[SOLVED] Automount LUKS encrypted USB disk as regular user
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How can I get a LUKS encrypted partition on an external USB device automounted with r/w access for non-privileged users?
Background:
I just reformatted an external USB device with ext4. The only partition is LUKS encrypted. Now, when I plug the device to my computer, KDE notifies me and asks me to enter the LUKS passphrase. Then it mounts the device. Little snag here: Non-privileged users have read-only access.
My user is a member of group plugdev, but not of group disk, as this was discouraged several times, e. g. by Robby Workman. With non-encrypted disks regular users have read/write access, or can change the filemodes accordingly, as far as I recall (currently I have no more non-encrypted disks left to verify it...).
It's an ext4 filesystem, so you have to change the ownership and/or permissions on the filesystem itself. In that respect, it's no different than any other directory on a non-hotpluggable disk. In other words, let's forget about the encrypted device for a moment and pretend you want to make /home/common writable to everyone on the system:
You can consider adding the sticky bit (chmod 1xxx) if you want files to only be removable by the user who created them, and you can adjust the ownership and permissions to use the "plugdev" group (which is probably what you really want) and even make it unreadable by everyone else. In essence, the fact that the device is removable is completely irrelevant - the filesystem is a unix filesystem, and thus you have to control access using unix permissions.
If you want it to behave like Windows filesystems (vfat, ntfs) in that the filesystem is owned and writable by the mounting user, then you'll have to make it a windows filesystem on the encrypted device.
Thanks a lot, this is exactly the information I needed!
I am going to go the plugdev group write access way, I think. I thought about modifying the file mode of the directory representing the mount point, but there's no guarantee that the device is mounted to this very mountpoint every time, as I am using other removable USB devices, too, and it depends on the order they are connected to my computer to which mountpoint they are mounted.
Changing the ownership and/or mode of the mountpoints won't help anyway, unless the device is actually mounted at that time. Just like the first set of examples, think in terms of a separate partition (nonremovable) on your system:
If /dev/sda1 is your / partition, and /dev/sda2 is the /home partition, you first have / mounted, and there is a /home directory in there already (it's the empty mountpoint). It doesn't matter what the ownership and mode of that empty /home directory is - when you mount /dev/sda2 to /home, the ownership and mode of the filesystem on /dev/sda2 is what will matter.
Changing the ownership and/or mode of the mountpoints won't help anyway, unless the device is actually mounted at that time. Just like the first set of examples, think in terms of a separate partition (nonremovable) on your system:
If /dev/sda1 is your / partition, and /dev/sda2 is the /home partition, you first have / mounted, and there is a /home directory in there already (it's the empty mountpoint). It doesn't matter what the ownership and mode of that empty /home directory is - when you mount /dev/sda2 to /home, the ownership and mode of the filesystem on /dev/sda2 is what will matter.
Changing the ownership and/or mode of the mountpoints won't help anyway, unless the device is actually mounted at that time. Just like the first set of examples, think in terms of a separate partition (nonremovable) on your system:
If /dev/sda1 is your / partition, and /dev/sda2 is the /home partition, you first have / mounted, and there is a /home directory in there already (it's the empty mountpoint).
Aha, I see.
Quote:
Originally Posted by rworkman
It doesn't matter what the ownership and mode of that empty /home directory is - when you mount /dev/sda2 to /home, the ownership and mode of the filesystem on /dev/sda2 is what will matter.
If I wanted to change this, then, how would I go about it? I would like to avoid changing the file mode of the device file, as it only temporarily exists, and I would have to do it every time I plug the USB device to my computer.
So
Code:
# chmod g+rw /dev/sda2
is not really an option, I guess. And actually it should be somthing like
Code:
# chmod g+rw /dev/mapper/usbluksdevicefilename
anyway, right?
After mounting the device read-only I see, that owner is root und group is root, and only the owner (and maybe the group, I am not at home, and cannot check this, at the moment) has write access.
Another, simpler option now would be to create a folder named, say, data on the device, and make it writable for members of plugdev. Correct?
But changing the ownership and/or "filemode" of the whole filesystem seems more elegant, I just don't know, how to do it.
Change the ownership/mode of the mountpoint *after* mounting it.
Yes, this would work, of course, it's just not persistent. When the device is removed and then plugged again, it may be mounted to a different mount point, and even if it is mounted to the same mount point, the filemode have changed in the meantime.
I guess, a directory "data" with ownership set to group plugdev and r/w access for plugdev comes closest to what I want.
Seems, that the simple way of changing ownership and filemode of a directory named data or so comes closest to what I want.
Thanks again for your patience! I now do not only know what my options are, but also understand the whys behind them. Very helpful!
It *is* persistent - when you change the ownership/mode of the toplevel mountpoint *with* the filesystem mounted to it, you're actually changing the filesystem - not the mountpoint.
mountpoints are created when external devices are connected and
removed when the computer is shutdown
(and maybe also after removing the external device).
So when I plug the first disk to my computer it is mounted to /media/disk, which always exists, the second one to /media/disk-1, which is created at this moment, and so on. Now, when I change the filemode of /media/disk-1, I lose the setting when I reboot my computer, because the directory representing the mountpoint will be removed and re-created with default filemode.
Now, if I only had one external disk, this wouldn't be a problem. Adjusting the filemode of /media/disk after mounting the external filesystem would do the trick. But the disk is not always mounted to /media/disk, but sometimes to /media/disk-n.
I guess I could now start to fiddle with udev rules and define to which mountpoint this device should be mounted every time it is connected, and/or I could add an entry to /etc/fstab.
bash-3.1# mkfs.ext4 -L PART1 /dev/sdb1
mke2fs 1.41.9 (22-Aug-2009)
Filesystem label=PART1
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
62592 inodes, 250224 blocks
12511 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=260046848
8 block groups
32768 blocks per group, 32768 fragments per group
7824 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
Writing inode tables: done
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
###############
(Remove and re-plug the device)
###############
bash-3.1# mount | grep PART1
/dev/sdb1 on /media/PART1 type ext4 (rw,nosuid,nodev,uhelper=hal)
bash-3.1# ls -ld /media/PART1/
drwxr-xr-x 3 root root 4.0K 2009-10-31 04:08 /media/PART1//
bash-3.1# su rworkman
liberty $ touch /media/PART1/testfile
touch: cannot touch `/media/PART1/testfile': Permission denied
liberty $ exit
bash-3.1# chown root:plugdev /media/PART1/
bash-3.1# chmod 1770 /media/PART1/
bash-3.1# ls -ld /media/PART1/
drwxrwx--T 3 root plugdev 4.0K 2009-10-31 04:08 /media/PART1//
bash-3.1# su rworkman
liberty $ touch /media/PART1/testfile
liberty $ ls -l /media/PART1/
total 16
drwx------ 2 root root 16384 2009-10-31 04:08 lost+found/
-rw-r--r-- 1 rworkman rworkman 0 2009-10-31 04:10 testfile
As you can see, everything so far is exactly as expected.
Now, observe :-)
Code:
liberty $ exit
bash-3.1# umount /media/PART1/
bash-3.1# tune2fs -L PART2 /dev/sdb1
tune2fs 1.41.9 (22-Aug-2009)
#############
(I just changed the filesystem label so that the mountpoint will change)
(then I removed and replugged the device)
#############
bash-3.1# mount | grep PART2
/dev/sdb1 on /media/PART2 type ext4 (rw,nosuid,nodev,uhelper=hal)
bash-3.1# ls -ld /media/PART2/
drwxrwx--T 3 root plugdev 4.0K 2009-10-31 04:10 /media/PART2/
The simple trick is to change the filesystem label in order to have it mounted to the same mount point every time. Boahh. This was TOO trivial, then, uhhh hum...
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
