rfjakob / gocryptfs

Encrypted overlay filesystem written in Go
https://nuetzlich.net/gocryptfs/
MIT License
3.47k stars 247 forks

chown fails #638

Closed balupton closed 2 years ago

balupton commented 2 years ago

Recently, I'm not sure since which head version, I've noticed that any chmod or chown command inside the following gocryptfs mount fails with "Operation not permitted":

gocryptfs --rw --noprealloc --allow_other --force_owner 1001:1002 /mnt/tank/TankCipher /media/TankSecure

Originally posted by @balupton in https://github.com/rfjakob/gocryptfs/issues/629#issuecomment-1009145874 which did not resolve the issue.

balupton commented 2 years ago

With some debugging, it seems this is actually intentional and desired behaviour:

> cd /media/TankSecure/
> mkdir test-dir
> cd test-dir/

> ls -la
total 0
drwxrwxr-x 1 user-share-liturgy group-share-liturgy  74 Jan 11 03:30 .
drwxrwxr-x 1 user-share-liturgy group-share-liturgy 586 Jan 11 03:30 ..
-rw-rw-r-- 1 user-share-liturgy group-share-liturgy   0 Jan 11 03:30 a.txt

Chowns fail, even to the same user and group as the forced owner, which is fine:

> chown --recursive --changes user-share-liturgy:group-share-liturgy .
chown: changing ownership of './a.txt': Operation not permitted
chown: changing ownership of '.': Operation not permitted

> sudo chown --recursive --changes user-share-liturgy:group-share-liturgy .
chown: changing ownership of './a.txt': Operation not permitted
chown: changing ownership of '.': Operation not permitted

> sudo --user=user-share-liturgy --group=group-share-liturgy -- chown --recursive --changes user-share-liturgy:group-share-liturgy .
chown: changing ownership of './a.txt': Operation not permitted
chown: changing ownership of '.': Operation not permitted

Chmods fail, but sudo works:

> chmod 755 a.txt 
chmod: changing permissions of 'a.txt': Operation not permitted

> sudo chmod 755 a.txt

> sudo --user=user-share-liturgy --group=group-share-liturgy -- chmod 766 a.txt

I'll need to update my helper scripts accordingly.

Perhaps it would be good for chowns to not fail if set to the same owner/group as the forced one.

balupton commented 2 years ago

Hrmmm, even without force owner, chowns are failing:

> gocryptfs --rw --noprealloc --allow_other /mnt/tank/TankCipher /media/TankSecure
> cd /media/TankSecure/test-dir/
> ls -la
total 0
drwxrwxr-x 1 user-share-liturgy group-share-liturgy  74 Jan 11 03:30 .
drwxrwxr-x 1 user-share-liturgy group-share-liturgy 586 Jan 11 03:30 ..
-rwxrwxrw- 1 user-share-liturgy group-share-liturgy   0 Jan 11 03:30 a.txt

>  chown --recursive --changes user-share-liturgy:group-share-liturgy .
chown: changing ownership of './a.txt': Operation not permitted
chown: changing ownership of '.': Operation not permitted

>  sudo chown --recursive --changes user-share-liturgy:group-share-liturgy .
chown: changing ownership of './a.txt': Operation not permitted
chown: changing ownership of '.': Operation not permitted

> sudo --user=user-share-liturgy --group=group-share-liturgy -- chown --recursive --changes user-share-liturgy:group-share-liturgy .
chown: changing ownership of './a.txt': Operation not permitted
chown: changing ownership of '.': Operation not permitted

balupton commented 2 years ago

Perhaps it is due to user error from:

https://github.com/rfjakob/gocryptfs/issues/451#issuecomment-592735687

Would this be a better approach?

sudo --user=user-share-liturgy --group=group-share-liturgy -- gocryptfs --rw --noprealloc --allow_other /mnt/tank/TankCipher /media/TankSecure

^ has no effect on changing permissions from one user to another, but no longer fails when attempting to change permissions from --user=user-share-liturgy --group=group-share-liturgy to itself.


Tested the suggestions.

What worked was:

sudo -- gocryptfs --rw --noprealloc --allow_other /mnt/tank/TankCipher /media/TankSecure

As well as:

sudo -- gocryptfs --rw --noprealloc --allow_other --force_owner 1001:1002 /mnt/tank/TankCipher /media/TankSecure
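The pattern in this thread (chown fails even for root while the mount is run by an ordinary user, chown to oneself works only when the mount is run as that user, and everything works when the mount is run as root) follows from how a FUSE request is processed: the kernel checks the caller against the ownership the mount displays, then the daemon forwards the request to the cipherdir file using its own credentials, so `sudo` on the command inside the mount cannot help an unprivileged daemon. The model below is an added example, not gocryptfs code. It encodes the Linux ownership-change rules from fs/attr.c (`chown_ok`, `chgrp_ok`, and the owner-or-CAP_FOWNER rule for chmod) and applies them in those two stages. Assumptions, all constructed: the login user is uid 1000, user-share-liturgy:group-share-liturgy is 1001:1002, the cipherdir files are owned by whichever user created them through the mount, kernel-side checking is active (FUSE `default_permissions`, which is what gocryptfs is taken to use together with `-allow_other` here), and ACLs, user namespaces and per-directory details are ignored.

```python
"""Two-stage model of chown/chmod through a FUSE mount (added example, not gocryptfs code).

Stage 1: the kernel checks the *caller* against the ownership the mount displays
         (with --force_owner that is the forced uid:gid, not the cipherdir owner).
Stage 2: the daemon issues lchown()/fchmod() on the cipherdir file with *its own*
         credentials; the caller's privileges play no part in this stage.
All uids, gids and ownerships below are constructed for illustration.
"""
from dataclasses import dataclass

UNCHANGED = -1                       # chown(2): -1 leaves uid or gid as it is
CAP_CHOWN, CAP_FOWNER = "CAP_CHOWN", "CAP_FOWNER"


@dataclass(frozen=True)
class Cred:
    uid: int
    groups: frozenset = frozenset()  # supplementary groups
    caps: frozenset = frozenset()    # effective capabilities; root has both below


@dataclass(frozen=True)
class Owner:
    uid: int
    gid: int


ROOT = Cred(0, frozenset({0}), frozenset({CAP_CHOWN, CAP_FOWNER}))


def chown_ok(cred, f, new_uid):
    """fs/attr.c chown_ok: the owner may 'change' the uid to itself; else CAP_CHOWN."""
    if new_uid == UNCHANGED:
        return True
    if cred.uid == f.uid and new_uid == f.uid:
        return True
    return CAP_CHOWN in cred.caps


def chgrp_ok(cred, f, new_gid):
    """fs/attr.c chgrp_ok: the owner may set the gid to a group it belongs to; else CAP_CHOWN."""
    if new_gid == UNCHANGED:
        return True
    if cred.uid == f.uid and (new_gid == f.gid or new_gid in cred.groups):
        return True
    return CAP_CHOWN in cred.caps


def chmod_ok(cred, f):
    """setattr_prepare: only the owner or a CAP_FOWNER holder may change the mode."""
    return cred.uid == f.uid or CAP_FOWNER in cred.caps


def fuse_chown(caller, daemon, displayed, backing, new_uid, new_gid):
    """Return None on success, or the errno name the caller sees ('EPERM')."""
    if not (chown_ok(caller, displayed, new_uid) and chgrp_ok(caller, displayed, new_gid)):
        return "EPERM"                      # rejected by the kernel before the daemon sees it
    if not (chown_ok(daemon, backing, new_uid) and chgrp_ok(daemon, backing, new_gid)):
        return "EPERM"                      # daemon's lchown() on the cipherdir file fails
    return None


def fuse_chmod(caller, daemon, displayed, backing):
    """Same two stages for a mode change."""
    if not chmod_ok(caller, displayed):
        return "EPERM"
    if not chmod_ok(daemon, backing):
        return "EPERM"
    return None


def thread_scenarios():
    """The mount configurations tried in the issue, with constructed identities."""
    me = Cred(1000, frozenset({1000}))      # login user who first ran gocryptfs (assumed uid)
    share = Cred(1001, frozenset({1002}))   # user-share-liturgy:group-share-liturgy (assumed)
    forced = Owner(1001, 1002)              # what --force_owner 1001:1002 displays
    r = {}

    # A) mounted by the login user with --force_owner: cipherdir files belong to 1000.
    backing = Owner(1000, 1000)
    r["force_owner/chown-self"] = fuse_chown(share, me, forced, backing, 1001, 1002)
    r["force_owner/chown-root"] = fuse_chown(ROOT, me, forced, backing, 1001, 1002)
    r["force_owner/chmod-login-user"] = fuse_chmod(me, me, forced, backing)
    r["force_owner/chmod-root"] = fuse_chmod(ROOT, me, forced, backing)
    r["force_owner/chmod-displayed-owner"] = fuse_chmod(share, me, forced, backing)

    # B) mounted with sudo --user=user-share-liturgy, no --force_owner: daemon owns the files.
    backing = Owner(1001, 1002)
    r["as_share/chown-self"] = fuse_chown(share, share, backing, backing, 1001, 1002)
    r["as_share/chown-other"] = fuse_chown(ROOT, share, backing, backing, 1003, 1003)

    # C) mounted as root: the daemon holds CAP_CHOWN, so stage 2 always passes.
    r["as_root/chown-other"] = fuse_chown(ROOT, ROOT, backing, backing, 1003, 1003)
    r["as_root/force_owner-chown"] = fuse_chown(ROOT, ROOT, forced, Owner(1000, 1000), 1001, 1002)
    return r


if __name__ == "__main__":
    for name, outcome in thread_scenarios().items():
        print(f"{name:40s} {outcome or 'ok'}")
```

Scenario A reproduces the first two comments (chown fails for everyone, chmod fails for a non-owner but works for root or the displayed owner), B reproduces the `sudo --user` mount (chown to oneself works, to anyone else does not), and C the final working configuration. The practical check this suggests is to look at which uid the gocryptfs process runs as (`ps -o user= -p <pid>`), since that, not the caller's uid, decides whether the backing chown can succeed.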