /conduit [encfs.cpp:323]
) = 97
```
Why would I even want to switch to another user in my home directory? In my case I am running docker containers which internally don't run their code as root but which I would like to mount inside my home directory.
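
The difference between absolute and relative resolution described in this report can be checked without EncFS. The following is an added example, not code from the original post or from EncFS: it walks every directory between a starting point and a target and reports the first one that denies search (x) permission to a given uid/gid set. It models only the classic owner/group/other mode bits (no ACLs, no root or capability bypass), and the tree, uid and gid in `demo()` are constructed.

```python
import os
import tempfile

def can(st, uid, gids, bit):
    """Owner/group/other check for one rwx bit (4, 2 or 1). Assumption: no ACLs, uid is not root."""
    if uid == st.st_uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & bit)

def first_blocked(start, target_dir, uid, gids):
    """Resolve target_dir (which must lie under start) one component at a time.

    Returns the first directory denying search (x) to uid/gids, target_dir
    itself if it denies write, or None if a file could be created there.
    """
    start, target_dir = os.path.abspath(start), os.path.abspath(target_dir)
    rel = os.path.relpath(target_dir, start)
    chain = [start]
    for part in ([] if rel == "." else rel.split(os.sep)):
        chain.append(os.path.join(chain[-1], part))
    for directory in chain:
        if not can(os.stat(directory), uid, gids, 1):
            return directory
    if not can(os.stat(target_dir), uid, gids, 2):
        return target_dir
    return None

def demo():
    """Constructed tree mirroring the report: top/schuwi (0700)/subdir (0775)/encrypted."""
    top = os.path.realpath(tempfile.mkdtemp())
    os.chmod(top, 0o755)
    home = os.path.join(top, "schuwi")
    subdir = os.path.join(home, "subdir")
    enc = os.path.join(subdir, "encrypted")
    os.makedirs(enc)
    os.chmod(home, 0o700)    # like /home/schuwi: no search permission for others
    os.chmod(subdir, 0o775)
    os.chmod(enc, 0o777)     # stand-in for user-x owning "encrypted" (no chown without root)
    st = os.stat(enc)
    uid, gids = st.st_uid + 1, {st.st_gid + 1}           # constructed "other" identity
    absolute = first_blocked(top, enc, uid, gids)        # resolution from the top, as with an absolute path
    relative = first_blocked(subdir, enc, uid, gids)     # resolution from cwd=subdir
    return home, absolute, relative
```

`demo()` returns the blocking directory for the walk from the top (the 0700 home directory) and `None` for the walk that starts in `subdir`, matching the EACCES on the absolute `openat` in the strace output above.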