nametransform: move permission constants to perms.go

Prep for #539

internal/nametransform/diriv.go

@@ -62,14 +62,6 @@ func fdReadDirIV(fd *os.File) (iv []byte, err error) {
 // This function is exported because it is used from fusefrontend, main,
 // and also the automated tests.
 func WriteDirIVAt(dirfd int) error {
-	// It makes sense to have the diriv files group-readable so the FS can
-	// be mounted from several users from a network drive (see
-	// https://github.com/rfjakob/gocryptfs/issues/387 ).
-	//
-	// Note that gocryptfs.conf is still created with 0400 permissions so the
-	// owner must explicitly chmod it to permit access.
-	const dirivPerms = 0440
-
 	iv := cryptocore.RandBytes(DirIVLen)
 	// 0400 permissions: gocryptfs.diriv should never be modified after creation.
 	// Don't use "ioutil.WriteFile", it causes trouble on NFS:

internal/nametransform/longnames.go

@@ -136,7 +136,7 @@ func (n *NameTransform) WriteLongNameAt(dirfd int, hashName string, plainName st
 
 	// Write the encrypted name into hashName.name
 	fdRaw, err := syscallcompat.Openat(dirfd, hashName+LongNameSuffix,
-		syscall.O_WRONLY|syscall.O_CREAT|syscall.O_EXCL, 0400)
+		syscall.O_WRONLY|syscall.O_CREAT|syscall.O_EXCL, namePerms)
 	if err != nil {
 		// Don't warn if the file already exists - this is allowed for renames
 		// and should be handled by the caller.

internal/nametransform/perms.go

@@ -0,0 +1,16 @@
+package nametransform
+
+const (
+	// Permissions for gocryptfs.diriv files
+	//
+	// It makes sense to have the diriv files group-readable so the FS can
+	// be mounted from several users from a network drive (see
+	// https://github.com/rfjakob/gocryptfs/issues/387 ).
+	//
+	// Note that gocryptfs.conf is still created with 0400 permissions so the
+	// owner must explicitly chmod it to permit access.
+	dirivPerms = 0440
+
+	// Permissions for gocryptfs.longname.[sha256].name files
+	namePerms = 0400
+)