cmd/sharefs: group-accessible permission bits

This works around the race in vfs via supplementary group.

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/sharefs/fuse-operations.h

@@ -7,8 +7,8 @@
 #endif
 
 #define SHAREFS_MEDIA_RW_ID (1 << 10) - 1 /* owning gid presented to userspace */
-#define SHAREFS_PERM_DIR 0700             /* permission bits for directories presented to userspace */
+#define SHAREFS_PERM_DIR 0770             /* permission bits for directories presented to userspace */
-#define SHAREFS_PERM_REG 0600             /* permission bits for regular files presented to userspace */
+#define SHAREFS_PERM_REG 0660             /* permission bits for regular files presented to userspace */
 #define SHAREFS_FORBIDDEN_FLAGS O_DIRECT  /* these open flags are cleared unconditionally */
 
 /* sharefs_private is populated by sharefs_init and contains process-wide context */

test/interactive/configuration.nix

@@ -8,7 +8,10 @@
       description = "Alice Foobar";
       password = "foobar";
       uid = 1000;
-      extraGroups = [ "wheel" ];
+      extraGroups = [
+        "wheel"
+        "sharefs"
+      ];
     };
     untrusted = {
       isNormalUser = true;

test/interactive/raceattr.nix

@@ -1,9 +1,14 @@
 { lib, pkgs, ... }:
-let
-  inherit (pkgs) buildGoModule;
-in
 {
-  environment.systemPackages = [
+  security.wrappers.raceattr =
+    let
+      inherit (pkgs) buildGoModule;
+    in
+    {
+      setuid = true;
+      owner = "root";
+      group = "root";
+      source = "${
         (buildGoModule rec {
           name = "raceattr";
           pname = name;
@@ -20,5 +25,6 @@ in
             go mod init hakurei.app/raceattr >& /dev/null
           '';
         })
-  ];
+      }/bin/raceattr";
+    };
 }