I don't know if this topic is in the correct forum, feel free to move it if not.
On my laptop running 15.5 and KDE, using user1, I attach my USB disk or stick and I can easily access its content.
When I switch to user2 I cannot access my USB disk or stick, even if I remove it and attach it again.
How can I have my USB stick or disk available to all the users?
Like all file systems mounted for use by all users, root can mount it on a mount point accessible by all. Either by using the mount command (maybe helped by configuring the lot of parameters in /etc/fstab), or maybe "always" (from boot till shutdown), by configuring it in /etc/fstab.
@pier_andreit Hi, it's all about file permissions and ownership/groups.
See here: https://doc.opensuse.org/documentation/leap/security/html/book-security/sec-sec-file-management.html
You will see a note "Important: Test permission changes"
There are so many ways this can be done…
Complicating factors are:
- when the file system is already mounted through the desktop, the mount point is dedicated to the user (and other users have no normal access to that);
- when the file system is non-Linux (which is often the case with a mass-storage device spontaneously connected by an end-user), the ownership and permissions are faked and unchangeable.
@hcvv for 1. I suspect if it's just one USB device, based on the lsusb output, one could craft a udev rule to mount somewhere on demand, or like you indicated, a fstab entry with nofail?
That is what I would prefer (as suggested above). Udev rules are more complicated for most people.
The real solution is of course that the original user does a "safe remove" and disconnects it before he gives the device to another human. That would also be the better way of living in a security aware environment. Not leaving your data lying around (or in this case even connected to the computer) for others.
It may be that many Linux users coming from an MS Windows environment do so (partly) because of more security. I find it always humorous to see how they then stumble into security barriers and then, without even contemplating the security logic of them, immediately want to do away with such restrictions. Yes, "security" and "ease of use" are two ends of the balance.
Post output of
findmnt -u
when you are doing it.
And once more after you have done this.
Many thanks, but in this case I have many users with their settings and tens of USB sticks, so my better way of living is to have everything accessible to all the users regardless of security and with much regard to ease of use. Is there a way to have this?
Many thanks, I did what you asked. If I safely remove, the system asks me for the root password; if I detach and attach again it works. Is it possible to do it without being asked for the root password?
here is the output of command after switched to user2, after safely removed in user2 with root password, after attached again in user2
attached and mounted in user pla&st
switched user to user pla
pla@localhost:~> findmnt -u
TARGET SOURCE FSTYPE OPTIONS
/ /dev/nvme0n1p4
β ext4 rw,relatime
ββ/proc
β proc proc rw,nosuid,nodev,noexec,relatime
β ββ/proc/sys/fs/binfmt_misc
β systemd-1
β autofs rw,relatime,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=24260
ββ/sys sysfs sysfs rw,nosuid,nodev,noexec,relatime
β ββ/sys/kernel/security
β β securityfs
β β securityfs
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/fs/cgroup
β β tmpfs tmpfs ro,nosuid,nodev,noexec,size=4096k,nr_inodes=1024,mode=755,inode64
β β ββ/sys/fs/cgroup/unified
β β β cgroup2
β β β cgroup2
β β β rw,nosuid,nodev,noexec,relatime,nsdelegate
β β ββ/sys/fs/cgroup/systemd
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd
β β ββ/sys/fs/cgroup/misc
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,misc
β β ββ/sys/fs/cgroup/freezer
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,freezer
β β ββ/sys/fs/cgroup/blkio
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,blkio
β β ββ/sys/fs/cgroup/cpu,cpuacct
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
β β ββ/sys/fs/cgroup/rdma
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,rdma
β β ββ/sys/fs/cgroup/memory
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,memory
β β ββ/sys/fs/cgroup/net_cls,net_prio
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio
β β ββ/sys/fs/cgroup/devices
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,devices
β β ββ/sys/fs/cgroup/perf_event
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,perf_event
β β ββ/sys/fs/cgroup/pids
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,pids
β β ββ/sys/fs/cgroup/hugetlb
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,hugetlb
β β ββ/sys/fs/cgroup/cpuset
β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpuset
β ββ/sys/fs/pstore
β β pstore pstore rw,nosuid,nodev,noexec,relatime
β ββ/sys/firmware/efi/efivars
β β efivarfs
β β efivarfs
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/fs/bpf
β β bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700
β ββ/sys/kernel/debug
β β debugfs
β β debugfs
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/kernel/tracing
β β tracefs
β β tracefs
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/fs/fuse/connections
β β fusectl
β β fusectl
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/kernel/config
β configfs
β configfs
β rw,nosuid,nodev,noexec,relatime
ββ/dev devtmpfs
β devtmpfs
β rw,nosuid,size=4096k,nr_inodes=1048576,mode=755,inode64
β ββ/dev/shm
β β tmpfs tmpfs rw,nosuid,nodev,inode64
β ββ/dev/pts
β β devpts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000
β ββ/dev/mqueue
β β mqueue mqueue rw,nosuid,nodev,noexec,relatime
β ββ/dev/hugepages
β hugetlbfs
β hugetlbfs
β rw,relatime,pagesize=2M
ββ/run tmpfs tmpfs rw,nosuid,nodev,size=4859812k,nr_inodes=819200,mode=755,inode64
β ββ/run/media/pla6ST/backup7
β β /dev/sda1
β β fuseblk
β β rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096
β ββ/run/user/1000
β β tmpfs tmpfs rw,nosuid,nodev,relatime,size=2429904k,nr_inodes=607476,mode=700,uid=1000,gid=100,inode64
β β ββ/run/user/1000/doc
β β β portal fuse.portal
β β β rw,nosuid,nodev,relatime,user_id=1000,group_id=100
β β ββ/run/user/1000/gvfs
β β gvfsd-fuse
β β fuse.gvfsd-fuse
β β rw,nosuid,nodev,relatime,user_id=1000,group_id=100
β ββ/run/user/1002
β tmpfs tmpfs rw,nosuid,nodev,relatime,size=2429904k,nr_inodes=607476,mode=700,uid=1002,gid=100,inode64
β ββ/run/user/1002/doc
β β portal fuse.portal
β β rw,nosuid,nodev,relatime,user_id=1002,group_id=100
β ββ/run/user/1002/gvfs
β gvfsd-fuse
β fuse.gvfsd-fuse
β rw,nosuid,nodev,relatime,user_id=1002,group_id=100
ββ/home
β /dev/nvme0n1p5
β ext4 rw,relatime,data=ordered
ββ/dati
β /dev/nvme0n1p8
β fuseblk
β rw,nosuid,nodev,noexec,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096
ββ/boot/efi
β /dev/nvme0n1p1
β vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro
ββ/tmp/.mount_ObsidiW6jN44
Obsidian-1.4.16.AppImage
fuse.Obsidian-1.4.16.AppImage
ro,nosuid,nodev,relatime,user_id=1000,group_id=100
pla@localhost:~>
================================================
safely removed in user pla and system asked me root password
pla@localhost:~> findmnt -u
TARGET SOURCE FSTYPE OPTIONS
/ /dev/nvme0n1p4
β ext4 rw,relatime
ββ/proc
β proc proc rw,nosuid,nodev,noexec,relatime
β ββ/proc/sys/fs/binfmt_misc
β systemd-1
β autofs rw,relatime,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=24260
ββ/sys sysfs sysfs rw,nosuid,nodev,noexec,relatime
β ββ/sys/kernel/security
β β securityfs
β β securityfs
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/fs/cgroup
β β tmpfs tmpfs ro,nosuid,nodev,noexec,size=4096k,nr_inodes=1024,mode=755,inode64
β β ββ/sys/fs/cgroup/unified
β β β cgroup2
β β β cgroup2
β β β rw,nosuid,nodev,noexec,relatime,nsdelegate
β β ββ/sys/fs/cgroup/systemd
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd
β β ββ/sys/fs/cgroup/misc
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,misc
β β ββ/sys/fs/cgroup/freezer
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,freezer
β β ββ/sys/fs/cgroup/blkio
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,blkio
β β ββ/sys/fs/cgroup/cpu,cpuacct
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
β β ββ/sys/fs/cgroup/rdma
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,rdma
β β ββ/sys/fs/cgroup/memory
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,memory
β β ββ/sys/fs/cgroup/net_cls,net_prio
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio
β β ββ/sys/fs/cgroup/devices
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,devices
β β ββ/sys/fs/cgroup/perf_event
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,perf_event
β β ββ/sys/fs/cgroup/pids
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,pids
β β ββ/sys/fs/cgroup/hugetlb
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,hugetlb
β β ββ/sys/fs/cgroup/cpuset
β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpuset
β ββ/sys/fs/pstore
β β pstore pstore rw,nosuid,nodev,noexec,relatime
β ββ/sys/firmware/efi/efivars
β β efivarfs
β β efivarfs
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/fs/bpf
β β bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700
β ββ/sys/kernel/debug
β β debugfs
β β debugfs
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/kernel/tracing
β β tracefs
β β tracefs
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/fs/fuse/connections
β β fusectl
β β fusectl
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/kernel/config
β configfs
β configfs
β rw,nosuid,nodev,noexec,relatime
ββ/dev devtmpfs
β devtmpfs
β rw,nosuid,size=4096k,nr_inodes=1048576,mode=755,inode64
β ββ/dev/shm
β β tmpfs tmpfs rw,nosuid,nodev,inode64
β ββ/dev/pts
β β devpts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000
β ββ/dev/mqueue
β β mqueue mqueue rw,nosuid,nodev,noexec,relatime
β ββ/dev/hugepages
β hugetlbfs
β hugetlbfs
β rw,relatime,pagesize=2M
ββ/run tmpfs tmpfs rw,nosuid,nodev,size=4859812k,nr_inodes=819200,mode=755,inode64
β ββ/run/user/1000
β β tmpfs tmpfs rw,nosuid,nodev,relatime,size=2429904k,nr_inodes=607476,mode=700,uid=1000,gid=100,inode64
β β ββ/run/user/1000/doc
β β β portal fuse.portal
β β β rw,nosuid,nodev,relatime,user_id=1000,group_id=100
β β ββ/run/user/1000/gvfs
β β gvfsd-fuse
β β fuse.gvfsd-fuse
β β rw,nosuid,nodev,relatime,user_id=1000,group_id=100
β ββ/run/user/1002
β tmpfs tmpfs rw,nosuid,nodev,relatime,size=2429904k,nr_inodes=607476,mode=700,uid=1002,gid=100,inode64
β ββ/run/user/1002/doc
β β portal fuse.portal
β β rw,nosuid,nodev,relatime,user_id=1002,group_id=100
β ββ/run/user/1002/gvfs
β gvfsd-fuse
β fuse.gvfsd-fuse
β rw,nosuid,nodev,relatime,user_id=1002,group_id=100
ββ/home
β /dev/nvme0n1p5
β ext4 rw,relatime,data=ordered
ββ/dati
β /dev/nvme0n1p8
β fuseblk
β rw,nosuid,nodev,noexec,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096
ββ/boot/efi
β /dev/nvme0n1p1
β vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro
ββ/tmp/.mount_ObsidiW6jN44
Obsidian-1.4.16.AppImage
fuse.Obsidian-1.4.16.AppImage
ro,nosuid,nodev,relatime,user_id=1000,group_id=100
pla@localhost:~>
=====================================================================
attached again in user pla and it works now
pla@localhost:~> findmnt -u
TARGET SOURCE FSTYPE OPTIONS
/ /dev/nvme0n1p4
β ext4 rw,relatime
ββ/proc
β proc proc rw,nosuid,nodev,noexec,relatime
β ββ/proc/sys/fs/binfmt_misc
β systemd-1
β autofs rw,relatime,fd=30,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=24260
ββ/sys sysfs sysfs rw,nosuid,nodev,noexec,relatime
β ββ/sys/kernel/security
β β securityfs
β β securityfs
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/fs/cgroup
β β tmpfs tmpfs ro,nosuid,nodev,noexec,size=4096k,nr_inodes=1024,mode=755,inode64
β β ββ/sys/fs/cgroup/unified
β β β cgroup2
β β β cgroup2
β β β rw,nosuid,nodev,noexec,relatime,nsdelegate
β β ββ/sys/fs/cgroup/systemd
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd
β β ββ/sys/fs/cgroup/misc
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,misc
β β ββ/sys/fs/cgroup/freezer
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,freezer
β β ββ/sys/fs/cgroup/blkio
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,blkio
β β ββ/sys/fs/cgroup/cpu,cpuacct
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
β β ββ/sys/fs/cgroup/rdma
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,rdma
β β ββ/sys/fs/cgroup/memory
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,memory
β β ββ/sys/fs/cgroup/net_cls,net_prio
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio
β β ββ/sys/fs/cgroup/devices
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,devices
β β ββ/sys/fs/cgroup/perf_event
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,perf_event
β β ββ/sys/fs/cgroup/pids
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,pids
β β ββ/sys/fs/cgroup/hugetlb
β β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,hugetlb
β β ββ/sys/fs/cgroup/cpuset
β β cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpuset
β ββ/sys/fs/pstore
β β pstore pstore rw,nosuid,nodev,noexec,relatime
β ββ/sys/firmware/efi/efivars
β β efivarfs
β β efivarfs
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/fs/bpf
β β bpf bpf rw,nosuid,nodev,noexec,relatime,mode=700
β ββ/sys/kernel/debug
β β debugfs
β β debugfs
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/kernel/tracing
β β tracefs
β β tracefs
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/fs/fuse/connections
β β fusectl
β β fusectl
β β rw,nosuid,nodev,noexec,relatime
β ββ/sys/kernel/config
β configfs
β configfs
β rw,nosuid,nodev,noexec,relatime
ββ/dev devtmpfs
β devtmpfs
β rw,nosuid,size=4096k,nr_inodes=1048576,mode=755,inode64
β ββ/dev/shm
β β tmpfs tmpfs rw,nosuid,nodev,inode64
β ββ/dev/pts
β β devpts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000
β ββ/dev/mqueue
β β mqueue mqueue rw,nosuid,nodev,noexec,relatime
β ββ/dev/hugepages
β hugetlbfs
β hugetlbfs
β rw,relatime,pagesize=2M
ββ/run tmpfs tmpfs rw,nosuid,nodev,size=4859812k,nr_inodes=819200,mode=755,inode64
β ββ/run/media/pla/backup7
β β /dev/sda1
β β fuseblk
β β rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096
β ββ/run/user/1000
β β tmpfs tmpfs rw,nosuid,nodev,relatime,size=2429904k,nr_inodes=607476,mode=700,uid=1000,gid=100,inode64
β β ββ/run/user/1000/doc
β β β portal fuse.portal
β β β rw,nosuid,nodev,relatime,user_id=1000,group_id=100
β β ββ/run/user/1000/gvfs
β β gvfsd-fuse
β β fuse.gvfsd-fuse
β β rw,nosuid,nodev,relatime,user_id=1000,group_id=100
β ββ/run/user/1002
β tmpfs tmpfs rw,nosuid,nodev,relatime,size=2429904k,nr_inodes=607476,mode=700,uid=1002,gid=100,inode64
β ββ/run/user/1002/doc
β β portal fuse.portal
β β rw,nosuid,nodev,relatime,user_id=1002,group_id=100
β ββ/run/user/1002/gvfs
β gvfsd-fuse
β fuse.gvfsd-fuse
β rw,nosuid,nodev,relatime,user_id=1002,group_id=100
ββ/home
β /dev/nvme0n1p5
β ext4 rw,relatime,data=ordered
ββ/dati
β /dev/nvme0n1p8
β fuseblk
β rw,nosuid,nodev,noexec,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096
ββ/boot/efi
β /dev/nvme0n1p1
β vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro
ββ/tmp/.mount_ObsidiW6jN44
Obsidian-1.4.16.AppImage
fuse.Obsidian-1.4.16.AppImage
ro,nosuid,nodev,relatime,user_id=1000,group_id=100
pla@localhost:~>
Is it your USB disk? In this case it is mounted as shared and should be accessible by all users. What exact error do you get when you say that another user cannot access it?
I can:
erlangen:~ # cat /etc/udev/rules.d/99-udisks2.rules
# UDISKS_FILESYSTEM_SHARED
# ==1: mount filesystem to a shared directory (/media/VolumeName)
# ==0: mount filesystem to a private directory (/run/media/$USER/VolumeName)
# See udisks(8)
ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{UDISKS_FILESYSTEM_SHARED}="1"
erlangen:~ #
The user mounting the device is owner and is granted write access. Others have read access.
erlangen:~ # findmnt /media/0050-E47F
TARGET SOURCE FSTYPE OPTIONS
/media/0050-E47F /dev/sdb1 vfat rw,nosuid,nodev,relatime,uid=1000,gid=100,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,showexec,utf8,flush,errors=remount-ro
erlangen:~ #
I attach my USB disk backup7 and access it in user pla6ST
I switch to user pla
If I try to access it with Dolphin it gives a red band with this error:
Could not enter folder /run/media/pla6ST/backup7.
Many thanks, so I should create a new rule in /etc/udev/rules.d?
And is it possible to have write access for all users?
[quote="pier_andreit, post:13, topic:170890"]
Many thanks, so I should create a new rule in /etc/udev/rules.d?[/quote]
Yep. Mounting is performed by udisks2.service.
Presumably you need to tell polkit. The following grants user karl permission to start dup.service (zypper dist-upgrade):
erlangen:~ # cat /etc/polkit-1/rules.d/00-dup.rules
// Allow karl to manage dup.service;
// fall back to implicit authorization otherwise.
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit") == "dup.service" &&
subject.user == "karl") {
return polkit.Result.YES;
}
});
erlangen:~ #
OK, I was wrong, you have per-user mounts. You also apparently have NTFS filesystem on this USB disk and use ntfs-3g so we do not see mount options, passed during mount - we see FUSE mount options, which are not really interesting here. The output of
ps -wwef | grep ntfs
would be interesting.
Anyway - as far as I can tell, if you configure shared filesystem and try to mount NTFS via ntfs-3g, it is mounted as read-write for everyone by default. It is possible that KDE is using different options, in which case we need the output of the above command.
Create udev rule as instructed and do not forget to create /media directory which does not exist by default. Reboot and try again. If you have an error accessing this disk, show the output of the above command.
Many thanks, it works, but if I attach to user pla and access the USB disk, then switch to user pla6ST and access the USB disk, I receive this request:
and when I try to safely remove, this request:
I would like to not be requested for a password to mount and unmount.
Reading what you suggested to me, I suppose I have to change something in:
/etc/polkit-default-privs.local
but I don't know what, I suppose one of these:
org.freedesktop.udisks2.filesystem-mount
org.freedesktop.udisks2.filesystem-mount-other-seat
org.freedesktop.udisks2.filesystem-mount-system
for mount without password request
and this to unmount with password request
org.freedesktop.udisks2.filesystem-unmount-others
setting permission as
auth_admin:yes:yes
is this correct to allow any user to mount and unmount USB disks without password request?
or there is a better way you can suggest me?
Did you try to press "Details" on the authentication dialogue?
Udisks2 uses /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy. You may override these definitions in /etc/polkit-1/actions/.
http://storaged.org/doc/udisks2-api/latest/mount_options.html
So here you have action IDs for which you need to change permissions.
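The action IDs named in this thread can be granted through a polkit rule of the same form as the dup.service one shown earlier. The following is an added example, not posted by anyone in the thread: the file name, the group `users` and the sample subjects are assumptions, and the small stub only lets the file be dry-run under Node.js before it is installed.

```javascript
// Constructed example for /etc/polkit-1/rules.d/10-udisks2-shared.rules
// (file name is an assumption; a low number is evaluated before later rules).
// Under polkitd the global `polkit` exists; the stub is only for a dry run.
var pk = (typeof polkit !== "undefined") ? polkit : {
  Result: { YES: "yes", NOT_HANDLED: null },
  addRule: function () {}
};

// Action IDs taken from the thread. filesystem-mount-system is left out on
// purpose so that internal (non-removable) disks keep the default admin prompt.
var ALLOWED_ACTIONS = [
  "org.freedesktop.udisks2.filesystem-mount",
  "org.freedesktop.udisks2.filesystem-mount-other-seat",
  "org.freedesktop.udisks2.filesystem-unmount-others"
];

// Assumption: every desktop user on this laptop is a member of "users".
var TRUSTED_GROUP = "users";

function udisksRule(action, subject) {
  // Anything that is not one of the listed udisks2 actions is not ours to decide.
  if (ALLOWED_ACTIONS.indexOf(action.id) === -1) {
    return pk.Result.NOT_HANDLED;
  }
  // Only a person sitting at the machine in the foreground session is trusted;
  // remote (e.g. SSH) or background sessions fall back to the default policy.
  if (!subject.local || !subject.active) {
    return pk.Result.NOT_HANDLED;
  }
  if (!subject.isInGroup(TRUSTED_GROUP)) {
    return pk.Result.NOT_HANDLED;
  }
  return pk.Result.YES;
}

pk.addRule(udisksRule);

// Dry-run helper: builds a constructed subject and returns the rule's decision.
function decide(actionId, user, groups, local, active) {
  var subject = {
    user: user,
    local: local,
    active: active,
    isInGroup: function (g) { return groups.indexOf(g) !== -1; }
  };
  return udisksRule({ id: actionId }, subject);
}
```

A `null` result means the rule did not decide, so polkit continues with later rules and the defaults, which is where the password prompt comes from.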