fix permissions for share jail

cs3org · Jul 30, 2021 · fb1efe4 · fb1efe4
1 parent fcb7a30
commit fb1efe4
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 2 deletions.
diff --git a/changelog/unreleased/fix-share-jail-perms b/changelog/unreleased/fix-share-jail-perms
@@ -0,0 +1,5 @@
+Bugfix: fix the share jail permissions in the decomposedfs
+
+The share jail should be not writable
+
+https://github.com/cs3org/reva/pull/1939
diff --git a/pkg/storage/utils/decomposedfs/lookup.go b/pkg/storage/utils/decomposedfs/lookup.go
@@ -168,3 +168,8 @@ func (lu *Lookup) mustGetUserLayout(ctx context.Context) string {
 	u := user.ContextMustGetUser(ctx)
 	return templates.WithUser(u, lu.Options.UserLayout)
 }
+
+// ShareFolder returns the internal storage root directory
+func (lu *Lookup) ShareFolder() string {
+	return lu.Options.ShareFolder
+}
diff --git a/pkg/storage/utils/decomposedfs/node/node.go b/pkg/storage/utils/decomposedfs/node/node.go
@@ -84,6 +84,7 @@ type PathLookup interface {
 	InternalRoot() string
 	InternalPath(ID string) string
 	Path(ctx context.Context, n *Node) (path string, err error)
+	ShareFolder() string
 }
 
 // New returns a new instance of Node

diff --git a/pkg/storage/utils/decomposedfs/node/permissions.go b/pkg/storage/utils/decomposedfs/node/permissions.go
@@ -32,14 +32,21 @@ import (
 	"github.com/pkg/xattr"
 )
 
-// NoPermissions represents an empty set of permssions
+// NoPermissions represents an empty set of permissions
 var NoPermissions *provider.ResourcePermissions = &provider.ResourcePermissions{}
 
 // NoOwnerPermissions defines permissions for nodes that don't have an owner set, eg the root node
 var NoOwnerPermissions *provider.ResourcePermissions = &provider.ResourcePermissions{
 	Stat: true,
 }
 
+// ShareFolderPermissions defines permissions for the shared jail
+var ShareFolderPermissions *provider.ResourcePermissions = &provider.ResourcePermissions{
+	// read permissions
+	ListContainer:        true,
+	Stat:                 true,
+}
+
 // OwnerPermissions defines permissions for nodes owned by the user
 var OwnerPermissions *provider.ResourcePermissions = &provider.ResourcePermissions{
 	// all permissions
@@ -95,10 +102,14 @@ func (p *Permissions) AssemblePermissions(ctx context.Context, n *Node) (ap *pro
 		return NoOwnerPermissions, nil
 	}
 	if isSameUserID(u.Id, o) {
+		lp, err := n.lu.Path(ctx, n)
+		if err == nil && lp == n.lu.ShareFolder() {
+			perms := *ShareFolderPermissions
+			return &perms, nil
+		}
 		appctx.GetLogger(ctx).Debug().Interface("node", n).Msg("user is owner, returning owner permissions")
 		return OwnerPermissions, nil
 	}
-
 	// determine root
 	var rn *Node
 	if rn, err = p.lu.RootNode(ctx); err != nil {

diff --git a/pkg/storage/utils/decomposedfs/tree/tree.go b/pkg/storage/utils/decomposedfs/tree/tree.go
@@ -61,6 +61,7 @@ type PathLookup interface {
 	InternalRoot() string
 	InternalPath(ID string) string
 	Path(ctx context.Context, n *node.Node) (path string, err error)
+	ShareFolder() string
 }
 
 // Tree manages a hierarchical tree