Linux mount user group

Mount USB drive with write permissions for everyone or specific user

Ultimately I need to perma-mount /dev/sdb2 to /home/storage with access rights (rw) for the user media.

Using manual mount from command line.

server# sudo mount /dev/sdb2 /home/storage 

It mounts but the /home/storage receives root as owner and group and doesn’t allow media user to write there.

If I use mount command without sudo as the user media — I’m not allowed. Says only root can use mount.

If I use mount with options: server# sudo mount /dev/sdb2 /home/storage -o umask=000 I get what I need. A bit overdone of course, since the storage folder becomes writable for everyone. BUT — that is manually mounted — now I need it to remount on every reboot.

Remounting on reboot — using fstab

So I thought I’ll be fine if I use fstab to mount this partition ( /dev/sdb2 ) every time I reboot. The fstab line I added:

UUID=8C52-C1CD /home/storage auto user,umask=000,utf8,noauto 0 0 

Got uuid with blkid. The fs type auto I changed a few times. I tried vfat too, but always on the reboot Ubuntu stops when processing fstab (I think) with the message (taken from the log):

fsck from util-linux 2.20.1
/dev/sda5: clean, 120559/10969088 files, 19960144/43861504 blocks
mount: unknown filesystem type 'static'
mountall: mount /etc/fstab: [772] terminated with status 32
mountall: Filesystem could not be mounted: /etc/fstab:
Skipping /etc/fstab: at user request

And also — sudo mount -a never really does anything.

What am I doing wrong? I do suspect I messed up something:)


It seems fstab should hold only mounts for static drives, not any sort of usb stuff. I’m puzzled how then this works with all the people posting on the net their success stories.

However, if this is not possible — I would like to know how to remount my USB after every reboot. If not with fstab — then how? 🙂


How to allow non-superusers to mount any filesystem?

Is it possible to allow some particular users (e.g. members of a group) to mount any filesystem without superuser privileges on Linux? Another question might have been «in what ways a user can harm a system by mounting filesystems?»

10 Answers

There are a couple approaches, some of them mostly secure, others not at all.

The insecure way

Let any user run mount, e.g., through sudo. You might as well give them root; it’s the same thing. The user could mount a filesystem with a suid root copy of bash—running that instantly gives root (likely without any logging, beyond the fact that mount was run).

Alternatively, a user could mount his own filesystem on top of /etc, containing his/her own copy of /etc/shadow or /etc/sudoers, then obtain root with either su or sudo. Or possibly bind-mount ( mount --bind ) over one of those two files. Or a new file into /etc/sudoers.d.

Similar attacks could be pulled off over /etc/pam.d and many other places.

Remember that filesystems need not even be on a device, -o loop will mount a file which is owned (and thus modifiable) by the user.

The mostly secure way: udisks or similar

The various desktop environments have actually already built solutions to this, to allow users to mount removable media. They work by mounting in a subdirectory of /media only and by turning off set-user/group-id support via kernel options. Options here include udisks , udisks2 , pmount , usbmount ,


If you must, you could write your own script to do something similar, and invoke it through sudo—but you have to be really careful writing this script to not leave root exploits. If you don’t want your users to have to remember sudo, you can do something like this in a script:

#!/bin/bash
if [ $UID -ne 0 ]; then # or `id -u`
    exec sudo -- "$0" "$@"
fi
# rest of script goes here

The will-be-secure someday way: user namespaces

Linux namespaces are a very lightweight form of virtualization (containers, to be more specific). In particular, with user namespaces, any user on the system can create their own environment in which they are root. This would allow them to mount filesystems, except that has been explicitly blocked except for a few virtual filesystems. Eventually, FUSE filesystems will probably be allowed, but the most recent patches I could find don’t cover block devices, only things like sshfs.

Further, many distro kernels have (for security reasons) defaulted to not allowing unprivileged users to use user namespaces; for example Debian has a kernel.unprivileged_userns_clone that defaults to 0. Other distros have similar settings, though often with slightly different names.

The best documentation I know of about user namespaces is an LWN article Namespaces in operation, part 5: User namespaces.

For now, I’d go with udisks2.
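The checks a hand-written sudo helper of the kind described above would need, as an added example that is not part of the original answer: it confines targets to a subdirectory of /media, forces nosuid and nodev, and refuses files and paths that could be loop-mounted or traversed. MOUNT_ROOT, FORCED_OPTS and the function names are assumptions, and the uid=/gid=/umask= options assume a FAT-type filesystem.

```bash
#!/bin/bash
# Added example, not from the answer: a root-run helper that mounts removable
# media for the calling user. MOUNT_ROOT, FORCED_OPTS and all function names
# are assumptions; uid=/gid=/umask= assume a FAT-type filesystem.
MOUNT_ROOT=/media
FORCED_OPTS=nosuid,nodev,noexec     # fixed here; never taken from the caller

# One path component directly under /dev: rejects "..", /dev/shm/<file>
# (a user-writable image that mount would loop-mount) and option characters.
valid_device() {
    case $1 in
        /dev/*/*|*[!A-Za-z0-9/_-]*) return 1 ;;
        /dev/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# One directory name: no "/", no leading "." or "-".
valid_label() {
    case $1 in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

is_id() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Print "<options> <target>" for device, label, uid, gid; fail with no output.
plan_mount() {
    valid_device "$1" && valid_label "$2" && is_id "$3" && is_id "$4" || return 1
    printf '%s,uid=%s,gid=%s,umask=022 %s/%s\n' \
        "$FORCED_OPTS" "$3" "$4" "$MOUNT_ROOT" "$2"
}

# Mount for the user who invoked sudo; SUDO_UID/SUDO_GID are set by sudo.
do_mount() {
    plan=$(plan_mount "$1" "$2" "${SUDO_UID:-}" "${SUDO_GID:-}") || return 1
    [ -b "$1" ] || return 1         # must be a real block device
    mkdir -p -- "${plan#* }" && mount -o "${plan%% *}" -- "$1" "${plan#* }"
}

if [ "$#" -eq 2 ]; then do_mount "$1" "$2"; fi
```

Called through sudo with a device and a label (for example /dev/sdb2 and storage), it mounts at /media/storage owned by the invoking user; any other argument shape is refused before mount is reached.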


Mount device with specific user rights

How can I mount a device with specific user rights on start up? I still have some problems figuring it out. I would like to mount the device with uid=1000 and gid=1000 . My current entry to the /etc/fstab/ file looks like this:

dev /var/www vboxsf rw, suid, dev, exec, auto, nouser, async, uid=1000 

@skub: The owner of /var/www/ is root. dev /var/www vboxsf rw, suid, dev, exec, auto, nouser, async, uid=1000 gui=1000 didn’t work so well (Ubuntu removed the entry after a failed restart).


@skub: It’s a VirtualBox shared folder, so /dev is right. I figured it out by now, sudo mount -t vboxsf -o umask=0022,gid=33,uid=33 dev /var/www works just fine.

I’ve been messing around with this problem in vbox for a while now too. From what I’ve gathered, the correct solution (to the question you aren’t asking) is to add your user into the vboxsf group, and then it doesn’t matter who the owner of the files are — you will have permission to edit them. alcobrov.blogspot.com/2012/06/…

1 Answer

To mount a device with certain rights, you can use the -o Option directive while mounting the device. To mount the device you described, run:

 mount -t deviceFileFormat -o umask=filePermissions,gid=ownerGroupID,uid=ownerID /device /mountpoint 

For example mounting a VirtualBox shared folder to /var/www with www-data as owner would look like this:

mount -t vboxsf -o umask=0022,gid=33,uid=33 dev /var/www 

If you want to mount the device on startup, you can add the following entry to your /etc/fstab file:

 /device /mountpoint deviceFileFormat umask=filePermissions,gid=ownerGroupID,uid=ownerUserID 

Again, with the same example the entry to the /etc/fstab file would look like this:

dev /var/www vboxsf umask=0022,gid=33,uid=33 

For filesystems that do not support mounting as a specific user (like ext4) the above will give the error

Unrecognized mount option "uid=33" or missing value 

To change the owner of an ext4 mount simply run

chown username /mountpoint 

after it has been mounted.
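A small linter for the fstab entries quoted on this page, as an added example that is not part of the original answer: it reports an option list split by spaces, umask=000, noauto, and whether nosuid and nodev end up in effect once options such as user are taken into account. The function name lint_fstab_entry and its messages are assumptions made for illustration; the nosuid/nodev findings are meant for removable or shared mounts, not system filesystems.

```bash
#!/bin/bash
# Added example: lint one /etc/fstab entry for the mistakes seen on this page.
# lint_fstab_entry and its messages are illustrative, not a real tool.
lint_fstab_entry() (
    set -f                  # no globbing while the line is split
    set -- $1               # spec, mount point, type, options, dump, pass
    if [ "$#" -gt 6 ]; then
        echo "fields: $# found, 6 allowed; a space inside the option list splits it"
        exit 0
    fi
    nosuid=0 nodev=0        # defaults: suid and dev are honoured
    IFS=,
    for opt in ${4:-defaults}; do
        case $opt in
            user|users|owner|group) nosuid=1 nodev=1 ;;  # implied by these
            nosuid)   nosuid=1 ;;
            nodev)    nodev=1 ;;
            suid)     nosuid=0 ;;                        # later options override
            dev)      nodev=0 ;;
            defaults) nosuid=0 nodev=0 ;;
            noauto)   echo "noauto: not mounted at boot or by mount -a" ;;
            umask=0|umask=000|umask=0000)
                echo "$opt: every local user can write; prefer uid=,gid= with umask=022" ;;
        esac
    done
    [ "$nosuid" = 1 ] || echo "nosuid: not in effect; set-user-ID bits on this filesystem are honoured"
    [ "$nodev" = 1 ]  || echo "nodev: not in effect; device nodes on this filesystem are usable"
    exit 0
)

# The three fstab entries quoted on this page, linted in turn.
while IFS= read -r entry; do
    printf '%s\n' "$entry"
    lint_fstab_entry "$entry" | sed 's/^/    /'
done <<'EOF'
UUID=8C52-C1CD /home/storage auto user,umask=000,utf8,noauto 0 0
dev /var/www vboxsf rw, suid, dev, exec, auto, nouser, async, uid=1000
dev /var/www vboxsf umask=0022,gid=33,uid=33
EOF
```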
