From b0ba16510791428669aea6f54a5f8b263e159dee Mon Sep 17 00:00:00 2001
From: Ophestra <cat@gensokyo.uk>
Date: Wed, 8 Apr 2026 16:14:47 +0900
Subject: [PATCH] cmd/sharefs: group-accessible permission bits

This works around the race in vfs via supplementary group.

Signed-off-by: Ophestra <cat@gensokyo.uk>
---
 cmd/sharefs/fuse-operations.h      |  4 +--
 test/interactive/configuration.nix |  5 +++-
 test/interactive/raceattr.nix      | 44 +++++++++++++++++-------------
 3 files changed, 31 insertions(+), 22 deletions(-)

diff --git a/cmd/sharefs/fuse-operations.h b/cmd/sharefs/fuse-operations.h
index da118c84..2150571a 100644
--- a/cmd/sharefs/fuse-operations.h
+++ b/cmd/sharefs/fuse-operations.h
@@ -7,8 +7,8 @@
 #endif
 
 #define SHAREFS_MEDIA_RW_ID (1 << 10) - 1 /* owning gid presented to userspace */
-#define SHAREFS_PERM_DIR 0700             /* permission bits for directories presented to userspace */
-#define SHAREFS_PERM_REG 0600             /* permission bits for regular files presented to userspace */
+#define SHAREFS_PERM_DIR 0770             /* permission bits for directories presented to userspace */
+#define SHAREFS_PERM_REG 0660             /* permission bits for regular files presented to userspace */
 #define SHAREFS_FORBIDDEN_FLAGS O_DIRECT  /* these open flags are cleared unconditionally */
 
 /* sharefs_private is populated by sharefs_init and contains process-wide context */
diff --git a/test/interactive/configuration.nix b/test/interactive/configuration.nix
index 9d1bddd8..c7765795 100644
--- a/test/interactive/configuration.nix
+++ b/test/interactive/configuration.nix
@@ -8,7 +8,10 @@
       description = "Alice Foobar";
       password = "foobar";
       uid = 1000;
-      extraGroups = [ "wheel" ];
+      extraGroups = [
+        "wheel"
+        "sharefs"
+      ];
     };
     untrusted = {
       isNormalUser = true;
diff --git a/test/interactive/raceattr.nix b/test/interactive/raceattr.nix
index 8140beb1..d94d7a7b 100644
--- a/test/interactive/raceattr.nix
+++ b/test/interactive/raceattr.nix
@@ -1,24 +1,30 @@
 { lib, pkgs, ... }:
-let
-  inherit (pkgs) buildGoModule;
-in
 {
-  environment.systemPackages = [
-    (buildGoModule rec {
-      name = "raceattr";
-      pname = name;
-      tags = [ "raceattr" ];
+  security.wrappers.raceattr =
+    let
+      inherit (pkgs) buildGoModule;
+    in
+    {
+      setuid = true;
+      owner = "root";
+      group = "root";
+      source = "${
+        (buildGoModule rec {
+          name = "raceattr";
+          pname = name;
+          tags = [ "raceattr" ];
 
-      src = builtins.path {
-        name = "${pname}-src";
-        path = lib.cleanSource ../../cmd/sharefs/test;
-        filter = path: type: (type == "directory") || (type == "regular" && lib.hasSuffix ".go" path);
-      };
-      vendorHash = null;
+          src = builtins.path {
+            name = "${pname}-src";
+            path = lib.cleanSource ../../cmd/sharefs/test;
+            filter = path: type: (type == "directory") || (type == "regular" && lib.hasSuffix ".go" path);
+          };
+          vendorHash = null;
 
-      preBuild = ''
-        go mod init hakurei.app/raceattr >& /dev/null
-      '';
-    })
-  ];
+          preBuild = ''
+            go mod init hakurei.app/raceattr >& /dev/null
+          '';
+        })
+      }/bin/raceattr";
+    };
 }