[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Two questions about LUKS in a file container



On Wed 16 Sep 2020 at 12:56:36 (-0700), David Christensen wrote:
> On 2020-09-16 01:59, Andrei POPESCU wrote:
> > On Sb, 12 sep 20, 15:00:57, Bob Weber wrote:
> > > 
> > > Warning: If you forget to open and mount the file encrypted.img to
> > > $HOME/Private/ and you copy files to $HOME/Private/ it will appear to work
> > > correctly but they will not be encrypted!  If you don't move the files out
> > > of $HOME/Private/ before you correct the mistake and mount encrypted.img you
> > > will not see those files in $HOME/Private/ until you unmount encrypted.img.
> > 
> > Regardless if encrypted or not, I think it is good practice to have all
> > mountpoints (NOT filesystems) owned by root and permission 0000.
> 
> That's an interesting suggestion.  /f1 is a mount point on my
> workstation for the root filesystem on one of my servers:
> 
> 2020-09-16 12:34:14 root@tinkywinky ~
> # grep f1 /etc/fstab
> f1:/	/f1	fuse.sshfs	ro,noauto	0	0
> 
> 
> It is not mounted:
> 
> 2020-09-16 12:34:20 root@tinkywinky ~
> # mount | grep f1
> 
> 
> The permissions on the mount point are default, as set by mkdir(1):
> 
> 2020-09-16 12:35:42 root@tinkywinky ~
> # ll -d /f1
> drwxr-xr-x 2 root root 4096 2020-09-16 12:33:41 /f1/
> 
> 
> If I change the mode of the mount point to 0000:
> 
> 2020-09-16 12:51:28 root@tinkywinky ~
> # chmod 0000 /f1
> 
> 2020-09-16 12:53:08 root@tinkywinky ~
> # ls -la /f1
> total 8
> d---------  2 root root 4096 Sep 16 12:53 .
> drwxr-xr-x 26 root root 4096 Aug 30 13:39 ..
> 
> 
> Root can still create files inside the mount point:
> 
> 2020-09-16 12:53:09 root@tinkywinky ~
> # echo 'hello, world!' > /f1/hello
> 
> 2020-09-16 12:53:41 root@tinkywinky ~
> # ls -la /f1
> total 12
> d---------  2 root root 4096 Sep 16 12:53 .
> drwxr-xr-x 26 root root 4096 Aug 30 13:39 ..
> -rw-r--r--  1 root root   14 Sep 16 12:53 hello
> 
> 2020-09-16 12:53:44 root@tinkywinky ~
> # cat /f1/hello
> hello, world!
> 
> 
> Is there some advantage other than making a long listing visually
> distinctive when the mount point is not in use?

Yes. As explained earlier in the thread, it prevents user OP from
accidentally scribbling in the unused mountpoint. You've confirmed
that unix file permissions don't affect root.

Another side-effect is that you can't enter the mountpoint directory
in, say, mc, which avoids your thinking that the intended filesystem
(were it actually mounted) is itself empty.

But—I see that your own intended filesystem for f1 is fuse.sshfs.
Can you, as a user, mount this filesystem now? I'd be interested
to know how, if you can, because I'm just now thinking about enhancing
my udev rule to chown a mount (in favour of me) if the fstab entry
is a fuse one (eg ntfs and exfat).

Cheers,
David.


Reply to: