#1 2010-05-17 22:31:13

rb
Member
From: Argentina
Registered: 2010-05-07
Posts: 143

Mounting USB drive as regular user (with ntfs-3g)

Hello. First of all, I'm not asking to do the homework for me, rather if someone can help me understand why I can't get this to work.

I spent the last night trying to figure out how to mount a USB drive as a regular user, using ntfs-3g. I read the related wiki entries and researched quite a lot in the forums. I came up with this:

fstab:

# 
# /etc/fstab: static file system information
# 
# <file system>  <dir>        <type>  <options>          <dump> <pass>
devpts           /dev/pts     devpts  defaults                0      0
shm              /dev/shm     tmpfs   nodev,nosuid            0      0

#/dev/cdrom      /media/cd    auto    ro,user,noauto,unhide   0      0
#/dev/dvd        /media/dvd   auto    ro,user,noauto,unhide   0      0
#/dev/fd0        /media/fl    auto    user,noauto             0      0

/dev/sda1        /            ext3    defaults,noatime        0      1    
/dev/sda2        /home        ext3    defaults,noatime        0      2 
/dev/sda3        swap         swap    defaults                0      0
/dev/sdb1        /mnt/usb     ntfs-3g    noauto,uid=0,gid=0,noatime,umask=000, 0 0

I created a ntfsuser group, added my user to that group and trimmed the permissions of the ntfs-3g executable (link in this post). That allows me to mount the partition as root and read/write as a regular user. It works, so (I think) no big deal here.

However, if I add user to the mount options, the following error shows up:

Mount is denied because setuid and setgid root ntfs-3g is insecure with the
external FUSE library. Either remove the setuid/setgid bit from the binary
or rebuild NTFS-3G with integrated FUSE support and make it setuid root.
Please see more information at http://ntfs-3g.org/support.html#unprivileged

What bugs me the most is that I don't understand why I can't mount as a regular user when the user option is set in the fstab. Shouldn't that allow regular users to mount and unmount? It's not like I'm mounting and dismounting USB drives every 5', but I would like to get this done because I know it can be done.

Sorry for asking such a trivial question, but I sense that I'm missing something really stupid and I just can't figure out what it is.


Sorry for my English. Feel free to point out my errors.

Offline

#2 2010-05-19 00:46:02

evil
Member
From: Indianapolis, IN
Registered: 2010-03-06
Posts: 41
Website

Re: Mounting USB drive as regular user (with ntfs-3g)

Perhaps the umask and the uid aren't correct. In a terminal, type this:

echo $UID

this will return your user id

umask

this will return the umask

my uid was 1000 and umask was 0022


Site | Blog | Freenode Nick: i686

Offline

#3 2010-06-01 13:33:14

rb
Member
From: Argentina
Registered: 2010-05-07
Posts: 143

Re: Mounting USB drive as regular user (with ntfs-3g)

I'm sorry, I didn't notice your reply earlier.

My $UID seems to be 1000 and my umask 1000. Is this my user ID? I wonder because the idea is that everyone who isn't root would be able to mount the USB drive.


Sorry for my English. Feel free to point out my errors.

Offline

#4 2010-06-01 13:51:36

Surgat_
Member
Registered: 2007-08-08
Posts: 317

Re: Mounting USB drive as regular user (with ntfs-3g)

FYI: 1000 is usually the user id for the first created normal user. 0 is always the user id for root.

Offline

#5 2010-06-01 14:02:19

rb
Member
From: Argentina
Registered: 2010-05-07
Posts: 143

Re: Mounting USB drive as regular user (with ntfs-3g)

Good to know. I read somewhere (while I was researching on this matter), that 0 was like a wildcard, hence the 0 in my fstab.

If I understood this right, should I remove the uid parameter, leaving only gid=users to allow everyone to mount this?


Sorry for my English. Feel free to point out my errors.

Offline

#6 2010-06-01 20:58:14

Surgat_
Member
Registered: 2007-08-08
Posts: 317

Re: Mounting USB drive as regular user (with ntfs-3g)

AFAIK, the only parameter needed to mount it as a normal user is user, although I'm not sure I've ever succeeded at this.

Offline

#7 2010-06-02 13:39:55

rb
Member
From: Argentina
Registered: 2010-05-07
Posts: 143

Re: Mounting USB drive as regular user (with ntfs-3g)

For me, adding user to fstab didn't work. I still have to mount as root. If I somehow solve this, I'll update the thread with my findings.


Sorry for my English. Feel free to point out my errors.

Offline

#8 2010-07-15 09:37:12

anderfs
Member
Registered: 2010-07-10
Posts: 9

Re: Mounting USB drive as regular user (with ntfs-3g)

Hello, as far as I know this is a security measure hard-coded into ntfs-3g by the developers. If you want to fix this you'll have to re-compile ntfs-3g with integrated fuse support. Apparently, using an external fuse library and allowing 'unprivileged' users to mount ntfs-3g volumes leads to "unwanted privilege escalation."

However, you probably don't really have to compile it yourself, because it appears to already be in AUR, here (package ID: 37647), although it didn't build right the last time I tried it.

If you install this, don't forget to first remove fuse (and ntfs-3g) using pacman, unless you need fuse for something else.

At the moment, I've just settled with "sudo mount /path/to/ntfs-mountpoint/"; users are allowed to unmount volumes even with the regular ntfs-3g implementation with the right permissions.


Sometimes, I mean what I post.

Offline

#9 2010-07-15 11:31:06

anderfs
Member
Registered: 2010-07-10
Posts: 9

Re: Mounting USB drive as regular user (with ntfs-3g)

Beware of the double post! (+1)

Ok, I decided I'd get this to work, although the method and the implications it could have might not seem pretty to some. There are certain conditions for a user to mount any ntfs volume with ntfs-3g, I will name them here:

1. ntfs-3g with integrated fuse support. You'll get this by:

    1A. Removing ntfs-3g and fuse from your system if you have them installed as separate packages, so do this as root:

pacman -Rn ntfs-3g
pacman -Rn fuse

Now you can install the new package.

    1B. Getting a modified version of the PKGBUILD found in that AUR link previously mentioned by me, here's mine:

# Maintainer: Gula  <gulanito.archlinux.org>
# Slightly modified by anderfs
# Don't forget to setuid-root for the ntfs-3g binary after you install this

pkgname=ntfs-3g-fuse-internal
pkgver=2010.5.16
pkgrel=1
pkgdesc="Stable read and write NTFS driver (whit internal fuse suport)"
url="http://www.tuxera.com"
arch=('i686' 'x86_64')
license=('GPL2')
depends=('glibc')
conflicts=('ntfs-3g')
makedepends=('pkgconfig')
options=('!libtool')
source=(http://www.tuxera.com/opensource/ntfs-3g-${pkgver}.tgz
        http://aur.archlinux.org/packages/ntfs-3g-fuse-internal/ntfs-3g-fuse-internal/25-ntfs-config-write-policy.fdi)
sha1sums=('895da556ad974743841f743c49b734132b2a7cbc'
          '200029f2999a2c284fd30ae25734abf6459c3501')

build() {
  cd "${srcdir}/ntfs-3g-${pkgver}"
  ac_cv_path_LDCONFIG=/bin/true ./configure --prefix=/usr \
    --with-fuse=internal --disable-static || return 1
  make || return 1
}

package() {
  cd "${srcdir}/ntfs-3g-${pkgver}"
  make DESTDIR="${pkgdir}" install || return 1
  ln -s /bin/ntfs-3g "${pkgdir}/sbin/mount.ntfs" || return 1
  install -m755 -d "${pkgdir}/usr/share/hal/fdi/policy/10osvendor"
  install -m644 "${srcdir}/25-ntfs-config-write-policy.fdi" "${pkgdir}/usr/share/hal/fdi/policy/10osvendor/" || return 1
}

Save this as PKGBUILD, preferably in an empty directory so it doesn't clutter things up when you build it.

    1C. Now go to the directory where you saved it and do this as a regular user:

makepkg PKGBUILD

After that's done, you'll get a package called ntfs-3g-fuse-internal-2010.5.16-1-i686.pkg.tar.xz, or something similar.

    1D. Install that package as root:

pacman -U ntfs-3g-fuse-internal-2010.5.16-1-i686.pkg.tar.xz

If all went well you now have ntfs-3g compiled with integrated fuse support.

2. The ntfs-3g version must be higher than 1.2506, this is already covered, the package installed from AUR matches this requirement.

3. The ntfs-3g binary must be set to setuid-root, to accomplish this you shall do the following as root:

chown root $(which ntfs-3g)
chmod 4755 $(which ntfs-3g)

I used 4750 instead of 4755, I guess that last bit can be a matter of personal taste as long as it isn't something obnoxious like "7".

4. The user must have the right access to the volume. Okay, this is the ugly part, volumes are owned by root and managed by the disk group with permissions brw-rw----, this means you have to add any users you want mounting this volume to the disk group.

    4A. So, do this as root:

gpasswd -a [user] disk

Where [user] is obviously the name of whichever user you're adding to the disk group, do this for any user you want mounting this volume.

    Any users currently logged in will have to log out and back in for these changes to take effect, this most likely includes you.

    4B. Now that you logged back in, try this:

groups

One of the groups listed should be disk, if it's not there you didn't completely log out of all open sessions.

5. The user must have the right permissions/access to the mount point. For a user to be able to mount something to a mount point, that user needs to have read permission (pretty self-explanatory), write permission (so the user can make any changes to the sub-structure of the mount point), and execute permission (so the user can change-dir to that mount point) to it. Mount points can be anywhere, so this really depends where you're mounting.

In my case, I'm mounting these volumes on certain directories under /mnt/, for example /mnt/example. If you're mounting stuff there, you might as well take advantage of the fact your "mounting user" is already in the group disk, and do the following as root:

chgrp disk /mnt/example
chmod 774 /mnt/example

Now users in the disk group will be able to manage these mount points.

6. Mount it. That's it, you should now be able to mount ntfs volumes as an "unprivileged enough" user. Here's an example of what you'd have to put in /etc/fstab:

UUID=XXXXYYYYXXXXYYYY /mnt/example ntfs-3g noauto,noatime,user,uid=0,gid=6,fmask=137,dmask=027,rw 0 0

uid=0 means root will be the owner of this mount-point and anything in it after it's mounted. This is due to the fact that even though users might own their mountpoints and have rwx permissions on them, you might still not want them to write to the mounted ntfs volumes. Remove this if you want them to be able to write to the volume.

gid=6 means this will be managed by the disk group in my system. Perhaps the disk group has a different id in your system, run "id root" to find out, as root usually is part of this group.

fmask = 137 means the owner (root) can do anything with files in this volume except executing files. Group members (disk) can only read files here, not create or execute them. And other users can't do anything in this volume.

dmask = 027 means the owner can do anything with directories (execute here is needed to chdir), users can't write directories but they can read or execute in them (once again, needed by 'cd'), and finally other users still don't have any access.

You can use whichever fmask and dmask makes sense to you, or use an umask instead.

Last edited by anderfs (2010-07-15 11:34:48)


Sometimes, I mean what I post.

Offline
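
An added example, not part of anderfs's post or of ntfs-3g: a small audit helper for the setup described in post #9. It computes the file and directory modes that an fmask/dmask/umask leaves on an ntfs-3g fstab entry, reports whether non-root users may mount it, and classifies who can run a setuid binary from its octal mode (the 4755 versus 4750 choice in step 3). The function names are made up for this example; the sample fstab line is the one from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# mask_to_mode MASK: permissions that remain after an fmask/dmask/umask.
mask_to_mode() (
    printf '%03o\n' $(( 0777 & ~0$1 ))
)

# fstab_opt LINE KEY: value of KEY=value in the options column, empty if absent.
fstab_opt() (
    printf '%s\n' "$1" | awk '{print $4}' | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
)

# fstab_has_flag LINE FLAG: succeeds if the bare option FLAG is present.
fstab_has_flag() (
    printf '%s\n' "$1" | awk '{print $4}' | tr ',' '\n' | grep -qx "$2"
)

# audit_ntfs_line LINE: who may mount the entry and which modes its files get.
audit_ntfs_line() (
    line=$1
    if [ "$(printf '%s\n' "$line" | awk '{print $3}')" != "ntfs-3g" ]; then
        echo "skip"
    else
        um=$(fstab_opt "$line" umask); um=${um:-000}  # no mask given: full access
        fm=$(fstab_opt "$line" fmask); dm=$(fstab_opt "$line" dmask)
        if fstab_has_flag "$line" user || fstab_has_flag "$line" users; then
            who=any-user
        else
            who=root-only
        fi
        echo "mount=$who uid=$(fstab_opt "$line" uid) files=$(mask_to_mode "${fm:-$um}") dirs=$(mask_to_mode "${dm:-$um}")"
    fi
)

# setuid_exposure MODE: who can execute a binary that has this octal mode.
setuid_exposure() (
    mode=$(( 0$1 ))
    if [ $(( mode & 04000 )) -eq 0 ]; then echo "not-setuid"
    elif [ $(( mode & 0001 )) -ne 0 ]; then echo "setuid-all-users"
    elif [ $(( mode & 0010 )) -ne 0 ]; then echo "setuid-group-only"
    else echo "setuid-owner-only"; fi
)

# Sample input: the fstab line from post #9.
SAMPLE='UUID=XXXXYYYYXXXXYYYY /mnt/example ntfs-3g noauto,noatime,user,uid=0,gid=6,fmask=137,dmask=027,rw 0 0'
audit_ntfs_line "$SAMPLE"
setuid_exposure 4750
# On a live system (GNU stat): setuid_exposure "$(stat -c %a "$(command -v ntfs-3g)")"
```

Because step 4 relies on membership of the disk group, `getent group disk` is the companion check: every account listed there has the same raw access to the block devices that the mounting user was given.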

#10 2011-12-10 03:38:29

Gen2ly
Member
From: Sevierville, TN
Registered: 2009-03-06
Posts: 1,529
Website

Re: Mounting USB drive as regular user (with ntfs-3g)

anderfs, beautiful post man.  Great detail.  Thanks for the information.


Setting Up a Scripting Environment | Proud donor to wikipedia - link

Offline

#11 2011-12-10 04:13:28

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: Mounting USB drive as regular user (with ntfs-3g)

Gen2ly,
FYI, look at the age of the thread.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline
