Access Persmissions on "ntfs-3g" File System

Linux Tutorials - Herong's Tutorial Examples

∟Access Persmissions on "ntfs-3g" File System

This section provides a tutorial example on how to control access permissions on mounted Windows NTFS partitions with the 'ntfs-3g' device driver.

In the last tutorial, we learned how to mount a Windows NTFS partition with the "ntfs-3g" device driver. Everything works fine on the mounted partition.

But there is one more issue you need to take care of: everyone can access the mounted Windows partition by default. This will be a security problem, if you want to store sensitive information on the mounted partition.

Let's look at the issue by mounting a Windows partition to /mnt/backup with default options:

herong$ ls -l /mnt
drwx------. 2 root root 6 Oct 10 05:20 backup

herong$ sudo mount -t ntfs-3g /dev/sda5 /mnt/backup

herong$ ls -l /mnt
drwxrwxrwx. 1 root root 8192 Oct 10 23:21 backup

As you can see, access permission on the mounted partition has been changed from "700" to "777", which allows everyone to read, write and change files. This is definitely a security issue, if there are multiple users.

You can try to change the access permissions with the "chmod" command, but it will have no impact:

herong$ chmod 700 /mnt/backup

herong$ ls -l /mnt
drwxrwxrwx. 1 root root 8192 Oct 10 23:21 backup

You can try to change the ownership with the "chown" command, but it will have no impact:

herong$ chown herong /mnt/backup

herong$ ls -l /mnt
drwxrwxrwx. 1 root root 8192 Oct 10 23:21 backup

You can try to change the SELinux Type with the "chcon" command, but it will fail.

herong$ sudo chcon -t user_tmp_t /mnt/backup

chcon: failed to change context of '/mnt/backup'
   to 'system_u:object_r:user_tmp_t:s0': Operation not supported

To resolve the issue, we have to go back to "ntfs-3g" man page:

herong$ man ntfs-3g

NAME
       ntfs-3g - Third Generation Read/Write NTFS Driver

SYNOPSIS
       ntfs-3g [-o option[,...]]  volume mount_point
       mount -t ntfs-3g [-o option[,...]]  volume mount_point

...

OPTIONS
  Below is a summary of the options that ntfs-3g accepts.

  uid=value and gid=value
    Set the owner and the group of files and directories. The values are
    numerical.  The defaults are the uid and  gid of the current process.

  umask=value
    Set  the   bitmask  of  the  file and directory permissions that are
    not present. The value is given in octal. The default value is 0 which
    means full access to everybody.

  ...

Now let's mount it again for me to access only:

herong$ sudo umount /mnt/backup

herong$ id herong
uid=1000(herong) gid=1000(herong) groups=1000(herong)

herong$ sudo mount -t ntfs-3g -o uid=1000,gid=1000,umask=077 \
   /dev/sda5 /mnt/backup

herong$ ls -l /mnt
drwx------. 1 herong herong  8192 Oct 10 04:07 backup

Perfect, right? Not 100%. Yes, I can control who can access this NTFS partition now. But it still I won't be able to grant different access permissions on its sub-directories, because it is not fully compatible with Linux security architectures.