From a35a24b8b4f7d57c95be45c479a54e0310d63443 Mon Sep 17 00:00:00 2001 From: Kyle Lacy Date: Tue, 2 Oct 2018 21:34:28 -0700 Subject: [PATCH 1/4] mount: Enable "DefaultPermissions" FUSE option by default This enforces the Unix permissions of the snapshot files within the mounted filesystem, which will only allow users to access snapshot files if they had access to the file outside of the snapshot. --- cmd/restic/cmd_mount.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cmd/restic/cmd_mount.go b/cmd/restic/cmd_mount.go index 3e6382192..2e8406357 100644 --- a/cmd/restic/cmd_mount.go +++ b/cmd/restic/cmd_mount.go @@ -120,6 +120,8 @@ func mount(opts MountOptions, gopts GlobalOptions, mountpoint string) error { mountOptions = append(mountOptions, systemFuse.AllowOther()) } + mountOptions = append(mountOptions, systemFuse.DefaultPermissions()) + c, err := systemFuse.Mount(mountpoint, mountOptions...) if err != nil { return err From cf0883e16cf675bdb871601a3169ede18e05a7a6 Mon Sep 17 00:00:00 2001 From: Kyle Lacy Date: Mon, 26 Nov 2018 21:06:47 -0800 Subject: [PATCH 2/4] mount: Add "no-default-permissions" option This option restores the previous behavior of `mount` by disabling the "DefaultPermissions" FUSE option. This allows any user that can access the mountpoint to read any file from the snapshot. Normal FUSE rules apply, so `allow-root` or `allow-other` can be used to allow users besides the mounting user to access these files. --- cmd/restic/cmd_mount.go | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/cmd/restic/cmd_mount.go b/cmd/restic/cmd_mount.go index 2e8406357..e8c862392 100644 --- a/cmd/restic/cmd_mount.go +++ b/cmd/restic/cmd_mount.go 
@@ -53,13 +53,14 @@ For details please see the documentation for time.Format() at: // MountOptions collects all options for the mount command. type MountOptions struct { - OwnerRoot bool - AllowRoot bool - AllowOther bool - Host string - Tags restic.TagLists - Paths []string - SnapshotTemplate string + OwnerRoot bool + AllowRoot bool + AllowOther bool + NoDefaultPermissions bool + Host string + Tags restic.TagLists + Paths []string + SnapshotTemplate string } var mountOptions MountOptions @@ -71,6 +72,7 @@ func init() { mountFlags.BoolVar(&mountOptions.OwnerRoot, "owner-root", false, "use 'root' as the owner of files and dirs") mountFlags.BoolVar(&mountOptions.AllowRoot, "allow-root", false, "allow root user to access the data in the mounted directory") mountFlags.BoolVar(&mountOptions.AllowOther, "allow-other", false, "allow other users to access the data in the mounted directory") + mountFlags.BoolVar(&mountOptions.NoDefaultPermissions, "no-default-permissions", false, "for 'allow-other', ignore Unix permissions and allow users to read all snapshot files") mountFlags.StringVarP(&mountOptions.Host, "host", "H", "", `only consider snapshots for this host`) mountFlags.Var(&mountOptions.Tags, "tag", "only consider snapshots which include this `taglist`") @@ -120,7 +122,9 @@ func mount(opts MountOptions, gopts GlobalOptions, mountpoint string) error { mountOptions = append(mountOptions, systemFuse.AllowOther()) } - mountOptions = append(mountOptions, systemFuse.DefaultPermissions()) + if !opts.NoDefaultPermissions { + mountOptions = append(mountOptions, systemFuse.DefaultPermissions()) + } c, err := systemFuse.Mount(mountpoint, mountOptions...) if err != nil { From d4ff5b6bf4f324b9b2ac8ef29289ea98b2019686 Mon Sep 17 00:00:00 2001 
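Review bot: The help string for `--no-default-permissions` in the `init()` hunk undersells what the flag exposes. With the kernel check off and `--allow-other` on, every local account that can reach the mountpoint can read files that were limited to root or to a single user on the backed-up system, for example private keys or password hashes that ended up in the backup. I would say so in the help text, e.g. `"for 'allow-other', skip kernel permission checks: every user who can reach the mountpoint can read all snapshot files, including ones that were root-only"`. The new struct field would also benefit from a comment such as `// NoDefaultPermissions disables the kernel's owner/mode checks on the mounted snapshots`.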
From: Kyle Lacy
Date: Tue, 2 Oct 2018 23:17:39 -0700
Subject: [PATCH 3/4] Add changelog entry about "DefaultPermissions" change
---
changelog/unreleased/pull-2017 | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 changelog/unreleased/pull-2017
diff --git a/changelog/unreleased/pull-2017 b/changelog/unreleased/pull-2017
new file mode 100644
index 000000000..b5b16365e
--- /dev/null
+++ b/changelog/unreleased/pull-2017
@@ -0,0 +1,12 @@
+Enhancement: mount: Enforce FUSE Unix permissions by default
+
+By default, `mount` will now respect the Unix permissions of the files within
+snapshots (this is done through the "DefaultPermissions" FUSE option).
+
+To restore the old behavior, we've added the `--no-default-permissions` option.
+This allows alll users that have access to the mountpoint to access all
+files within the snapshots. Normal FUSE rules apply, so `--allow-root`
+or `--allow-other` can be used to allow users besides the mounting user to
+access the mountpoint.
+
+https://github.com/restic/restic/pull/2017
From 830511460a6c1f7109eed0c320799f2e2d966a12 Mon Sep 17 00:00:00 2001
From: Alexander Neumann Date: Sun, 6 Jan 2019 20:55:49 +0100 Subject: [PATCH 4/4] mount: Turn on DefaultPermissions for --allow-other` This commit changes the logic slightly: checking the permissions in the fuse mount when nobody else besides the current user can access the fuse mount does not make sense. The current user has access to the repo files in addition to the password, so they can access all data regardless of what the fuse mount does. Enabling `--allow-root` allows the root user to access the files in the fuse mount, for this user no permission checks will be done anyway. The code now enables `DefaultPermissions` automatically when `--allow-other` is set, it can be disabled with `--no-default-permissions` to restore the old behavior. --- changelog/unreleased/pull-2017 | 13 ++++++------- cmd/restic/cmd_mount.go | 7 ++++--- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/changelog/unreleased/pull-2017 b/changelog/unreleased/pull-2017 index b5b16365e..44afba625 100644 --- a/changelog/unreleased/pull-2017 +++ b/changelog/unreleased/pull-2017 
@@ -1,12 +1,11 @@ -Enhancement: mount: Enforce FUSE Unix permissions by default +Enhancement: mount: Enforce FUSE Unix permissions with allow-other -By default, `mount` will now respect the Unix permissions of the files within -snapshots (this is done through the "DefaultPermissions" FUSE option). +The fuse mount (`restic mount`) now lets the kernel check the permissions of +the files within snapshots (this is done through the `DefaultPermissions` FUSE +option) when the option `--allow-other` is specified. To restore the old behavior, we've added the `--no-default-permissions` option. -This allows alll users that have access to the mountpoint to access all -files within the snapshots. Normal FUSE rules apply, so `--allow-root` -or `--allow-other` can be used to allow users besides the mounting user to -access the mountpoint. +This allows all users that have access to the mount point to access all +files within the snapshots. https://github.com/restic/restic/pull/2017 diff --git a/cmd/restic/cmd_mount.go b/cmd/restic/cmd_mount.go index e8c862392..39ff1a144 100644 --- a/cmd/restic/cmd_mount.go +++ b/cmd/restic/cmd_mount.go @@ -120,10 +120,11 @@ func mount(opts MountOptions, gopts GlobalOptions, mountpoint string) error { if opts.AllowOther { mountOptions = append(mountOptions, systemFuse.AllowOther()) - } - if !opts.NoDefaultPermissions { - mountOptions = append(mountOptions, systemFuse.DefaultPermissions()) + // let the kernel check permissions unless it is explicitly disabled + if !opts.NoDefaultPermissions { + mountOptions = append(mountOptions, systemFuse.DefaultPermissions()) + } } c, err := systemFuse.Mount(mountpoint, mountOptions...)
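Review bot: The comment added inside the `opts.AllowOther` branch of the `cmd_mount.go` hunk says the kernel checks permissions but not what it checks against, which is the part an operator needs to know. The kernel compares the caller with the numeric uid, gid and mode that the FUSE layer reports for each file; these presumably come from the snapshot metadata (or root when `--owner-root` is set), so on a snapshot taken on another host a local account whose uid happens to match gains read access to that owner's files. I would extend the comment to something like `// let the kernel check permissions unless explicitly disabled; the check uses the numeric uid/gid/mode reported for snapshot files, which may map to different accounts on this host`, and state the same caveat in the `--allow-other` documentation. In addition, `--no-default-permissions` given without `--allow-other` is now accepted and silently has no effect, so a one-line notice in that case would avoid a false sense of having changed something. `mount()` starts and ends outside this hunk.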