[SOLVED] Avoiding creation of files at some mount point.

danielhilst · 03-16-2015, 11:59 AM

I have some embedded environment, on which there is a mount point called /media/card. This mount point receives the SDCard filesystem, where our application runs. We have some problems of card not being inserted, and people wrongly copying data to this mount point - via SFTP. The safe-lock implemented by me was put some check on application's startup script to do not execute if /media/card isn't mounted. I do this by greping /proc/mounts.

I want to know if there is a way to put all tree below /media/card, while umounted, in read-only and when SDCard got mounted, overwrite permissions setted that tree. I've tryied to setup permissions, but even with chmod 000 /media/card, I still can create files, I mean, touch /media/card/foo works.

Since I'm running from a flash disk, the filesystem used is jffs2. Running applications that logs to filesystem can harm whole environment after some time, so I would like to have something more secure.

Best regards,
Daniel

jailbait · 03-16-2015, 03:54 PM

Quote:

Originally Posted by danielhilst

The safe-lock implemented by me was put some check on application's startup script to do not execute if /media/card isn't mounted. I do this by greping /proc/mounts.

Could you do the mount in the application startup script? If so, then you could check the mount command for successful completion. The command would look someting like this:

# Mount the flash drive
if ! (mount -L charlie /media/card);
then
echo "mount failed for flash card"
exit
fi

suicidaleggroll · 03-16-2015, 04:25 PM

Could you just remove the directory if the mount is unsuccessful? What is this "tree" you're speaking of? If the card is not mounted, the mount point should just be an empty directory.

danielhilst · 03-17-2015, 11:27 AM

With tree I mean all directories below /media/card, like /media/card/app/foo/bar/etc... I wan't to prohibit the user from writing on /media/card when no filesystem is mounted on it. Something like this

touch /media/card/foo # Error, pohibited. /media/card on same filesystem as /
mount /dev/sdb1 /media/card
touch /media/card/foo # Ok!

The ideia is to pohibit user to write data below /media/card on root filesystem, and permit on other filesystem (usually vfat)

I think about removing the card directory at all, and create on auto-mount.sh script (udev stuff), and remove on umount. This way no mount point exists when no filesystem is mounted on it. But I don't know if this script will run if the machine boots with SDCard inserted already. I'm gonna test it..

Regards,
Daniel

suicidaleggroll · 03-17-2015, 11:32 AM

Is it root you're trying to stop from writing to this directory, or another user? You can't stop root from doing anything, root can do whatever it wants, but it would be pretty easy to block a regular user from writing to that directory when the card is not mounted.

danielhilst · 03-18-2015, 05:07 AM

I see, it's root user. So this would be fixed if I use proper users, true. I'll try this! Thanks for suggestion!!

Keith Hedger · 03-18-2015, 11:52 AM

You can test if something is mounted on a folder with the 'mountpoint' command eg

Code:

keithhedger@LFSStarBug:/tmp-> mountpoint /etc
/etc is not a mountpoint
keithhedger@LFSStarBug:/tmp-> mountpoint /dev
/dev is a mountpoint
keithhedger@LFSStarBug:/tmp->

cepheus11 · 03-18-2015, 12:06 PM

Mount another filesystem there with options=ro.