Ownership of encrypted USB drive with ext4

How do I change the ownership of an encrypted USB device (encrypted using YaST) so that I am able to read and write files on it? I’d like to use ext4 on an encrypted USB drive but I wasn’t able to figure this out. Searching the web didn’t help. Paragraph 10.1.4 of the documentation for openSUSE 12.3 simply says: “For devices with a file system other than FAT, change the ownership explicitly for users other than root to enable these users to read or write files on the device.” But no further instructions are given. How do I do that?

Michael

openSUSE 13.1 64bit KDE

There isn’t such a thing as ownership for a file system. Ownership and permissions are for individual files (and thus also for directories).

That means that e.g. the mount point must have correct ownership and/or permissions to allow users (which ones?) to follow the path. And of course all files on the file system are also owned by somebody and have permissions.

When the above does not help, you could become more specific. E.g. telling (and showing) the mount point and its contents using ls. And revealing which user(s) must be able to do what.

Oh boy, this goes beyond what I am used to. Here is my attempt of a response.

After formatting and encrypting the device with Yast the device is owned by “User: root” and “Group: root” according to the properties of the device when I access them in Dolphin. But this doesn’t allow me, the normal user “my-user-name” who belongs to the users group to gain access to the device.

Using Dolphin Super User Mode I can go to the properties of the device (right-click), then “Permissions” and then change the ownership to “User: my-user-name” and “Group: users.” The owner has rwx permissions, the group only r-x. Permissions are thus the same as the permissions of the folder “my-user-name” in /home.

The device is mounted on /run/media/my-user-name/07470d91-e1c9-493b-8ce3-412c2ccdd4fe as shown in the properties.

The funny thing is that I can copy single files to the device but not a folder with files, or more exact: the folder is copied, but not the files. In the folder properties it says “Forbidden” for owner, group and other. (I could change the permissions manually for each folder but that is time consuming and not practical.)

Checking “Apply changes to all subfolders and their contents” in “Properties Permissions” of the device and then changing the values to “root” in both fields and then back to “my-user-name” and “users” does not help. (At least I tried that without success.)

This is what I did and what the situation is right now. Am I on the wrong track? Do I need to provide more information?

Michael

I gave it another try. I deleted the encrypted partition on the USB device, created a non-encrypted one with FAT and created a new encrypted partition with ext4 - just to make sure that I have a fresh start.

Using Dolphin Super User Mode I checked “Apply changes to all subfolders and their contents” first and then changed the ownership of the device to “User: my-user-name” and “Group: users” with rwx permissions for the owner and r-x for the group. Now I can copy folders with subfolders and files to the device (which I use as one of my backup devices).

Is this the correct method to gain access to an encrypted device with ext4 as normal user? I’d be glad to read a positive answer. I hope that the method will work with other devices, too.

No, that’s not correct. I am far from clear on what you did.

It is the nature of an ext4 file system, that ownership is at the level of files (and directories). You are probably writing to the FAT partition that you also created but did not encrypt. In other words, I suspect that you have an encrypted ext4 partition that you are not using, and an unencrypted FAT partition that you are using. So the data is not encrypted.

While I have not tried it, as far as I know, you can encrypt the USB and still format the encrypted partition as FAT if that is what you would find most useful. You won’t be able to access that on Windows, though, unless you install some LUKS encryption software for Windows.

Using FAT looks like the better option as it doesn’t give the problems with denied access. I may switch to FAT then.

But still, there is only an ext4 partition on the device, no FAT partition. Unfortunately I didn’t find a way to show that here.

Use

fdisk -l

to show us. Note that is a lower case L, not a one.

Please use code tags (# on the bar) for computer output

FAT does not understand ownership like a real Linux file system. So the files are owned by whatever entity mounts it and the permissions are faked.

Here is what I did with another device: delete the partition on it, add an encrypted ext4 partition, change the ownership in the properties of the device (which shows up as a folder in Dolphin) using Dolphin Super User Mode so that the owner of the device is “my-user-name”, the group is “users” (see post #3 above). And lo and behold, I can read and write on the device. (That’s the expected outcome.) Here is what fdisk -l says:

linux-xxxx:/home/"my-user-name" # fdisk -l
WARNING: fdisk GPT support is currently new, and therefore in an experimental phase. Use at your own discretion.

Disk /dev/sda: 750.2 GB, 750156374016 bytes, 1465149168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk label type: gpt

#         Start          End    Size  Type            Name
 1         2048       321535    156M  EFI System      primary
 2       321536       643071    157M  Microsoft basic primary
 3       643072   1465147391  698.3G  Linux LVM       primary

Disk /dev/mapper/cr_ata-TOSHIBA_MK7559GSXP_719LS8OXS-part3: 749.8 GB, 749824114688 bytes, 1464500224 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes

Disk /dev/mapper/system-home: 708.7 GB, 708669603840 bytes, 1384120320 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes

Disk /dev/mapper/system-root: 26.8 GB, 26843545600 bytes, 52428800 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes

Disk /dev/mapper/system-swap: 6442 MB, 6442450944 bytes, 12582912 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes

fdisk: cannot open /dev/mapper/cr_usb-Ut163_USB2FlashStorage_000000000000BA-0:0-part1: Input/output error

The only thing I know is that I have access to the device (read and write).

What do you think about this procedure?

Again, you did NOT change the ownership of the device as there is no such thing.

You changed the ownership of the directory. Which is something you can do to any directory (or other type of file for that matter). And it will have the effects of all changed ownerships. The fact that it is a mountpoint or the fact that the file system is encrypted have no relation to this.

Please try to find on the internet some documentation about ownership of files and permissions in Unix/Linux. Without such basic knowledge it is very difficult to understand what happens here.

All right, I changed the ownership of a directory using a method similar to the one described here: https://www.linux.com/learn/tutorials/760276-how-to-manage-file-and-folder-permissions-in-linux (in the section “GUI: Change ownership” with the necessary adjustments). I get that. The outcome seems to be an encrypted device with an ext4 partition that I can read and write on - I on my own machine or on the machine of my wife with my wife logged in with her user name (also running openSUSE 13.1 with KDE Plasma Desktop) - because I changed the ownership of the *directory*. (Hopefully this is an acceptable description of what is happening here.)

Allow me to go back to post #1 and the quote from paragraph 10.1.4 of the documentation for openSUSE 12.3: “For devices with a file system other than FAT, change the ownership explicitly for users other than root to enable these users to read or write files on the device.” This is where it all started. Although English is not my native language I would say that the natural interpretation of this clause is that ownership is a property of the *device*: “For devices…change the ownership…” Ownership of what? Of the device. Although technically this is not the correct answer as I know now.

I am sorry that I caused a lot of confusion here. But part of the confusion is caused by my interpretation of the documentation.

Apart from that, using FAT for an encrypted partition on an external device seems to be the easier thing to do. Would you agree?

I would never agree with using a non-Linux file system type on Linux for anything else than the exchange of data with non-Linux systems. It may be “easier” (I do not know), but not cleverer. At least when one of your arguments behind using Linux is its increased security vs. Windows.

On 2014-03-13 15:46, opensuseinmanila wrote:

> Allow me to go back to post #1 and the quote from paragraph 10.1.4 of
> the documentation for openSUSE 12.3: “For devices with a file system
> other than FAT, change the ownership explicitly for users other than
> root to enable these users to read or write files on the device.” This
> is where it all started. Although English is not my native language I
> would say that the natural interpretation of this clause is that
> ownership is a property of the -device: -“For devices…change the
> ownership…” Ownership of what? Of the device. Although technically
> this is not the correct answer as I know now.

No.

Also, I guess that the people that wrote that did not have English as
their first language :wink:

It means that on FAT devices you indeed set the permissions for the
entire device partition. Or to be precise, you fake them.

(and it also applies to NTFS).

On non FAT devices, that is, on proper Linux devices, instead you change
the permissions of directories and permissions in the standard, ages
old, Unix way (change explicitly). You do it file by file, directory by
directory, one by one, or massively on a lot of them. But any new file
can have any other combination of ownership and permissions.

What you did with dolphin is that you changed the permission of the
“parent” directory (some say the root directory, but that is confusing).
Once you have permission to write on the parent directory as a normal
user, you can, as that same user, add new files and directories, which
will belong to the user that creates them (which may or not be the one
that owns the parent directory).

Please, find a book on Unix or Linux and learn how permissions work
here. You need to read a text that explains it properly, not make
guesses at how to do things, or even ask us questions. We can not
explain it all in a post - in that case we’d write the book instead! :slight_smile:

> I am sorry that I caused a lot of confusion here. But part of the
> confusion is caused by my interpretation of the documentation.

Documentation written by programmers is often difficult to understand by
non-programmers.

> Apart from that, using FAT for an encrypted partition on an external
> device seems to be the easier thing to do. Would you agree?

CERTAINLY NOT!


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
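
The "standard Unix way" described in the post above, done from a shell instead of Dolphin. This is an added example and not part of the original thread; audit_tree and fix_tree are hypothetical helper names, and the mount point, user and group in the usage comment are the ones quoted earlier in the thread with the UUID left as a placeholder.

```shell
#!/bin/sh
# Added example; audit_tree and fix_tree are hypothetical helper names.
# Usage (as root, after unlocking and mounting the volume):
#   sh fixperms.sh /run/media/my-user-name/<uuid> my-user-name users

# Print every entry under $1 that is not owned by user $2 and group $3,
# or that its owner cannot read and write (or, for directories, enter).
# These are the entries Dolphin shows as "Forbidden".
audit_tree() {
    find "$1" \( ! -user "$2" -o ! -group "$3" -o ! -perm -600 \
        -o \( -type d ! -perm -100 \) \) -print
}

# Hand the whole tree to $2:$3 and set owner rwx / group r-x on directories,
# owner rw- / group r-- on plain files (executables keep x), nothing for others.
# -h changes a symlink itself instead of the file it points to, so a link
# stored on the drive cannot redirect the chown to a file outside it.
fix_tree() {
    chown -hR "$2:$3" "$1" && chmod -R u+rwX,g+rX,g-w,o-rwx "$1"
}

# Audit only when called with the three arguments; fixing stays explicit.
if [ "$#" -eq 3 ]; then
    audit_tree "$1" "$2" "$3"
fi
```

Files created on the volume afterwards still get the ownership of whoever creates them, so the audit is worth repeating when the drive is shared between accounts.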

I had a separate /data partition that I encrypted using cryptsetup. After system install, I opened my file manager as root (be it dolphin, nautilus, thunar, etc) and set the permissions to it for root and my user, both can read and write in and out of any folder, and the “Others” group (that do not belong to ‘root’ or ‘my-group’) couldn’t access that partition.
The good thing is that it stays with its permissions set even after system re-install.

I wouldn’t worry about it. All documentation assumes a certain level of knowledge, and sometimes this assumption is wrong. But your interpretation was logical and, after all, this documentation is not for programmers, but for the general user. Sometimes the people at the fora (including me) tend to be a bit too precise, but this is not altogether a bad thing, as it sometimes avoids misinterpretations on the respondent side.

The way you saw it (device permission) vs the way it is (folder permissions) is not too far apart, as every device partition is mounted as a folder (directory?), and if you set this directory permissions everything under it will in principle have the same permissions by default. Of course, there might be system/security policies that prevent you doing this to key folders like / or /sbin and such.

The way you changed the permissions with Dolphin in root mode is just like I usually do. For example, when creating a NFS mount point in Yast NFS client for a network share, the new folder is owned by root, even if under /home/$USER. So I change it like you do, if I want to. If the folder already exists, it retains its permissions.

On a side note: what’s the difference between directories and folders? I don’t really know. Maybe there is a huge difference for the techno-wizards, but it was never an issue in my day-to-day use of openSUSE - or any other OS for that matter :-).

The problem with FAT is that it is more fragile than ext4, is (AFAIK) limited to 4GB maximum file size, and as mentioned by others, does not implement any kind of permissions. Unfortunately if you need cross-platform compatibility (read a pendrive in windows and linux, for instance), it’s the simplest way to go.

And welcome to the openSUSE community!

On 2014-03-13 22:36, brunomcl wrote:

> On a side note: what’s the difference between directories and folders?

I only use the word “folder” for email folders - because in some cases,
no directories are involved.

> The problem with FAT is that it is more fragile than ext4, is (AFAIK)
> limited to 4GB maximum file size, and as mentioned by others, does not
> implement any kind of permissions. Unfortunately if you need
> cross-platform compatibility (read a pendrive in windows and linux, for
> instance), it’s the simplest way to go.

Portability is nil when using Linux encryption :wink:


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

There is no difference. The word “directory” is the term used by Unix since its beginning. It was also used by MS-DOS (remember the command: DIR). The word “folder” I am not sure of, but the word “map” comes from the desktop metaphor where everything on a computer “desktop” should have its equivalent in daily (office) life. In Unix/Linux (and not restricted to it) a desktop “map” is implemented as a “directory” on the system level. Thus the desktop (GUI) user may say “map” where the system administrator will use “directory”.

As soon as you want to manage your system as system manager/administrator and then start to read man pages and other documentation, you should be prepared to understand the concept of a “directory” in Unix/Linux.