fusefrontend: -allow_other: Use OpenatUser in Create FUSE call.

Revert commit b22cc03. Instead of manually adjusting the user and mode after creating the file, adjust effective permissions and let the kernel deal with it. Related to #338.

Author: slackner

internal/fusefrontend/fs.go

@@ -238,15 +238,11 @@ func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Conte
 returnnil, fuse.ToStatus(err)
  }
 defersyscall.Close(dirfd)
-// Don't set full mode before we have set the correct owner. Files with SUID/SGID
-// mode belonging to the wrong owner would be a security risk. Even for other
-// modes, we don't want anyone else to open the file in the meantime: the fd would
-// stay open and could later be used to read the file.
-origMode:=mode
-iffs.args.PreserveOwner {
-mode=0000
- }
 fd:=-1
+// Make sure context is nil if we don't want to preserve the owner
+if!fs.args.PreserveOwner {
+context=nil
+ }
 // Handle long file name
 if!fs.args.PlaintextNames&&nametransform.IsLongContent(cName) {
 // Create ".name"
@@ -255,14 +251,14 @@ func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Conte
 returnnil, fuse.ToStatus(err)
  }
 // Create content
-fd, err=syscallcompat.Openat(dirfd, cName, newFlags|os.O_CREATE|os.O_EXCL, mode)
+fd, err=syscallcompat.OpenatUser(dirfd, cName, newFlags|os.O_CREATE|os.O_EXCL, mode, context)
 iferr!=nil {
 nametransform.DeleteLongNameAt(dirfd, cName)
 returnnil, fuse.ToStatus(err)
  }
  } else {
 // Create content, normal (short) file name
-fd, err=syscallcompat.Openat(dirfd, cName, newFlags|syscall.O_CREAT|syscall.O_EXCL, mode)
+fd, err=syscallcompat.OpenatUser(dirfd, cName, newFlags|syscall.O_CREAT|syscall.O_EXCL, mode, context)
 iferr!=nil {
 // xfstests generic/488 triggers this
 iferr==syscall.EMFILE {
@@ -273,24 +269,6 @@ func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Conte
 returnnil, fuse.ToStatus(err)
  }
  }
-// Set owner
-iffs.args.PreserveOwner {
-err=syscall.Fchown(fd, int(context.Owner.Uid), int(context.Owner.Gid))
-iferr!=nil {
-tlog.Warn.Printf("Create %q: Fchown %d:%d failed: %v", cName, context.Owner.Uid, context.Owner.Gid, err)
-// In case of a failure, we don't want to proceed setting more
-// permissive modes.
-syscall.Close(fd)
-returnnil, fuse.ToStatus(err)
- }
- }
-// Set mode
-ifmode!=origMode {
-err=syscall.Fchmod(fd, origMode)
-iferr!=nil {
-tlog.Warn.Printf("Create %q: Fchmod %#o -> %#o failed: %v", cName, mode, origMode, err)
- }
- }
 f:=os.NewFile(uintptr(fd), cName)
 returnNewFile(f, fs)
 }

internal/syscallcompat/sys_darwin.go

@@ -46,6 +46,11 @@ func Openat(dirfd int, path string, flags int, mode uint32) (fd int, err error)
 returnemulateOpenat(dirfd, path, flags, mode)
 }
 
+funcOpenatUser(dirfdint, pathstring, flagsint, modeuint32, context*fuse.Context) (fdint, errerror) {
+// FIXME: take into account context.Owner
+returnOpenat(dirfd, path, flags, mode)
+}
+
 funcRenameat(olddirfdint, oldpathstring, newdirfdint, newpathstring) (errerror) {
 returnemulateRenameat(olddirfd, oldpath, newdirfd, newpath)
 }

internal/syscallcompat/sys_linux.go

@@ -3,6 +3,7 @@ package syscallcompat
 
 import (
 "fmt"
+"runtime"
 "sync"
 "syscall"
 
@@ -75,6 +76,28 @@ func Openat(dirfd int, path string, flags int, mode uint32) (fd int, err error)
 returnsyscall.Openat(dirfd, path, flags, mode)
 }
 
+// OpenatUser runs the Openat syscall in the context of a different user.
+funcOpenatUser(dirfdint, pathstring, flagsint, modeuint32, context*fuse.Context) (fdint, errerror) {
+ifcontext!=nil {
+runtime.LockOSThread()
+deferruntime.UnlockOSThread()
+
+err=syscall.Setregid(-1, int(context.Owner.Gid))
+iferr!=nil {
+return-1, err
+ }
+defersyscall.Setregid(-1, 0)
+
+err=syscall.Setreuid(-1, int(context.Owner.Uid))
+iferr!=nil {
+return-1, err
+ }
+defersyscall.Setreuid(-1, 0)
+ }
+
+returnOpenat(dirfd, path, flags, mode)
+}
+
 // Renameat wraps the Renameat syscall.
 funcRenameat(olddirfdint, oldpathstring, newdirfdint, newpathstring) (errerror) {
 returnsyscall.Renameat(olddirfd, oldpath, newdirfd, newpath)