Description of problem:
On an OpenVZ server I have mounted user home directories via fuse-encfs, and these home directories are used by dovecot for IMAP folder storage.

Version-Release number of selected component (if applicable):
fuse-encfs-1.9.2-3.el7
dovecot-2.2.10-7.el7.x86_64

How reproducible:
Always after update

Steps to Reproduce:
1. stop dovecot
2. update from fuse-encfs-1.9.1-2.el7 to 1.9.2-3.el7 (or even 1.9.2-1.el7)
3. start dovecot

Actual results:
IMAP no longer working, following messages appearing frequently:
Aug 31 11:17:54 st2 dovecot: imap($USER): Error: file_dotlock_create(/home/$USER/Maildir/.Trash/dovecot-uidlist) failed: Permission denied (euid=$UID($USER) egid=$GID($GROUP) UNIX perms appear ok (ACL/MAC wrong?))

Expected results:
working as with 1.9.1

Additional info:
after manual downgrade by fetching older version from koji it is working again

Entry in /etc/fstab:
/opt/encfs/bin/mount.encfs#/home/$USER.encrypt /home/$USER fuse auto 0 0

mount.encfs is finally executing:
encfs --public --extpass="cat $pass_file" $*
Can you check that it is not selinux blocked or some other?
This OpenVZ guest has no SELinux at all running. I've run more diagnostics on a KVM test system (same OS, SELinux set to permissive) and it looks like this new minor version blocks a different feature.

My example from above is not matching my real setup...

...real setup is that particular home directories are encrypted at once, means

/home/group.encrypted <- encrypted directory
/home/group <- mounted via fuse

inside /home/group several user directories are existing like

/home/group/user1
/home/group/user2
/home/group/user3
...

effective mount options:
encfs on /home/group type fuse.encfs (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other)

and in this case it looks like 1.9.2 will prevent any write now by a normal user, while it still works with 1.9.1

$ touch test123
touch: cannot touch ‘test123’: Permission denied

(no wonder now why dovecot is claiming...)

effective encfs process:
encfs --public --extpass=cat /etc/opt/encfs/=home=group.encrypt.pass /home/group.encrypt /home/group -o rw,dev,suid

checking with strace, the following lines look like:

[pid 5461] <... setresgid resumed> ) = -1 EPERM (Operation not permitted)
[pid 5458] <... rt_sigreturn resumed> ) = 202
[pid 5461] open("/home/group.encrypt/g9xbJePBJcxv84QVUpc3Zr1i/5oWBWnT4DJTD,,wXsn-OsUmX", O_WRONLY|O_CREAT|O_EXCL, 0100644 <unfinished ...>
[pid 5458] futex(0x7ffd2827ee60, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid 5461] <... open resumed> ) = -1 EACCES (Permission denied)
[pid 5461] <... setresgid resumed> ) = -1 EPERM (Operation not permitted)
[pid 5458] <... rt_sigreturn resumed> ) = 202
[pid 5461] open("/home/group.encrypt/g9xbJePBJcxv84QVUpc3Zr1i/5oWBWnT4DJTD,,wXsn-OsUmX", O_WRONLY|O_CREAT|O_EXCL, 0100644 <unfinished ...>
[pid 5458] futex(0x7ffd2827ee60, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid 5461] <... open resumed> ) = -1 EACCES (Permission denied)

but the directory exists and unix permissions are proper... and it works with 1.9.1
related: .encfs6.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
  <cfg class_id="0" tracking_level="0" version="20">
    <version>20100713</version>
    <creator>EncFS 1.9.1</creator>
    <cipherAlg class_id="1" tracking_level="0" version="0">
      <name>ssl/aes</name>
      <major>3</major>
      <minor>0</minor>
    </cipherAlg>
    <nameAlg>
      <name>nameio/block</name>
      <major>4</major>
      <minor>0</minor>
    </nameAlg>
    <keySize>192</keySize>
    <blockSize>1024</blockSize>
    <uniqueIV>1</uniqueIV>
    <chainedNameIV>1</chainedNameIV>
    <externalIVChaining>0</externalIVChaining>
    <blockMACBytes>0</blockMACBytes>
    <blockMACRandBytes>0</blockMACRandBytes>
    <allowHoles>1</allowHoles>
    <encodedKeySize>44</encodedKeySize>
    <encodedKeyData>***</encodedKeyData>
    <saltLen>20</saltLen>
    <saltData>***</saltData>
    <kdfIterations>269348</kdfIterations>
    <desiredKDFDuration>500</desiredKDFDuration>
  </cfg>
</boost_serialization>
I'm not that good at this. Please create the same bug report in the upstream bug tracker: https://github.com/vgough/encfs/issues

And I can create an rpm from upstream master for testing if you wish to test it.
Upstream bug filed: https://github.com/vgough/encfs/issues/398
Upstream here. I have just committed https://github.com/vgough/encfs/commit/f5d37d2c6581e874c8d4aedfe8a09339b3f8b03d which fixes the problem.
This patch applies cleanly to v1.9.2 as well and should fix the problem there as well.
(In reply to jakobunt from comment #6)
> Upstream here. I have just committed
> https://github.com/vgough/encfs/commit/f5d37d2c6581e874c8d4aedfe8a09339b3f8b03d which fixes the problem.
> This patch applies cleanly to v1.9.2 as well and should fix the problem
> there as well.

I can't apply the patch cleanly:

encfs ((v1.9.2))]$ patch -p1 -s --fuzz=0 --no-backup-if-mismatch <0001-Replace-linux-define-with-more-standard-__linux__.patch
1 out of 1 hunk FAILED -- saving rejects to file encfs/FileUtils.cpp.rej
1 out of 1 hunk FAILED -- saving rejects to file encfs/RawFileIO.cpp.rej
1 out of 1 hunk FAILED -- saving rejects to file encfs/encfs.cpp.rej
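
The patch named above replaces the `linux` preprocessor test with `__linux__`. The following C code is an added example, not encfs source, showing why the spelling decides which identity-switching branch gets compiled. Assumptions: the guarded code is a per-request setfsuid/setfsgid switch (the thread does not show it), and all function names are hypothetical.

```c
/* Added example, not encfs source; function names are hypothetical. */
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/fsuid.h>
#endif

/* 1 if the compiler predefines the bare `linux` macro. GCC does so only in
 * its GNU dialects (-std=gnu*), not under strict -std=c99 / -std=c++11. */
int legacy_linux_macro(void) {
#ifdef linux
  return 1;
#else
  return 0;
#endif
}

/* 1 if `__linux__` is predefined: true for Linux targets in every dialect. */
int standard_linux_macro(void) {
#ifdef __linux__
  return 1;
#else
  return 0;
#endif
}

/* Create `path` with the filesystem identity (uid, gid), then restore the
 * previous identity. Returns 0 on success, -1 on failure. */
int create_as(uid_t uid, gid_t gid, const char *path) {
  int fd;
#ifdef __linux__
  /* Per-thread filesystem ids: euid/egid and other threads stay untouched. */
  int old_gid = setfsgid(gid);
  int old_uid = setfsuid(uid);
  fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
  setfsuid((uid_t)old_uid);
  setfsgid((gid_t)old_gid);
#else
  /* Portable fallback: effective ids, group first, restored in reverse. */
  uid_t old_uid = geteuid();
  gid_t old_gid = getegid();
  if (setegid(gid) != 0) return -1;
  if (seteuid(uid) != 0) { setegid(old_gid); return -1; }
  fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
  if (seteuid(old_uid) != 0 || setegid(old_gid) != 0) { if (fd >= 0) close(fd); return -1; }
#endif
  return (fd < 0) ? -1 : close(fd);
}
```

Changing the guard in `create_as` to `#ifdef linux` and building with a strict `-std=` option selects the fallback branch on a Linux host without any compiler diagnostic.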
fuse-encfs-1.9.2-4.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0932640627
fuse-encfs-1.9.2-4.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-452dd7c36e
fuse-encfs-1.9.2-4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-06958f898f
fuse-encfs-1.9.2-4.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6867f16795
fuse-encfs-1.9.2-4.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-0932640627
fuse-encfs-1.9.2-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6867f16795
fuse-encfs-1.9.2-4.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-452dd7c36e
fuse-encfs-1.9.2-4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-06958f898f
fuse-encfs-1.9.2-4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
fuse-encfs-1.9.2-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
fuse-encfs-1.9.2-4.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
fuse-encfs-1.9.2-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.