Default mount permissions for external USB drives

When mounting a NTFS partition (either from internal hard disk or connecting an external USB stick/hard disk), I notice it’s always mounted by default with full 777 permissions for all files and directories, and when copying to local system locations they’re copied just like that.

I know full 777 permissions is generally not a good practice, and after an internet search I found that it’s possible to change default mount options -including permissions- in /etc/fstab. The thing is, fstab works well for “static” devices (for example, internal disks precisely); and external devices are normally not added there, I think precisely due to their come-and-go “nature”…

I was wondering, isn’t there a way somewhere to set default mount permissions, or options, for any device found with a certain filesystem (NTFS, FAT32…)? Either internal, or any external device.

Thanks.

I assume that you’re referring to udisks2 mounting? Can you show an example?

mount | grep -i udisks

Yes, there is: http://storaged.org/doc/udisks2-api/latest/mount_options.html

Yes, but Leap 15.3 is using udisks2 version 2.8. That article references version 2.9…

Since the 2.9.0 UDisks release a new way of overriding builtin set of mount options is supported. This is primarily targeted to sysadmins with system-wide write access (e.g. /etc/udisks2 or udev rules) and essentially transfers responsibility for security and data consistency to their side.

I missed that. However the article discusses udev rules which are used in Leap.

Yes, for sure.

You can add as many rules as you wish. Nothing will be using these rules and they will have no effect.

Command shows no output at all, just returns to the command prompt without anything else.

I tried the “mount” command alone just for curiosity. Alone it seems to just display some mounting information, without doing anything else. Is this correct?
Also, alone seems it doesn’t even need root to be run, only when doing some other stuff?

Thanks.

Then you don’t have any external storage devices currently mounted that way. ;)

For example, when I plug in a USB stick I get

mount |grep -i udisks
/dev/sdb on /media/DE67-E8A3 type vfat (rw,nosuid,nodev,relatime,uid=1000,gid=100,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,showexec,utf8,flush,errors=remount-ro,uhelper=udisks2)

I tried the “mount” command alone just for curiosity. Alone it seems to just display some mounting information, without doing anything else. Is this correct?

Well, yes that is what it does…report what is mounted.

Also, alone seems it doesn’t even need root to be run, only when doing some other stuff?

Thanks.

No need to be root to see what is mounted, but other actions may require it. Here’s an exception…

From ‘man 8 mount’…

Non-superuser mounts
Normally, only the superuser can mount filesystems. However, when fstab contains the user option on a line, anybody can mount
the corresponding filesystem.

   Thus, given a line
          /dev/cdrom  /cd  iso9660  ro,user,noauto,unhide
   any user can mount the iso9660 filesystem found on an inserted CDROM using the command:
          mount /cd
   Note that mount is very strict about non-root users and all paths specified on command line are verified before fstab is parsed
   or a helper program is executed. It's strongly recommended to use a valid mountpoint to specify filesystem, otherwise mount may
   fail. For example it's a bad idea to use NFS or CIFS source on command line.
   Since  util-linux  2.35,  mount  does  not  exit when user permissions are inadequate according to libmount's internal security
   rules.  Instead, it drops suid permissions and continues as regular non-root user. This behavior supports use-cases where  root
   permissions are not necessary (e.g., fuse filesystems, user namespaces, etc).
   For  more  details, see fstab(5).  Only the user that mounted a filesystem can unmount it again.  If any user should be able to
   unmount it, then use users instead of user in the fstab line.  The owner option  is  similar  to  the  user  option,  with  the
   restriction  that  the user must be the owner of the special file.  This may be useful e.g. for /dev/fd if a login script makes
   the console user owner of this device.  The group option is similar, with the restriction that the user must be a member of the
   group of the special file.

I tested with 2 USB devices: a Kingston USB stick with FAT32, and an ADATA external USB3 hard drive with NTFS.

test1@linux-3776:~> mount | grep -i udisks
/dev/sdb1 on /run/media/test1/KINGSTON type vfat (rw,nosuid,nodev,relatime,uid=1000,gid=100,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,showexec,utf8,flush,errors=remount-ro,uhelper=udisks2)
/dev/sdc1 on /run/media/test1/ADATA type fuseblk (rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096,uhelper=udisks2)
test1@linux-3776:~>

Can’t understand very well the output for the external hard disk, but “ls -la” revealed that everything had permissions 0777, at least as expected.
However, in the USB stick case, it says “fmask=0022”, and yet all files were 0644 and all directories 0755! WTH with this?

Also, there’s certainly nothing inside directory /etc/udisks2. So, for not having udisks 2.9, is the only way to change default mount options setting udev rules?

Finally, I tried the mounting stuff with udisksctl and ISO files.
To mount (it always uses default /dev/loop0):

udisksctl loop-setup -r -f file.iso && udisksctl mount -b /dev/loop0

To unmount:

udisksctl unmount -b /dev/loop0 && udisksctl loop-delete -b /dev/loop0

Seemingly works, yet some limitations at least from my point of view:
–Couldn’t find a way to specify custom mount points, unlike plain “mount” command
–Perhaps it’s by good design, but I found slightly pity that it needs 2 steps to mount ISOs, instead of just one with “mount” command
–No additional messages when mounting in “read-only” mode; wondering if “-r” or “-rf” switches really work…
Besides, can ISOs really be mounted as “writable”? Aren’t they read-only by design?
–After using commands to mount ISOs, 8 loop0-7 devices are created under /etc, which even after no longer being used, they’re not gone until a reboot

Thanks again.
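Added example, not part of the original posts and not udisks2 code: a small Python audit of the `mount` output quoted above that derives the modes the vfat driver reports from fmask, dmask and showexec. The kernel's showexec option keeps execute bits only on .EXE/.COM/.BAT names, so fmask=0022 yields 0644 for other files and 0755 for directories. The function names and the probe names `notes.txt` and `docs` are illustrative assumptions.

```python
import re

# Sample input: the two udisks2 lines quoted in the post above, embedded so this runs offline.
SAMPLE = """\
/dev/sdb1 on /run/media/test1/KINGSTON type vfat (rw,nosuid,nodev,relatime,uid=1000,gid=100,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,showexec,utf8,flush,errors=remount-ro,uhelper=udisks2)
/dev/sdc1 on /run/media/test1/ADATA type fuseblk (rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096,uhelper=udisks2)
"""
LINE = re.compile(r"^(\S+) on (.+) type (\S+) \((.*)\)$")
EXEC_EXT = (".exe", ".com", ".bat")  # names vfat's showexec treats as executable

def parse_options(text):
    """Split 'a,b=c' into {'a': True, 'b': 'c'}."""
    opts = {}
    for item in text.split(","):
        key, sep, value = item.partition("=")
        opts[key] = value if sep else True
    return opts

def vfat_mode(opts, name, is_dir=False):
    """Mode vfat reports for one entry; a missing mask is treated as 0 (simplification)."""
    if is_dir:
        return 0o777 & ~int(opts.get("dmask", "0"), 8)
    mode = 0o777 & ~int(opts.get("fmask", "0"), 8)
    if "showexec" in opts and not name.lower().endswith(EXEC_EXT):
        mode &= ~0o111  # showexec strips the x bits from every other file
    return mode

def audit(mount_output):
    """One dict per udisks2 mount, with file/dir modes where they can be derived."""
    report = []
    for line in mount_output.splitlines():
        m = LINE.match(line)
        if not m or "uhelper=udisks2" not in m.group(4):
            continue
        opts = parse_options(m.group(4))
        entry = {"device": m.group(1), "target": m.group(2), "fstype": m.group(3),
                 "noexec": "noexec" in opts, "file": None, "dir": None}
        if entry["fstype"] == "vfat":
            entry["file"] = oct(vfat_mode(opts, "notes.txt"))
            entry["dir"] = oct(vfat_mode(opts, "docs", is_dir=True))
        # fuseblk lines carry no fmask/dmask (the FUSE helper applies its own),
        # so file/dir stay None and must be checked with ls on the mount point.
        report.append(entry)
    return report

if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(e)
```
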

Before udisks 2.9 there was no way to change default mount options globally. (Desktop) clients may offer per-mount point or per-filesystem type configuration of mount options as long as udisks allow these options.

Besides, can ISOs really be mounted as “writable”?

“ISO” is ambiguous. Are you talking about International Organization for Standardization?

Aren’t they read-only by design?

If you mean “files with extension .iso” they are just files with some content. The content of these files may be an image of a writable filesystem or it may be an image of a read-only filesystem. Traditional filesystem used for CD-ROM - iso9660 - is read-only by design.

Yes, I’m sorry, I meant files with extension .iso, the iso9660 filesystem used for CD/DVD.

Could someone help with the other doubts by chance?
Thanks.

Just found this, by the developer of udevil:
https://igurublog.wordpress.com/2012/03/11/udisks2-another-loss-for-linux/

Yes, very old, but at least from my limited point of view, it’d still make some sense…

RTFM, man.
ISO file is an image of a disk standardised by ISO organisation.

CD/DVD disks can hold different file systems. They have physical limits of ~1000 times for rewriting.

Something closer to ordinary magnetic or flash storage: https://en.wikipedia.org/wiki/DVD-RAM, but it is already deprecated.