[Nottingham] (Mandrake 9.0) Linux security help please
Martin
nottingham at mailman.lug.org.uk
Mon Jan 20 20:31:02 2003
jason wrote:
> Just a thought from a novice...
>
>>1: There are a few windows partitions that are automatically mounted and
>>are automatically r/w for all users. How do I make these mounts
>>inaccessible/invisible for one or more users?
>
> Here's a thought that may be impractical but maybe not?
> The problem with vfat is the inability to set permissions, but that doesn't
> stop you reducing permissions on the parent directory, so unless I've missed
> something ( which I probably have ) you could try:
> su
> mkdir /mnt_win (create a new mount directory for the vfat partitions )
> create the vfat mount points in mnt_win rather than mnt. e.g. mkdir
> /mnt_win/win_c
> chmod 750 /mnt_win (i.e. prevent casual users seeing it, reading or writing
> it, as opposed to 755 normally on /mnt )
> Create a windows group.
> chgrp winusers /mnt_win
> Change fstab to mount the windows partitions inside the mnt_win directories
> instead of /mnt
>
> Now assign any user who SHOULD have access to the windows partitions to the
> winusers group and they should be able to get to the windows partitions as
> normal through the mnt_win directory.
EXACTLY - spot on!
Now why didn't I know that!!! Now to try a few fstab et al tweaks...
> Obviously if you wish you could create a different mount directory for each if
> you want different permissions.
>
> Hope this helps you out on this. The trick is basically to use the permissions
> on the parent directory rather than the mounted partition itself.
> Extending this, if you want a read-only for some users and read-write for
> others you could always mount it twice, under one directory as rw and one as
> ro in fstab and again use the parent directory permissions.
A nice little extra to be played with also.
(Beer in hand for continued reading...)
Thanks,
Martin
--
----------------
Martin Lomas
martin@ml1.co.uk
----------------
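
The parent-directory approach described in this thread, as an added shell example that is not part of the original messages: it creates the restricted parent, checks that it really shuts out other users, and prints the matching fstab entries. The function names, the `DEVICE:NAME` argument format and the use of GNU `stat -c` are assumptions; the mount options are passed through unchanged from whatever the existing fstab lines use.

```shell
#!/bin/sh
# Added example, not from the thread. PARENT, GROUP and mount names are caller-supplied.

# setup_win_parent PARENT GROUP NAME...
# Create PARENT with one mount point per NAME, hand it to GROUP, mode 750.
setup_win_parent() {
    parent=$1; group=$2; shift 2
    mkdir -p "$parent" || return 1
    for name in "$@"; do
        mkdir -p "$parent/$name" || return 1
    done
    chgrp "$group" "$parent" || return 1
    chmod 750 "$parent"   # owner rwx, group r-x, everyone else nothing
}

# check_win_parent PARENT GROUP
# Succeed only if PARENT belongs to GROUP (name or gid) and grants nothing to others.
check_win_parent() {
    parent=$1; group=$2
    mode=$(stat -c '%a' "$parent") || return 1
    gname=$(stat -c '%G' "$parent") || return 1
    gid=$(stat -c '%g' "$parent") || return 1
    if [ "$gname" != "$group" ] && [ "$gid" != "$group" ]; then
        echo "$parent: group is $gname, expected $group" >&2
        return 1
    fi
    case $mode in
        *0) return 0 ;;   # last octal digit 0: no access for other users
        *)  echo "$parent: mode $mode lets other users in" >&2; return 1 ;;
    esac
}

# fstab_lines PARENT OPTIONS DEVICE:NAME...
# Print fstab entries that mount each vfat DEVICE on PARENT/NAME.
fstab_lines() {
    parent=$1; opts=$2; shift 2
    for pair in "$@"; do
        printf '%s %s/%s vfat %s 0 0\n' "${pair%%:*}" "$parent" "${pair#*:}" "$opts"
    done
}
```

Run `check_win_parent /mnt_win winusers` after any change to fstab or the mount directories; a parent left at 755 opens the partitions to every local user again.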