LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Old 10-29-2009, 02:13 AM   #1
gargamel
Senior Member
 
Registered: May 2003
Distribution: Slackware, SLAX, OpenSuSE
Posts: 1,723

Rep: Reputation: 184
Automount LUKS encrypted USB disk as regular user


Hi there,

I have a question regarding automounting.

How can I get a LUKS encrypted partition on an external USB device automounted with r/w access for non-privileged users?


Background:

I just reformatted an external USB device with ext4. The only partition is LUKS encrypted. Now, when I plug the device to my computer, KDE notifies me and asks me to enter the LUKS passphrase. Then it mounts the device. Little snag here: Non-privileged users have read-only access.

My user is a member of group plugdev, but not of group disk, as this was discouraged several times, e.g. by Robby Workman. With non-encrypted disks regular users have read/write access, or can change the filemodes accordingly, as far as I recall (currently I have no more non-encrypted disks left to verify it...).

Thanks a lot, best regards

gargamel
 
Old 10-29-2009, 10:29 PM   #2
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 2,312

Rep: Reputation: 828
It's an ext4 filesystem, so you have to change the ownership and/or permissions on the filesystem itself. In that respect, it's no different than any other directory on a non-hotpluggable disk. In other words, let's forget about the encrypted device for a moment and pretend you want to make /home/common writable to everyone on the system:
Code:
bash-3.1# mkdir /home/common
bash-3.1# ls -ld /home/common/
drwxr-xr-x 2 root root 1 2009-10-29 22:24 /home/common//
bash-3.1# chmod 0777 /home/common
bash-3.1# ls -ld /home/common/
drwxrwxrwx 2 root root 1 2009-10-29 22:24 /home/common/
Now let's pretend you want to make it writable by members of the "users" group only:
Code:
bash-3.1# chmod 0775 /home/common
bash-3.1# chown root:users /home/common
bash-3.1# ls -ld /home/common/
drwxrwxr-x 2 root users 1 2009-10-29 22:24 /home/common/
You can consider adding the sticky bit (chmod 1xxx) if you want files to only be removable by the user who created them, and you can adjust the ownership and permissions to use the "plugdev" group (which is probably what you really want) and even make it unreadable by everyone else. In essence, the fact that the device is removable is completely irrelevant - the filesystem is a unix filesystem, and thus you have to control access using unix permissions.

If you want it to behave like Windows filesystems (vfat, ntfs) in that the filesystem is owned and writable by the mounting user, then you'll have to make it a windows filesystem on the encrypted device.
 
Old 10-30-2009, 02:37 AM   #3
gargamel
Senior Member
 
Registered: May 2003
Distribution: Slackware, SLAX, OpenSuSE
Posts: 1,723

Original Poster
Rep: Reputation: 184
Thanks a lot, this is exactly the information I needed!

I am going to go the plugdev group write access way, I think. I thought about modifying the file mode of the directory representing the mount point, but there's no guarantee that the device is mounted to this very mountpoint every time, as I am using other removable USB devices, too, and it depends on the order they are connected to my computer to which mountpoint they are mounted.

So thanks for your help!

gargamel
 
Old 10-30-2009, 08:49 AM   #4
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 2,312

Rep: Reputation: 828
Changing the ownership and/or mode of the mountpoints won't help anyway, unless the device is actually mounted at that time. Just like the first set of examples, think in terms of a separate partition (nonremovable) on your system:

If /dev/sda1 is your / partition, and /dev/sda2 is the /home partition, you first have / mounted, and there is a /home directory in there already (it's the empty mountpoint). It doesn't matter what the ownership and mode of that empty /home directory is - when you mount /dev/sda2 to /home, the ownership and mode of the filesystem on /dev/sda2 is what will matter.
 
Old 10-30-2009, 03:53 PM   #6
gargamel
Senior Member
 
Registered: May 2003
Distribution: Slackware, SLAX, OpenSuSE
Posts: 1,723

Original Poster
Rep: Reputation: 184
Quote:
Originally Posted by rworkman
Changing the ownership and/or mode of the mountpoints won't help anyway, unless the device is actually mounted at that time. Just like the first set of examples, think in terms of a separate partition (nonremovable) on your system:

If /dev/sda1 is your / partition, and /dev/sda2 is the /home partition, you first have / mounted, and there is a /home directory in there already (it's the empty mountpoint).
Aha, I see.

Quote:
Originally Posted by rworkman
It doesn't matter what the ownership and mode of that empty /home directory is - when you mount /dev/sda2 to /home, the ownership and mode of the filesystem on /dev/sda2 is what will matter.
If I wanted to change this, then, how would I go about it? I would like to avoid changing the file mode of the device file, as it only temporarily exists, and I would have to do it every time I plug the USB device to my computer.

So

Code:
# chmod g+rw /dev/sda2
is not really an option, I guess. And actually it should be something like

Code:
# chmod g+rw /dev/mapper/usbluksdevicefilename
anyway, right?

After mounting the device read-only I see that the owner is root and the group is root, and only the owner (and maybe the group; I am not at home and cannot check this at the moment) has write access.


Another, simpler option now would be to create a folder named, say, data on the device, and make it writable for members of plugdev. Correct?

But changing the ownership and/or "filemode" of the whole filesystem seems more elegant; I just don't know how to do it.


Thanks a lot, again!

gargamel
 
Old 10-30-2009, 04:38 PM   #7
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 2,312

Rep: Reputation: 828
Change the ownership/mode of the mountpoint *after* mounting it.
 
Old 10-30-2009, 07:47 PM   #8
gargamel
Senior Member
 
Registered: May 2003
Distribution: Slackware, SLAX, OpenSuSE
Posts: 1,723

Original Poster
Rep: Reputation: 184
Quote:
Originally Posted by rworkman
Change the ownership/mode of the mountpoint *after* mounting it.
Yes, this would work, of course; it's just not persistent. When the device is removed and then plugged in again, it may be mounted to a different mount point, and even if it is mounted to the same mount point, the filemode has changed in the meantime.

I guess, a directory "data" with ownership set to group plugdev and r/w access for plugdev comes closest to what I want.

It seems that the simple way of changing ownership and filemode of a directory named data or so comes closest to what I want.

Thanks again for your patience! I now do not only know what my options are, but also understand the whys behind them. Very helpful!

Best regards

gargamel
 
Old 10-30-2009, 08:38 PM   #9
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 2,312

Rep: Reputation: 828
It *is* persistent - when you change the ownership/mode of the toplevel mountpoint *with* the filesystem mounted to it, you're actually changing the filesystem - not the mountpoint.
 
Old 10-31-2009, 03:08 AM   #10
gargamel
Senior Member
 
Registered: May 2003
Distribution: Slackware, SLAX, OpenSuSE
Posts: 1,723

Original Poster
Rep: Reputation: 184
This would be very close to what I want, then.

But what I observed so far is that
  • mountpoints are created when external devices are connected and
  • removed when the computer is shutdown
  • (and maybe also after removing the external device).

So when I plug the first disk to my computer it is mounted to /media/disk, which always exists, the second one to /media/disk-1, which is created at this moment, and so on. Now, when I change the filemode of /media/disk-1, I lose the setting when I reboot my computer, because the directory representing the mountpoint will be removed and re-created with default filemode.

Now, if I only had one external disk, this wouldn't be a problem. Adjusting the filemode of /media/disk after mounting the external filesystem would do the trick. But the disk is not always mounted to /media/disk, but sometimes to /media/disk-n.

I guess I could now start to fiddle with udev rules and define to which mountpoint this device should be mounted every time it is connected, and/or I could add an entry to /etc/fstab.

Am I missing something?

gargamel

Last edited by gargamel; 10-31-2009 at 03:11 AM.
 
Old 10-31-2009, 04:13 AM   #11
rworkman
Slackware Contributor
 
Registered: Oct 2004
Location: Tuscaloosa, Alabama (USA)
Distribution: Slackware
Posts: 2,312

Rep: Reputation: 828
Code:
bash-3.1# mkfs.ext4 -L PART1 /dev/sdb1
mke2fs 1.41.9 (22-Aug-2009)
Filesystem label=PART1
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
62592 inodes, 250224 blocks
12511 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=260046848
8 block groups
32768 blocks per group, 32768 fragments per group
7824 inodes per group
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376

Writing inode tables: done                            
Creating journal (4096 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

###############
(Remove and re-plug the device)
###############

bash-3.1# mount | grep PART1
/dev/sdb1 on /media/PART1 type ext4 (rw,nosuid,nodev,uhelper=hal)
bash-3.1# ls -ld /media/PART1/
drwxr-xr-x 3 root root 4.0K 2009-10-31 04:08 /media/PART1//
bash-3.1# su rworkman
liberty $ touch /media/PART1/testfile
touch: cannot touch `/media/PART1/testfile': Permission denied
liberty $ exit
bash-3.1# chown root:plugdev /media/PART1/
bash-3.1# chmod 1770 /media/PART1/
bash-3.1# ls -ld /media/PART1/
drwxrwx--T 3 root plugdev 4.0K 2009-10-31 04:08 /media/PART1//
bash-3.1# su rworkman
liberty $ touch /media/PART1/testfile
liberty $ ls -l /media/PART1/
total 16
drwx------ 2 root     root     16384 2009-10-31 04:08 lost+found/
-rw-r--r-- 1 rworkman rworkman     0 2009-10-31 04:10 testfile
As you can see, everything so far is exactly as expected.
Now, observe :-)

Code:
liberty $ exit  
bash-3.1# umount /media/PART1/
bash-3.1# tune2fs -L PART2 /dev/sdb1
tune2fs 1.41.9 (22-Aug-2009)

#############
(I just changed the filesystem label so that the mountpoint will change)
(then I removed and replugged the device)
#############
bash-3.1# mount | grep PART2
/dev/sdb1 on /media/PART2 type ext4 (rw,nosuid,nodev,uhelper=hal)
bash-3.1# ls -ld /media/PART2/
drwxrwx--T 3 root plugdev 4.0K 2009-10-31 04:10 /media/PART2/
And that concludes today's lesson ;-)
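As an added example (not rworkman's code, nor anything from the Slackware tree) tying together the permission examples in post #2 and the mountpoint-versus-filesystem point of posts #4 and #11: a few shell functions that only change the root inode of a filesystem when something is actually mounted at the given path, and that check whether a mode already matches the `1770` used above. The function names are made up; it assumes a Linux `stat` that accepts `-c`.

```shell
#!/bin/sh
# Added example, not code from this thread or from Slackware: a small guard
# around the "chown/chmod the mounted top-level directory" approach.
# Assumes GNU or BusyBox coreutils `stat`; the function names are hypothetical.

# A directory is a mount point when its device number differs from its
# parent's (bind mounts of the same device are not detected; fine for USB disks).
is_mounted() {
    [ "$(stat -c %d "$1")" != "$(stat -c %d "$1/..")" ]
}

# Print "owner:group octal-mode" of a path, e.g. "root:plugdev 1770".
describe() {
    stat -c '%U:%G %a' "$1"
}

# True if an octal mode gives the group at least rw and has the sticky bit set,
# i.e. what `chmod 1770` produces.  Accepts 3- or 4-digit modes.
mode_is_group_rw_sticky() {
    mode=$1
    case ${#mode} in
        3) mode="0$mode" ;;   # normalise to four digits
    esac
    special=$(printf '%s' "$mode" | cut -c1)   # setuid/setgid/sticky digit
    group=$(printf '%s' "$mode" | cut -c3)     # group rwx digit
    [ $((special % 2)) -eq 1 ] && [ $((group & 6)) -eq 6 ]
}

# Apply root:GROUP 1770 to the ROOT INODE of the filesystem mounted at $1.
# Refuses when nothing is mounted there: the change would otherwise land on the
# empty mountpoint directory in the parent filesystem and vanish on reboot.
grant_group_access() {
    mp=$1
    grp=${2:-plugdev}
    if ! is_mounted "$mp"; then
        echo "refusing: nothing is mounted at $mp" >&2
        return 2
    fi
    chown "root:$grp" "$mp" && chmod 1770 "$mp" && describe "$mp"
}
```

Run `grant_group_access /media/PART1` as root once the device is mounted; the label trick from post #11 then keeps the path stable across replugs.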
 
Old 10-31-2009, 05:13 AM   #12
gargamel
Senior Member
 
Registered: May 2003
Distribution: Slackware, SLAX, OpenSuSE
Posts: 1,723

Original Poster
Rep: Reputation: 184

I am humiliated.

And excited.

And grateful.

All together at the same time. Shame on me.

The simple trick is to change the filesystem label in order to have it mounted to the same mount point every time. Boahh. This was TOO trivial, then, uhhh hum...

THANKS A LOT!!!!

gargamel

Last edited by gargamel; 10-31-2009 at 06:25 AM.
 