LinuxQuestions.org

Slackware forum thread: Automount LUKS encrypted USB disk as regular user (https://www.linuxquestions.org/questions/slackware-14/automount-luks-encrypted-usb-disk-as-regular-user-765227/)

gargamel 10-29-2009 02:13 AM

Automount LUKS encrypted USB disk as regular user
 
Hi there,

I have a question regarding automounting.

How can I get a LUKS encrypted partition on an external USB device automounted with r/w access for non-privileged users?


Background:

I just reformatted an external USB device with ext4. The only partition is LUKS encrypted. Now, when I plug the device to my computer, KDE notifies me and asks me to enter the LUKS passphrase. Then it mounts the device. Little snag here: Non-privileged users have read-only access.

My user is a member of group plugdev, but not of group disk, as this was discouraged several times, e.g. by Robby Workman. With non-encrypted disks regular users have read/write access, or can change the filemodes accordingly, as far as I recall (currently I have no more non-encrypted disks left to verify it...).

Thanks a lot, best regards

gargamel

rworkman 10-29-2009 10:29 PM

It's an ext4 filesystem, so you have to change the ownership and/or permissions on the filesystem itself. In that respect, it's no different than any other directory on a non-hotpluggable disk. In other words, let's forget about the encrypted device for a moment and pretend you want to make /home/common writable to everyone on the system:
Code:

bash-3.1# mkdir /home/common
bash-3.1# ls -ld /home/common/
drwxr-xr-x 2 root root 1 2009-10-29 22:24 /home/common//
bash-3.1# chmod 0777 /home/common
bash-3.1# ls -ld /home/common/
drwxrwxrwx 2 root root 1 2009-10-29 22:24 /home/common/

Now let's pretend you want to make it writable by members of the "users" group only:
Code:

bash-3.1# chmod 0775 /home/common
bash-3.1# chown root:users /home/common
bash-3.1# ls -ld /home/common/
drwxrwxr-x 2 root users 1 2009-10-29 22:24 /home/common/

You can consider adding the sticky bit (chmod 1xxx) if you want files to only be removable by the user who created them, and you can adjust the ownership and permissions to use the "plugdev" group (which is probably what you really want) and even make it unreadable by everyone else. In essence, the fact that the device is removable is completely irrelevant - the filesystem is a unix filesystem, and thus you have to control access using unix permissions.

If you want it to behave like Windows filesystems (vfat, ntfs) in that the filesystem is owned and writable by the mounting user, then you'll have to make it a windows filesystem on the encrypted device.

gargamel 10-30-2009 02:37 AM

Thanks a lot, this is exactly the information I needed!

I am going to go the plugdev group write access way, I think. I thought about modifying the file mode of the directory representing the mount point, but there's no guarantee that the device is mounted to this very mountpoint every time, as I am using other removable USB devices, too, and it depends on the order they are connected to my computer to which mountpoint they are mounted.

So thanks for your help!

gargamel

rworkman 10-30-2009 08:49 AM

Changing the ownership and/or mode of the mountpoints won't help anyway, unless the device is actually mounted at that time. Just like the first set of examples, think in terms of a separate partition (nonremovable) on your system:

If /dev/sda1 is your / partition, and /dev/sda2 is the /home partition, you first have / mounted, and there is a /home directory in there already (it's the empty mountpoint). It doesn't matter what the ownership and mode of that empty /home directory is - when you mount /dev/sda2 to /home, the ownership and mode of the filesystem on /dev/sda2 is what will matter.

gargamel 10-30-2009 03:53 PM

Quote:

Originally Posted by rworkman (Post 3737929)
Changing the ownership and/or mode of the mountpoints won't help anyway, unless the device is actually mounted at that time. Just like the first set of examples, think in terms of a separate partition (nonremovable) on your system:

If /dev/sda1 is your / partition, and /dev/sda2 is the /home partition, you first have / mounted, and there is a /home directory in there already (it's the empty mountpoint).

Aha, I see.

Quote:

Originally Posted by rworkman (Post 3737929)
It doesn't matter what the ownership and mode of that empty /home directory is - when you mount /dev/sda2 to /home, the ownership and mode of the filesystem on /dev/sda2 is what will matter.

If I wanted to change this, then, how would I go about it? I would like to avoid changing the file mode of the device file, as it only temporarily exists, and I would have to do it every time I plug the USB device to my computer.

So

Code:

# chmod g+rw /dev/sda2
is not really an option, I guess. And actually it should be something like

Code:

# chmod g+rw /dev/mapper/usbluksdevicefilename
anyway, right?

After mounting the device read-only I see that the owner is root and the group is root, and only the owner (and maybe the group; I am not at home and cannot check this at the moment) has write access.


Another, simpler option now would be to create a folder named, say, data on the device, and make it writable for members of plugdev. Correct?

But changing the ownership and/or "filemode" of the whole filesystem seems more elegant, I just don't know, how to do it.


Thanks a lot, again!

gargamel

rworkman 10-30-2009 04:38 PM

Change the ownership/mode of the mountpoint *after* mounting it.

gargamel 10-30-2009 07:47 PM

Quote:

Originally Posted by rworkman (Post 3738466)
Change the ownership/mode of the mountpoint *after* mounting it.

Yes, this would work, of course, it's just not persistent. When the device is removed and then plugged in again, it may be mounted to a different mount point, and even if it is mounted to the same mount point, the filemode has changed in the meantime.

I guess, a directory "data" with ownership set to group plugdev and r/w access for plugdev comes closest to what I want.

Seems, that the simple way of changing ownership and filemode of a directory named data or so comes closest to what I want.

Thanks again for your patience! I now do not only know what my options are, but also understand the whys behind them. Very helpful!

Best regards

gargamel

rworkman 10-30-2009 08:38 PM

It *is* persistent - when you change the ownership/mode of the toplevel mountpoint *with* the filesystem mounted to it, you're actually changing the filesystem - not the mountpoint.

gargamel 10-31-2009 03:08 AM

This would be very close to what I want, then.

But what I observed so far is that
  • mountpoints are created when external devices are connected and
  • removed when the computer is shut down
  • (and maybe also after removing the external device).

So when I plug the first disk to my computer it is mounted to /media/disk, which always exists, the second one to /media/disk-1, which is created at this moment, and so on. Now, when I change the filemode of /media/disk-1, I lose the setting when I reboot my computer, because the directory representing the mountpoint will be removed and re-created with default filemode.

Now, if I only had one external disk, this wouldn't be a problem. Adjusting the filemode of /media/disk after mounting the external filesystem would do the trick. But the disk is not always mounted to /media/disk, but sometimes to /media/disk-n.

I guess I could now start to fiddle with udev rules and define to which mountpoint this device should be mounted every time it is connected, and/or I could add an entry to /etc/fstab.

Am I missing something?

gargamel

rworkman 10-31-2009 04:13 AM

Code:

bash-3.1# mkfs.ext4 -L PART1 /dev/sdb1
mke2fs 1.41.9 (22-Aug-2009)
Filesystem label=PART1
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
62592 inodes, 250224 blocks
12511 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=260046848
8 block groups
32768 blocks per group, 32768 fragments per group
7824 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376

Writing inode tables: done                           
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

###############
(Remove and re-plug the device)
###############

bash-3.1# mount | grep PART1
/dev/sdb1 on /media/PART1 type ext4 (rw,nosuid,nodev,uhelper=hal)
bash-3.1# ls -ld /media/PART1/
drwxr-xr-x 3 root root 4.0K 2009-10-31 04:08 /media/PART1//
bash-3.1# su rworkman
liberty $ touch /media/PART1/testfile
touch: cannot touch `/media/PART1/testfile': Permission denied
liberty $ exit
bash-3.1# chown root:plugdev /media/PART1/
bash-3.1# chmod 1770 /media/PART1/
bash-3.1# ls -ld /media/PART1/
drwxrwx--T 3 root plugdev 4.0K 2009-10-31 04:08 /media/PART1//
bash-3.1# su rworkman
liberty $ touch /media/PART1/testfile
liberty $ ls -l /media/PART1/
total 16
drwx------ 2 root    root    16384 2009-10-31 04:08 lost+found/
-rw-r--r-- 1 rworkman rworkman    0 2009-10-31 04:10 testfile

As you can see, everything so far is exactly as expected.
Now, observe :-)

Code:

liberty $ exit 
bash-3.1# umount /media/PART1/
bash-3.1# tune2fs -L PART2 /dev/sdb1
tune2fs 1.41.9 (22-Aug-2009)

#############
(I just changed the filesystem label so that the mountpoint will change)
(then I removed and replugged the device)
#############
bash-3.1# mount | grep PART2
/dev/sdb1 on /media/PART2 type ext4 (rw,nosuid,nodev,uhelper=hal)
bash-3.1# ls -ld /media/PART2/
drwxrwx--T 3 root plugdev 4.0K 2009-10-31 04:10 /media/PART2/

And that concludes today's lesson ;-)
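An added helper, not part of the thread or of rworkman's session above, that applies the same chown/chmod 1770 step but only after confirming the path really is the root of a mounted filesystem (so it never changes an empty mountpoint directory by mistake). It assumes Linux with GNU coreutils `stat`; the group name plugdev is taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): only touch the path when a filesystem
# is actually mounted on it, since changing an empty mountpoint directory
# does nothing useful. Assumes GNU coreutils `stat` on Linux.

# Return 0 if PATH is the root of a mounted filesystem (or "/" itself).
# A mountpoint's device number differs from its parent's; for "/" the
# parent is the same inode, which is treated as a mountpoint too.
is_mountpoint() {
    p=$1
    [ -d "$p" ] || return 1
    dev_self=$(stat -c %d "$p") || return 1
    dev_parent=$(stat -c %d "$p/..") || return 1
    ino_self=$(stat -c %i "$p")
    ino_parent=$(stat -c %i "$p/..")
    [ "$dev_self" != "$dev_parent" ] || [ "$ino_self" = "$ino_parent" ]
}

# Print mode, owner and group of a path on one line, e.g. "1770 root plugdev".
show_perms() {
    stat -c '%a %U %G' "$1"
}

# Give GROUP (default: plugdev, as in the thread) read/write on the filesystem
# root mounted at MOUNTPOINT: owner root:GROUP, mode 1770 (sticky bit set).
# The change lands in the filesystem's own root inode, so it follows the
# device to whatever mountpoint it gets next time it is plugged in.
grant_group_rw() {
    mp=$1
    grp=${2:-plugdev}
    if ! is_mountpoint "$mp"; then
        echo "refusing: $mp is not a mounted filesystem root" >&2
        return 2
    fi
    chown "root:$grp" "$mp" && chmod 1770 "$mp" || return 1
    show_perms "$mp"
}

# Usage (as root, with the device mounted): grant_group_rw /media/PART1 plugdev
```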

gargamel 10-31-2009 05:13 AM

I am humiliated.

And excited.

And grateful.

All together at the same time. Shame on me.

The simple trick is to change the filesystem label in order to have it mounted to the same mount point every time. Boahh. This was TOO trivial, then, uhhh hum... :)

THANKS A LOT!!!!

gargamel
