weixin_40001634
2020-11-28 22:46

In SMB+EncFS changing owner to non-root does not work correctly

I am trying to use EncFS on top of SMB. As per my understanding, in SMB there is only one client-side uid associated with the mount (as per "File And Directory Ownership And Permissions" in the https://linux.die.net/man/8/mount.cifs page). Changing the owner of the file returns success but does not actually change the owner. However, SMB also supports the noperm option, which allows us to ignore the permission checks. But with the introduction of EncFS on top, the permission checks do happen. Thus an attempt to open any file by any other user that was not specified at mount time gets denied.

Here is the series of steps I followed:


# Step1: SMB mount  (Note: the uid gid 0 and noperm option)
root-vshpere-260b7178:~# mount -t cifs  //172.27.16.90/public/ketan-test /tmp/smbmnt/ -o username=someuser,workgroup=WORKGROUP,password=somepassword,uid=0,forceuid,gid=0,forcegid,noperm,nosetuids

# Step2: EncFS mount
root-vshpere-260b7178:~# echo SomeOtherPassword  | 
    encfs --public --verbose --standard -S /tmp/smbmnt /tmp/decrypted
17:11:58 (main.cpp:523) Root directory: /tmp/smbmnt/
17:11:58 (main.cpp:524) Fuse arguments: (daemon) (threaded) (keyCheck) 
(ownerCreate) (useStdin) encfs /tmp/decrypted -o allow_other -s -o use_ino -o default_permissions
Creating new encrypted volume.
Standard configuration selected.
17:11:58 (SSL_Cipher.cpp:370) allocated cipher ssl/aes, keySize 24, ivlength 16
17:11:58 (FileUtils.cpp:1123) Using cipher AES, key size 192, block size 1024

Configuration finished.  The filesystem to be created has
the following properties:
17:11:58 (Interface.cpp:165) checking if ssl/aes(3:0:2) implements ssl/aes(3:0:2)
17:11:58 (SSL_Cipher.cpp:370) allocated cipher ssl/aes, keySize 24, ivlength 16
Filesystem cipher: "ssl/aes", version 3:0:2
17:11:58 (Interface.cpp:165) checking if nameio/block(3:0:1) implements nameio/block(3:0:1)
Filename encoding: "nameio/block", version 3:0:1
17:11:58 (Interface.cpp:165) checking if ssl/aes(3:0:2) implements ssl/aes(3:0:2)
17:11:58 (SSL_Cipher.cpp:370) allocated cipher ssl/aes, keySize 24, ivlength 16
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

17:11:58 (openssl.cpp:48) Allocating 41 locks for OpenSSL
17:11:58 (FileUtils.cpp:1180) useStdin: 1
17:11:58 (Interface.cpp:165) checking if ssl/aes(3:0:2) implements ssl/aes(3:0:2)
17:11:58 (SSL_Cipher.cpp:370) allocated cipher ssl/aes, keySize 24, ivlength 16
17:11:59 (Interface.cpp:165) checking if nameio/block(3:0:1) implements nameio/block(3:0:1)
root-vshpere-260b7178:~# cd /tmp/decrypted/
root-vshpere-260b7178:/tmp/decrypted# touch f1
root-vshpere-260b7178:/tmp/decrypted# ls -altr
total 4
drwxrwxrwt 5 root root 4096 Jun 13 17:05 ..
drwxrwxrwx 2 root root    0 Jun 13 17:11 .
-rw-r--r-- 1 root root    0 Jun 13 17:12 f1

# Step3:  Changing the owner from root to ubuntu
root-vshpere-260b7178:/tmp/decrypted# chown ubuntu f1; echo $?
0
# There was no error, but it still did not change the owner.
root-vshpere-260b7178:/tmp/decrypted# ls -altr
total 4
drwxrwxrwt 5 root root 4096 Jun 13 17:05 ..
drwxrwxrwx 2 root root    0 Jun 13 17:11 .
-rw-r--r-- 1 root root    0 Jun 13 17:12 f1
root-vshpere-260b7178:/tmp/decrypted# exit
exit

# Step 4: Try to touch the file as ubuntu; it fails.
ubuntu-vshpere-260b7178:~$ echo "Some text" > /tmp/decrypted/f1
-bash: /tmp/decrypted/f1: Permission denied

My EncFS version is


ubuntu-vshpere-260b7178:~$ encfs --version
encfs version 1.7.4

Thus my question is, is there any way around it through EncFS (to disable permission checks perhaps)?

This question comes from the open-source project: vgough/encfs


7 answers

  • weixin_39733232 4 months ago

    "Stupid" question, but did you delete the f1 file created by root before touching it with the ubuntu user? Did you try to directly mount your EncFS directory using the ubuntu user?

  • weixin_40001634 4 months ago

    I did not delete the file created by root, as it is not the scenario I am interested in. I did try mounting directly as the ubuntu user and it did work.
    But in my situation I do not know beforehand what user will use the mount. I am using EncFS to provide persistent storage encryption for containers (in my company Apcera's container platform), and it is not possible to know if the container will change ownership and run it as some other user.

    I may be wrong, but I think the fundamental issue here is a mismatch between SMB and FUSE+EncFS semantics: SMB by design allows just one client-side user per mount (hence it allows the noperm option), but EncFS still does permission checks based on the actual attr stored in the underlying SMB filesystem.

    Also, I was interested in whether anyone else had such a requirement.

    (Actually, I was using it with the Redis Docker image, and for some reason the non-root user was redis in the test.) Now the current directory here is created by the root user; it is created before the container starts with root. The problematic lines were:

    
           [stdout][81f0a73f]   chown -R redis .
           [stdout][81f0a73f]   exec gosu redis "$0" "$@"
    

    It tries to recursively change ownership of the directory created and then runs as the redis user.

  • weixin_39733232 4 months ago

    Instead of --public, which is -o allow_other -o default_permissions, try to only use -o allow_other? I think this is what you need.

  • weixin_40001634 4 months ago

    Sorry for the late reply. I tried the same, but it does not change the ownership and still gives the same error: Permission denied.

  • weixin_39733232 4 months ago

    -o default_permissions is activated by default with EncFS 1.7.4. You should try: encfs --no-default-flags -o allow_other

  • weixin_40001634 4 months ago

    It does work!! Thanks so much for the help.

    
    root-vshpere-355e2e35:/home/ubuntu# mount -t cifs  //172.27.16.90/public/ketan-test /tmp/smbmnt/ -o username=someuser,workgroup=WORKGROUP,password=somepassword,uid=0,forceuid,gid=0,forcegid,noperm,nosetuids
    root-vshpere-355e2e35:/home/ubuntu# echo SomeOtherPassword  | encfs --no-default-flags --verbose -o allow_other  --standard -S /tmp/smbmnt /tmp/decrypted
    22:53:24 (main.cpp:523) Root directory: /tmp/smbmnt/
    22:53:24 (main.cpp:524) Fuse arguments: (daemon) (threaded) (keyCheck) (useStdin) encfs /tmp/decrypted -o allow_other -s
    22:53:24 (FileUtils.cpp:177) version = 20
    22:53:24 (FileUtils.cpp:181) found new serialization format
    22:53:24 (FileUtils.cpp:199) subVersion = 20100713
    22:53:24 (Interface.cpp:165) checking if ssl/aes(3:0:2) implements ssl/aes(3:0:0)
    22:53:24 (SSL_Cipher.cpp:370) allocated cipher ssl/aes, keySize 24, ivlength 16
    22:53:24 (Interface.cpp:165) checking if ssl/aes(3:0:2) implements ssl/aes(3:0:0)
    22:53:24 (SSL_Cipher.cpp:370) allocated cipher ssl/aes, keySize 24, ivlength 16
    22:53:24 (FileUtils.cpp:1620) useStdin: 1
    22:53:24 (Interface.cpp:165) checking if ssl/aes(3:0:2) implements ssl/aes(3:0:0)
    22:53:24 (SSL_Cipher.cpp:370) allocated cipher ssl/aes, keySize 24, ivlength 16
    22:53:24 (FileUtils.cpp:1628) cipher key size = 44
    22:53:24 (Interface.cpp:165) checking if nameio/block(3:0:1) implements nameio/block(3:0:0)
    root-vshpere-355e2e35:/home/ubuntu# cd /tmp/decrypted/
    root-vshpere-355e2e35:/tmp/decrypted# ls
    f1
    root-vshpere-355e2e35:/tmp/decrypted# touch f2
    root-vshpere-355e2e35:/tmp/decrypted# ls -altr
    total 4
    -rw-r--r-- 1 root root    0 Jun 20 22:24 f1
    drwxrwxrwt 6 root root 4096 Jun 26 22:50 ..
    drwxrwxrwx 2 root root    0 Jun 26 22:53 .
    -rw-r--r-- 1 root root    0 Jun 26 22:53 f2
    root-vshpere-355e2e35:/tmp/decrypted# chown ubuntu f2; echo $?
    0
    root-vshpere-355e2e35:/tmp/decrypted# ls -altr
    total 4
    -rw-r--r-- 1 root root    0 Jun 20 22:24 f1
    drwxrwxrwt 6 root root 4096 Jun 26 22:50 ..
    drwxrwxrwx 2 root root    0 Jun 26 22:53 .
    -rw-r--r-- 1 root root    0 Jun 26 22:53 f2
    root-vshpere-355e2e35:/tmp/decrypted# exit
    exit
    ubuntu-vshpere-355e2e35:~$ echo "Some text" > /tmp/decrypted/f2
    ubuntu-vshpere-355e2e35:~$ cat /tmp/decrypted/f2
    Some text
    ubuntu-vshpere-355e2e35:~$
    
  • weixin_39733232 4 months ago

    You're welcome 👍 You may want to also use -o use_ino, as it has been removed by --no-default-flags. (Feel free to close this ticket as it is now solved!)

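A check for the mount state this thread ends with, as an added example that is not part of the original thread or of EncFS: with allow_other set and default_permissions absent, the kernel does no mode checks on the FUSE mount, which is why ubuntu could write the root-owned 0644 file f2 above. The function names, state labels and sample lines are constructed for illustration; the option names are the ones shown in /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the thread): report mounts whose client-side
# permission checks are switched off, as in the final setup above.

# Constructed sample in /proc/mounts format; not captured from the thread's host.
SAMPLE_MOUNTS='//172.27.16.90/public/ketan-test /tmp/smbmnt cifs rw,relatime,uid=0,forceuid,gid=0,forcegid,noperm 0 0
encfs /tmp/decrypted fuse.encfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
encfs /srv/shared fuse.encfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
encfs /home/ubuntu/priv fuse.encfs rw,nosuid,nodev,relatime,user_id=1000,group_id=1000 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_fuse OPTS: print who can reach a FUSE mount and who checks modes.
classify_fuse() {
    if ! has_opt "$1" allow_other; then
        echo owner-only            # only the mounting user gets in
    elif has_opt "$1" default_permissions; then
        echo kernel-checked        # other users allowed, kernel enforces modes
    else
        echo open-to-all           # other users allowed, no kernel mode checks
    fi
}

# audit_mounts: read /proc/mounts-format lines on stdin and print
# "mountpoint fstype state" for every cifs and FUSE mount.
audit_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        case "$fstype" in
            fuse|fuse.*) echo "$mnt $fstype $(classify_fuse "$opts")" ;;
            cifs)
                if has_opt "$opts" noperm; then state=noperm
                else state=client-checked; fi
                echo "$mnt $fstype $state" ;;
        esac
    done
}

# On a live host: audit_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

A mount reported as open-to-all exposes the decrypted tree to every local account, so access has to be limited by other means, such as the permissions of a parent directory or the container's mount namespace.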
