Saturday, September 23, 2023
 Popular · Latest · Hot · Upcoming
rated 0 times [  23] [ 0]  / answers: 1 / hits: 24433  / 1 Year ago, sat, june 25, 2022, 5:22:33

I have tweaked the permissions on /media/username from root:root to username:root [1]. I understand that a user-centric location allows user-centric permissions [2].

But why were the permissions for this folder root:root in the first place?

[1] So that I can mount encrypted folders there with Gnome EncFS Manager. For example, I can now mount an encrypted folder as /media/username/personal-documents.

[2] From Why has Ubuntu moved the default mount points? :

The root cause for this change of default behaviour in udisks2 seems clear : the security. It is safer to restrict access to a file system to one particular user instead of giving access to it to all the users of the system.

More From » permissions


In my case this is how things look in /media:

$ ls -l /media | grep $USER
drwxr-x---+ 3 root root 4096 Jan 22 15:59 oli

Basically this means that only a root user can interact with the directory. This is great for security (certainly stops other users seeing, let alone stealing/deleting/changing data) but that's not where the story ends.

You might notice the plus sign at the end of the permission mask. This means an ACL (Access Control List) is in use. This allows for far more granular permissions.

$ getfacl /media/$USER
getfacl: Removing leading '/' from absolute path names
# file: media/oli
# owner: root
# group: root

It's through ACL where my user is allowed to view the contents of /media/oli. I'm still not allowed to edit the contents.

The thing doing the mounting in modern desktops (both Gnome and KDE) is udisks2:

root      2882  0.3  0.0 195956  4048 ?        Sl   Jan16  30:35 /usr/lib/udisks/udisks-daemon
root 2887 0.0 0.0 47844 784 ? S Jan16 0:00 udisks-daemon: not polling any devices
root 3386 0.0 0.0 429148 6980 ? Sl Jan16 7:35 /usr/lib/udisks2/udisksd --no-debug

As you can see, it's running there as root, so when something accesses it over DBUS, it's able to create the mount-points within /home/$USER and chown them down to your user so they can edit the contents.

None of that changes what I said originally. I'm just explaining how it works in practice. This is how something on your desktop is in-effect allowed to write somewhere that is only allowed by root, and how your user is allowed to read it despite an otherwise restrictive ownership.

All that turns it into an environment that is secure for the user's data but one that also makes it hard for the user to meddle with the fabric of the mount. They can't, for example, delete the mount-point or rename it which could cause issues unless they have root access.

Edit: Something that just occurred to me is that it also gives an administrator a good place to mount things for a single user. The permissions by default help keep this mount private and protect this mount against the user's meddling. It seems like a fairly sane default for something that done without the /media/$user/ directory, would need root permissions.

[#27936] Saturday, June 25, 2022, 1 Year  [reply] [flag answer]
Only authorized users can answer the question. Please sign in first, or register a free account.

Total Points: 162
Total Questions: 102
Total Answers: 112

Location: Trinidad and Tobago
Member since Thu, Dec 1, 2022
11 Months ago