How to mount a USB device in read only mode?
I wish to securely copy files from a USB external drive such that no files on that drive may be modified spuriously. Would someone tell me in relatively simple wording how to accomplish this please? The simple wording is due to the fact that I am a recent Linux user and solely an Ubuntu Linux user.
When you plug in your USB, it will be automatically mounted with some name in the /media folder.
Open a Terminal (Ctrl + Alt + T). Type the following command:
mount
You will see a result something like this:
/dev/sda7 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/kernel/debug type debugfs (rw)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
/dev/sda5 on /home type ext4 (rw)
/dev/sdb1 on /media/84CD-D8C7 type vfat (rw,nosuid,nodev,uid=1000,gid=1000,shortname=mixed,dmask=0077,utf8=1,showexec,uhelper=udisks)
Look at the last line in my example: /dev/sdb1 on /media/84CD-D8C7 type vfat plus some other output. Your clue is that its folder begins with /media; in this case, /media/84CD-D8C7.
You can now tell the system to remount it read-only with the following command:
sudo mount --options=remount,ro /media/84CD-D8C7
Of course, you would replace 84CD-D8C7 with the actual name that you have. To check that it worked, you can reissue the mount command. See how mine has changed — look for the ro after the parenthesis (ro stands for "read-only", rw stands for "read-write").
/dev/sdb1 on /media/84CD-D8C7 type vfat (ro,nosuid,nodev,uid=1000,gid=1000,shortname=mixed,dmask=0077,utf8=1,showexec,uhelper=udisks)
Explanation (if you are interested):
- sudo means to authorise this command (i.e. run it as "root"), because the "mount" command is not available to all users. This will ask for your password.
- mount tells the system to "mount" the device, i.e. attach it to your computer and give it a folder name. In this case, it has already been done; we are using the command to change the way the device was mounted.
- --options tells the mount command that we are going to specify some options.
- remount means just that: mount the device again, with exactly the same settings unless you tell it otherwise.
- ro says to remount as read-only. This is the only change that we are making to the mount.
- /media/84CD-D8C7 specifies where it is already mounted.
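Added example (not part of the original answer): a shell function that performs the ro/rw check described above by exact option match, because a line such as the root filesystem's `rw,errors=remount-ro` also contains the letters "ro". It reads the kernel's /proc/self/mounts format instead of `mount` output; the sample lines, the `/media/MY DISK` entry and the function name `mount_state` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether a mount point is mounted "ro" or "rw".

# Constructed sample in /proc/self/mounts format (device, mount point,
# type, options, dump, pass). Spaces in mount points appear as \040.
SAMPLE_MOUNTS='/dev/sda7 / ext4 rw,errors=remount-ro 0 0
/dev/sdb1 /media/84CD-D8C7 vfat ro,nosuid,nodev,uid=1000,gid=1000 0 0
/dev/sdc1 /media/MY\040DISK vfat rw,nosuid,nodev 0 0'

# mount_state MOUNTPOINT [MOUNTS_FILE]
# Prints "ro" or "rw"; returns 1 if MOUNTPOINT is not mounted.
# MOUNTS_FILE defaults to the live table in /proc/self/mounts.
mount_state() {
    target=$1
    src=${2:-/proc/self/mounts}
    state=""
    while read -r dev mnt fstype opts rest; do
        # Decode the \040 escape so labels with spaces compare correctly.
        mnt=$(printf '%s' "$mnt" | sed 's/\\040/ /g')
        [ "$mnt" = "$target" ] || continue
        # Match "ro"/"rw" only as a whole option, never as a substring
        # of another option such as errors=remount-ro.
        # No early exit: with stacked mounts the last entry is on top.
        case ",$opts," in
            *,ro,*) state=ro ;;
            *,rw,*) state=rw ;;
        esac
    done < "$src"
    [ -n "$state" ] || return 1
    printf '%s\n' "$state"
}

# Demo on the constructed sample (no real devices are touched).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$tmp"
for m in / /media/84CD-D8C7 '/media/MY DISK'; do
    printf '%s -> %s\n' "$m" "$(mount_state "$m" "$tmp")"
done
rm -f "$tmp"
```

Called with a single argument, for example `mount_state /media/84CD-D8C7`, it checks the live mount table, which is useful as a guard before starting a copy.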
How can I create a udev rule to mount a USB drive read only?
I’m trying to set a particular USB drive to always mount read only. If I plug it in, it is seen as sdb with a single partition, sdb1. Here are some relevant udevadm lines (not the entire output of course):
$ udevadm info -a -n /dev/sdb1
looking at device '/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.4/2-1.4:1.0/host21/target21:0:0/21:0:0:0/block/sdb/sdb1':
KERNEL=="sdb1"
SUBSYSTEM=="block"
DRIVER==""
ATTR=="0"
ATTR=="976768002"
ATTR==" 473 30586 33938 3460 5 0 40 1624 0 2268 5084"
ATTR=="1"
SUBSYSTEM=="block", ATTR{size}=="976768002", MODE="0555"
According to this, using size should be enough but I have also tried other permutations. In any case, the rule does seem to be read (again, selected output lines, you can see the entire output here):
$ udevadm test $(udevadm info -q path -n /dev/sdb1) 2>&1
[...]
read rules file: /etc/udev/rules.d/10-usbdisk.rules
[...]
MODE 0555 /etc/udev/rules.d/10-usbdisk.rules:4
So, it looks like the rule should be applied and it looks like the MODE="0555" is the correct syntax. However, when I actually plug the disk in, I can happily create/delete files on it.
OS: Debian testing (LMDE)
So, what am I doing wrong? How can I mount a particular USB drive as read only automatically using udev¹?
¹ I know how to do this with fstab but fstab settings are ignored by gvfs. My objective is to have this mounted automatically as read only in the GUI. Presumably this will have to be done via udev or gvfs somehow.
Ok, the summary is that Nautilus uses GVFS and you need to tell udev to use GVFS too when reading the fstab entries; you can do this using:
/dev/block-device /mount/point auto x-gvfs-show,ro 0 0
x-gvfs-show will tell udev and anyone interested to use the GVFS helper to mount the filesystem, so gvfs has all the control mounting, umounting, moving mount points, etc.
Let’s see if we understand how drives are mounted in modern Linux systems with GUIs (specifically Nautilus):
Nautilus uses GVFS as a backend to mount FTP, SMB, block devices, among other things into the file system. The tool that GNOME designed for such purposes, called Disks, is the one that modifies the behavior of GVFS. Now here comes the fun.
Nautilus ignores anything that wasn’t mounted using GVFS (like using fstab) and gives you very rudimentary control over this using udev (Nautilus doesn’t ask GVFS to unmount or mount devices that were not manipulated using GVFS, that includes udev, fstab, mount and any other blob) such as just unmount and mount. Using the permissions and options stored in fstab/udev you can use these filesystems accordingly but you can’t modify the behavior using GVFS. If something was mounted using sudo mount -o rw /dev/sda3, Nautilus tells udev that it doesn’t have permissions to modify the mount point, so it passes the responsibility to udev, which in turn asks polkit for permissions. If you had used GVFS, Nautilus itself unmounts the device without permissions, dialogs, etc.
Mount USB drive with write permissions for everyone or specific user
Ultimately I need a perma-mount /dev/sdb2 to /home/storage with access right (rw) for the user media .
Using manual mount from command line.
server# sudo mount /dev/sdb2 /home/storage
It mounts but the /home/storage receives root as owner and group and doesn’t allow media user to write there.
If I use mount command without sudo as the user media — I’m not allowed. Says only root can use mount.
If I use mount with options:
server# sudo mount /dev/sdb2 /home/storage -o umask=000
I get what I need. A bit overdone of course, since the storage folder becomes writable for everyone. BUT — that is manually mounted — now I need it to remount on every reboot.
Remounting on reboot — using fstab
So I thought I’ll be fine if I use fstab to mount this partition (/dev/sdb2) every time I reboot. The fstab line I added:
UUID=8C52-C1CD /home/storage auto user,umask=000,utf8,noauto 0 0
Got uuid with blkid. The fs type auto I changed a few times. I tried vfat too, but always on the reboot Ubuntu stops when processing fstab (I think) with the message (taken from the log):
fsck from util-linux 2.20.1
/dev/sda5: clean, 120559/10969088 files, 19960144/43861504 blocks
mount: unknown filesystem type 'static'
mountall: mount /etc/fstab: [772] terminated with status 32
mountall: Filesystem could not be mounted: /etc/fstab: Skipping /etc/fstab: at user request
And also — sudo mount -a never really does anything.
What am I doing wrong? I do suspect I messed up something:)
It seems fstab should hold only mounts for static drives, not any sort of usb stuff. I’m puzzled how then this works with all the people posting on the net their success stories.
However, if this is not possible — I would like to know how to remount my USB after every reboot. If not with fstab — then how? 🙂
How can I automatically set write permissions on mounting a usb drive in linux?
When I mount an external usb drive on linux (CentOs4), the permissions are by default set to read-only. Since there are multiple users on the computer who need to use the external drive, I want everybody to have rw permission for the entire drive. I also want them to be able to mount the drive if the computer has accidentally been shut down. They can use sudo mount to mount the drive, but this will only give them read permission, and I obviously don’t want to allow sudo chmod. Is there a default setting that I can change so that every new external usb disk automatically gets rw permissions?
To enable everyone rw access, the key is the umask=0 option to the mount command.
sudo mount -o umask=0,uid=nobody,gid=nobody /dev/something /mnt/somewhere
umask=0 is enough; uid and gid are just for the sake of clarity, so you don’t see more ‘root’ owners than necessary.
@Tom’s answer (writing /etc/fstab entry) will allow you to skip sudo and if you write umask=0 as additional option there, you’ll get the best of both worlds:
/dev/something /mnt/somewhere auto users,noatime,umask=0 0 0
and everyone has access to all files.
Here’s a technical note, if you wish to know details:
As man mount says, ‘umask=0’ will ensure that no additional rules apply to files access mode. For FAT filesystems (which are most widely used on USB disks), there’s no access mode stored. But your current process has some umask value set, you can see it if you run just umask in terminal. mount uses that as default and removes access mode of your umask value from all files on mounted disk. Most widely used umask values are (octal) 022 — no group and other write, and 027 — no group write, no any other access.
I get an error with ‘bad option’ if I add umask=0 0 0 as an entry in fstab. Does the umask -entry need to be the last entry? What does the managed=0 0 0 entry do that is currently last?
FWIW, the umask option is a VFAT-only option, i.e. the solution helps as long as the USB memory uses the VFAT filesystem (which did not happen to be my case).
Thank you. But I had to alter it in order to make it work:
sudo mount -o umask=0,uid=nobody /dev/something /mnt/somewhere
It only works without setting the gid-parameter.
Add an entry to /etc/fstab. Here is an entry that I added just a few hours ago for my Seagate USB drive:
UUID=4ACC734ECC733375 /media/Linux ext3 errors=remount-ro,defaults,users,noatime,nodiratime 0 0
The key here is the «users» entry that allows users to mount and unmount the drive.
Edit: this works for specific drives — I don’t know if it can be enabled for all drives with one entry.
Type mount. This will give the current place it is at. Here is my output.
rick@rick-Main ~ $ mount
/dev/sda4 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/cgroup type tmpfs (rw)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
none on /run/user type tmpfs (rw,noexec,nosuid,nodev,size=104857600,mode=0755)
none on /sys/fs/pstore type pstore (rw)
/dev/sda6 on /media/DATA1 type vfat (rw,uid=1000,utf8,umask=077)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
systemd on /sys/fs/cgroup/systemd type cgroup (rw,noexec,nosuid,nodev,none,name=systemd)
gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,user=rick)
/dev/sdf1 on /media/usb0 type vfat (rw,noexec,nodev,sync,noatime,nodiratime)
The last is my usb drive automounted by Linux Mint.
sudo mount -t vfat /dev/sdf1 /media/usb0 -o rw,users,umask=0