diff --git a/changelog/unreleased/fix-share-jail-perms b/changelog/unreleased/fix-share-jail-perms new file mode 100644 index 00000000000..44279fcd1d6 --- /dev/null +++ b/changelog/unreleased/fix-share-jail-perms @@ -0,0 +1,5 @@ +Bugfix: fix the share jail permissions in the decomposedfs + +The share jail should be not writable + +https://github.com/cs3org/reva/pull/1939 diff --git a/pkg/storage/utils/decomposedfs/lookup.go b/pkg/storage/utils/decomposedfs/lookup.go index fe1fc315bca..ade953423ac 100644 --- a/pkg/storage/utils/decomposedfs/lookup.go +++ b/pkg/storage/utils/decomposedfs/lookup.go @@ -168,3 +168,8 @@ func (lu *Lookup) mustGetUserLayout(ctx context.Context) string { u := user.ContextMustGetUser(ctx) return templates.WithUser(u, lu.Options.UserLayout) } + +// ShareFolder returns the internal storage root directory +func (lu *Lookup) ShareFolder() string { + return lu.Options.ShareFolder +} diff --git a/pkg/storage/utils/decomposedfs/node/node.go b/pkg/storage/utils/decomposedfs/node/node.go index 4b8a1f9f18d..1d655588716 100644 --- a/pkg/storage/utils/decomposedfs/node/node.go +++ b/pkg/storage/utils/decomposedfs/node/node.go @@ -84,6 +84,7 @@ type PathLookup interface { InternalRoot() string InternalPath(ID string) string Path(ctx context.Context, n *Node) (path string, err error) + ShareFolder() string } // New returns a new instance of Node diff --git a/pkg/storage/utils/decomposedfs/node/permissions.go b/pkg/storage/utils/decomposedfs/node/permissions.go index ea3e5cae9dc..bd358125158 100644 --- a/pkg/storage/utils/decomposedfs/node/permissions.go +++ b/pkg/storage/utils/decomposedfs/node/permissions.go @@ -32,7 +32,7 @@ import ( "github.com/pkg/xattr" ) -// NoPermissions represents an empty set of permssions +// NoPermissions represents an empty set of permissions var NoPermissions *provider.ResourcePermissions = &provider.ResourcePermissions{} // NoOwnerPermissions defines permissions for nodes that don't have an owner set, eg the root node @@ -63,6 +63,19 @@ var OwnerPermissions *provider.ResourcePermissions = &provider.ResourcePermissio UpdateGrant: true, } +// ShareFolderPermissions defines permissions for the shared jail +func ShareFolderPermissions() provider.ResourcePermissions { + return provider.ResourcePermissions{ + // read permissions + ListContainer: true, + Stat: true, + InitiateFileDownload: true, + GetPath: true, + GetQuota: true, + ListFileVersions: true, + } +} + // Permissions implements permission checks type Permissions struct { lu PathLookup @@ -95,10 +108,14 @@ func (p *Permissions) AssemblePermissions(ctx context.Context, n *Node) (ap *pro return NoOwnerPermissions, nil } if isSameUserID(u.Id, o) { + lp, err := n.lu.Path(ctx, n) + if err == nil && lp == n.lu.ShareFolder() { + perms := ShareFolderPermissions() + return &perms, nil + } appctx.GetLogger(ctx).Debug().Interface("node", n).Msg("user is owner, returning owner permissions") return OwnerPermissions, nil } - // determine root var rn *Node if rn, err = p.lu.RootNode(ctx); err != nil { diff --git a/pkg/storage/utils/decomposedfs/tree/tree.go b/pkg/storage/utils/decomposedfs/tree/tree.go index 934799f9e19..c7211fc882c 100644 --- a/pkg/storage/utils/decomposedfs/tree/tree.go +++ b/pkg/storage/utils/decomposedfs/tree/tree.go @@ -61,6 +61,7 @@ type PathLookup interface { InternalRoot() string InternalPath(ID string) string Path(ctx context.Context, n *node.Node) (path string, err error) + ShareFolder() string } // Tree manages a hierarchical tree