Issue #15: the encodeName functions fail to verify that the buffer length can
store encoded filenames.
For good measure and interface consistency, also check the decodeName function.
Since commit 82ceb88998 removed
libfuse permissions checking, this function has caused read-only
files to become writeable.
There seems to be no valid use case for writing to a read-only file (anymore?),
so remove the function.
Fixes issue 112.
It's possible to mount this filesystem in a descendant of the real
(source) filesystem. For instance, one could do this:
encfs --reverse / /home/encrypted/rootfs
At that point, all files in `/` (like `/root/.bashrc`) are also in
`/home/encrypted/rootfs` (like `/home/encrypted/rootfs/root/.bashrc`).
This can be useful when you want to export an encrypted copy of the
filesystem: the remote backup machine can fetch any file, but all files
will be encrypted.
However, the mountpoint itself is also there:
/home/encrypted/rootfs/home/encrypted/rootfs
This would cause a `find /` of the filesystem to take infinite time. And
what's worse, trying to read files from there would cause the filesystem
to lock up:
cat /home/encrypted/rootfs/home/encrypted/rootfs/root/.bashrc
(infinite hang)
This patch adds an extra check so the filesystem refuses to descend into
itself.
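As an added illustration (not the project's own patch), a standalone check of the kind described above: given the plaintext source root, the mount point and a FUSE-relative path, it decides whether the request would resolve to the mount point or something beneath it. Function names are hypothetical; the comparison is done on whole path components so that a sibling such as `rootfs2` is not mistaken for the mount point.

```cpp
#include <string>
#include <vector>

// Split an absolute path into its non-empty components, so that
// "/home//encrypted/rootfs/" becomes {"home", "encrypted", "rootfs"}.
// FUSE never hands us "." or ".." components, so they are not resolved here.
static std::vector<std::string> splitPath(const std::string &path) {
    std::vector<std::string> parts;
    std::string cur;
    for (char c : path) {
        if (c == '/') {
            if (!cur.empty()) { parts.push_back(cur); cur.clear(); }
        } else {
            cur += c;
        }
    }
    if (!cur.empty()) parts.push_back(cur);
    return parts;
}

// True if `path` equals `prefix` or lies below it. Comparing components
// (not raw string prefixes) keeps "/home/encrypted/rootfs2" outside
// "/home/encrypted/rootfs".
static bool isAtOrBelow(const std::vector<std::string> &prefix,
                        const std::vector<std::string> &path) {
    if (path.size() < prefix.size()) return false;
    for (size_t i = 0; i < prefix.size(); ++i)
        if (path[i] != prefix[i]) return false;
    return true;
}

// Hypothetical helper: would a FUSE request (paths are anchored at "/",
// meaning the mount root) land on the mount point itself or beneath it
// once mapped into the plaintext source tree? If so the caller should
// refuse it (e.g. with ENOENT) instead of descending into the mount.
bool wouldDescendIntoSelf(const std::string &sourceRoot,
                          const std::string &mountPoint,
                          const std::string &fuseRelativePath) {
    std::vector<std::string> source = splitPath(sourceRoot);
    std::vector<std::string> mount = splitPath(mountPoint);
    // If the mount point is not inside the source tree it can never be
    // reached through the mount, so there is nothing to refuse.
    if (!isAtOrBelow(source, mount)) return false;
    std::vector<std::string> target = source;
    for (const std::string &p : splitPath(fuseRelativePath))
        target.push_back(p);
    return isAtOrBelow(mount, target);
}
```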
This patch implements the workaround proposed by
https://defuse.ca/audits/encfs.htm to create a --require-macs command
line argument. If this argument is passed, encfs will refuse to mount
with MACs disabled. When creating a filesystem, encfs will force MACs to
be enabled.
Addressed CR comments, and added docs.
It is only needed when "-o allow_other" is specified.
"-o default_permissions" causes libfuse to check file access
in userspace. This costs CPU cycles and causes additional
stat() calls - libfuse has to walk up the whole path to check
for "x" permissions on directories.
This improves "make benchmark-reverse" performance
by 30% when caching is disabled. It also gives a slight
improvement with caches on.
Before:
tests/benchmark-reverse.pl /var/tmp
* rsync 1 (initial copy)... 12179 ms
* rsync 2 (no changes)... 1840 ms
cleaning up... done
tests/benchmark-reverse.pl /var/tmp --nocache
* rsync 1 (initial copy)... 30696 ms
* rsync 2 (no changes)... 10552 ms
cleaning up... done
After:
tests/benchmark-reverse.pl /var/tmp
* rsync 1 (initial copy)... 12095 ms
* rsync 2 (no changes)... 1693 ms
cleaning up... done
tests/benchmark-reverse.pl /var/tmp --nocache
* rsync 1 (initial copy)... 21266 ms
* rsync 2 (no changes)... 6486 ms
cleaning up... done
Commit 76424a58cb enabled unique IV
for reverse mode by default, to get more testing and to increase
security of reverse mode.
The downside is that all IVs change when the inode numbers change,
which means that all of the ciphertext changes.
This may bite people who copied the plaintext to a new filesystem
- they will find out that they have to rsync everything again.
This commit disables unique IV for reverse mode by default. It can
still be enabled through expert mode.
Disabling the kernel cache makes sure the encrypted view is always
up-to-date; however, it causes a factor 3 slowdown.
Please use --nocache manually if you want to disable caching.
Closes #60.
Also replaces the magic identifiers 513 and 514 by proper defines.
This removes the need for a translated prompt. Fixes issue #20.
Also,
* merge boolDefaultNo() and boolDefaultYes() into boolDefault()
* do not accept arbitrary answers, but prompt again
In reverse mode, this caused symlinks pointing to the absolute
plaintext directory to be stripped. This is what the test in
commit
tests: reverse: symlink absolute path inside the plaintext dir
checks for.
Ignoring encfsctl, plainPath() is only called from encfs.cpp, in
_do_readlink() and _do_getattr(). Both functions get the path passed in from
FUSE. Paths from FUSE are always anchored at the mountpoint (they start with
"/", and "/" means the root of the mount). This suggests that the check can
never trigger - I have verified that it does not trigger when running the
test suite.
With this patch, the full test suite passes.
Writing to the ciphertext files can rewrite the header. This
would mean we had to re-encrypt the whole file with the new IV.
This could be made more fine-grained, for example allowing
writes to everywhere but the header. However, this is
something that needs a lot of testing to ensure correctness.
Writing to the ciphertext is a niche use case of the niche
use case of using reverse mode, so it is unlikely it would
get the test coverage it needs.
To be safe, we deny all modifications of the ciphertext with
read-only filesystem error (EROFS) if uniqueIV is enabled.
Reverse mode with uniqueIV disabled still supports writing,
if somebody really needs it. This use case is not covered
by the test suite at the moment.
For now, the IVs are constant. This is fixed in a later commit.
They are enabled by default to make testing easier.
The whole thing passes the test suite on x86 and x86_64.
Disable block cache (in EncFS) and stat cache (in kernel).
This is needed if the backing files may be modified
behind the back of EncFS (for example, when you mount
an encrypted filesystem exported by encfs --reverse).
The reverse grow tests fail when this option is not passed to the
decrypting mount.
By default, the kernel caches file metadata for one second.
This is fine for EncFS' normal mode, but for --reverse, this
means that the encrypted view will be up to one second out of
date.
This causes the reverse grow tests to fail because stale stat()
data is returned.
This is something that should really not happen; it makes
sense to have the user examine the situation himself.
Behavior was:
23:00:42 (FileUtils.cpp:379) Archive exception: XML start/end tag mismatch - uniqueIV
23:00:42 (FileUtils.cpp:337) Found config file /tmp/a/ciphertext/.encfs6.xml, but failed to load
Creating new encrypted volume.
Please choose from one of the following options:
...
Now it exits with:
23:13:04 (FileUtils.cpp:337) Found config file /tmp/a/ciphertext/.encfs6.xml, but failed to load - exiting
Use "make test" or "make test-verbose" to run.
Note that "make test" seems to be more common than "make tests", hence the
change.
Also, use a new clean directory as a working area for each run,
created using mkdtemp and deleted in cleanup().
Used to fail with
Unsuccessful stat on filename containing newline at tests.t line 196.
umount: /tmp/crypt-11388: Permission denied
not ok 44 - unmount ok, mount point removed
# Failed test 'unmount ok, mount point removed'
# at tests.t line 205
Now all tests pass.
Error was:
/usr/bin/pod2man --section=1 --release=1.7.5 --center="Encrypted Filesystem" encfsctl.pod encfsctl.1
encfsctl.pod around line 1: =cut found outside a pod block. Skipping to next block.
POD document had syntax errors at /usr/bin/pod2man line 69.
make[2]: *** [encfsctl.1] Error 255