Ubuntu – NTFS data partition can’t be accessed by another user unless unmounted in the current user session before logging out

mount, multiple users, ntfs, permissions

I am on Ubuntu 14.04 and wanted to create another account, besides my admin one, for my family members to use so as not to interrupt my work. The problem is I can't grant the other account access to the NTFS partition which contains the data, and I have tried some solutions mentioned on the forums but nothing worked. Still, the user who logs in first when the machine reboots seems to take hold of that partition and prohibit any other users from accessing it even after he has logged out. The only trick I found to work is to unmount that partition before logging out the current user. That way the next one who is going to log in will mount the partition and access it.

My question really is whether this is the way partition access works among different machine users, I mean to unmount whichever partition you are using for another user to be able to use it after you, or whether I couldn't properly grant the access to that partition?

Best Answer

The easiest, and likely best way to achieve this if you need this all the time for all users all the time whenever the computer is on, is to define the mount point and the rules for mounting the partition in /etc/fstab. By doing this, you can provide access rights automatically when the partition / drive is mounted.

This is a much more advanced practice, but if the device with the NTFS partition is always connected to the computer anyways, this removes some headaches that you're encountering, and effectively automates the providing of security controls around the data, and allows us to actually modify the controls over time, without having to manually remount things with different options or users each time.

I have a few other sections in this answer.

  • The first is one of my NTFS fstab entries, which is for the Windows partition on my Ubuntu computer (and I'm the only user on the computer).
  • The second section takes my fstab entry, and explains the mount options.
  • The third section provides you my suggested procedure for providing 'secure' access to the partition, automounting at boot, and a decent set of mount options for your case (including making a 'user group' that you add users who are permitted to access the data on the mounted partition to. That user group acts as an 'access control', as does the specific file permissions being applied.)
  • The fourth section will give you a potential /etc/fstab line to use, provided you listened to me in the third section.

(1) My fstab entry

I unfortunately have such a NTFS partition on my laptop, and I have to make it readable to myself and system services...

# Windows Partition - targeted for /media/win7
UUID=UUIDOFPARTITION  /media/win7    ntfs-3g     defaults,locale=en_US.utf8,windows_names,umask=7000,uid=1000,gid=1000,user  0   0

What's this line mean? Well, the first line with a # in front is a comment. The second line is the more important bit, which is the actual fstab entry:

  1. I identify the partition by UUID, which is a string that identifies the partition. You can get the UUID of any given partition by doing sudo blkid /dev/sda1 (replacing /dev/sda1 with the actual ID for your partition, so if it's on a second disk and it's the third partition in the second disk's partition table, then possibly /dev/sdb3 would be in this command. I strip out the quotes around the UUID= line in my fstab entry.)
  2. I mount it in /media/win7 at boot.
  3. It's an NTFS partition, so I pass to fstab the ntfs-3g option so it knows it's NTFS.
  4. I provide it the default mount options and then some (I explain these later).
  5. The fifth field determines whether filesystems need to be dumped or not, but since this isn't necessary, I passed it a 0.
  6. The sixth field is used by fsck to determine the order of filesystem checks at boot time, but since I don't need it to do so, I pass a 0.

(2) Mount Options

I pass quite a few mount options:

  • defaults - passes default mount options (rw - read/write, suid - allow set-user-identifier or set-group-identifier bits to take effect, dev - interpret character or block special devices on the filesystem, exec - permit execution of binaries, auto - allows mounting with the -a option of mount, nouser - prohibits a user from mounting (overridden later), async - permit asynchronous I/O with the filesystem.)
  • locale=en_US.utf8 - enforces the US English locale with UTF8
  • windows_names - enforces that Windows name restrictions are in place for new files in the partition.
  • umask=7000 - Basically, inverse chmod. Define what permissions are not permitted for files. Essentially, I don't prohibit anything read/write/execute here, so all files on the mounted location get, effectively, read, write, and execute privileges. I don't want any of the special bits set (setuid, setgid, sticky), so I have to eliminate them from the first octet - since the numeric sum of those is a '7' and I'm prohibiting those permissions, I put a leading 7.
  • uid=1000, gid=1000 - Have the partition mounted into that folder with user and group ownership of UID (User ID) and GID (Group ID) of 1000 (this is my user's user and group, teward, on the Ubuntu system).
  • user - Allow a user to mount or unmount the directory. Overrides the nouser option in defaults.

(3) A Solution for You, in a Secure Way

We could probably simplify the mount options to be these options, though, for your use case, since users are accessing the data and not the system. However, let's do this in a secure manner. Let's create a user group that would give read/write/execute here.

addgroup ntfs-users - This will create a user group called 'ntfs-users'.

id -g ntfs-users - This will give us a numeric group ID for 'ntfs-users'. We need this for the gid= mount option.

usermod -a -G ntfs-users USERNAME - add the USERNAME user to the ntfs-users group we just created.

Now, we can utilize this string of mount options:

rw,exec,async,auto,locale=en_US.utf8,windows_names,umask=7007,gid=654

What this does that my string in my fstab does not is:

  1. Pick and choose certain options we want to use from defaults
  2. Lets the uid of the owner user be whatever (usually root at boot mounting)
  3. Does NOT permit users to mount/unmount
  4. Sets 'group' ownership of the mountpoint (and therefore access to the data inside) to Group ID 654, the hypothetical group ID of ntfs-users which we created above
  5. Does not permit the 'everyone else' set of users (i.e. not the owner user and not anyone in the ntfs-users group) access to the data at all.

If you want to own the data, that is, to be the owner user instead of root, then add back in the uid= option. Use id -u YOURUSERNAME and replace YOURUSERNAME with your username to get the User ID (uid) to use with that option.


(4) A possible /etc/fstab entry for YOUR use case, assuming you listened to me in section 3

Get the UUID for the partition, then this could be something like your /etc/fstab line:

UUID=0123456789ABCDEF    /mnt    ntfs-3g    rw,exec,async,auto,locale=en_US.utf8,windows_names,umask=7007,gid=654    0    0

Replace the value in UUID= with the UUID of the partition you want to mount, replace /mnt with the mount point on your system, replace the value for gid= in the mount options with the group ID of your ntfs-users group we created, and if you wish to have your user as owner instead of root, then add a uid= option, providing the uid for your user, as I stated how to do so earlier.
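
An added example, not part of the original answer: a small shell audit that reads an ntfs-3g fstab entry and reports the resulting file mode, ownership, whether accounts outside the owner and group get access, and whether non-root accounts may mount it. The sample entries are constructed (placeholder UUID, hypothetical gid 654), and it assumes a mount without a user mapping or the permissions option, interpreting only umask=, uid=, gid= and user/users/nouser.

```shell
#!/bin/sh
# Added example: audit an ntfs-3g fstab entry for who gets access after mounting.
# Interprets umask=, uid=, gid= and user/users/nouser only
# (fmask=/dmask= and ntfs-3g's "permissions" mode are out of scope).

# opt_value OPTIONS KEY -> value of the last KEY=value in the list, or empty
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# audit_entry "FSTAB LINE" -> one summary line on stdout
audit_entry() {
    read -r _dev _mnt fstype opts _rest <<EOF
$1
EOF
    umask_opt=$(opt_value "$opts" umask)
    uid=$(opt_value "$opts" uid)
    gid=$(opt_value "$opts" gid)
    # Every file gets the same mode: 0777 minus the umask bits.
    # With no umask= option ntfs-3g grants full access to everybody.
    mode=$(printf '%04o' $(( 0777 & ~0${umask_opt:-0} )))
    # The last octal digit is the "everyone else" class.
    case $mode in
        *0) other=no ;;
        *)  other=yes ;;
    esac
    # user/users let a non-root account mount the entry; a later nouser undoes it.
    user_mount=no
    for o in $(printf '%s' "$opts" | tr ',' ' '); do
        case $o in
            user|users) user_mount=yes ;;
            nouser)     user_mount=no ;;
        esac
    done
    printf 'fstype=%s mode=%s uid=%s gid=%s other_access=%s user_mount=%s\n' \
        "$fstype" "$mode" "${uid:-unset}" "${gid:-unset}" "$other" "$user_mount"
}

# Constructed sample entries (UUID is a placeholder, gid 654 is hypothetical).
GROUP_ONLY='UUID=PLACEHOLDER /mnt ntfs-3g rw,exec,async,auto,windows_names,umask=7007,gid=654 0 0'
SINGLE_USER='UUID=PLACEHOLDER /media/win7 ntfs-3g defaults,windows_names,umask=7000,uid=1000,gid=1000,user 0 0'

audit_entry "$GROUP_ONLY"
audit_entry "$SINGLE_USER"
```

An entry meant for several local accounts should report other_access=no and user_mount=no, with gid set to the shared group.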