FAQ SearchLogin
Tuxera Home
View unanswered posts | View active topics It is currently Thu May 13, 2021 20:54



Post new topic Reply to topic  [ 6 posts ] 
Problem to read xattr on encrypted files 
Author Message

Joined: Tue Jan 20, 2009 09:48
Posts: 19
Post Problem to read xattr on encrypted files
Hi,

I have created several text files on a Windows XP NTFS disk and I have encrypted these files from Windows explorer. For some obscure reason, Windows creates a stream called "user.{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" on these files (it's always the same UUID) which seems to always be empty.

The problem is that ntfs-3g fails to read this stream. I am using "ntfs-3g 2010.5.16 integrated FUSE 27" on Fedora 12 x64 (Linux fedora 2.6.32.14-127.fc12.x86_64) but I have the same error with old ntfs-3g releases as well.

I don't know if that problem only happens with encrypted files, but I don't see this stream on normal text files. Is that a bug or is there a solution to this problem ?

Thanks for your help

Code:
# ntfs-3g /dev/sdb3 /mnt/windows -o efs_raw -o ro -o streams_interface=xattr
# cd /mnt/windows
# getfattr -P -d -R -h -m . /mnt/windows/test1-crypt/empty_0.txt
getfattr: Removing leading '/' from absolute path names
# file: mnt/windows/test1-crypt/empty_0.txt
user.ntfs.efsinfo=0sGAIAAAAAAAACAAAAAAAAABL+gfm1ByBAoYh2vRmUbW0A
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFQAAAAAAAAAAAA
AAAAAAAAAAAAAAQAAALwBAAAUAAAAgAAAADwBAAAAAAAAKAEAABwAAA
ADAAAA8AAAADgAAAAAAAAAAAAAAAEFAAAAAAAFFQAAAM18QWapMUNAK
tA3XOsDAAAUAAAAFAAAACgAAAByAAAAyAAAAKYWzE62u6zGFyEqT40MS5f
mCjODZQA0ADcAMAAzAGYANgA4AC0AYQBkAGQAMwAtADQAYQBjADEALQ
BhADQAYQA1AC0AMgBkAGMAMgBiADAAZABjAGMAZABkADcAAABNAGkAY
wByAG8AcwBvAGYAdAAgAEIAYQBzAGUAIABDAHIAeQBwAHQAbwBnAHIAYQ
BwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByACAAdgAxAC4AMAAAAGEAZA
BtAGkAbgAoAGEAZABtAGkAbgBAAEsAVgBNAFcASQBOACkAAACkUUlQXQqT
3um0vGpImeR65Yr77AHa0aPljNmKxrRaHewn2k+Pdvtm0CjQWuLr/wlIhQTyy9xIn
kYnuYHGkdCpNnqTYXNIpN9bte2F9TBWA3hOa/uj9Lf7od0Npbwlm2/sZLXpUoryBKWmmENS83ux4QeszR4wa4ujW576a9b2RgAAAAA=
/mnt/windows/test1-crypt/empty_0.txt: user.{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}: Input/output error

# getfattr -P -d -R -h -m . /mnt/windows/test1-crypt/eula_29338.txt
getfattr: Removing leading '/' from absolute path names
# file: mnt/windows/test1-crypt/eula_29338.txt
user.ntfs.efsinfo=0sGAIAAAAAAAACAAAAAAAAAGLw/Ax58l9Ikg6AfT/loiYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFQAAAAAAAA
AAAAAAAAAAAAAAAAAAQAAALwBAAAUAAAAgAAAADwBAAAAAAAAKAEAA
BwAAAADAAAA8AAAADgAAAAAAAAAAAAAAAEFAAAAAAAFFQAAAM18QWa
pMUNAKtA3XOsDAAAUAAAAFAAAACgAAAByAAAAyAAAAKYWzE62u6zGFyE
qT40MS5fmCjODZQA0ADcAMAAzAGYANgA4AC0AYQBkAGQAMwAtADQAYQ
BjADEALQBhADQAYQA1AC0AMgBkAGMAMgBiADAAZABjAGMAZABkADcAAA
BNAGkAYwByAG8AcwBvAGYAdAAgAEIAYQBzAGUAIABDAHIAeQBwAHQAbw
BnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByACAAdgAxAC4AMA
AAAGEAZABtAGkAbgAoAGEAZABtAGkAbgBAAEsAVgBNAFcASQBOACkAAA
CsFxzTIS0uz8GSglg7c5WHoIydHq1/8FEcT7Uq90KEaLbjcNpYxcDAfnQc/r9aGhasEGX89OHiDN6XHpvuyMDEEZ/qmiwcBYSfHKY8uT8QQPdswiuG/CP1g1+ALfS6BPFoPUW1dr3p7mvTPp+yPxFSxMZISMoLhKIGoqAffjwgcgAAAAA=
/mnt/windows/test1-crypt/eula_29338.txt: user.{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}: Input/output error

# uname -a
Linux fedora 2.6.32.14-127.fc12.x86_64 #1 SMP Fri May 28 04:30:39 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux

# ntfs-3g -V
ntfs-3g 2010.5.16 integrated FUSE 27


Sat Jun 26, 2010 23:17
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Problem to read xattr on encrypted files
Hi,

Quote:
I have created several text files on a Windows XP NTFS disk and I have encrypted these files from Windows explorer. For some obscure reason, Windows creates a stream called "user.{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}" on these files (it's always the same UUID) which seems to always be empty.

The problem is that ntfs-3g fails to read this stream.


I confirm there is a bug when adding an empty extended attribute to an encrypted file. So far I did not find any when reading. Was your example based on a file fully created by Windows, or was the empty extended attribute created by ntfs-3g ?

Can you please indicate which Windows version you are using, I have not heard of the mentioned attribute so far.

To fix the creation of an empty extended attribute, I need to know exactly how Windows creates them, and, as I have no access to a professional Windows version with encryption enabled, could you please dump the empty attribute of a sample encrypted file created on Windows : create a sample encrypted file, get its inode number by "ls -li sample-file" then dump the attributes by "ntfsinfo -vi <inode-number>" and extract from the output the equivalent of the following, for the attribute user.{4c8 etc.}, so that you do not leak any encryption information :

Code:
Dumping attribute $DATA (0x80) from mft record 590 (0x24e)                     
        Attribute length:        96 (0x60)                                     
        Resident:                No
        Name length:             10 (0xa)
        Name offset:             64 (0x40)
        Attribute name:          'user.{4c8cc155 etc. }'
        Attribute flags:         0x4000   
        Attribute instance:      4 (0x4)
        Lowest VCN               0 (0x0)   
        Highest VCN:             -1 (0xffffffffffffffff)
        Mapping pairs offset:    88 (0x58)
        Compression unit:        0 (0x0) 
        Data size:               0 (0x0)
        Allocated size:          0 (0x0)
        Initialized size:        0 (0x0) 
        Runlist:        VCN             LCN             Length


I will post a fixed version for you to check, when I know the target.

Regards

Jean-Pierre


Tue Jun 29, 2010 15:58
Profile

Joined: Tue Jan 20, 2009 09:48
Posts: 19
Post Re: Problem to read xattr on encrypted files
Hi jpa,

Thanks for your reply. Here are more details about the problem:

1) I am using Windows XP Pro SP3 English
2) The ntfs partition has been formatted from Windows with blocksize=4096
3) All files have been created from windows by coping a random txt files to that disk
4) I have uploaded the inode dump here:
http://s149207753.onlinehome.fr/ntfs-inode.txt
5) I have uploaded a compressed DD of the entire 512 MB filesystem here:
http://s149207753.onlinehome.fr/ntfs-volume.dd.bz2
6) I was able to encrpyt another text file without creating the bogous attribute on windows
7) The bogous attribute is created by Windows when we play with the "Summary" tab in the file properties in explorer. It happened on encrypted file but I don't know if that can also happen on a non-encrypted file as well.
8) Sometime this attribute can be created and it does not produce the I/O Error.

Many thanks
fd64


Tue Jun 29, 2010 20:47
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Problem to read xattr on encrypted files
Hi,

Could you please test the fix in http://pagesperso-orange.fr/b.andre/ntf ... 22AA.3.tgz ?

*edit*

Oops, buggy ! Please test the following instead :
http://pagesperso-orange.fr/b.andre/ntf ... 22AA.4.tgz

Regards

Jean-Pierre


Thu Jul 01, 2010 10:47
Profile

Joined: Tue Jan 20, 2009 09:48
Posts: 19
Post Re: Problem to read xattr on encrypted files
Many thanks for this new version. I have tested ntfs-3g-2010.5.22AA.4.tgz and I
can confirm it now works ok. Is there a patch for ntfs-3g-2010.5.22 or do you know
when the next stable version with that fix will be released ?

I have a question regarding encrypted files when "-o efs_raw" is used. The file size
returned by "stat -c%s <encrypted-file>" may be different from the number of bytes
that we can read from that encrypted file. For instance if I encrypt an empty file,
the size will be 2 (which is normal since efs_raw considers the encryption overhead
as normal data). But 0 bytes are returned when I read that file. It sounds that
it considers the size of the original data before encryption at that stage. I wonder
if this is a bug or is that what we expect ? This is what happens with
"/test1-crypt/empty_0.txt" on the same filesystem (cf previous post)

Thanks for your help
fd64


Fri Jul 02, 2010 00:39
Profile
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: Problem to read xattr on encrypted files
Hi,

Quote:
Many thanks for this new version. I have tested ntfs-3g-2010.5.22AA.4.tgz and I can confirm it now works ok.

Fine.
Quote:
Is there a patch for ntfs-3g-2010.5.22 or do you know when the next stable version with that fix will be released ?

This had to be a big change, unreasonable to distribute as a patch. It is not planned either for the next stable version based on the release candidate released yesterday. A new advanced version with the fix is to be released shortly, it should be very similar to the one you have tested.
Quote:
I have a question regarding encrypted files when "-o efs_raw" is used. The file size returned by "stat -c%s <encrypted-file>" may be different from the number of bytes that we can read from that encrypted file. For instance if I encrypt an empty file, the size will be 2 (which is normal since efs_raw considers the encryption overhead as normal data). But 0 bytes are returned when I read that file. It sounds that it considers the size of the original data before encryption at that stage.

Good point !

Encryption is based on blocks of 512 bytes, so the encrypted data normally overflows from actual data size. To cope with that, two more bytes are added to record the number of overflowing bytes when efs_raw is set (so a file of 200 bytes will appear as 514 bytes). Of course these extra bytes are removed when the file is written (a file of 514 bytes will be written as 512 encrypted bytes and shown as 200 bytes).
However (and this was part of the purpose of the patch), there is no need to add anything when there is no data. An empty file should appear as 0 bytes, not as 2 bytes. I will fix that (cannot do it right now).

Thank you for reporting and testing.

Regards

Jean-Pierre


Fri Jul 02, 2010 08:54
Profile
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.
Original forum style by Vjacheslav Trushkin.