Results 1 to 10 of 10

Thread: Prevent users from accessing WinXP system areas

  1. #1
    Join Date
    Jul 2008
    Location
    Ljubljana
    Posts
    522

    Default Prevent users from accessing WinXP system areas

    Hi there. We have a dual boot machine at home (WinXP/openSuSE). There are _huge_ Documents folders on the XP ntfs partition so that they cannot be duplicated on the SuSE partition. Nor can they be moved over to the SuSE partition because they _need_ to be accessed from within XP. Instead, we just redirected (soft-linked) all our SuSE /home/Documents folders to the corresponding folders on the XP partition. The problem is, we mount the XP partition read-write, so we can save our documents from within SuSE; that way, however, the SuSE users can access each other's folders, which is not politically correct, and, what's far worse, they can access XP root and system areas freely (thus potentially messing up the XP partition). Mind you, there's two pre-school brats using the computer. Is there a simple way to make only personal folders on a ntfs partition browsable from within SuSE and prevent other folders to be browsed? With simple I mean without having to go through lengthy or convoluted procedures, such as encrypting the ntfs partition, converting ntfs to ext3 or things like that.

  2. #2

    Default Re: Prevent users from accessing WinXP system areas

    JosipBroz wrote:

    >
    > Hi there. We have a dual boot machine at home (WinXP/openSuSE). There
    > are _huge_ Documents folders on the XP ntfs partition so that they
    > cannot be duplicated on the SuSE partition. Nor can they be moved over
    > to the SuSE partition because they _need_ to be accessed from within
    > XP. Instead, we just redirected (soft-linked) all our SuSE
    > /home/Documents folders to the corresponding folders on the XP
    > partition. The problem is, we mount the XP partition read-write, so we
    > can save our documents from within SuSE; that way, however, the SuSE
    > users can access each other's folders, which is not politically
    > correct, and, what's far worse, they can access XP root and system
    > areas freely (thus potentially messing up the XP partition). Mind you,
    > there's two pre-school brats using the computer. Is there a simple way
    > to make only personal folders on a ntfs partition browsable from within
    > SuSE and prevent other folders to be browsed? With simple I mean without
    > having to go through lengthy or convoluted procedures, such as
    > encrypting the ntfs partition, converting ntfs to ext3 or things
    > like that.


    For the NTFS partition, have mount options:
    uid=jospip,gid=users,fmask=0377,dmask=0277
    This will allow them to potentially write.
    Then, take away their access to the /windows path:
    $ chmod go-rwx /windows
    Then, create mount points within the user's home directories, like
    $ for X in user1 user2; do mkdir --mode=700 -v /home/${X}/WinDocs && \
    chown -v ${X}:users /home/${X}/WinDocs; done
    And mount the user's Documents directory inside his home:
    mount --bind /windows/c/Documents\ and\ Settings/user1/ /home/user1/WinDocs

    or something like that...

    regards,
    Andreas

  3. #3
    Join Date
    Jul 2008
    Location
    Ljubljana
    Posts
    522

    Default Re: Prevent users from accessing WinXP system areas

    A very exhaustive answer, Andreas. Thanx a bunch! I never thought you could chmod/chown ntfs partitions like that, since I know they have a totally different set of ACL from linux.

  4. #4

    Default Re: Prevent users from accessing WinXP system areas

    Quote Originally Posted by JosipBroz View Post
    A very exhaustive answer, Andreas. Thanx a bunch! I never thought you could chmod/chown ntfs partitions like that, since I know they have a totally different set of ACL from linux.
    You actually can't chmod/chown elements inside NTFS, right. You're limited to the uid,gid,umask,fmask,dmask mount options.

    But you can chown/chmod the directory containing the mount points (here: /windows contains /windows/c) and have each user have a limited view on the mounted file system from within their home directory.

  5. #5
    Join Date
    Jul 2008
    Location
    Ljubljana
    Posts
    522

    Default Re: Prevent users from accessing WinXP system areas

    Thx. Everything is clear now.

  6. #6
    Join Date
    Jul 2008
    Location
    Ljubljana
    Posts
    522

    Question Re: Prevent users from accessing WinXP system areas

    The above solution seems correct and promising, but I must be doing smth wrong, 'cause I am repeatedly bumping into a problem. Can anyone confirm the following: after you mount a device onto a folder, all the permissions previously set on the folder get lost/overridden by the mount permissions. No matter what permissions I set on my /media/windows folder, after mounting my NTFS partition on /media/windows, ONLY the mount permissions apply. Thus, if I set my /media/windows folder as, say, only readable by root, regular users can't browse into /media/windows. As soon as I actually _mount_ the ntfs partition on /media/windows, however, the folder is no longer off-limits, all users can browse the mounted partition and do other potentially nasty things (depending on the options set in fstab). Can anyone confirm this? Is this by design in linux? Do the mount point folder permissions cease to apply as soon as anything is actually mounted on it?

  7. #7
    Join Date
    Jul 2008
    Location
    Ljubljana
    Posts
    522

    Default Re: Prevent users from accessing WinXP system areas

    So, can anybody confirm this? How exactly do the mount folder permissions and the mount options interact in Linux? Is there any guru outthere itching to enlighten me (and other bewildered noobs)?

  8. #8
    Tilman Schmidt NNTP User

    Default Re: Prevent users from accessing WinXP system areas

    JosipBroz schrieb:
    > [A]fter you mount a device onto a folder, all the
    > permissions previously set on the folder get lost/overridden by the
    > mount permissions. No matter what permissions I set on my
    > /media/windows folder, after mounting my NTFS partition on
    > /media/windows, ONLY the mount permissions apply. [...] Can
    > anyone confirm this?


    For NTFS or other non-Unix/Linux partitions that description is
    correct. For Linux partitions (eg. ext3) the permissions set
    within the mounted filesystem apply.

    > Is this by design in linux? Do the mount point
    > folder permissions cease to apply as soon as anything is actually
    > mounted on it?


    It is by design. As far as the user is concerned, the mount
    operation entirely replaces the mount point by the mounted
    filesystem.

    What was not foreseen in that design is mounting filesystems
    which have no concept of permissions (eg. FAT) or whose
    permission settings Linux doesn't understand (eg. NTFS).
    For these cases, the mount permission settings were
    introduced as a workaround.

    HTH
    T.

    --
    Tilman Schmidt
    Phoenix Software GmbH
    Bonn, Germany

  9. #9
    Join Date
    Jul 2008
    Location
    Ljubljana
    Posts
    522

    Default Re: Prevent users from accessing WinXP system areas

    Thanx. That settles it, I guess: it's therefore not possible to set different ACLs for different NTFS directories (on the same partition) in Linux in any way. Or is there?

  10. #10
    Tilman Schmidt NNTP User

    Default Re: Prevent users from accessing WinXP system areas

    JosipBroz schrieb:
    > Thanx. That settles it, I guess: it's therefore not possible to set
    > different ACLs for different NTFS directories (on the same partition)
    > in Linux in any way.


    You're right, Tito. :-)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •