Linux Tutorials - Herong's Tutorial Examples - v5.34, by Dr. Herong Yang
Access Permissions on "ntfs-3g" File System
Provides a tutorial example on how to control access permissions on mounted Windows NTFS partitions with the 'ntfs-3g' device driver.
In the last tutorial, we learned how to mount a Windows NTFS partition with the "ntfs-3g" device driver. Everything works fine on the mounted partition.
But there is one more issue you need to take care of: everyone can access the mounted Windows partition by default. This will be a security problem, if you want to store sensitive information on the mounted partition.
Let's look at the issue by mounting a Windows partition to /mnt/backup with default options:
herong$ ls -l /mnt
drwx------. 2 root root 6 Oct 10 05:20 backup

herong$ sudo mount -t ntfs-3g /dev/sda5 /mnt/backup

herong$ ls -l /mnt
drwxrwxrwx. 1 root root 8192 Oct 10 23:21 backup
As you can see, access permission on the mounted partition has been changed from "700" to "777", which allows everyone to read, write and change files. This is definitely a security issue, if there are multiple users.
You can try to change the access permissions with the "chmod" command, but it will have no impact:
herong$ chmod 700 /mnt/backup

herong$ ls -l /mnt
drwxrwxrwx. 1 root root 8192 Oct 10 23:21 backup
You can try to change the ownership with the "chown" command, but it will have no impact:
herong$ chown herong /mnt/backup

herong$ ls -l /mnt
drwxrwxrwx. 1 root root 8192 Oct 10 23:21 backup
You can try to change the SELinux Type with the "chcon" command, but it will fail:
herong$ sudo chcon -t user_tmp_t /mnt/backup
chcon: failed to change context of '/mnt/backup' to ‘system_u:object_r:user_tmp_t:s0’: Operation not supported
To resolve the issue, we have to go back to the "ntfs-3g" man page:
herong$ man ntfs-3g

NAME
   ntfs-3g - Third Generation Read/Write NTFS Driver

SYNOPSIS
   ntfs-3g [-o option[,...]] volume mount_point
   mount -t ntfs-3g [-o option[,...]] volume mount_point
...
OPTIONS
   Below is a summary of the options that ntfs-3g accepts.

   uid=value and gid=value
      Set the owner and the group of files and directories. The values
      are numerical. The defaults are the uid and gid of the current
      process.

   umask=value
      Set the bitmask of the file and directory permissions that are
      not present. The value is given in octal. The default value is 0
      which means full access to everybody.
...
Now let's mount it again so that only I can access it:
herong$ sudo umount /mnt/backup

herong$ id herong
uid=1000(herong) gid=1000(herong) groups=1000(herong)

herong$ sudo mount -t ntfs-3g -o uid=1000,gid=1000,umask=077 \
   /dev/sda5 /mnt/backup

herong$ ls -l /mnt
drwx------. 1 herong herong 8192 Oct 10 04:07 backup
Perfect, right? Not 100%. Yes, I can control who can access this NTFS partition now. But I still won't be able to grant different access permissions on its sub-directories, because it is not fully compatible with Linux security architectures.
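Since the mount options are the only access control on such a volume, it helps to check every mounted NTFS partition at once rather than reading "ls -l" by eye. The following is an added example, not part of the original tutorial. It assumes that ntfs-3g mounts are listed in /proc/mounts with type "fuseblk" and that GNU "stat" is available; the function name audit_ntfs_mounts is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original tutorial): flag mounted NTFS volumes
# whose mount point grants any access to group or other.
# Assumption: ntfs-3g mounts appear in /proc/mounts with type "fuseblk"
# (other FUSE block file systems share that type and are checked as well).

# audit_ntfs_mounts [MOUNTS_FILE]
# Prints one line per matching mount: "<OPEN|OK> <mode> <owner> <mount point>".
# Returns 1 if at least one mount point is OPEN, 0 otherwise.
# Usage: audit_ntfs_mounts || echo "re-mount with uid=, gid= and umask=077"
audit_ntfs_mounts() {
    mounts_file="${1:-/proc/mounts}"
    status=0
    # Fields in /proc/mounts: device, mount point, type, options, dump, pass
    while read -r _dev mnt fstype _rest; do
        case "$fstype" in
            fuseblk|ntfs-3g|ntfs) ;;
            *) continue ;;
        esac
        # GNU stat: %a = octal permission bits, %U = owner name
        mode=$(stat -c '%a' "$mnt" 2>/dev/null) || continue
        owner=$(stat -c '%U' "$mnt" 2>/dev/null) || owner='?'
        # The last two octal digits are the group and other bits;
        # stat prints mode 000 as a single "0".
        case "$mode" in
            *00|0) verdict=OK ;;
            *)     verdict=OPEN; status=1 ;;
        esac
        printf '%s %s %s %s\n' "$verdict" "$mode" "$owner" "$mnt"
    done < "$mounts_file"
    return "$status"
}
```

A partition mounted with the default options is reported as "OPEN 777 root /mnt/backup"; after re-mounting with umask=077 it is reported as "OK 700" with the new owner.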