Is there a way to block regular non-root user access to Windows partitions? I have not been able to find a way to do this. In fact, when I log into the X-Server while in root, I don't even see a way to access Windows partitions at all, except by doing a search. Which is kinda backwards since as a regular user they are right there on the desktop under "Devices".


[moved from Software by spinynorman]

In Mandriva, they are normally under /mnt/windows for the windows mounted partitions. Unless you have more than one, then /mnt/win_c, /mnt/win_d, etc, etc.

You'd most likely have to block access through options set within the /etc/fstab.

I ran the command /etc/fstab from the terminal as su and got "permission denied". I would not have known what to do from there anyway.

In Suse, I just log in as root, then right click on the Windows partition and choose properties, then set permissions as "forbidden" for the 3 types of access to the partition. I know it's irrelevant, but just thought I'd show off my tiny bit of "knowledge". Couldn't resist.

Thanks for the help though. I'll play around a little more (armed with your assistance) and try to figure out a way.

/etc/fstab isn't a command, it's a file. if you can open it (best done as root) with your favorite text editor (say, kate) or just do cat /etc/fstab as root in a terminal and post the output, we can tell you want needs to be changed to make the partitions only accessible to root.

/dev/hda6 / ext3 defaults 1 1
/dev/hdc /mnt/cdrom auto umask=0,users,iocharset=utf8,noauto,ro,exec 0 0
/dev/hdd /mnt/cdrom2 auto umask=0,users,iocharset=utf8,noauto,ro,exec 0 0
/dev/hda1 /mnt/windows ntfs umask=0,nls=utf8,ro 0 0
none /proc proc defaults 0 0
/dev/hda8 /usr ext3 defaults 1 2
/dev/hda7 swap swap defaults 0 0
[root@localhost ltd]#

OK there it is, thanks in advance!

The main reason everyone can gain access to your NTFS partition is because of:



on your NTFS partition mount entry in fstab. You'd have to edit this entry to restrict access to the NTFS partition. Unfortunately I don't have an NTFS partition to hand to test what you need to edit this and change it to for it to take effect.

I could play around with it and experiment. I'm guessing you just change the value to a number between like 1 and 5, right?

How would I access the file though? When logged into the X-Server as root, I don't see an option to open and modify system files. I know there is a way to bring up and edit files through the CLI, but I can't remember it offhand.I used to use it to change my X86 Config file when installing the Nvidia driver.

Once I figure this out, I will post it in the tips and tricks section, in case anyone else needs it.

No, there's a far larger number. I'm doing a google now to find out how we can do it. Try removing umask=0 altogether, but I think this will just give read-only access to normal users, which isn't much good, since NTFS by default mounts read-only anyway.

EDIT:

Try a umask of:



might do the trick, something I grabbed quickly of a post on the ubuntuforums.

As I said earlier, I'm unable to edit my fstab file. Can't do it as a regular user due to lack of permissions, and I can't do it as root because no program that runs under the X-Server will let me access it. And finally, I can't access the file in command line because I don't know the command to "edit" a file from the terminal.

I did find a way to limit access to the Windows partitions. Go into Control Center/Mount Points/Create Delete, and Resize Hard Disk Partitions. Then click on the Windows partition, and toggle to Expert Mode and click Options Uncheck the box that says, "mount the file system in read only" and also check the box that says "Do not allow execution of any binaries on the mounted file system." I also unmounted the Windows partiton, just to be safe.

After I did these three things, I was unable to access the Windows partitions as a regular user.

Thanks for all the help. I'm not used to people even responding to my questions, so thanks for your time and let me know if you see anything wrong with what I did. If it looks OK, I will go ahead and post the info in the Tips and Tricks section.

Could we see the contents of the fstab file again? Just to ensure what it did, exactly.

Sure, here it is:

/dev/hda6 / ext3 defaults 1 1
/dev/hdc /mnt/cdrom auto umask=0,users,iocharset=utf8,noauto,ro,exec 0 0
/dev/hdd /mnt/cdrom2 auto umask=0,users,iocharset=utf8,noauto,ro,exec 0 0
/dev/hda1 /mnt/windows ntfs nls=utf8,noexec 0 0
none /proc proc defaults 0 0
/dev/hda8 /usr ext3 defaults 1 2
/dev/hda7 swap swap defaults 0 0

Seems getting rid of the umask=0 and changing ro to noexec in the /etc/fstab is what the gui did.

So I was right on with the umask thing. The noexec just stops you executing files, which shouldn't have anything to do with user access rights as such.

I thought you wanted to allow root to read the windows drives but not allow users to read them. It sounds to me like you've just unmounted the drive so noone will be able to read them. So presumably users won't be allowed to mount the drives either, but as soon as root wants to read them, root will mount them and then they'll be readable for everybody! (Actually writeable too, because you unchecked the "mount as read-only" checkbox). Is that what you wanted?

My goal was to prevent a regular user from accessing Windows partitions, and if that was not possible to block all access from any account. I guess I will not be posting this in tips and tricks.

Thanks for all your help.

Well, at the moment the windows drive is mounted under /mnt/windows which all users have access to. Couldn't you just change the permissions of the /mnt/windows directory so that it was owned by root and only dr-------- ? Or if it's not possible to do that, change the fstab so it mounts under /mnt2/windows instead, and change the permissions of /mnt2 so that normal users can't read it.

Good idea neddie

Sometimes we think too much of doing it the hard way with the mountpoints, when in fact it could be so much simpler with changing rights on a directory at a higher level.

Another thought:

There may be lots of other times you just want to edit a file which belongs to root, so it's worth learning how to do this, for the future. I'll assume for a second that you're using KDE, and are comfortable with the Kate editor. So open up a console window, and type and enter your root password. This gives you root superpowers. Now, type the following to open up the Kate editor: This now opens Kate but because you were root when you launched it, Kate also gets your root superpowers. So be careful! You can now open up your file /etc/fstab as normal with File -> Open and because it's running as root, you can edit and save it. The colours will probably appear a little different when you're root, as a little warning that you can now break stuff.

So, 17 posts later, the solution is to do what?

I believe you already solved it with your method in MCC, however, another method based on what neddie was saying.

If Windows is mounting under /mnt/windows, then you could do this:



then root only has access to /mnt, and means no users can get at what's underneath it. Unfortunately, this also means any usb stick or whatever will have problems mounting. Therefore I'd be tempted to make a separate directory, and then alter where windows mounts in the /etc/fstab.

So, for example:



then, edit /etc/fstab and replace /mnt/windows with the directory as above in my example.

That way you don't stop people mounting other stuff under /mnt like cd-rom drives, usb keys, etc.

OK, sounds good, will do. Thanks again for your help!

It wouldn't work, fstab will overwrite the permissions that you give to the directory when it mounts the windows partition (IIRC). Removing the umask really is the best solution. In your second suggestion (giving /mnt2 different permissions) it could still be possible to navigate to /mnt2/windows based on the permissions given to the Windows folder when mounted by fstab. You should couldn't go down the tree to it (/ -> /mnt2 -> /mnt2/windows) you'd have to go directly to it (/ -> /mnt2/windows), i.e. cd /mnt2/windows/. I could be wrong, however, I'm pretty sure it works this way - that mounted partitions do not inherit the permissions of the directory they are mounted to or any of it's parent directories.

In this case, yes, you're wrong! If the /mnt2/ directory has permissions dr-x------ then it doesn't matter whether subdirectories are read/write for the whole world, if a normal user hasn't got x permissions on the /mnt2 directory then they can't get to the subdirectories of it, whether they cd directly to them or not.

You're right about changing the permissions of the mount point not working though, I wasn't sure when I wrote that (which is why I said "or if it's not possible.." !) and you're right it doesn't work.

Ah, I wasn't sure. The other part I was sure of, though

I think,as neddie has already said,that changing the entry "users" to "nousers" in fstab as root will give you the results you are looking for.
users vs. nousers

How do you edit your own post?
I didn't want users and nousers,but instead user and nouser.

Another thing I,ve noticed.
Protection is only as secure as to who has access to your computer,and not so much your files on that computer.
Anybody with a live cd can read every file there is on your computer.Even on your windows partition.
And even those hidden windows OS files.
You can encrypt the files to further enhance your protection against someone reading them in this case.