Hello. First of all, I'm not asking for someone to do my homework for me, but rather whether someone can help me understand why I can't get this to work.
I spent last night trying to figure out how to mount a USB drive as a regular user, using ntfs-3g. I read the related wiki entries and researched quite a lot in the forums. I came up with this:
fstab:
#
# /etc/fstab: static file system information
#
# <file system> <dir> <type> <options> <dump> <pass>
devpts /dev/pts devpts defaults 0 0
shm /dev/shm tmpfs nodev,nosuid 0 0
#/dev/cdrom /media/cd auto ro,user,noauto,unhide 0 0
#/dev/dvd /media/dvd auto ro,user,noauto,unhide 0 0
#/dev/fd0 /media/fl auto user,noauto 0 0
/dev/sda1 / ext3 defaults,noatime 0 1
/dev/sda2 /home ext3 defaults,noatime 0 2
/dev/sda3 swap swap defaults 0 0
/dev/sdb1 /mnt/usb ntfs-3g noauto,uid=0,gid=0,noatime,umask=000, 0 0
I created an ntfsuser group, added my user to that group and trimmed the permissions of the ntfs-3g executable (link in this post). That allows me to mount the partition as root and read/write as a regular user. It works, so (I think) no big deal here.
However if I add user to the mount options the following error shows up:
Mount is denied because setuid and setgid root ntfs-3g is insecure with the
external FUSE library. Either remove the setuid/setgid bit from the binary
or rebuild NTFS-3G with integrated FUSE support and make it setuid root.
Please see more information at http://ntfs-3g.org/support.html#unprivileged
What bugs me the most is that I don't understand why I can't mount as a regular user when the user option is set in the fstab. Shouldn't that allow regular users to mount and unmount? It's not like I'm mounting and dismounting USB drives every 5', but I would like to get this done because I know it can be done.
Sorry for asking such a trivial question, but I sense that I'm missing something really stupid and I just can't figure out what it is.
Sorry for my English. Feel free to point out my errors.
Offline
I'm sorry, I didn't notice your reply earlier.
My $UID seems to be 1000 and my umask 1000. Is this my user ID? I wonder because the idea is that everyone who is not root would be able to mount the USB drive.
Sorry for my English. Feel free to point out my errors.
Offline
FYI: 1000 is usually the user id for the first created normal user. 0 is always the user id for root.
Offline
Good to know. I read somewhere (while I was researching on this matter), that 0 was like a wildcard, hence the 0 in my fstab.
If I understood this right, should I remove the uid parameter, leaving only gid=users to allow everyone to mount this?
Sorry for my English. Feel free to point out my errors.
Offline
AFAIK, the only parameter needed to mount it as a normal user is user, although I'm not sure I've ever succeeded at this.
Offline
For me, adding user to fstab didn't work. I still have to mount as root. If I somehow solve this, I'll update the thread with my findings.
Sorry for my English. Feel free to point out my errors.
Offline
Hello, as far as I know this is a security measure hard-coded into ntfs-3g by the developers. If you want to fix this you'll have to re-compile ntfs-3g with integrated fuse support. Apparently, using an external fuse library and allowing 'unprivileged' users to mount ntfs-3g volumes leads to "unwanted privilege escalation."
However, you probably don't really have to compile it yourself, because it appears to already be in AUR, here (package ID: 37647), although it didn't build right the last time I tried it.
If you install this, don't forget to first remove fuse (and ntfs-3g) using pacman, unless you need fuse for something else.
At the moment, I've just settled with "sudo mount /path/to/ntfs-mountpoint/"; users are allowed to unmount volumes even with the regular ntfs-3g implementation with the right permissions.
Sometimes, I mean what I post.
Offline
Beware of the double post! (+1)
Ok, I decided I'd get this to work, although the method and the implications it could have might not seem pretty to some. There are certain conditions for a user to mount any ntfs volume with ntfs-3g, I will name them here:
1. ntfs-3g with integrated fuse support. You'll get this by:
1A. Removing ntfs-3g and fuse from your system if you have them installed as separate packages, so do this as root:
pacman -Rn ntfs-3g
pacman -Rn fuse
Now you can install the new package.
1B. Getting a modified version of the PKGBUILD found in that AUR link previously mentioned by me, here's mine:
# Maintainer: Gula <gulanito.archlinux.org>
# Slightly modified by anderfs
# Don't forget to setuid-root for the ntfs-3g binary after you install this
pkgname=ntfs-3g-fuse-internal
pkgver=2010.5.16
pkgrel=1
pkgdesc="Stable read and write NTFS driver (whit internal fuse suport)"
url="http://www.tuxera.com"
arch=('i686' 'x86_64')
license=('GPL2')
depends=('glibc')
conflicts=('ntfs-3g')
makedepends=('pkgconfig')
options=('!libtool')
source=(http://www.tuxera.com/opensource/ntfs-3g-${pkgver}.tgz
        http://aur.archlinux.org/packages/ntfs-3g-fuse-internal/ntfs-3g-fuse-internal/25-ntfs-config-write-policy.fdi)
sha1sums=('895da556ad974743841f743c49b734132b2a7cbc'
          '200029f2999a2c284fd30ae25734abf6459c3501')
build() {
  cd "${srcdir}/ntfs-3g-${pkgver}"
  ac_cv_path_LDCONFIG=/bin/true ./configure --prefix=/usr \
    --with-fuse=internal --disable-static || return 1
  make || return 1
}
package() {
  cd "${srcdir}/ntfs-3g-${pkgver}"
  make DESTDIR="${pkgdir}" install || return 1
  ln -s /bin/ntfs-3g "${pkgdir}/sbin/mount.ntfs" || return 1
  install -m755 -d "${pkgdir}/usr/share/hal/fdi/policy/10osvendor"
  install -m644 "${srcdir}/25-ntfs-config-write-policy.fdi" "${pkgdir}/usr/share/hal/fdi/policy/10osvendor/" || return 1
}
Save this as PKGBUILD, preferably in an empty directory so it doesn't clutter things up when you build it.
1C. Now go to the directory where you saved it and do this as a regular user:
makepkg PKGBUILD
After that's done, you'll get a package called ntfs-3g-fuse-internal-2010.5.16-1-i686.pkg.tar.xz, or something similar.
1D. Install that package as root:
pacman -U ntfs-3g-fuse-internal-2010.5.16-1-i686.pkg.tar.xz
If all went well you now have ntfs-3g compiled with integrated fuse support.
2. The ntfs-3g version must be higher than 1.2506, this is already covered, the package installed from AUR matches this requirement.
3. The ntfs-3g binary must be set to setuid-root, to accomplish this you shall do the following as root:
chown root $(which ntfs-3g)
chmod 4755 $(which ntfs-3g)
I used 4750 instead of 4755, I guess that last bit can be a matter of personal taste as long as it isn't something obnoxious like "7".
4. The user must have the right access to the volume. Okay, this is the ugly part, volumes are owned by root and managed by the disk group with permissions brw-rw----, this means you have to add any users you want mounting this volume to the disk group.
4A. So, do this as root:
gpasswd -a [user] disk
Where [user] is obviously the name of whichever user you're adding to the disk group, do this for any user you want mounting this volume.
Any users currently logged in will have to log out and back in for these changes to take effect, this most likely includes you.
4B. Now that you logged back in, try this:
groups
One of the groups listed should be disk, if it's not there you didn't completely log out of all open sessions.
5. The user must have the right permissions/access to the mount point. For a user to be able to mount something to a mount point, that user needs to have read permission (pretty self-explanatory), write permission (so the user can make any changes to the sub-structure of the mount point), and execute permission (so the user can change-dir to that mount point) to it. Mount points can be anywhere, so this really depends where you're mounting.
In my case, I'm mounting these volumes on certain directories under /mnt/, for example /mnt/example. If you're mounting stuff there, you might as well take advantage of the fact your "mounting user" is already in the group disk, and do the following as root:
chgrp disk /mnt/example
chmod 774 /mnt/example
Now users in the disk group will be able to manage these mount points.
6. Mount it. That's it, you should now be able to mount ntfs volumes as an "unprivileged enough" user. Here's an example of what you'd have to put in /etc/fstab:
UUID=XXXXYYYYXXXXYYYY /mnt/example ntfs-3g noauto,noatime,user,uid=0,gid=6,fmask=137,dmask=027,rw 0 0
uid=0 means root will be the owner of this mount-point and anything in it after it's mounted. This is due to the fact that even though users might own their mountpoints and have rwx permissions on them, you might still not want them to write to the mounted ntfs volumes. Remove this if you want them to be able to write to the volume.
gid=6 means this will be managed by the disk group in my system. Perhaps the disk group has a different id in your system, run "id root" to find out, as root usually is part of this group.
fmask = 137 means the owner (root) can do anything with files in this volume except executing files. Group members (disk) can only read files here, not create or execute them. And other users can't do anything in this volume.
dmask = 027 means the owner can do anything with directories (execute here is needed to chdir), users can't write directories but they can read or execute in them (once again, needed by 'cd'), and finally other users still don't have any access.
You can use whichever fmask and dmask makes sense to you, or use an umask instead.
Last edited by anderfs (2010-07-15 11:34:48)
Sometimes, I mean what I post.
Offline
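Added example, not part of any post in this thread: a POSIX shell sketch that decodes what the two fstab entries quoted above grant once mounted, and who can execute the setuid-root ntfs-3g binary under mode 4755 versus 4750. The function names are made up for this example, and it assumes umask is not combined with fmask/dmask in the same entry.

```shell
#!/bin/sh
# Added example, not from the thread. The two sample fstab lines are copied from the posts.

# mask_to_perms MASK: symbolic permissions left after applying MASK to 0777.
mask_to_perms() {
    mode=$(( 0777 & ~0$1 ))
    out=""
    for s in 6 3 0; do
        b=$(( (mode >> s) & 7 ))
        [ $(( b & 4 )) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $(( b & 2 )) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $(( b & 1 )) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# fstab_opt LINE KEY: value of KEY=... in the options (4th) field, empty if absent.
fstab_opt() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (index(o[i], k "=") == 1) { print substr(o[i], length(k) + 2); exit }
    }'
}

# audit_entry LINE: owner, group and effective modes an ntfs-3g entry yields.
# Simplification: umask is not combined with fmask/dmask; no mask at all means 000.
audit_entry() {
    um=$(fstab_opt "$1" umask); um=${um:-000}
    fm=$(fstab_opt "$1" fmask); dm=$(fstab_opt "$1" dmask)
    printf 'uid=%s gid=%s files=%s dirs=%s\n' \
        "$(fstab_opt "$1" uid)" "$(fstab_opt "$1" gid)" \
        "$(mask_to_perms "${fm:-$um}")" "$(mask_to_perms "${dm:-$um}")"
}

# suid_exposure MODE: who can execute a setuid binary with octal MODE,
# e.g. MODE=$(stat -c %a "$(command -v ntfs-3g)") with GNU stat.
suid_exposure() {
    m=$(( 0$1 ))
    if   [ $(( m & 04000 )) -eq 0 ]; then echo "not setuid"
    elif [ $(( m & 00001 )) -ne 0 ]; then echo "setuid, any user can run it"
    elif [ $(( m & 00010 )) -ne 0 ]; then echo "setuid, group members only"
    else echo "setuid, owner only"; fi
}

first='/dev/sdb1 /mnt/usb ntfs-3g noauto,uid=0,gid=0,noatime,umask=000, 0 0'
later='UUID=XXXXYYYYXXXXYYYY /mnt/example ntfs-3g noauto,noatime,user,uid=0,gid=6,fmask=137,dmask=027,rw 0 0'
audit_entry "$first"
audit_entry "$later"
suid_exposure 4755
suid_exposure 4750
```

The entry from the first post leaves every file and directory world-writable, while the later entry limits writes to root and reads to the disk group. Since disk membership also gives raw access to the block devices described in step 4, `getent group disk` is worth reviewing alongside this output.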
anderfs, beautiful post man. Great detail. Thanks for the information.
Setting Up a Scripting Environment | Proud donor to wikipedia - link
Offline
Gen2ly,
FYI, Look at the age of the thread
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline