As similar reparse tags are being used for accessing OneDrive files
and directories, a similar policy has to be used for accessing them.
Until giving full access to OneDrive files with a local copy is
mature enough to have it processed internally, it is safer to have
it delegated to an external plugin. This reverts [4f450a].
When permissions are enabled and setxattr() is rejected, an error
must be returned even though the option silent is set. This is needed
for "cp -p" to know it has to try setting the permissions again and use
chmod().
When the bit 28 of a reparse tag is set on a directory, the reparse
information should be ignored and the directory should be accessed
the usual way (this setting is new to Windows 10). In such a situation
access the directory through an internal plugin rather than through
an external one.
The same policy applies to REPARSE_TAG_WCI which had been defined
earlier without the bit 28 being set.
When the ntfs image is unclean, usually because it was not unmounted
properly from Windows, mounting read-write is denied and falls back
to read-only. Log this situation in the syslog, so that users mounting
through /etc/fstab can more easily know what is going on. Also remove
the "rw" option if it was stated.
Windows 10 brought a new type of reparse point for directories (0x80000018),
so add opendir() and readdir() to the plugin interface to take directories
into account. The interface for releasedir() is merged with release() as
the plugins can discriminate them if needed.
Windows places filenames with a trailing dot or space in the Win32
namespace and allows setting DOS names on such files. This is true even
though on Windows such filenames can only be created and accessed using
WinNT-style paths and will confuse most Windows software. Regardless,
because libntfs-3g did not allow setting DOS names on such files, in
some cases it was impossible to correctly restore, using libntfs-3g, a
directory structure that was created under Windows.
Update ntfs_set_ntfs_dos_name() to permit operating on a file that has a
long name with a trailing dot or space. But continue to forbid creating
such names on a filesystem FUSE-mounted with the windows_name option.
Additionally, continue to forbid a trailing dot or space in DOS names;
this matches the Windows behavior.
(contributed by Eric Biggers)
Following a recent patch to the fuse kernel, the Posix ACL checks can
be done within the kernel instead of having to be done in the file
system, provided lowntfs-3g is used.
This mode is still not used by default until the fuse patch is
released by distributions.
Now that the size of the reparse point attribute is no longer used by
the FUSE drivers to populate st_size for symlinks and junctions, it no
longer needs to be returned by ntfs_make_symlink().
(contributed by Eric Biggers)
Made ntfs-3g conform to the standard POSIX convention of setting st_size
to the length of the symlink target without a terminating null.
(contributed by Eric Biggers)
$Extend is a directory reserved for metadata specific to Windows.
Inserting other files or directories there leads to problems with
some Windows versions.
GCC 6 reports a warning in ntfs_allowed_dir_access() because the code has
misleading indentation. Fix by adding braces. There is no actual change
in behavior because of the '(allowed == 2)' condition.
Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
Currently, applications that wish to access security descriptors have to
explicitly open the volume's security descriptor index ("$Secure") using
ntfs_open_secure(). Applications are also responsible for closing the
index when done with it. However, the cleanup function for doing so,
ntfs_close_secure(), cannot be called easily by all applications because
it requires a SECURITY_CONTEXT argument, not simply the ntfs_volume.
Some applications therefore have to close the inode and index contexts
manually in order to clean up properly.
This proposal updates libntfs-3g to open $Secure unconditionally as part
of ntfs_mount(), so that applications do not have to worry about it.
ntfs_close_secure() is updated to take in a ntfs_volume for internal use,
and ntfs_destroy_security_context() is now the function to call to free
memory associated with a SECURITY_CONTEXT rather than a ntfs_volume.
Some memory leaks in error paths of ntfs_open_secure() are also fixed.
Signed-off-by: Eric Biggers <ebiggers3@gmail.com>
Switch to the standard autoconf AC_HEADER_MAJOR macro which takes care
of the ugly details like when to use mkdev.h and when to use sysmacros.h.
(requires <sys/types.h> to be included)
Also include these in all files that use major/minor/makedev funcs.
(Contributed by Mike Frysinger)
If the remove_hiberfile mount option is present, explicitly disallow
the library from switching to a read-only mount. This is only to avoid
confusion, as the remove_hiberfile is processed before taking the
decision to fall back to read-only.
User extended attributes should only be set on files and directories,
not on symlinks, sockets, devices, etc. For safety they are also
forbidden on metadata files, but should be allowed on the root
directory. For files based on reparse points, requests are made
to the plugin to determine the type.
The new "system compression" files used by Windows 10 make use of reparse
points to record the compression parameters, and a specific named data
stream is used to store the compressed data. With this patch, processing
of reparse points can be done by an external plugin only loaded as needed.
Junctions and symlinks, which are also based on reparse points, are now
processed by "internal plugins".
fuse-lite announces a FUSE_VERSION which may not always match the exact
capabilities of the library. Hence we add a special case for 'ioctl',
which we know exists in fuse-lite regardless of the version number
published.
The capability actually appeared in FUSE 2.9, not 2.8. However in order
to maintain similarity to earlier #ifdef:s, we simply check if
FUSE_CAP_IOCTL_DIR is defined rather than checking the FUSE version.
fstrim(8) discards unused blocks on a mounted filesystem. It is useful for
solid-state drives (SSDs) and thinly-provisioned storage.
Only trimming the full device (with no option) is supported.
Contributed by Richard W.M. Jones
When Posix ACLs are used, the umask is ignored and the initial permissions
of created files are taken from the parent directory. However the umask
should still be used when the Posix ACLs are not enabled in the mount
options.
When permissions are used, umask(2) is supposed to be active and the
umask mount option is supposed to be ignored, but it was still wrongly
applied. This caused permission restrictions when an external disk was
automatically mounted with standard options.
chmod/chown/setfacl can only define permissions according to Linux rules
with references to owner and group. Windows rules are more general and
propagated through inheritance, and chmod/chown/setfacl may create unwanted
deviations from these rules. Ignoring them prevents text editors from
creating such deviations when updating a file and creating a backup one.
If a readdir operation returned a file name larger than 255 bytes,
Solaris/Illumos would return I/O error from the readdir operation.
Fixed by truncating the file name returned in the readdir operation.
In ntfs_fuse_parse_path(), it's possible that strdup() succeeds but
ntfs_mbstoucs() returns a negative value. In such a case the callers
just treat it as an error and ignore the allocated path buffer,
which results in a memory leak.
It fixes the warnings
src/ntfs-3g.c: In function 'ntfs_fuse_readlink':
src/ntfs-3g.c:987:6: warning: 'path' may be used uninitialized in this function [-Wmaybe-uninitialized]
src/ntfs-3g.c: In function 'ntfs_fuse_create':
src/ntfs-3g.c:1765:6: warning: 'path' may be used uninitialized in this function [-Wmaybe-uninitialized]
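The cleanup pattern this fix describes, as an added sketch that is not the ntfs-3g source: parse_path() and convert_stream_name() are hypothetical stand-ins (the latter for the multibyte conversion, made to fail on non-ASCII bytes so the error path can be exercised offline).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the multibyte-to-UTF-16 conversion: fails
 * with -1 on any byte >= 0x80, otherwise returns the converted length. */
static int convert_stream_name(const char *in, unsigned short **out)
{
	size_t i, n = strlen(in);

	for (i = 0; i < n; i++)
		if ((unsigned char)in[i] >= 0x80)
			return -1;
	*out = malloc((n + 1) * sizeof(**out));
	if (!*out)
		return -1;
	for (i = 0; i <= n; i++)
		(*out)[i] = (unsigned char)in[i];
	return (int)n;
}

/* Split "path:stream" into a duplicated path and a converted stream name.
 * Returns the stream name length, or -1 with *path == NULL and
 * *stream == NULL, so callers that only test the return value leak nothing. */
int parse_path(const char *org, char **path, unsigned short **stream)
{
	char *sep;
	int res = 0;

	*stream = NULL;
	*path = strdup(org);
	if (!*path)
		return -1;
	sep = strchr(*path, ':');
	if (sep) {
		*sep = '\0';
		res = convert_stream_name(sep + 1, stream);
		if (res < 0) {
			/* The step the fix adds: release the copy on failure. */
			free(*path);
			*path = NULL;
			*stream = NULL;
		}
	}
	return res;
}
```

Resetting the output pointer to NULL on failure also gives callers a defined value to test or free, which is what silences a "may be used uninitialized" diagnostic of the kind quoted above.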
Windows applies legacy restrictions to file names, so when the option
windows_names is applied, reject the same reserved names, which are
CON, PRN, AUX, NUL, COM1..COM9, and LPT1..LPT9.
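A name check combining the reserved-name rule above with the trailing dot or space rule from the earlier DOS-name change, as an added example that is not the libntfs-3g implementation. name_forbidden_for_windows() is a hypothetical helper, and treating a reserved name followed by an extension as reserved is an assumption taken from Windows behaviour, not from the commit text.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Reserved DOS device names listed in the commit message above. */
static const char *const reserved3[] = { "CON", "PRN", "AUX", "NUL" };
static const char *const reserved4[] = { "COM", "LPT" }; /* followed by 1..9 */

/* Case-insensitive comparison of the first n bytes of s against an
 * upper-case ASCII keyword. */
static int prefix_is(const char *s, const char *kw, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (toupper((unsigned char)s[i]) != kw[i])
			return 0;
	return 1;
}

/* Hypothetical helper: returns 1 if `name` (a single path component)
 * must be rejected on creation under windows_names, 0 otherwise. */
int name_forbidden_for_windows(const char *name)
{
	size_t len = strlen(name);
	size_t base = strcspn(name, ".");	/* length before the first dot */
	size_t i;

	if (len == 0)
		return 1;
	/* Trailing dot or space: only reachable through WinNT-style paths. */
	if (name[len - 1] == '.' || name[len - 1] == ' ')
		return 1;
	/* Assumption: a reserved name followed by an extension ("nul.txt")
	 * is treated like the bare device name, as Windows does. */
	if (base == 3)
		for (i = 0; i < 4; i++)
			if (prefix_is(name, reserved3[i], 3))
				return 1;
	if (base == 4 && name[3] >= '1' && name[3] <= '9')
		for (i = 0; i < 2; i++)
			if (prefix_is(name, reserved4[i], 3))
				return 1;
	return 0;
}
```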
When issuing a utimensat as a consequence of utime(2) or utimensat(2),
fuse had temporarily defined a flag utime_omit_ok to identify whether
the file system supports the values UTIME_OMIT and UTIME_NOW to mean
specific timestamp updates. The flag has been obsoleted and all
file systems are now supposed to comply with the convention.
The MS_* flags originated from system constants. However the flags
passed to ntfs_mount were really unrelated to the system constants and
many new MS_* flags had to be introduced as different features were
added to the library. Those flags had no counterparts in any system
APIs, so using the same naming scheme is inappropriate.
Instead, let's namespace these flags similarly to what has already been
done in ntfsprogs/libntfs earlier. This avoids any possible conflicts
with system constants.
The values of the flags themselves are kept the same as earlier, so
backward compatibility is retained.
External devices, such as USB keys, may have a switch to make them
temporarily unwriteable. When such a device is plugged in, mount it
as read-only by default.
The type of special files (symlinks, fifos, etc.) was not returned in
readdir() and they appeared wrongly in the field d_type of "struct dirent".
This prevented some applications which relied on d_type (which does
not exist in Solaris) from navigating in an NTFS tree.
Use of UTIME_NOW and UTIME_OMIT had been temporarily removed when using
external fuse, because early versions of external fuse 2.9 did not
support them. They can now be restored as they are supported by released
versions of fuse 2.9.
Special files (FIFOs, SOCKETs, etc.) are not allowed to have user extended
attributes. When listing their extended attributes, return none without
checking whether the calling process is allowed to access these files.
So far the set-group-id flag could be set in a chmod. This patch enables
the inheritance of the group to files and subdirectories, and the
inheritance of the set-group-id flag to subdirectories.
The suggestion to use option remove_hiberfile was displayed in the
standard help and when a volume is found dirty. As this option may
lead to loss of data, only mention it in the manual, with a proper
warning.