Skip to content

Commit

Permalink
Allow multiple -extpass arguments
Browse files Browse the repository at this point in the history
To support arguments containing spaces, -extpass can now
be passed multiple times.

#289
  • Loading branch information
rfjakob committed Mar 3, 2019
1 parent 61940a9 commit cf27037
Show file tree
Hide file tree
Showing 11 changed files with 79 additions and 25 deletions.
15 changes: 13 additions & 2 deletions Documentation/MANPAGE.md
Original file line number Diff line number Diff line change
Expand Up @@ -89,8 +89,19 @@ Enable (`-exec`) or disable (`-noexec`) executables in a gocryptfs mount
#### -extpass string
Use an external program (like ssh-askpass) for the password prompt.
The program should return the password on stdout, a trailing newline is
stripped by gocryptfs. Using something like "cat /mypassword.txt" allows
one to mount the gocryptfs filesystem without user interaction.
stripped by gocryptfs. If you just want to read from a password file, see `-passfile`.

When `-extpass` is specified once, the string argument will be split on spaces.
For example, `-extpass "md5sum my password.txt"` will be executed as
`"md5sum" "my" "password.txt"`, which is NOT what you want.

Specify `-extpass` twice or more to use the string arguments as-is.
For example, you DO want to call `md5sum` like this:
`-extpass "md5sum" -extpass "my password.txt"`.

If you want to prevent splitting on spaces but don't want to pass arguments
to your program, use `"--"`, which is accepted by most programs:
`-extpass "my program" -extpass "--"`

#### -fg, -f
Stay in the foreground instead of forking away. Implies "-nosyslog".
Expand Down
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,8 @@ v1.7, in progress (v1.7-beta1: 2019-01-03, v1.7-rc1: 2019-01-04)
([#320](https://github.com/rfjakob/gocryptfs/issues/320)).
Prevents trouble in the unlikely case that gocryptfs is called with
stdin,stdout and/or stderr closed.
* `-extpass` now can be specified multiple times to support arguments containing spaces
([#289](https://github.com/rfjakob/gocryptfs/issues/289))

v1.6.1, 2018-12-12
* Fix "Operation not supported" chmod errors on Go 1.11
Expand Down
20 changes: 14 additions & 6 deletions cli_args.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,9 +32,11 @@ type argContainer struct {
sharedstorage, devrandom, fsck, trezor bool
// Mount options with opposites
dev, nodev, suid, nosuid, exec, noexec, rw, ro bool
masterkey, mountpoint, cipherdir, cpuprofile, extpass,
masterkey, mountpoint, cipherdir, cpuprofile,
memprofile, ko, passfile, ctlsock, fsname, force_owner, trace string
// For reverse mode, --exclude is available. It can be specified multiple times.
// -extpass can be passed multiple times
extpass multipleStrings
// For reverse mode, -exclude is available. It can be specified multiple times.
exclude multipleStrings
// Configuration file name override
config string
Expand Down Expand Up @@ -62,6 +64,11 @@ func (s *multipleStrings) Set(val string) error {
return nil
}

func (s *multipleStrings) Empty() bool {
s2 := []string(*s)
return len(s2) == 0
}

var flagSet *flag.FlagSet

// prefixOArgs transform options passed via "-o foo,bar" into regular options
Expand Down Expand Up @@ -179,7 +186,6 @@ func parseCliOpts() (args argContainer) {
flagSet.StringVar(&args.cpuprofile, "cpuprofile", "", "Write cpu profile to specified file")
flagSet.StringVar(&args.memprofile, "memprofile", "", "Write memory profile to specified file")
flagSet.StringVar(&args.config, "config", "", "Use specified config file instead of CIPHERDIR/gocryptfs.conf")
flagSet.StringVar(&args.extpass, "extpass", "", "Use external program for the password prompt")
flagSet.StringVar(&args.passfile, "passfile", "", "Read password from file")
flagSet.StringVar(&args.ko, "ko", "", "Pass additional options directly to the kernel, comma-separated list")
flagSet.StringVar(&args.ctlsock, "ctlsock", "", "Create control socket at specified path")
Expand All @@ -190,6 +196,8 @@ func parseCliOpts() (args argContainer) {
// -e, --exclude
flagSet.Var(&args.exclude, "e", "Alias for -exclude")
flagSet.Var(&args.exclude, "exclude", "Exclude relative path from reverse view")
// -extpass
flagSet.Var(&args.extpass, "extpass", "Use external program for the password prompt")

flagSet.IntVar(&args.notifypid, "notifypid", 0, "Send USR1 to the specified process after "+
"successful mount - used internally for daemonization")
Expand Down Expand Up @@ -248,19 +256,19 @@ func parseCliOpts() (args argContainer) {
args.allow_other = false
args.ko = "noexec"
}
if args.extpass != "" && args.passfile != "" {
if !args.extpass.Empty() && args.passfile != "" {
tlog.Fatal.Printf("The options -extpass and -passfile cannot be used at the same time")
os.Exit(exitcodes.Usage)
}
if args.passfile != "" && args.masterkey != "" {
tlog.Fatal.Printf("The options -passfile and -masterkey cannot be used at the same time")
os.Exit(exitcodes.Usage)
}
if args.extpass != "" && args.masterkey != "" {
if !args.extpass.Empty() && args.masterkey != "" {
tlog.Fatal.Printf("The options -extpass and -masterkey cannot be used at the same time")
os.Exit(exitcodes.Usage)
}
if args.extpass != "" && args.trezor {
if !args.extpass.Empty() && args.trezor {
tlog.Fatal.Printf("The options -extpass and -trezor cannot be used at the same time")
os.Exit(exitcodes.Usage)
}
Expand Down
2 changes: 1 addition & 1 deletion gocryptfs-xray/xray_main.go
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ func main() {

func dumpMasterKey(fn string) {
tlog.Info.Enabled = false
pw := readpassword.Once("", "", "")
pw := readpassword.Once(nil, "", "")
masterkey, _, err := configfile.LoadAndDecrypt(fn, pw)
if err != nil {
fmt.Fprintln(os.Stderr, err)
Expand Down
4 changes: 2 additions & 2 deletions init_dir.go
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ func initDir(args *argContainer) {
}
}
// Choose password for config file
if args.extpass == "" {
if args.extpass.Empty() {
tlog.Info.Printf("Choose a password for protecting your files.")
}
{
Expand All @@ -80,7 +80,7 @@ func initDir(args *argContainer) {
password = readpassword.Trezor(trezorPayload)
} else {
// Normal password entry
password = readpassword.Twice(args.extpass, args.passfile)
password = readpassword.Twice([]string(args.extpass), args.passfile)
readpassword.CheckTrailingGarbage()
}
creator := tlog.ProgramName + " " + GitVersion
Expand Down
34 changes: 30 additions & 4 deletions internal/readpassword/extpass_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,23 +18,49 @@ func TestMain(m *testing.M) {

func TestExtpass(t *testing.T) {
p1 := "ads2q4tw41reg52"
p2 := string(readPasswordExtpass("echo " + p1))
p2 := string(readPasswordExtpass([]string{"echo " + p1}))
if p1 != p2 {
t.Errorf("p1=%q != p2=%q", p1, p2)
}
}

func TestOnceExtpass(t *testing.T) {
p1 := "lkadsf0923rdfi48rqwhdsf"
p2 := string(Once("echo "+p1, "", ""))
p2 := string(Once([]string{"echo " + p1}, "", ""))
if p1 != p2 {
t.Errorf("p1=%q != p2=%q", p1, p2)
}
}

// extpass with two arguments
func TestOnceExtpass2(t *testing.T) {
p1 := "foo"
p2 := string(Once([]string{"echo", p1}, "", ""))
if p1 != p2 {
t.Errorf("p1=%q != p2=%q", p1, p2)
}
}

// extpass with three arguments
func TestOnceExtpass3(t *testing.T) {
p1 := "foo bar baz"
p2 := string(Once([]string{"echo", "foo", "bar", "baz"}, "", ""))
if p1 != p2 {
t.Errorf("p1=%q != p2=%q", p1, p2)
}
}

func TestOnceExtpassSpaces(t *testing.T) {
p1 := "mypassword"
p2 := string(Once([]string{"cat", "passfile_test_files/file with spaces.txt"}, "", ""))
if p1 != p2 {
t.Errorf("p1=%q != p2=%q", p1, p2)
}
}

func TestTwiceExtpass(t *testing.T) {
p1 := "w5w44t3wfe45srz434"
p2 := string(Once("echo "+p1, "", ""))
p2 := string(Once([]string{"echo " + p1}, "", ""))
if p1 != p2 {
t.Errorf("p1=%q != p2=%q", p1, p2)
}
Expand All @@ -46,7 +72,7 @@ func TestTwiceExtpass(t *testing.T) {
// https://talks.golang.org/2014/testing.slide#23 .
func TestExtpassEmpty(t *testing.T) {
if os.Getenv("TEST_SLAVE") == "1" {
readPasswordExtpass("echo")
readPasswordExtpass([]string{"echo"})
return
}
cmd := exec.Command(os.Args[0], "-test.run=TestExtpassEmpty$")
Expand Down
1 change: 1 addition & 0 deletions internal/readpassword/passfile_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ func TestPassfile(t *testing.T) {
{"mypassword.txt", "mypassword"},
{"mypassword_garbage.txt", "mypassword"},
{"mypassword_missing_newline.txt", "mypassword"},
{"file with spaces.txt", "mypassword"},
}
for _, tc := range testcases {
pw := readPassFile("passfile_test_files/" + tc.file)
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
mypassword
19 changes: 12 additions & 7 deletions internal/readpassword/read.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,11 @@ const (

// Once tries to get a password from the user, either from the terminal, extpass
// or stdin. Leave "prompt" empty to use the default "Password: " prompt.
func Once(extpass string, passfile string, prompt string) []byte {
func Once(extpass []string, passfile string, prompt string) []byte {
if passfile != "" {
return readPassFile(passfile)
}
if extpass != "" {
if len(extpass) != 0 {
return readPasswordExtpass(extpass)
}
if prompt == "" {
Expand All @@ -42,11 +42,11 @@ func Once(extpass string, passfile string, prompt string) []byte {

// Twice is the same as Once but will prompt twice if we get the password from
// the terminal.
func Twice(extpass string, passfile string) []byte {
func Twice(extpass []string, passfile string) []byte {
if passfile != "" {
return readPassFile(passfile)
}
if extpass != "" {
if len(extpass) != 0 {
return readPasswordExtpass(extpass)
}
if !terminal.IsTerminal(int(os.Stdin.Fd())) {
Expand Down Expand Up @@ -99,9 +99,14 @@ func readPasswordStdin(prompt string) []byte {
// readPasswordExtpass executes the "extpass" program and returns the first line
// of the output.
// Exits on read error or empty result.
func readPasswordExtpass(extpass string) []byte {
tlog.Info.Println("Reading password from extpass program")
parts := strings.Split(extpass, " ")
func readPasswordExtpass(extpass []string) []byte {
var parts []string
if len(extpass) == 1 {
parts = strings.Split(extpass[0], " ")
} else {
parts = extpass
}
tlog.Info.Printf("Reading password from extpass program %q, arguments: %q\n", parts[0], parts[1:])
cmd := exec.Command(parts[0], parts[1:]...)
cmd.Stderr = os.Stderr
pipe, err := cmd.StdoutPipe()
Expand Down
4 changes: 2 additions & 2 deletions main.go
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ func loadConfig(args *argContainer) (masterkey []byte, cf *configfile.ConfFile,
pw = readpassword.Trezor(cf.TrezorPayload)
} else {
// Normal password entry
pw = readpassword.Once(args.extpass, args.passfile, "")
pw = readpassword.Once([]string(args.extpass), args.passfile, "")
}
tlog.Info.Println("Decrypting master key")
masterkey, err = cf.DecryptMasterKey(pw)
Expand Down Expand Up @@ -93,7 +93,7 @@ func changePassword(args *argContainer) {
log.Panic("empty masterkey")
}
tlog.Info.Println("Please enter your new password.")
newPw := readpassword.Twice(args.extpass, args.passfile)
newPw := readpassword.Twice([]string(args.extpass), args.passfile)
readpassword.CheckTrailingGarbage()
confFile.EncryptKey(masterkey, newPw, confFile.ScryptObject.LogN())
for i := range newPw {
Expand Down
2 changes: 1 addition & 1 deletion masterkey.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ func getMasterKey(args *argContainer) (masterkey []byte, confFile *configfile.Co
masterkeyFromStdin := false
// "-masterkey=stdin"
if args.masterkey == "stdin" {
args.masterkey = string(readpassword.Once("", "", "Masterkey"))
args.masterkey = string(readpassword.Once(nil, "", "Masterkey"))
masterkeyFromStdin = true
}
// "-masterkey=941a6029-3adc6a1c-..."
Expand Down

0 comments on commit cf27037

Please sign in to comment.