Jacobs Apprentice
Joined: 29 Apr 2003 Posts: 174 Location: Czech republic
Posted: Sun May 11, 2003 5:38 pm Post subject: crypto-loop mounting question

hi, I've a crypto-loop filesystem and I wonder if there is some way to allow only the user who mounted it to access it.
thanks for any idea

joycea Apprentice
Joined: 23 Jul 2002 Posts: 191 Location: Kingston, Canada
Posted: Sun May 11, 2003 10:41 pm

Not particularly familiar with the crypto filesystem procedures, but wouldn't the umask flag work for this?

Jacobs Apprentice
Joined: 29 Apr 2003 Posts: 174 Location: Czech republic
Posted: Mon May 12, 2003 7:14 am

I'm not sure it'd solve the problem. I want this: if user1 mounts /dev/loop0, then he and only he must have rwx access to the mounted fs (others shouldn't have any access at all). If user2 mounts it, then again, only user2 must have this access.
I'm not very familiar with umask, but I don't think there is some way to set this via umask, or is there?

joycea Apprentice
Joined: 23 Jul 2002 Posts: 191 Location: Kingston, Canada
Posted: Mon May 12, 2003 10:00 am

man mount wrote:
    umask=value
        Set the umask (the bitmask of the permissions that are not
        present). The default is the umask of the current process. The
        value is given in octal.

Therefore umask=077 would do what you are asking.

Jacobs Apprentice
Joined: 29 Apr 2003 Posts: 174 Location: Czech republic
Posted: Mon May 12, 2003 10:30 am

ok, this may work! thanks.
but when I try it for real, something goes wrong. I have this in my /etc/fstab:
Code:
    /path/to/crypto-loop-file /mnt/crypto ext3 user,defaults,noauto,loop,encryption=aes,keybits=256 0 0
but when I add umask=077:
Code:
    /path/to/crypto-loop-file /mnt/cryptofs ext3 user,umask=077,defaults,noauto,loop,encryption=aes,keybits=256 0 0
mounting doesn't work anymore.
Quote:
    mount: wrong fs type, bad option, bad superblock on /dev/loop/1,
    or too many mounted file systems
which is the very same message that I get after entering the wrong password. So is it possible that there is some compatibility issue with crypto-loop and umask?

Jacobs Apprentice
Joined: 29 Apr 2003 Posts: 174 Location: Czech republic
Posted: Mon May 12, 2003 10:36 am

by the way there is this message in syslog related to the mount failure:
Quote:
    EXT3-fs: Unrecognized mount option umask
any clue?

tojo n00b
Joined: 09 Dec 2002 Posts: 72
Posted: Mon May 12, 2003 2:06 pm Post subject: Re: crypto-loop mounting question

Jacobs wrote:
    hi, I've a crypto-loop filesystem and I wonder if there is some way to allow only the user who mounted it to access it.
hmm.. why don't you just use UNIX permissions? The chmod command?
like this you can remove rights from everybody else but the owner:
Code:
    chmod og-rwx -R /path/to/mounted/directory
umask is for setting default rights when you are creating new files and dirs. In the mount man page the umask flag is for the fat filesystem only.

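A check for the mismatch that bit this thread, added here as an example and not code from anyone in it: a small POSIX shell linter that flags permission-override options such as umask= on fstab entries whose filesystem type keeps its own on-disk permissions, so the entry is caught before mount reports "bad option". The list of filesystem types and the set of flagged options are my assumptions; the three sample lines are the ones posted above.

```shell
#!/bin/sh
# Added example, not from the thread: lint fstab-style lines for mount options
# that the named filesystem type rejects, which is what produced the
# "EXT3-fs: Unrecognized mount option umask" failure above.
# Assumption: umask/dmask/fmask/uid/gid are permission-override options that
# only filesystems without on-disk POSIX ownership (vfat, msdos, iso9660, ...)
# accept; ext2/ext3 and similar keep real permissions and refuse them.

# check_fstab_line LINE: warn on stderr for each mismatched option;
# returns 0 if the line is fine, 1 if mount would fail with it.
check_fstab_line() {
    set -- $1                   # split the fstab fields on whitespace
    fs_type=$3
    opts=$4
    status=0
    case "$fs_type" in
        ext2|ext3|ext4|reiserfs|xfs|jfs)
            old_ifs=$IFS
            IFS=,
            for opt in $opts; do    # split the option string on commas
                case "$opt" in
                    umask=*|dmask=*|fmask=*|uid=*|gid=*)
                        echo "warning: '$opt' is not a valid $fs_type mount option" >&2
                        status=1 ;;
                esac
            done
            IFS=$old_ifs ;;
    esac
    return $status
}

# check_fstab: read fstab text on stdin, print how many lines would fail.
check_fstab() {
    bad=0
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        check_fstab_line "$line" || bad=$((bad + 1))
    done
    echo "$bad"
}

# Constructed sample: the two ext3 entries from the thread plus tojo's vfat one.
sample_fstab='/path/to/crypto-loop-file /mnt/crypto ext3 user,defaults,noauto,loop,encryption=aes,keybits=256 0 0
/path/to/crypto-loop-file /mnt/cryptofs ext3 user,umask=077,defaults,noauto,loop,encryption=aes,keybits=256 0 0
/mnt/loopfs.vfat /mnt/loopfs vfat defaults,loop,user,noauto,umask=077 0 0'

printf '%s\n' "$sample_fstab" | check_fstab    # prints 1 (only the umask=077 ext3 line)
```

The loop-specific options (loop, encryption=, keybits=) are handled by mount itself rather than the filesystem, so they are deliberately not flagged.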
Jacobs Apprentice
Joined: 29 Apr 2003 Posts: 174 Location: Czech republic
Posted: Mon May 12, 2003 6:41 pm

you don't understand - there is no way (at least I think so) to specify the "user-who-mounted" in chmod
Quote:
    like this you can remove rights from everybody else but the owner
but I want only the "mounter" to be able to access the partition (ownership is a different subject)

tojo n00b
Joined: 09 Dec 2002 Posts: 72
Posted: Mon May 12, 2003 8:55 pm

Ok, now I see what you are looking for.
I think you have to change filesystem, to a dumber fs I guess.
I also made these tests:
Code:
    $ dd if=/dev/zero of=loopfs.vfat bs=1M count=2
    2+0 records in
    2+0 records out
    $ mkfs.vfat loopfs.vfat
    mkfs.vfat 2.8 (28 Feb 2001)
    $ mv loopfs.vfat /mnt
added this line to /etc/fstab:
Code:
    /mnt/loopfs.vfat /mnt/loopfs vfat defaults,loop,user,noauto,umask=077 0 0
Now, when any user mounts this filesystem he gets full rights to it and no one else can access it. Is this what you are looking for?

Jacobs Apprentice
Joined: 29 Apr 2003 Posts: 174 Location: Czech republic
Posted: Mon May 12, 2003 9:11 pm

yeah you got it... thanks a lot.
just a try - is there some way I can do this with ext3 or some other fs? (fat is a bit too dumb)
I'm starting to realize that if the filesystem supports file access management (or however it is called), it may be a bit tricky to do what I want, right?

joycea Apprentice
Joined: 23 Jul 2002 Posts: 191 Location: Kingston, Canada
Posted: Mon May 12, 2003 10:29 pm

I see where you are having the problems with the umask and ext3 now, sorry for leading you down the wrong path.
In this case, why don't you just set the permissions on the root folder of the encrypted fs to match what you want to limit access to (i.e. chmod 700 ./)? I think that should work for you.

tojo n00b
Joined: 09 Dec 2002 Posts: 72
Posted: Tue May 13, 2003 5:25 am

Jacobs wrote:
    I'm starting to realize that if the filesystem supports file access management (or however it is called), it may be a bit tricky to do what I want, right?
Yes, that is pretty tricky, because you can't override permission settings via the mount command on these filesystems. Maybe you can write a little mount script for setting the right permissions on files when a user mounts this "device", but I think then there will be some kind of security risk.

Jacobs Apprentice
Joined: 29 Apr 2003 Posts: 174 Location: Czech republic
Posted: Tue May 13, 2003 8:25 am

hmm
but I don't have to override them - if the user who mounted doesn't have file-based access to these files, it's ok for me. but I don't want anyone else to be allowed to access the partition (doesn't matter if he has some file-based access or not). so it's like two independent levels of access rights from which the effective rights are counted with logical AND (you mounted && you have file-based access = you can access the file).
but I think there is no support for this in linux mounting