restrict disk access for user - Mandriva

  1. restrict disk access for user

    My brother uses the desktop, it is pretty much shared among everyone
    in the house so we have a separate account for each user.

    Now, as the user having root access, I want to control access to
    certain partitions.

    How do I restrict access to certain partitions for a user? As in to
    say: how do I set settings such that a particular partition(s)
    doesn't show up / is not mounted for the user?

    Is this possible?

  2. Re: restrict disk access for user

    On Monday 25 August 2008 18:31, someone identifying as *Sindhu* wrote
    in /alt.os.linux.mandriva:/

    > My brother uses the desktop, it is pretty much shared among everyone
    > in the house so we have a separate account for each user.
    >
    > Now, as the user having root access, I want to control access to
    > certain partitions.
    >
    > How do I restrict access to certain partitions for a user? As in to
    > say: how do I set settings such that a particular partition(s)
    > doesn't show up / is not mounted for the user?
    >
    > Is this possible?


    Not really, but you can set up a /chroot/ jail. Takes a bit of work,
    though, and I don't really see why you would need to do that. Only the
    root user has write access to system files anyway.

    And if it's a matter of limiting diskspace usage, set up quotas.

    --
    *Aragorn*
    (registered GNU/Linux user #223157)

  3. Re: restrict disk access for user

    On Mon, 25 Aug 2008 09:31:00 -0700 (PDT),
    Sindhu wrote:

    > My brother uses the desktop, it is pretty much shared among everyone
    > in the house so we have a separate account for each user.
    >
    > Now, as the user having root access, I want to control access to
    > certain partitions.
    >
    > How do I restrict access to certain partitions for a user? As in to
    > say: how do I set settings such that a particular partition(s)
    > doesn't show up / is not mounted for the user?
    >
    > Is this possible?


    That depends on a number of things, including the details of the nature
    of the partitions in question and how many of the other users of the
    machine you want to be able to access them besides yourself, if any.

    For example, if a particular partition contains a VFAT or NTFS
    filesystem, and you only wish to be able to access it yourself, it's
    pretty simple: include the options "noauto", "uid=500", and "umask=7"
    in its fstab line, and remove the "user" and/or "users" options if they
    appear there now. This means that at boot time the system will come up
    with that partition unmounted, and only you (operating as root, using
    sudo presumably) can mount it; once mounted, it will be owned by your
    unprivileged user (assuming that that user's uid is 500, which is given
    to the first user created at install time in MDV installs - check with
    the "id" command run as that user, and adjust fstab accordingly) and
    will be inaccessible to all other local users. That latter detail is
    useful, should you forget to unmount it before you log off and allow
    others to use the machine; they'll be able to see it, but not use it.

    If you wish to be able to leave the partition mounted and allow some
    other users to access it, but not your brother, then things get a bit
    more complicated - as they also do if the filesystem on the partition
    is a native Linux one, such as ext3 or reiserfs. For the former, and
    still assuming a VFAT or NTFS filesystem, you'll want to create a new
    group that contains the users to whom you wish to grant access; the
    mount options in fstab should now include "umask=7" and "gid=XXX",
    where XXX is the number of your newly-created group, and the "noauto",
    "user" and "users" options are now the ones that should not be there.
    Your brother *will* be able to see this partition, but not to use it.

    For Linux filesystem types, your best bet is to use the permissions on
    the directories at the top level of the filesystem on the partition to
    control access. If you want multi-user access, you still need to create
    a new group with the users allowed in as members; you'd then use chmod
    and chown to set the permissions and ownerships (respectively) to what
    accomplishes your aims. An example, with an empty Linux-FS partition
    mounted at /mnt/files and an allowed-users group called "elite":

    sudo mkdir /mnt/files/nobrother
    sudo chown root:elite /mnt/files/nobrother
    sudo chmod 2770 /mnt/files/nobrother

    This creates a top-level dir within the partition called "nobrother",
    which your brother *will* be able to see there, but he will not be able
    to cd into it or access any files/subdirs residing inside it. Members of
    the "elite" group will be able to access this dir, and any dirs created
    within that one will also be owned by the "elite" group (but can only
    be created by the root user, unless you give a single unprivileged user
    this right by replacing the "root" in the second command above with
    that user's username). Another caveat is that new directories created
    within "nobrother" will not have write access for any members of the
    "elite" group by default, only read access (except for the user you
    selected, if you did select one in the chown command); you'd need to
    run "chmod g+w dirname" on each of them after creation to enable that.

    The real problem, as I see it, is keeping your brother unaware of even
    the existence of these partitions, which appears from the wording of
    your question to be your primary goal. Pretty much the only way to do
    that, without regard to what sort of filesystem is on them, is to not
    have them auto-mount at boot time and to unmount them before you allow
    him access to the machine; even then, if he knows enough to take a look
    at the /etc/fstab file and you've made entries for them there, he will
    learn that they exist even though he can't mount them and use them. You
    could go without fstab entries for them entirely and just write a script
    to mount them (one that issues the full mount commands with the desired
    options for each partition manually), I suppose ... but the first time
    you forget to unmount them before letting him login, there goes all your
    careful strategy right out the proverbial window. YHBW. :-/

    HTH!

    --
    Bill Mullen
    RLU #270075
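
The owner-only VFAT/NTFS settings described in the reply above (noauto, uid=, umask=7, no "user"/"users"), written as a check over fstab text. This is an added example and not part of the original thread; the sample fstab, its device names and its mount points are constructed, and the umask test only confirms that all access for "other" is masked.

```shell
#!/bin/sh
# Added example: audit fstab text against the owner-only VFAT/NTFS advice
# in the thread (noauto, uid=, umask=7, and no user/users options).

# Constructed sample; devices and mount points are made up for illustration.
SAMPLE_FSTAB='# constructed sample fstab
/dev/sda1 /            ext3 defaults                      1 1
/dev/sda5 /mnt/private vfat noauto,uid=500,umask=7        0 0
/dev/sda6 /mnt/win     ntfs user,umask=0                  0 0
/dev/sda7 /mnt/shared  vfat users,noauto,uid=500,umask=22 0 0'

# audit_fstab: read fstab text on stdin, print "<mountpoint>: <problem>"
# for each deviation; compliant and non-VFAT/NTFS entries print nothing.
audit_fstab() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }
        $3 != "vfat" && $3 != "ntfs" && $3 != "ntfs-3g" { next }
        {
            noauto = 0; owner = 0; masked = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                o = opt[i]
                if (o == "user" || o == "users")
                    print $2 ": option \"" o "\" lets unprivileged users mount it"
                if (o == "noauto") noauto = 1
                if (o ~ /^uid=[0-9]+$/) owner = 1
                # umask is octal; a last digit of 7 removes all access for "other"
                if (o ~ /^umask=[0-7]*7$/) masked = 1
            }
            if (!noauto) print $2 ": missing noauto, so it is mounted at boot"
            if (!owner)  print $2 ": missing uid=, so no unprivileged owner is set"
            if (!masked) print $2 ": umask leaves access open to other users"
        }
    '
}

# Run the audit over the constructed sample above.
audit_sample() { printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab; }

audit_sample
```

To check a real system, feed the live file instead: `audit_fstab < /etc/fstab`.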


