Question

23

Why are the default permissions for /media/username root:root?

rated 0 times [ 23] [ 0] / answers: 1 / hits: 24513 / 2 Years ago, sat, june 25, 2022, 5:22:33

I have tweaked the permissions on /media/username from root:root to username:root [1]. I understand that a user-centric location allows user-centric permissions [2].

But why were the permissions for this folder root:root in the first place?

[1] So that I can mount encrypted folders there with Gnome EncFS Manager. For example, I can now mount an encrypted folder as /media/username/personal-documents.

[2] From Why has Ubuntu moved the default mount points? :

The root cause for this change of default behaviour in udisks2 seems clear : the security. It is safer to restrict access to a file system to one particular user instead of giving access to it to all the users of the system.

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

eving

Add To Favorites

Follow

Total Points: 162

Total Questions: 102

Total Answers: 112

Location: Trinidad and Tobago

Member since Thu, Dec 1, 2022

1 Year ago

answered 2 Years ago inaterested · Accepted Answer

In my case this is how things look in /media:

$ ls -l /media | grep $USER

drwxr-x---+  3 root root 4096 Jan 22 15:59 oli

Basically this means that only a root user can interact with the directory. This is great for security (certainly stops other users seeing, let alone stealing/deleting/changing data) but that's not where the story ends.

You might notice the plus sign at the end of the permission mask. This means an ACL (Access Control List) is in use. This allows for far more granular permissions.

$ getfacl /media/$USER

getfacl: Removing leading '/' from absolute path names

# file: media/oli

# owner: root

# group: root

user::rwx

user:oli:r-x

group::---

mask::r-x

other::---

It's through ACL where my user is allowed to view the contents of /media/oli. I'm still not allowed to edit the contents.

The thing doing the mounting in modern desktops (both Gnome and KDE) is udisks2:

root      2882  0.3  0.0 195956  4048 ?        Sl   Jan16  30:35 /usr/lib/udisks/udisks-daemon

root      2887  0.0  0.0  47844   784 ?        S    Jan16   0:00 udisks-daemon: not polling any devices

root      3386  0.0  0.0 429148  6980 ?        Sl   Jan16   7:35 /usr/lib/udisks2/udisksd --no-debug

As you can see, it's running there as root, so when something accesses it over DBUS, it's able to create the mount-points within /home/$USER and chown them down to your user so they can edit the contents.

None of that changes what I said originally. I'm just explaining how it works in practice. This is how something on your desktop is in-effect allowed to write somewhere that is only allowed by root, and how your user is allowed to read it despite an otherwise restrictive ownership.

All that turns it into an environment that is secure for the user's data but one that also makes it hard for the user to meddle with the fabric of the mount. They can't, for example, delete the mount-point or rename it which could cause issues unless they have root access.

Edit: Something that just occurred to me is that it also gives an administrator a good place to mount things for a single user. The permissions by default help keep this mount private and protect this mount against the user's meddling. It seems like a fairly sane default for something that done without the /media/$user/ directory, would need root permissions.