Access Permissions on "ntfs-3g" File System

Provides a tutorial example on how to control access permissions on mounted Windows NTFS partitions with the 'ntfs-3g' device driver.

In the previous tutorial, we learned how to mount a Windows NTFS partition with the "ntfs-3g" device driver. Everything works fine on the mounted partition.

But there is one more issue you need to take care of: everyone can access the mounted Windows partition by default. This is a security problem if you want to store sensitive information on the mounted partition.

Let's look at the issue by mounting a Windows partition to /mnt/backup with default options:

herong$ ls -l /mnt
drwx------. 2 root root 6 Oct 10 05:20 backup

herong$ sudo mount -t ntfs-3g /dev/sda5 /mnt/backup

herong$ ls -l /mnt
drwxrwxrwx. 1 root root 8192 Oct 10 23:21 backup

As you can see, the access permission on the mounted partition has changed from "700" to "777", which allows everyone to read, write and delete files on it. This is definitely a security issue if the system has multiple users.

You can try to change the access permissions with the "chmod" command, but it will have no impact (ntfs-3g accepts the request and silently ignores it, because it is not mapping NTFS permissions to Linux modes):

herong$ chmod 700 /mnt/backup

herong$ ls -l /mnt
drwxrwxrwx. 1 root root 8192 Oct 10 23:21 backup

You can try to change the ownership with the "chown" command, but it will have no impact:

herong$ chown herong /mnt/backup

herong$ ls -l /mnt
drwxrwxrwx. 1 root root 8192 Oct 10 23:21 backup

You can try to change the SELinux Type with the "chcon" command, but it will fail.

herong$ sudo chcon -t user_tmp_t /mnt/backup

chcon: failed to change context of '/mnt/backup'
   to ‘system_u:object_r:user_tmp_t:s0’: Operation not supported

To resolve the issue, we have to go back to the "ntfs-3g" man page and look at the options that control ownership and permissions:

herong$ man ntfs-3g

NAME
       ntfs-3g - Third Generation Read/Write NTFS Driver

SYNOPSIS
       ntfs-3g [-o option[,...]]  volume mount_point
       mount -t ntfs-3g [-o option[,...]]  volume mount_point

...

OPTIONS
  Below is a summary of the options that ntfs-3g accepts.

  uid=value and gid=value
    Set the owner and the group of files and directories. The values are
    numerical.  The defaults are the uid and  gid of the current process.

  umask=value
    Set  the   bitmask  of  the  file and directory permissions that are
    not present. The value is given in octal. The default value is 0 which
    means full access to everybody.

  ...

Now let's mount it again so that only my user can access it:

herong$ sudo umount /mnt/backup

herong$ id herong
uid=1000(herong) gid=1000(herong) groups=1000(herong)

herong$ sudo mount -t ntfs-3g -o uid=1000,gid=1000,umask=077 \
   /dev/sda5 /mnt/backup

herong$ ls -l /mnt
drwx------. 1 herong herong  8192 Oct 10 04:07 backup

Perfect, right? Not 100%. Yes, I can now control who can access this NTFS partition. But I still won't be able to grant different access permissions on its sub-directories or files: uid, gid and umask apply to the whole volume, and chmod/chown remain ignored, because ntfs-3g does not map NTFS security descriptors to Linux owners and modes unless its "permissions" option (and a user mapping) is configured. For a single-user backup volume, the uid/gid/umask mount is usually all you need.
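The following shell helpers are an added example for this tutorial; they are not part of the original page or of ntfs-3g itself. They show what the umask/fmask/dmask options actually do to the reported mode (ntfs-3g starts every file and directory at rwxrwxrwx and clears the bits set in the mask), build the option string that makes a volume private to one user, and provide a check you can run against any mount point to confirm that group and others have no access. fmask and dmask are real ntfs-3g options (per-type versions of umask); the device path /dev/sdXN in the demo is a placeholder, and the helpers assume GNU coreutils (id, stat, mktemp).

```bash
#!/bin/bash
# Added example for this tutorial, not part of the original page or of ntfs-3g.
# It assumes ntfs-3g's documented mask semantics (reported mode = 0777 with the
# bits of umask/fmask/dmask cleared) and GNU coreutils (id, stat, mktemp).

set -u

# Mode ntfs-3g reports for a file or directory under a given octal mask.
# With no user mapping, ntfs-3g starts from rwxrwxrwx (0777) for everything,
# which is why the default umask=0 shows the mount point as 777.
ntfs_mode() {
    local mask="$1"
    printf '%04o\n' "$(( 0777 & ~0$mask ))"
}

# Mount options that make a volume private to one user.
# The user name is optional; without it the current user's uid/gid are used.
# fmask/dmask are ntfs-3g's per-type masks: directories keep the execute
# (search) bit, files lose it, so the result is 0700 for dirs and 0600 for files.
private_mount_opts() {
    local user="${1:-}"
    local uid gid
    if [ -n "$user" ]; then
        uid=$(id -u "$user") || return 1
        gid=$(id -g "$user") || return 1
    else
        uid=$(id -u)
        gid=$(id -g)
    fi
    printf 'uid=%s,gid=%s,fmask=0177,dmask=0077\n' "$uid" "$gid"
}

# Audit check for a mount point: succeed (0) only if group and other have no
# permission bits at all, i.e. the octal mode ends in 00 (700, 600, 1700 ...).
owner_only() {
    local path="$1"
    local mode
    mode=$(stat -c %a "$path") || return 2
    mode=$(printf '%04d' "$mode")   # pad: "0" -> "0000", "700" -> "0700"
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage: compare the default mask with a private one, then print the option
# string you would pass to "mount -t ntfs-3g -o ..." (hypothetical device path).
if [ "${1:-}" = "demo" ]; then
    echo "umask=0   -> $(ntfs_mode 0)"      # 0777: everyone can do anything
    echo "umask=077 -> $(ntfs_mode 077)"    # 0700: owner only
    echo "mount -t ntfs-3g -o $(private_mount_opts) /dev/sdXN /mnt/backup"
fi
```

Run the script with the argument "demo" to see the two modes and the generated option string. The same options belong in /etc/fstab if the volume is mounted at boot; otherwise the next default mount silently reverts the partition to 777. Note that umask=077 alone leaves files executable (0700); use fmask=0177 when you want files to show as 0600.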
