> This is not exactly a solution. The trace file name changes based on
> mount directory path. So I'd have to do this every time I try a new
> mount point, which is impractical.

I tried something drastic. I modified perfused source code to use /tmp as the directory to save trace file which non-root users have access to. It's a workaround because it does not exactly disable trace file and requires replacing default binary. It does work, but IMO it's not practical to let users go through this much for a minor thing like this. It might also have security implications, I'm not sure.

I'm on NetBSD 10.1, so I downloaded:
<https://cdn.netbsd.org/pub/NetBSD/NetBSD-release-10/tar_files/src/usr.sbin.tar.gz>

Ran sha1 usr.bin.tar.gz and checked output with:
<https://cdn.netbsd.org/pub/NetBSD/NetBSD-release-10/tar_files/src/usr.sbin.tar.gz.SHA1>

Same goes for lib.tar.gz

$ tar -xvf usr.sbin.tar.gz
$ tar -xvf lib.tar.gz
$ cd src/usr.sbin/perfused
$ sed -i.orig -e 's|var\/run|tmp|' perfused.h
$ make
$ file ./perfused
./perfused: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /usr/libexec/ld.elf_so, for NetBSD 10.1, with debug_info, not stripped

We can now replace the system's perfused binary with our modified one:

$ ls -la /usr/sbin/perfused
-r-xr-xr-x 1 root wheel 40752 Dec 16 2024 /usr/sbin/perfused
$ doas cp /usr/sbin/perfused /usr/sbin/perfused.orig # backup
$ doas cp ./perfused /usr/sbin/perfused

With this binary cryfs works as non-root user:

$ cd /tmp
$ doas rm -rf {plain,secret}
$ env PERFUSE_BUFSIZE=$((132 * 1024)) cryfs secret plain
CryFS Version 1.0.1
Could not find base directory. Do you want to create it?
Your choice [y/n]: y
Could not find mount directory. Do you want to create it?
Your choice [y/n]: y
Use default settings?
Your choice [y/n]: y
Generating secure encryption key. This can take some time...done
Password:
Confirm Password:
Deriving encryption key (this can take some time)...done
The filesystem id in the config file is different to the last time we loaded a filesystem from this basedir. This can be genuine if you replaced the filesystem with a different one. If you didn't do that, it is possible that an attacker did. Do you want to continue loading the file system?
Your choice [y/n]: y
----------------------------------------------------
Filesystem configuration:
----------------------------------------------------
- Filesystem format version: 0.10
- Created with: CryFS 1.0.1
- Last opened with: CryFS 1.0.1
- Cipher: xchacha20-poly1305
- Blocksize: 16384 bytes
- Filesystem Id: 057467938DDD387B5F51A3E5CD4E0322
----------------------------------------------------
Mounting filesystem. To unmount, call:
$ cryfs-unmount "/tmp/plain"

$ doas chown -R $(id -un):$(id -gn) plain
$ echo test > plain/test.txt
$ cat plain/test.txt
test

This is not a real solution. Being able to disable trace on default setup would be a better solution IMO.