When extents are needed to store the runlist of the MFT, the first one
must be located in record 15 so that its location can be determined from
the part in the base extent. As this record is always marked in use,
determining whether it is not really in use requires a specific logic.
When trying a resize in "no action" (read-only) mode, and the MFT runlist
has to be reorganized to take its new fragmentation into account, the updated
runlist cannot be read from the device while updating the runlist of
normal files. To avoid having to read the updated runlist, the update
is delayed so that the original runlist is used. As a consequence the test
of reorganizing the runlists is only an approximation of what would happen
in a real resize.
Newer versions of Windows 10 use several reparse tags for files which
are synchronized to OneDrive cloud storage (0x9000301a, 0x9000601a,
0x9000701a, ...). identify them as IO_REPARSE_TAG_CLOUD and use a
single plugin to process them.
Since its 2017 edition, Windows 10 has stopped mirroring $MFT to the
full size of $MFTMirr leading to mounts of partitions with big clusters
to be rejected because of mismatches. With this patch, only 16 records
are checked, though mirroring is still done for all records in $MFTMirr.
Document an earlier update which forced read-only mode when mounting
a partition which has been left by Windows in an inconsistent state
through hibernation or fast restarting.
Object ids can be used to locate files which have been move to another
volume. This is only possible when the birth ids are recorded, but in most
cases files reside on their birth volume and their birth ids are not set.
The patch enables setting a file id without changing its birth id, by
setting an extended attribute "system.ntfs_object_id" limited to 16
bytes.
At least when there is a shortage of space on the target device, several
redo actions are associated to undoing a CompensationlogRecord, and they
should be redone upon recovery.
Under some circumstances, the temporary log file blocks are not the
latest ones, so check whether there are more recent ones.
Only done for log version 1.x, as log version 2.x follow a different
logic.
The struct members for the time fields in struct stat vary depending on
platform, so introduce #ifdefs using the config.h-supplied definitions
for determining which stat time definition is appropriate.
When the ntfs image is unclean, usually because it was not unmounted
properly from Windows, mounting read-write is denied and falls back
to read-only. Log this situation in the syslog, so that users mounting
through /etc/fstab can more easily know what is going on. Also remove
the "rw" option if it was stated.
Windows 10 brought a new type of reparse point for directories (0x80000018),
so add opendir() and readdir() to the plugin interface to take directories
into account. The interface for releasedir() is merged with release() as
the plugins can discriminate them if needed.
Windows 10 brought security descriptors which contain ACE's related to
new ways of accessing files or directories. These ACE are now accepted
with minimal consistency checks. They are still ignored for translating
permissions and for Windows-type inheritance.
The logic for determining where the actions SetIndexEntryVcnRoot and
SetIndexEntryVcnAllocation had to insert a new vcn was unclear and was
wrong in some situations. This is to fix the logic as determined by new
evidence.
When a file is partially truncated, the highest_vcn has to be recomputed
before the file size is adjusted. As a consequence the unmapped run
inserted at the end of runlist to match the file size should not be taken
into account when determining the higest_vcn.
When the fast restart mode of Windows 8 (or later) is activated, the
log file format is different (version 2.0 instead of 1.1), having 32
temporaty blocks instead of 2. This patch upgrades ntfsrecover to take
the new format into account.
When using option --ignore-fs-check in ntfsclone, doubly allocated cluster
still lead to aborting the process. Bypassing the error is useful for
creating a metadata image intended for debugging, for example when the
partition was not closed properly and the logfile has to be applied to
restore the integrity of metadata.
The computing of replacement bytes for overwriting undeletable files
uses random values and standard ones instead of the values provided in
option --bytes. Fix the mixup between both logics, mention the difference
in the documentation and reject defining both options --bytes and --undel.
The license for using the boot loader which used to be inserted by mkntfs
is unclear, so remove it, and only keep the boot sector restricted to
what is needed for having it recognized as such. The space for a loader
is still reserved so that an operating system being installed can insert
its own loader.
When setting a security descriptor on an NTFS v1.2 format file in an
NTFS v3.0+ volume, NTFS-3G would migrate $STANDARD_INFORMATION to the
new format, which requires extending its size from 48 to 72 bytes. If
this happened while the file's MFT record was almost full, and none of
the file's attributes could be made non-resident, and the file did not
have an attribute list attribute, then the operation would unexpectedly
fail with ENOENT. Fix this by adding an attribute list to the file in
this situation.
(contributed by Eric Biggers)
Windows places filenames with a trailing dot or space in the Win32
namespace and allows setting DOS names on such files. This is true even
though on Windows such filenames can only be created and accessed using
WinNT-style paths and will confuse most Windows software. Regardless,
because libntfs-3g did not allow setting DOS names on such files, in
some cases it was impossible to correctly restore, using libntfs-3g, a
directory structure that was created under Windows.
Update ntfs_set_ntfs_dos_name() to permit operating on a file that has a
long name with a trailing dot or space. But continue to forbid creating
such names on a filesystem FUSE-mounted with the windows_name option.
Additionally, continue to forbid a trailing a dot or space in DOS names;
this matches the Windows behavior.
(contributed by Eric Biggers)
Following a recent patch to the fuse kernel, the Posix ACL checks can
be done within the kernel instead of having to be done in the file
system, provided lowntfs-3g is used.
This mode is still not used by default until the fuse patch is
released by distributions.
Now that the size of the reparse point attribute is no longer used by
the FUSE drivers to populate st_size for symlinks and junctions, it no
longer needs to be returned by ntfs_make_symlink().
(contributed by Eric Biggers)
Made ntfs-3f conform to the standard POSIX convention of setting st_size
to the length of the symlink target without a terminating null.
(contributed by Eric Biggers)
valid_reparse_data() would read past the end of the reparse point buffer
if it was passed a malformed reparse point that had the tag for a
mountpoint or a symlink but had a data buffer smaller than expected.
Fix this by validating the buffer size.
(contributed by Eric Biggers)
If an output buffer was provided, ntfs_utf16_to_utf8() limited the
output string length without the terminating null to 'outs_len'. This
was incorrect because a terminating null was always added to the string,
causing a buffer overrun if the output string happened to have exactly
the maximum length. This was a longstanding bug. Fix it by leaving
space for a terminating null.
(contributed by Eric Biggers)
utf16_to_utf8_size() was not guaranteed to fail with ENAMETOOLONG if the
computed length was greater than @outs_len. This could cause a buffer
overrun in ntfs_utf16_to_utf8().
(contributed by Eric Biggers)
The plugins are enabled by default, and the can be disabled by the
configure option --disable-plugins, but the option --enable-plugins
also led to disabling them.
Both fusermount.c and mount_util.c use _PATH_MOUNTED, so they should
include <paths.h>, which provides this definition.
This is required for building with the musl C library.
Contributed by Thomas Petazzoni