25

I currently have an extra HDD which I am using as my workspace. I am trying to get it to mount automatically on reboots using the following line added to /etc/fstab

/dev/sdb1 /media/workspace auto defaults 0 1 

This works to auto mount it, however I would like to restrict read/write access to users belonging to a specific group. How would I go about doing this in /etc/fstab? Can I simply just use chown or chmod to control the access?


4 Answers

45

If the filesystem type is one that doesn't have permissions, such as FAT, you can add umask, gid and uid to the fstab options. For example:

 /dev/sdb1 /media/workspace auto defaults,uid=1000,gid=1000,umask=022 0 1 

uid=1000 is the user id.

gid=1000 is the group id.

umask=022 this will set permissions so that the owner has read, write, execute. Group and Others will have read and execute.

To see your changes you do not need to reboot. Just umount and mount again without arguments. For example:

umount /media/workspace
mount /media/workspace

But make sure you do not have any process (even your shell) using that directory.

3
  • You can assign uid and gid as users and groups in text mode Commented May 24, 2019 at 10:57
  • 5
    @krt, What if the filesystem type is NOT one that doesn't have permissions such as FAT? Commented Jun 3, 2019 at 23:24
  • Might depend on Linux distribution, but for me umask produced invalid argument when I tried to pass it to mount in Debian 11.10, so I had to use file_mode=0600,dir_mode=0700 instead. Commented Nov 19 at 8:01
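As an added example, not part of the answer or comments above: a small shell helper that works out, from the option string of an fstab line, the ownership and modes a FAT-style mount will present, and emits a line that restricts such a mount to one group, which is what the question asked for. It assumes the semantics mount(8) documents for vfat: every object is owned by uid/gid, the reported mode is 0777 with the umask removed, fmask/dmask override umask for files and directories, and when an option is absent the mounter's umask and uid/gid apply (root, i.e. 0, for a boot-time mount). The group id 1001 and the group_only_fstab_line helper are hypothetical. The point it makes is that umask=022 leaves the disk world-readable, while umask=007 with the group's gid is the group-only setting.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Computes the ownership
# and modes a vfat/exfat-style mount presents, given an fstab option
# string, and emits a group-restricted fstab line.
# Assumed semantics (per mount(8) for vfat): all objects owned by uid/gid;
# mode = 0777 with umask removed; fmask/dmask override umask for
# files/directories; absent options fall back to the mounter's umask and
# uid/gid (0 for a boot-time mount by root).
set -eu

# Print the value of option NAME from a comma-separated option string,
# or nothing if the option is not present.
opt_value() {
    local opts=$1 name=$2 item
    local IFS=,
    for item in $opts; do
        case $item in
            "$name"=*) printf '%s' "${item#*=}"; return 0 ;;
        esac
    done
    return 0
}

# Apply an octal mask (022, 007, ...) to 0777 and print the result as
# three octal digits.
mode_from_mask() {
    printf '%03o' $(( 0777 & ~(0$1) ))
}

# Return 0 if a three-digit octal mode grants anything to "others".
world_accessible() {
    [ $(( 0$1 & 7 )) -ne 0 ]
}

# Summarise an fstab option string as "uid=U gid=G file=MODE dir=MODE".
fstab_effective_perms() {
    local opts=$1 uid gid um fmask dmask
    uid=$(opt_value "$opts" uid)
    gid=$(opt_value "$opts" gid)
    um=$(opt_value "$opts" umask)
    fmask=$(opt_value "$opts" fmask)
    dmask=$(opt_value "$opts" dmask)
    : "${um:=$(umask)}"                 # no umask= option: the mounter's umask applies
    : "${fmask:=$um}" "${dmask:=$um}"   # fmask/dmask default to umask
    printf 'uid=%s gid=%s file=%s dir=%s\n' "${uid:-0}" "${gid:-0}" \
        "$(mode_from_mask "$fmask")" "$(mode_from_mask "$dmask")"
}

# Emit an fstab line that restricts a permission-less filesystem to one
# group: root owns everything, group GID gets rwx, others get nothing.
# fsck pass 2, since pass 1 is conventionally reserved for the root fs.
group_only_fstab_line() {
    local dev=$1 mnt=$2 gid=$3
    printf '%s %s vfat defaults,uid=0,gid=%s,umask=007 0 2\n' "$dev" "$mnt" "$gid"
}

# Demonstration: the option string from the answer above (world-readable)
# against a group-only variant with hypothetical gid 1001.
fstab_effective_perms 'defaults,uid=1000,gid=1000,umask=022'
fstab_effective_perms 'defaults,uid=0,gid=1001,umask=007'
group_only_fstab_line /dev/sdb1 /media/workspace 1001
```

Run it as-is to see both summaries; pass your own option string to fstab_effective_perms to check an fstab entry before rebooting. A dir mode of 770 with gid set to the workspace group is the outcome to look for; anything with a non-zero last digit is readable by every local user.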
9

I would gate access to the filesystem through a directory that contains the mount point.

As root:

mkdir -p /media/group1only/workspace
chgrp group1 /media/group1only
chmod 750 /media/group1only

This is full access to root and read+execute access for members of group1. Don't give them write access here, since if they accidentally rename the workspace mount point, it could make your system fail to boot.

And add this to /etc/fstab :

/dev/sdb1 /media/group1only/workspace auto defaults 0 1 

After the filesystem is mounted, you can make further ownership and mode changes to objects within the filesystem to accommodate finer-grain access among the group members.

2
  • 2
    This recipe does not work. After mounting the properties for /media/group1only/workspace are drwxr-xr-x 2 root root 4096 apr 13 09:05 workspace. Thus group1only does not play any role for the mount point. Commented Apr 13, 2022 at 6:13
  • @JohnSmith This should work fine. On Linux you need execute permissions on all parent directories in order to access a child, and this is the role group1only plays. Even if the permissions are 766 on workspace, users without the required permissions for the 750-permissioned parent directory will get permission denied. Try this in a non-root shell by cd'ing to / and attempting to enter workspace. Commented Jan 23, 2024 at 2:54
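As an added example, not part of the answer or comments above: two checks for the gated-parent layout. gate_mode_ok inspects the gate directory's permission bits for the shape the answer prescribes (nothing for others, search permission for the group); can_traverse walks a path and tests search permission on every directory along it for the calling user, which is the per-component check the kernel performs on each lookup and the reason a restrictive parent blocks access even when the mount point beneath it is world-readable. It relies on GNU stat(1); the throwaway directory tree it builds under mktemp is constructed for the demonstration and is not the real mount.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Checks for a "gated"
# parent directory above a mount point, and a path walk that mimics the
# kernel's per-directory search-permission check for the calling user.
# Requires GNU stat(1).
set -eu

# Return 0 if DIR's mode makes it a usable gate: no bits for others and
# the search (x) bit for group. Ownership is only reported, not enforced,
# because only root can chgrp to an arbitrary group.
gate_mode_ok() {
    local dir=$1 mode
    mode=$(stat -c '%a' "$dir")
    if [ $(( 0$mode & 7 )) -ne 0 ]; then
        printf '%s: mode %s grants access to others\n' "$dir" "$mode" >&2
        return 1
    fi
    if [ $(( 0$mode & 8 )) -eq 0 ]; then
        printf '%s: mode %s lacks group search permission\n' "$dir" "$mode" >&2
        return 1
    fi
    printf '%s: mode %s owner %s group %s\n' "$dir" "$mode" \
        "$(stat -c '%U' "$dir")" "$(stat -c '%G' "$dir")"
}

# Walk every directory on the way to an absolute PATH and test whether the
# calling user may search it. Prints the first blocking directory and
# returns 1, or prints "reachable" and returns 0.
can_traverse() {
    local path=$1 acc='' part
    local IFS=/
    for part in $path; do
        [ -n "$part" ] || continue
        acc="$acc/$part"
        if [ -d "$acc" ] && ! [ -x "$acc" ]; then
            printf 'blocked at %s\n' "$acc"
            return 1
        fi
    done
    printf 'reachable: %s\n' "$path"
}

# Demonstration on a constructed throwaway tree, not the real mount point.
tmp=$(mktemp -d)
mkdir -p "$tmp/gate/workspace"
chmod 750 "$tmp/gate"
gate_mode_ok "$tmp/gate"
can_traverse "$tmp/gate/workspace"
rm -rf "$tmp"
```

On the real system, run gate_mode_ok /media/group1only as root to confirm the 750 mode, then can_traverse /media/group1only/workspace from a shell belonging to a user outside group1 to see it report "blocked at /media/group1only". Note that root, and any process with CAP_DAC_READ_SEARCH, passes the -x test on every directory, so the traversal check is only meaningful for an unprivileged user.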
2

For example, assuming the filesystem on the disk supports ACLs, and using the hypothetical user, myusername, and the hypothetical group for accessing the disk, diskusers, something like the following could be done. $ indicates a command executed as a regular user; # indicates a command executed as the user root.

Create a group to which a user may belong for the purpose.

$ sudo groupadd diskusers
$ sudo usermod -a -G diskusers myusername
$ logout

Log in again.

$ sudo -i
# mount /media/workspace
# chown root:root /media/workspace
# chmod 0750 /media/workspace/
# setfacl -d -m g:diskusers:7 /media/workspace
# setfacl -m g:diskusers:7 /media/workspace

The "7" in the setfacl command is octal (read = 4 + write = 2 + execute = 1), much like normal octal permissions (0400, 0200, 0100).

The -d is a switch to specify a default mask - new files and directories. The -m is the mask to apply to the directory.

You also could apply the mask to all files initially after setting the default (above):

find /media/workspace -exec setfacl -m g:diskusers:7 {} + 

At that point, only root and members of diskusers can access the files. I like Mark Plotnick's idea, too, about applying permissions to a subdirectory. This technique could be used that way, too.
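As an added example, not part of the answer above: a shell helper that reads getfacl(1) output and reports what a named group entry actually grants. The effective access of a named user or group entry is the entry ANDed with the ACL mask, and chmod(1) on an object that carries an ACL rewrites the mask rather than the owning-group entry, so a chmod run after the setfacl commands above silently caps what g:diskusers:7 gave. The getfacl listings embedded below are constructed for the demonstration (the state after the answer's setfacl commands, and the same directory after a later chmod 750); the diskusers group name comes from the answer.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Computes the effective
# access a named group entry grants from getfacl(1) output, applying the
# ACL mask the way the kernel does.
set -eu

# Intersect two rwx strings position by position: perm_and rwx r-x -> r-x
perm_and() {
    local a=$1 b=$2 out='' pos ca cb
    for pos in 1 2 3; do
        ca=$(printf '%s' "$a" | cut -c"$pos")
        cb=$(printf '%s' "$b" | cut -c"$pos")
        if [ "$ca" = "$cb" ] && [ "$ca" != '-' ]; then
            out="$out$ca"
        else
            out="$out-"
        fi
    done
    printf '%s' "$out"
}

# Read getfacl output on stdin and print the effective access the named
# entry for GROUP grants (entry AND mask). Prints "none" and returns 1
# when there is no such entry. "default:" entries are ignored: they are
# inherited by new objects and say nothing about this one.
acl_effective_group() {
    local group=$1 line entry='' mask=''
    while IFS= read -r line; do
        line=${line%%[[:space:]]#*}      # drop getfacl's "#effective:" annotation
        case $line in
            "group:$group:"*) entry=${line#"group:$group:"} ;;
            mask::*) mask=${line#mask::} ;;
        esac
    done
    if [ -z "$entry" ]; then
        printf 'none'
        return 1
    fi
    if [ -n "$mask" ]; then
        perm_and "$entry" "$mask"
    else
        printf '%s' "$entry"
    fi
}

# Constructed listing: /media/workspace right after the two setfacl
# commands. setfacl recomputed the mask as the union of the group-class
# entries, so diskusers gets the full rwx.
acl_after_setfacl='user::rwx
group::r-x
group:diskusers:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:diskusers:rwx
default:mask::rwx
default:other::---'

# Constructed listing: the same directory after a later "chmod 750".
# The group bits of the chmod became the mask, capping diskusers at r-x.
acl_after_chmod='user::rwx
group::r-x
group:diskusers:rwx
mask::r-x
other::---'

printf 'after setfacl: '; printf '%s\n' "$acl_after_setfacl" | acl_effective_group diskusers; echo
printf 'after chmod:   '; printf '%s\n' "$acl_after_chmod" | acl_effective_group diskusers; echo
```

On a live system, feed it the real listing with getfacl /media/workspace | acl_effective_group diskusers. If the result is r-x rather than rwx, something ran chmod after the ACL was set; rerun setfacl -m g:diskusers:7 (which recalculates the mask) or set the mask explicitly with setfacl -m m::rwx.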

1

I'm on Ubuntu 22.04

My root mount in fstab is like this:

UUID=myuuid / ext4 errors=remount-ro,user=owner 0 1 

So, I don't have an owner user in the passwd conf file, but I think this owner is the absolute owner of the mount point (directory) ...

  • / has root owner
  • /home/whateveruser has whateveruser owner
  • /media/myuser/mypendrive has myuser owner

We don't need to specify user=listofusers. Owner is sufficient to get root and the effective logged-in user(s).

My USB 3.0 pendrive is getting almost 200 MB transfer rate, after I set user=owner at the / ext4 mount point.

I don't know if that works like I said, but I can boot with no mount errors nor systemd errors.
