2017-02-09 01:18:34 |
Taylor Raack |
description |
I've recently found that encfs converts absolute symlinks into relative symlinks, which isn't good.
To reproduce:
# remove old runs
rm -rf /tmp/source
fusermount -u /tmp/decrypted
fusermount -u /tmp/encrypted
# setup
mkdir -p /tmp/source /tmp/encrypted /tmp/decrypted
ln -s /etc/linkedfile /tmp/source/absolute-link
# encrypt /tmp/source into /tmp/encrypted
encfs --standard --reverse -o ro /tmp/source /tmp/encrypted
# decrypt /tmp/encrypted into /tmp/decrypted
ENCFS6_CONFIG=/tmp/source/.encfs6.xml encfs --standard /tmp/encrypted /tmp/decrypted
echo "Now see how the absolute symlink in the source directory (absolute-link -> /etc/linkedfile) has been turned into a relative symlink in the decrypted directory (absolute-link -> /etc/linkedfile)..."
echo ""
echo "Source directory list (see symlink is absolute)"
ls -al /tmp/source
echo ""
echo "Encrypted directory list"
ls -al /tmp/encrypted
echo ""
echo "Decrypted directory list (see symlink has been mangled into a relative link, rather than an absolute link)"
ls -al /tmp/decrypted
This will show:
Creating new encrypted volume.
Standard configuration selected.
--reverse specified, not using unique/chained IV
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
File holes passed through to ciphertext.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
New Encfs Password:
Verify Encfs Password:
EncFS Password:
Now see how the absolute symlink in the source directory (absolute-link -> /etc/linkedfile) has been turned into a relative symlink in the decrypted directory (absolute-link -> /etc/linkedfile)...
Source directory list (see symlink is absolute)
total 2160
drwx------ 2 traack dialout 4096 Jan 23 21:03 .
drwxrwxrwt 18 root root 2199552 Jan 23 21:03 ..
lrwxrwxrwx 1 traack dialout 15 Jan 23 21:03 absolute-link -> /etc/linkedfile
-rw------- 1 traack dialout 1078 Jan 23 21:03 .encfs6.xml
Encrypted directory list
ls: /tmp/encrypted/F1eFQbB,bUUGPNt3WInPxLmu: No such file or directory
total 2160
drwx------ 2 traack dialout 4096 Jan 23 21:03 .
drwxrwxrwt 18 root root 2199552 Jan 23 21:03 ..
lrwxrwxrwx 1 traack dialout 49 Jan 23 21:03 F1eFQbB,bUUGPNt3WInPxLmu -> w4VeHU6C9a23mKMup7sCS7rW/ZFJ1rQnkGjx,FD-nkHTx5ZYP
-rw------- 1 traack dialout 1078 Jan 23 21:03 OdLgnM7TBEPG0naHpgxKJLvE
Decrypted directory list (see symlink has been mangled into a relative link, rather than an absolute link)
ls: /tmp/decrypted/absolute-link: No such file or directory
total 2160
drwx------ 2 traack dialout 4096 Jan 23 21:03 .
drwxrwxrwt 18 root root 2199552 Jan 23 21:03 ..
lrwxrwxrwx 1 traack dialout 14 Jan 23 21:03 absolute-link -> etc/linkedfile
-rw------- 1 traack dialout 1078 Jan 23 21:03 .encfs6.xml
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: encfs 1.7.4-2.4ubuntu2
ProcVersionSignature: Ubuntu 3.13.0-108.155-generic 3.13.11-ckt39
Uname: Linux 3.13.0-108-generic i686
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.14.1-0ubuntu3.23
Architecture: i386
CurrentDesktop: Unity
Date: Wed Feb 8 17:10:15 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2010-07-26 (2389 days ago)
InstallationMedia: Ubuntu-Netbook 10.04 "Lucid Lynx" - Release i386 (20100429.4)
SourcePackage: encfs
UpgradeStatus: Upgraded to trusty on 2014-09-08 (885 days ago) |
I've recently found that encfs converts absolute symlinks into relative symlinks, which isn't good.
[Impact]
For all users of encfs, encrypting and decrypting absolute symlinks will work correctly, and will not fail silently.
[Test Case]
# remove old runs
rm -rf /tmp/source
fusermount -u /tmp/decrypted
fusermount -u /tmp/encrypted
# setup
mkdir -p /tmp/source /tmp/encrypted /tmp/decrypted
ln -s /etc/linkedfile /tmp/source/absolute-link
# encrypt /tmp/source into /tmp/encrypted
encfs --standard --reverse -o ro /tmp/source /tmp/encrypted
# decrypt /tmp/encrypted into /tmp/decrypted
ENCFS6_CONFIG=/tmp/source/.encfs6.xml encfs --standard /tmp/encrypted /tmp/decrypted
echo "Now see how the absolute symlink in the source directory (absolute-link -> /etc/linkedfile) has been turned into a relative symlink in the decrypted directory (absolute-link -> /etc/linkedfile)..."
echo ""
echo "Source directory list (see symlink is absolute)"
ls -al /tmp/source
echo ""
echo "Encrypted directory list"
ls -al /tmp/encrypted
echo ""
echo "Decrypted directory list (see symlink has been mangled into a relative link, rather than an absolute link)"
ls -al /tmp/decrypted
This will show:
Creating new encrypted volume.
Standard configuration selected.
--reverse specified, not using unique/chained IV
Configuration finished. The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
File holes passed through to ciphertext.
Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism. However, the password can be changed
later using encfsctl.
New Encfs Password:
Verify Encfs Password:
EncFS Password:
Now see how the absolute symlink in the source directory (absolute-link -> /etc/linkedfile) has been turned into a relative symlink in the decrypted directory (absolute-link -> /etc/linkedfile)...
Source directory list (see symlink is absolute)
total 2160
drwx------ 2 traack dialout 4096 Jan 23 21:03 .
drwxrwxrwt 18 root root 2199552 Jan 23 21:03 ..
lrwxrwxrwx 1 traack dialout 15 Jan 23 21:03 absolute-link -> /etc/linkedfile
-rw------- 1 traack dialout 1078 Jan 23 21:03 .encfs6.xml
Encrypted directory list
ls: /tmp/encrypted/F1eFQbB,bUUGPNt3WInPxLmu: No such file or directory
total 2160
drwx------ 2 traack dialout 4096 Jan 23 21:03 .
drwxrwxrwt 18 root root 2199552 Jan 23 21:03 ..
lrwxrwxrwx 1 traack dialout 49 Jan 23 21:03 F1eFQbB,bUUGPNt3WInPxLmu -> w4VeHU6C9a23mKMup7sCS7rW/ZFJ1rQnkGjx,FD-nkHTx5ZYP
-rw------- 1 traack dialout 1078 Jan 23 21:03 OdLgnM7TBEPG0naHpgxKJLvE
Decrypted directory list (see symlink has been mangled into a relative link, rather than an absolute link)
ls: /tmp/decrypted/absolute-link: No such file or directory
total 2160
drwx------ 2 traack dialout 4096 Jan 23 21:03 .
drwxrwxrwt 18 root root 2199552 Jan 23 21:03 ..
lrwxrwxrwx 1 traack dialout 14 Jan 23 21:03 absolute-link -> etc/linkedfile
-rw------- 1 traack dialout 1078 Jan 23 21:03 .encfs6.xml
[Regression Potential]
Likely to be low
-----------------------------
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: encfs 1.7.4-2.4ubuntu2
ProcVersionSignature: Ubuntu 3.13.0-108.155-generic 3.13.11-ckt39
Uname: Linux 3.13.0-108-generic i686
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.14.1-0ubuntu3.23
Architecture: i386
CurrentDesktop: Unity
Date: Wed Feb 8 17:10:15 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2010-07-26 (2389 days ago)
InstallationMedia: Ubuntu-Netbook 10.04 "Lucid Lynx" - Release i386 (20100429.4)
SourcePackage: encfs
UpgradeStatus: Upgraded to trusty on 2014-09-08 (885 days ago) |
|
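A check for the failure shown in the report, as an added example that is not part of the original bug report or of encfs: it compares every symlink target in a source tree with the same path in the decrypted tree and flags absolute targets that came back relative. The names `check_symlinks` and `demo` and the sample trees are assumptions, constructed to mirror the report's listing without needing encfs or FUSE.

```shell
#!/bin/sh
# Added example, not from the bug report. Names and sample trees are constructed.

# check_symlinks SRC DST: prints one line per symlink in SRC whose target
# differs in DST and returns the number of mismatches (capped at 255).
check_symlinks() {
    src=$1; dst=$2; bad=0
    list=$(mktemp)
    # Newline-delimited listing: assumes no newlines in file names.
    (cd "$src" && find . -type l -print) > "$list"
    while IFS= read -r rel; do
        want=$(readlink "$src/$rel")
        if [ ! -L "$dst/$rel" ]; then
            echo "MISSING $rel (expected -> $want)"
            bad=$((bad + 1))
            continue
        fi
        got=$(readlink "$dst/$rel")
        [ "$want" = "$got" ] && continue
        kind=CHANGED
        case "$want" in
            /*) case "$got" in
                    /*) ;;
                    *) kind=ABS2REL ;;  # absolute target came back relative
                esac ;;
        esac
        echo "$kind $rel: $want -> $got"
        bad=$((bad + 1))
    done < "$list"
    rm -f "$list"
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# Constructed demo: two hand-built trees, one with the leading "/" lost,
# mirroring the listing in the report without needing encfs or FUSE.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/source" "$work/decrypted"
    ln -s /etc/linkedfile "$work/source/absolute-link"
    ln -s etc/linkedfile "$work/decrypted/absolute-link"    # mangled
    ln -s sibling "$work/source/relative-link"
    ln -s sibling "$work/decrypted/relative-link"           # intact
    rc=0
    check_symlinks "$work/source" "$work/decrypted" || rc=$?
    rm -rf "$work"
    return "$rc"
}

demo || echo "symlink mismatches: $?"
```

Against real mounts, call it as `check_symlinks /tmp/source /tmp/decrypted`; a non-zero exit status means at least one link did not survive the round trip.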