[Nottingham] (Mandrake 9.0) Linux security help please

jason nottingham at mailman.lug.org.uk
Mon Jan 20 20:21:02 2003


Just a thought from a novice...

> 1: There are a few windows partitions that are automatically mounted and
> are automatically r/w for all users. How do I make these mounts
> inaccessible/invisible for one or more users?

Here's a thought that may be impractical but maybe not?
The problem with vfat is the inability to set permissions, but that doesn't
stop you reducing permissions on the parent directory, so unless I've missed
something ( which I probably have ) you could try:
su
mkdir /mnt_win	(create a new mount directory for the vfat partitions )
create the vfat mount points in mnt_win rather than mnt. e.g. mkdir /mnt_win/win_c
chmod 750 /mnt_win	(i.e. prevent casual users seeing it, reading or writing
it, as opposed to 755 normally on /mnt )
Create a windows group.
chgrp winusers /mnt_win
Change fstab to mount the windows partitions inside the mnt_win directories
instead of /mnt

Now assign any user who SHOULD have access to the windows partitions to the
winusers group and they should be able to get to the windows partitions as
normal through the mnt_win directory.

I tried this on my system (Mandrake 9.0) and it works for me.
$ cd /mnt_win/win_c
bash: cd: /mnt_win/win_c: Permission denied

Obviously if you wish you could create a different mount directory for each if
you want different permissions.

Hope this helps you out on this. The trick is basically to use the permissions
on the parent directory rather than the mounted partition itself.
Extending this, if you want a read-only for some users and read-write for
others you could always mount it twice, under one directory as rw and one as
ro in fstab and again use the parent directory permissions.

Just a thought, be prepared for someone knowledgeable to correct me now.

Jason
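
Added example, not part of the original post: a small shell audit for the
layout described above. For a given mount point it reports the nearest ancestor
directory that denies search (x) permission to users outside its owner and
group, such as /mnt_win at mode 750. The function names are made up for this
illustration, and it assumes it is run as root so every ancestor can be
inspected.

```sh
#!/bin/sh
# Added illustration: check that a vfat mount point is gated by a parent
# directory (e.g. /mnt_win, mode 750, group winusers), since the mounted
# filesystem itself cannot carry per-user permissions.

# other_can_search DIR: succeeds if "other" has the search (x) bit on DIR.
other_can_search() {
    [ -n "$(find "$1" -prune -perm -001 -print 2>/dev/null)" ]
}

# first_gate PATH: prints the nearest ancestor of PATH that "other" cannot
# traverse. Returns 1 if every ancestor is open, 2 if an ancestor is missing.
first_gate() {
    dir=$(dirname "$1")
    while :; do
        [ -d "$dir" ] || return 2
        if ! other_can_search "$dir"; then
            printf '%s\n' "$dir"
            return 0
        fi
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# audit_mount PATH: one-line verdict, with the gate's mode, owner and group.
audit_mount() {
    if gate=$(first_gate "$1"); then
        echo "OK   $1 gated by $gate ($(ls -ld "$gate" | awk '{print $1, $3, $4}'))"
    else
        echo "OPEN $1 is reachable by every local user"
        return 1
    fi
}

# Usage: sh audit.sh /mnt_win/win_c /mnt/win_d
status=0
for m in "$@"; do
    audit_mount "$m" || status=1
done
```

A mount point reported as OPEN is still reachable by every account, so the
parent directory mode or the fstab mount location needs correcting.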