internal: introduce HasAccess, and use it

access(2) should check permissions of the caller UID/GID against file permissions. In loopback, this may not be delegated to an access syscall to the underlying file system, since that would use the UID/GID of the FUSE process.

internal: introduce HasAccess, and use it
access(2) should check permissions of the caller UID/GID against file permissions. In loopback, this may not be delegated to an access syscall to the underlying file system, since that would use the UID/GID of the FUSE process.
2f0b9acd · Han-Wen Nienhuys · 420b298b · 2f0b9acd · 2f0b9acd · 2f0b9acd
Commit 2f0b9acd authored Mar 09, 2019 by Han-Wen Nienhuys
Showing with 140 additions and 2 deletions

fuse/pathfs/loopback.go fuse/pathfs/loopback.go +11 -1

internal/access.go internal/access.go +56 -0

internal/access_test.go internal/access_test.go +72 -0

unionfs/unionfs_test.go unionfs/unionfs_test.go +1 -1

No files found.
--- a/fuse/pathfs/loopback.go
+++ b/fuse/pathfs/loopback.go
@@ -13,6 +13,7 @@ import (

 	"github.com/hanwen/go-fuse/fuse"
 	"github.com/hanwen/go-fuse/fuse/nodefs"
+	"github.com/hanwen/go-fuse/internal"
 )

 type loopbackFileSystem struct {
@@ -176,7 +177,16 @@ func (fs *loopbackFileSystem) Link(orig string, newName string, context *fuse.Co
 }

 func (fs *loopbackFileSystem) Access(name string, mode uint32, context *fuse.Context) (code fuse.Status) {
-	return fuse.ToStatus(syscall.Access(fs.GetPath(name), mode))
+	attr, status := fs.GetAttr(name, context)
+	if !status.Ok() {
+		return status
+
+	}
+	if !internal.HasAccess(context.Uid, context.Gid, attr.Uid, attr.Gid, attr.Mode, mode) {
+		return fuse.EACCES
+	}
+
+	return fuse.OK
 }

 func (fs *loopbackFileSystem) Create(path string, flags uint32, mode uint32, context *fuse.Context) (fuseFile nodefs.File, code fuse.Status) {

--- a/internal/access.go
+++ b/internal/access.go
+// Copyright 2019 the Go-FUSE Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package internal
+
+import (
+	"os/user"
+	"strconv"
+)
+
+// HasAccess tests if a caller can access a file with permissions
+// `perm` in mode `mask`
+func HasAccess(callerUid, callerGid, fileUid, fileGid uint32, perm uint32, mask uint32) bool {
+	mask = mask & 7
+	if mask == 0 {
+		return true
+	}
+
+	if callerUid == fileUid {
+		if perm&(mask<<6) != 0 {
+			return true
+		}
+	}
+	if callerGid == fileGid {
+		if perm&(mask<<3) != 0 {
+			return true
+		}
+	}
+	if perm&mask != 0 {
+		return true
+	}
+
+	// Check other groups.
+	if perm&(mask<<3) == 0 {
+		// avoid expensive lookup if it's not allowed anyway
+		return false
+	}
+
+	u, err := user.LookupId(strconv.Itoa(int(callerUid)))
+	if err != nil {
+		return false
+	}
+	gs, err := u.GroupIds()
+	if err != nil {
+		return false
+	}
+
+	fileGidStr := strconv.Itoa(int(fileGid))
+	for _, gidStr := range gs {
+		if gidStr == fileGidStr {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/access_test.go
+++ b/internal/access_test.go
+// Copyright 2019 the Go-FUSE Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package internal
+
+import (
+	"os/user"
+	"strconv"
+	"testing"
+)
+
+func TestHasAccess(t *testing.T) {
+	type testcase struct {
+		uid, gid, fuid, fgid uint32
+		perm, mask           uint32
+		want                 bool
+	}
+
+	u, err := user.Current()
+	if err != nil {
+		t.Fatalf("user.Current: %v", err)
+	}
+
+	myIntId, _ := strconv.Atoi(u.Uid)
+	myUid := uint32(myIntId)
+	myIntGid, _ := strconv.Atoi(u.Gid)
+	myGid := uint32(myIntGid)
+
+	gids, err := u.GroupIds()
+	if err != nil {
+		t.Fatalf("user.GroupIds: %v", err)
+	}
+
+	var myOtherGid, notMyGid uint32
+	mygids := map[uint32]bool{}
+
+	for _, g := range gids {
+		gnum, _ := strconv.Atoi(g)
+		gnum32 := uint32(gnum)
+		mygids[gnum32] = true
+		if g != u.Gid {
+			myOtherGid = uint32(gnum)
+		}
+	}
+
+	for i := uint32(1); i < 1000; i++ {
+		if !mygids[i] {
+			notMyGid = i
+			break
+		}
+	}
+
+	_ = myOtherGid
+	_ = notMyGid
+	for i, tc := range []testcase{
+		{myUid, myGid, myUid, myGid, 0100, 01, true},
+		{myUid, myGid, myUid + 1, notMyGid, 0001, 0001, true},
+		{myUid, myGid, myUid + 1, notMyGid, 0000, 0001, false},
+		{myUid, myGid, myUid + 1, notMyGid, 0007, 0000, true},
+
+		{myUid, myGid, myUid + 1, myOtherGid, 0020, 002, true},
+		{myUid, myGid, myUid + 1, notMyGid, 0020, 002, false},
+		{myUid, myGid, myUid, myGid, 0000, 01, false},
+		{myUid, myGid, myUid, myGid, 0200, 01, false},
+	} {
+		got := HasAccess(tc.uid, tc.gid, tc.fuid, tc.fgid, tc.perm, tc.mask)
+		if got != tc.want {
+			t.Errorf("%d: accessCheck(%v): got %v, want %v", i, tc, got, tc.want)
+		}
+	}
+}
--- a/unionfs/unionfs_test.go
+++ b/unionfs/unionfs_test.go
@@ -373,7 +373,7 @@ func TestUnionFsBasic(t *testing.T) {
 	names = dirNames(t, wd+"/rw")
 	checkMapEq(t, names, map[string]bool{
 		testOpts.DeletionDirName: true,
-		"rw": true, "ro1": true,
+		"rw":                     true, "ro1": true,
 	})
 	names = dirNames(t, wd+"/rw/"+testOpts.DeletionDirName)
 	if len(names) != 0 {