[clug] Setting permission bit with a mount option

Robert Edwards bob at cs.anu.edu.au
Mon Mar 18 02:04:43 UTC 2019


Hi Andrew,

I like your "trick". I don't understand why you state that 111
is the "minimal permissions" required?

Maybe it was once on some other O/S?

I just tried:

$ sudo -i
# cd /var/tmp
# mkdir mnt
# chmod 100 mnt
# ls -las mnt
total 8
4 d--x------  2 root root 4096 Mar 18 12:49 .
4 drwxrwxrwt 12 root root 4096 Mar 18 12:50 ..
# dd if=/dev/zero of=bobtest.raw bs=1024k count=0 seek=1024
# mkfs.ext4 bobtest.raw
# mount bobtest.raw mnt
# ls -las mnt
total 24
  4 drwxr-xr-x  3 root root  4096 Mar 18 12:56 .
  4 drwxrwxrwt 12 root root  4096 Mar 18 12:50 ..
16 drwx------  2 root root 16384 Mar 18 12:50 lost+found
# cp /etc/hosts mnt
# ls -las mnt
total 28
  4 drwxr-xr-x  3 root root  4096 Mar 18 12:57 .
  4 drwxrwxrwt 12 root root  4096 Mar 18 12:50 ..
  4 -rw-r--r--  1 root root   281 Mar 18 12:57 hosts
16 drwx------  2 root root 16384 Mar 18 12:50 lost+found

Seems (naively) to work fine with the mount point dir with even
more minimal permissions.

How about:
# umount mnt
# chmod 000 mnt
# ls -las mnt
total 8
4 d---------  2 root root 4096 Mar 18 12:49 .
4 drwxrwxrwt 12 root root 4096 Mar 18 12:50 ..
# mount bobtest.raw mnt
# ls -las mnt
total 28
  4 drwxr-xr-x  3 root root  4096 Mar 18 12:57 .
  4 drwxrwxrwt 12 root root  4096 Mar 18 12:50 ..
  4 -rw-r--r--  1 root root   281 Mar 18 12:57 hosts
16 drwx------  2 root root 16384 Mar 18 12:50 lost+found

How about as a non-root user...:

# mkdir mnt/mnt
# chmod go+w mnt/mnt
# exit
$ cp cloudstor.url /var/tmp/mnt/mnt
$ ls -las /var/tmp/mnt/mnt
total 12
4 drwxrwxrwx 2 root root 4096 Mar 18 13:01 .
4 drwxr-xr-x 4 root root 4096 Mar 18 13:00 ..
4 -rw-r--r-- 1 bob  bob   188 Mar 18 13:01 cloudstor.url

Seems to work fine with no execute permissions on the underlying
dir...

cheers,
Bob Edwards.

On 18/3/19 12:12 am, Andrew Steele via linux wrote:
> Ah, a pet trick of mine may be of assistance ...
> 
> Don't know if it's any help in the context of the clustering software
> you're using and the underlying mount point permissions, but there's a very
> useful trick we developed years ago (but surprisingly have never seen
> mentioned elsewhere).
> 
> Simply, always set the permissions of a directory where you intend to mount
> a file system to 111.
> 
> There are three reasons for doing this:
> 
> 1. It is the minimal permissions an underlying mount point directory needs
> to stop the mounted filesystem from behaving badly (requiring an umount,
> chmod, mount to fix).
> 
> 2. Because it is an unusual permission to use, if you always apply this to
> all mount points, when you see a directory with this permission, you have a
> fair idea it's supposed to have something mounted on it.
> 
> 3. It stops people writing into the underlying directory if the mount fails
> (useful in a cluster setting).
> 
> We started doing this around 20 years ago with Veritas disk groups of disks
> shared between Sun boxes. We would manually move a diskgroup from one host
> to another where both hosts could see the storage. All the places that
> could have a file system mounted on it were given this permission. It
> enabled us to see what was and wasn't mounted as it should, and stopped
> users writing where they shouldn't. A belt and braces approach.
> 
> Over the years I've always used it on all systems I manage. I've never seen
> an instance where it causes problems. It's saved me many times.  Everyone
> I've shown it to comes to the same conclusion I did - why doesn't everyone
> do this?  I can't claim the original idea as my own.
> 
> Andrew
> 
> 
> 
> On Sun, 17 Mar. 2019, 18:15 Brett Worth via linux, <linux at lists.samba.org>
> wrote:
> 
>> On 17/3/19 3:49 pm, Paul Wayper via linux wrote:
>>> AFAIK the permissions on the directory the file system is mounted on set the
>>> permissions for the root of that file system.  Are you not seeing that?
>>>
>>> I.e. unmount the file system, do `chmod 1777 /mnt/target`, mount the file
>>> system on `/mnt/target`, permissions for root directory should be 1777.
>>
>> Hi Paul.
>>
>> The permissions seen on the mounted mountpoint are the ones from the root
>> directory of the mounted filesystem.  They totally override the directory's
>> permissions.
>>
>> I was specifically looking for an entry I can put in the fstab because the
>> cluster management software I'm using has an XML definition of the filesystem
>> where you can specify the "options" column of the fstab entry.  The entry for
>> the mountpoint name doesn't include the permissions.
>>
>> This will have to be a post boot permission change I think.
>>
>> Brett
>>
>>
>> --
>>    /) _ _ _/_/ / / /  _ _//
>>   /_)/</= / / (_(_/()/< ///
>>
>> --
>> linux mailing list
>> linux at lists.samba.org
>> https://lists.samba.org/mailman/listinfo/linux
>>
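
Added example, not part of the original messages: a shell audit that applies the "mode 111" convention from this thread to every fstab entry, reporting mount points that are not mounted and whether the underlying directory is still marked or has become writable by group/other. The function names, the state labels and the MOUNTS_FILE override are assumptions made for illustration; it relies on GNU `stat -c %a`.

```shell
#!/bin/sh
# Added example: audit mount points against the "mode 111" convention.
# MOUNTS_FILE is an assumed override for offline testing
# (default: /proc/self/mounts).

# True if $1 appears as a mount target (field 2) in the mounts table.
# Paths containing spaces are escaped as \040 there and are not handled here.
is_mounted() {
    awk -v t="$1" '$2 == t { found = 1 } END { exit !found }' \
        "${MOUNTS_FILE:-/proc/self/mounts}"
}

# Print the state of one mount point directory.
check_mountpoint() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    # When mounted, the visible mode belongs to the mounted filesystem's root,
    # so the underlying directory's mode can only be judged while unmounted.
    if is_mounted "$dir"; then echo mounted; return 0; fi
    mode=$(stat -c %a "$dir")        # octal mode, e.g. 111 or 1777
    if [ "$mode" = 111 ]; then
        echo unmounted-marked        # placeholder intact, filesystem absent
    elif [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo unmounted-writable      # group/other can write to the parent fs
    else
        echo unmounted-unmarked      # not writable, but not marked either
    fi
}

# Print "<state> <mountpoint>" for each filesystem entry in the fstab file $1.
audit_fstab() {
    while read -r dev mp _; do
        case $dev in ''|'#'*) continue ;; esac   # blank lines and comments
        case $mp in /*) ;; *) continue ;; esac   # skip swap / "none" entries
        printf '%s %s\n' "$(check_mountpoint "$mp")" "$mp"
    done < "$1"
}

# Stand-alone use: sh audit.sh /etc/fstab
if [ "$#" -gt 0 ]; then audit_fstab "$1"; fi
```

A result of `unmounted-writable` is the situation the third reason in the quoted message guards against: the mount is missing and writes would land on the parent filesystem.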



