Advice please on mounting USB disk for all users

I am running KDE Plasma 5 on Tumbleweed and want to be able to plug in a new external USB3 1TB hard disk formatted EXT4 with a single partition and when I access it via any application like Dolphin I want it to be mounted for any user to have write access. If possible I do not want to have to use any mount commands to achieve this but have the system do it without manual intervention. Can someone please explain how I manage this?

Stuart

On Tue, 16 May 2017 09:06:01 GMT,
broadstairs <broadstairs@no-mx.forums.microfocus.com> wrote:

> I am running KDE Plasma 5 on Tumbleweed and want to be able to plug in a
> new external USB3 1TB hard disk formatted EXT4 with a single partition
> and when I access it via any application like Dolphin I want it to be
> mounted for any user to have write access. If possible I do not want to
> have to use any mount commands to achieve this but have the system do it
> without manual intervention. Can someone please explain how I manage
> this?
>
> Stuart

Create (as root) a file named /etc/udev/rules.d/$SOME_NUMBER-$SOME_NAME.rules,
for example:

/etc/udev/rules.d/99-external_mounts_are_shared.rules

# Get back the "classic" behavior
ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{UDISKS_FILESYSTEM_SHARED}="1"

and run “udevadm trigger” as root.

Your external disks will now be mounted in /media instead
of /run/user/$USER_ID/media and be visible/available to all users.

Of course, standard access controls (rwx) will still be there, so if they don’t
allow write access to some user, that also has to be dealt with no matter where
you mount the file system.

AK


Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)

On Tue, 16 May 2017 09:37:45 GMT,
AK <Akoellh@no-mx.forums.microfocus.com> wrote:

Edit:

Just to make things a little more clear,

/etc/udev/rules.d/99-external_mounts_are_shared.rules

would be a (IMHO useful) example for naming that file,

and this

# Get back the "classic" behavior
ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{UDISKS_FILESYSTEM_SHARED}="1"

should be the content of it.

AK



I have done exactly as described and created a /media folder (which did not exist) and it mounts OK, but as root, not the user, so I am unable to access it. I tried changing permissions of /media but still no joy. Yes, it mounts in /media with a sub-directory of the UUID, but as root!

Stuart

Most likely wrong permissions. The folder /media does not reflect the permissions of the files below it; it only has to be accessible so a normal user is allowed to mount something there.


ls -l / | grep media
drwxr-xr-x   2 root root       40 16. Mai 18:12 media

I will use udisksctl on the command line as KDE/Plasma will use the same framework (udisks2).


udisksctl mount --block-device /dev/sdb2 
Mounted /dev/sdb2 at /media/PLATINUM2.

 ls -l / | grep media
drwxr-xr-x   3 root root       60 16. Mai 18:14 media

ls -l /media/
drwxr-xr-x 5 root users 4096 18. Feb 22:37 PLATINUM2

Anything below PLATINUM2 will have (and retain) the permissions set inside the file system, no matter who mounts it where.

//Edit:

Just installed dolphin (I don’t use KDE/Plasma) and it works as expected (but on 42.2, not TW).

AK

I get the idea that you think that permissions have anything to do with the mounting. This is not the case. File/directory ownership (user.group) and permissions work through your complete directory tree from / on.

When you have a permission problem with a file/directory then please SHOW us what they are. Especially as you say you changed things there and you do not show what they are now, most other people will have no idea.

If I understand you correctly, you want to allow all users to be able to create and remove files in /media. Then you should of course see that the options allow that. Thus when root:root is the owner, the permissions should be rwxrwxrwx to allow user root, all users that are part of group root and all others to read, write and access the inodes of /media.
But take care. This means that when user aap creates a file there, user noot is able to remove it. I do not know if that is what you want.

An alternative is to make it the same as /tmp:

henk@boven:~> ls -ld /tmp
drwxrwxrwt 17 root root 12288 16 mei 21:30 /tmp
henk@boven:~>

which uses the “restricted deletion flag”. You see the t at the end of the permission string. The description in man chmod says it all:

RESTRICTED DELETION FLAG OR STICKY BIT

The restricted deletion flag or sticky bit is a single bit, whose interpretation depends on the file type. For directories, it prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and is commonly found on world-writable directories like /tmp.

In other words, user noot above can not delete something that is owned by user aap.

I hope you are also aware of the fact that users that create directories/files there can protect them from other users by setting the permissions of those files owned by them.

I have no idea if this fits your “I want it to be mounted for any user to have write access.” (where the word mount for any user is incorrect; one does not mount “for a user”, one mounts a file system on a mount point and the permissions are what they are).

I think what was (and is) confusing me is that when I mounted a USB stick it would mount with write access for the user automatically, and the only difference here is that this is an external USB HDD, effectively just a large USB stick, so why did it mount for root, even before any messing around with the above? In plain English, I want this external HDD to mount automatically with write access for the user mounting it. It will be used as a backup device and as soon as the backup completes it will be removed and stored in a drawer until the next backup time. BTW the same issue exists with Leap 42.2 where it mounts as root. So all I need is for it to mount exactly as a USB stick does.

Stuart

Very likely, the USB stick that worked was formatted for a Windows file system (FAT or NTFS). Since Windows file systems don’t have typical unix permissions, those are simulated with the person mounting them as owner.

But now you are trying to mount an “ext4” file system. And the “ext4” file system does support normal unix permissions. So you need to set the permissions in that file system.

For example:


# cd /media/wherever   ## go to the top of the mounted file system
# chmod -R a+rwx .

That should make all directories readable and writable by all.

So basically what you are saying is that in Linux there is no way to automatically mount a USB HDD formatted EXT4 as writable for the mounting user without then running commands after each and every mount, unless I resort to using Windows filesystems, which kind of defeats the idea of having an HDD for Linux backup since none of the permissions etc. will be preserved. I simply cannot understand why this is so problematic and do not understand why it works this way. Once this disk has the various backups on it from the 4 different Linux PCs/laptops, using EXT4 will ensure that each set of files for the user concerned will have all their permissions etc. set correctly and they will only be able to manipulate their own files, so to me it makes sense that it should be mounted with write access for the relevant user, and this should happen without having to resort to additional commands in order to make it work. This is security getting in the way of normal work.

Stuart

If you configure udisks2 for shared removable media mounting as Akoellh has already mentioned, and you also have the appropriate permissions applied to your removable media filesystem (a one-time config), then users writing to that device will have their respective permissions preserved. I have a USB HDD that I have formatted with an ext3 filesystem for backups. I have a mixture of files owned by different users on it (including root-owned files).

I simply cannot understand why this is so problematic and do not understand why it works this way.

It’s not - just a bit of learning about *nix filesystems required.

No, that is not at all what I am saying.

The command that I mentioned is only needed once. It is not needed for every mount.

Who can read/write files is defined within the file system, not with the mount command (at least for unix file systems).

As people do so often, it looks as if you “asked for the step instead of for the goal” (see: How To Ask Questions The Smart Way).

I now think I begin to understand that you want your users each to be able to use space on that file system to make backups of their files. In that case, I would make this look like /home does. That is one directory (e.g. named /backup to give it a name that better describes its usage than /media) with owner and permissions same as this:

drwxr-xr-x 10 root root 4096 14 mrt 16:21 /backup

Then mount the file system there.
Then create for each user (that should be able to use this backup feature) a directory same as in /home:

drwxr-xr-x 86 henk users 4096 17 mei 21:38 /home/aap

Now user aap can use /backup/aap in the same way he can use /home/aap. To create directories and files there, change them, remove them, whatever he likes.
When user aap is a clever Unix/Linux user he will probably create a symbolic link from his home directory:

ln -s /backup/aap backup

to enable him to surf from his home directory with e.g. Dolphin directly to backup.

As said

I simply cannot understand why this is so problematic and do not understand why it works this way.

This is “simply” the way Unix/Linux security on file access works. When you can not understand this, that is a problem. But impossibility to understand it will not remove the facts of Unix/Linux life.

That, with a trick, a non-Linux file system is mounted by the desktop on a directory that is owned by the desktop session owner and that all files on that file system are given the fake owner and permissions they get (from the mount parameters btw), shows only the insecurity of those devices. At one moment user aap “is owner” of all on the device, the next moment it is user noot. Not really a secure situation :(.

I was composing an answer when I saw this reply from nrickert. My answer was going to be the same. Once you have done as he asks, that will be preserved on future mounting.

Henk’s instructions, though, are even better. Just make certain that – for each user – you give that particular user ownership and rights.

From the directory just above where you made each user, do similar to the following, as root:

chown -R abe:users abe

for user abe with his own directory of abe, and

chown -R linda:users linda

for user linda with her own directory of linda.

Et cetera, et cetera, et cetera. – Yul Brynner in The King and I;)
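A check an administrator can run after setting up either layout discussed above (Henk's per-user /backup/<user> directories with the chown step, or the /tmp-style shared directory with the sticky bit). This is an added example, not code from any poster in the thread; it assumes GNU coreutils stat, and the /backup path is only the illustration used above.

```shell
#!/bin/sh
# Added example (not from the thread): audit a /home-style backup tree
# (/backup/<user> owned by <user>) and the /tmp-style alternative
# (one shared directory with the restricted-deletion bit set).
# Assumes GNU coreutils stat; "/backup" is just the example path used above.

# audit_backup_dirs DIR
# Prints one WARN line per problem and returns 1 if any were found.
audit_backup_dirs() {
    root="$1"
    rc=0
    # The top of the tree should stay root-owned and not world-writable,
    # otherwise any user could create or rename another user's directory.
    top_mode=$(stat -c '%a' "$root")
    case "$top_mode" in
        *[2367]) echo "WARN: $root is world-writable (mode $top_mode)"; rc=1 ;;
    esac
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        owner=$(stat -c '%U' "$d")
        mode=$(stat -c '%a' "$d")
        # Each per-user directory must be owned by the user it is named after
        # (the chown -R user:users step), or that user cannot write to it and
        # whoever does own it can read and delete the backups.
        if [ "$owner" != "$name" ]; then
            echo "WARN: $d is owned by $owner, expected $name"; rc=1
        fi
        # A world-writable per-user directory defeats the per-user layout.
        case "$mode" in
            *[2367]) echo "WARN: $d is world-writable (mode $mode)"; rc=1 ;;
        esac
    done
    if [ "$rc" -eq 0 ]; then echo "OK: $root follows the per-user layout"; fi
    return "$rc"
}

# shared_dir_ok DIR
# For the /tmp-style alternative: a shared, world-writable directory is only
# acceptable with the sticky bit set (mode 1777), so users cannot remove or
# rename each other's files.
shared_dir_ok() {
    [ "$(stat -c '%a' "$1")" = "1777" ]
}

# Usage, as root, after mounting the disk on /backup:
#   audit_backup_dirs /backup
```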

So much has gone on now I am confused. So to explain my goal…

Any user wishing to back up their files from their laptop/PC to be able to plug in the USB HDD and copy their files to it using whatever they want (let's say Dolphin). So they click on Open with file manager from the options in the Device Notifier and the system mounts the HDD at a point where they have write access to it and they can copy their files from Dolphin to the USB HDD, they then click on the option to unmount it and unplug the drive and put it away.

That is what I want to achieve. I don't want them to have to issue any console commands or run any scripts to achieve this, I expect the system to do this without any additional steps to those I outlined. I am quite content to have to set things up to achieve this myself but once done the user should not have anything to do apart from the above. Is this achievable without using NTFS or FAT file systems?

Stuart

… again, YES

… if you follow either nrickert’s or Henk’s instructions. My best guess would be that is why they gave them to you?

Yes. Only YOU need to configure the removable media first as already outlined well by Henk. It’s what I have done with a particular backup device using an ext3 formatted partition. The various users can only write to a given directory, and if using KDE you can even save a link in Dolphin to provide direct access to the appropriate directory if desired. (I’m sure it can be similarly accomplished with Nautilus as well.) You’re the administrator it would seem, so you need to take the required steps, and then it should be transparent to the users.

New information is unveiled!
The device is to wander between several systems and the user population of all those systems must be able to have their backups on it.
Then I have another, most probably unpleasant to you, remark to make.
You then must have a central user administration. All the different users on all those systems must each have a unique userid (UID).
Thus when user aap has userid 1001 on one system, user noot must have a different uid (e.g. 1005). User noot must also have uid 1005 when (s)he is also registered on one or more of the other systems. In other words the UID is the deciding factor in telling users apart. The user name is only for human consumption on a system.

When not doing this and user aap on system1 would have 1001 and user noot on system2 would also have 1001, both would own the same stuff on the wandering disk. No privacy, no security.

I would never use non-Linux file systems for anything other than direct exchange of data between my Linux systems and other non-Linux systems.

The user privacy thing is no big deal as this is not a commercial system but a private home one where a couple of users are not techy and just expect things to work and I have root access to their systems anyway. I just want it to be plug and play so they can do backups when they want. No, I don't want to use non-Linux filesystems either for this.

I seem to have worked my way through this stuff now to get it mounting at least on one system OK.

Now have an issue where it stops copying files after a while, not sure yet if this is a bad disk (it is a new HDD) but of course unable to see SMART data as it is USB connected. I suppose it could be a problem with buffers filling up and it has to wait for them to empty before continuing but I did leave it quite a while. I’ll try again another day when I can leave it on for longer, can't do it now as we have to go out and I don't like leaving stuff like this when no one is around.

Stuart

I assume that when user a removes user b’s files (by accident, because the system does not protect against this) both will not appreciate that as “it just works”.

In any case, you have chosen to use a Unix type system, thus you have the pros as well as the cons of a multi-user and multi-session OS and all the security that is built into it to be able to function as such.

You can also choose to use systems that do not support that and where everybody can roam around and do what they like because such an OS has a different trade off between security and usability. We only have to watch the news media to see where that leads to.

BTW my idea about providing a backup policy for a multi-system multi-user shop would be based upon much more automation (by root, probably based on rsync over the network) instead of trusting the users to make backups themselves (and letting that disk, with everybody’s things on it, get dropped).

I appreciate all you say but I am not sure all of that is required for 4 PCs at home. I do regular backups of the PCs but want anyone to be able to back up anything they feel the need for on this HDD.

Stuart