Fstab mount options for umask, fmask, dmask for ntfs with noexec

fstab ntfs ntfs-3g

I have an NTFS partition, and when I mount it with default options in fstab I get the following for files and directories:
rwxrwxrwx = 0777
Obviously NTFS does not support the "noexec" option, and I do not want the 'x' flag on the files and directories. So I'd like to ask what values I should set for fmask, dmask and umask.
When I set umask=0666:

/dev/sda3       /ntfsPartition  ntfs-3g     defaults,noatime,umask=0666,locale=en_US.utf8,errors=ro 0 0

I get d--x--x--x for the mount directory of the partition. I can go to the directory:

cd /ntfsPartition

but I cannot read the content:

ls /ntfsPartition
ls: cannot open directory '.': Permission denied

Thanks in advance!

Best Answer

The x flag is necessary for directories, in order to access their contents.

With just the r flag on a directory, you can get a directory listing, but cannot access the files and subdirectories within it. With just the x flag on a directory, you won't see the directory listing, but may be able to access files and sub-directories if their permissions allow it and you can specify the exact name of the thing you're trying to access. So, in most cases, you have only two generally useful permissions choices for directories: r-x and rwx.

So, since the umask mount option applies to both files and directories, and you don't want the x flag on files, you'll need to use fmask and dmask only, so you can place one set of permissions on files and another on directories.

The permissions and the corresponding mask numbers:

  • rwx = mask number 0
  • rw- = mask number 1 (not very useful for directories)
  • r-x = mask number 2
  • r-- = mask number 3
  • -wx = mask number 4 (special case: an approximation of a "write-only directory")
  • -w- = mask number 5 (not very useful for directories)
  • --x = mask number 6 (for directories: access by known filenames only)
  • --- = mask number 7 (no access)

If you want full access to directories, and everything except the x flag for files, you'll need 0 for the corresponding dmask number and 1 for the fmask number.

For NTFS-3G mask numbers, the first digit will always be 0, to denote that the values are octal numbers. The second digit will specify access for the user specified with the uid= option (or for the user doing the mounting, if not specified), the third digit will specify access for the group identified with the gid= option, and the last digit will specify access for everyone else.

If this is your personal system and there are no other users who would need access to the NTFS filesystem, you could use the id command to identify your UID number, and then use mount options uid=<your UID here>,dmask=0077,fmask=0177. This would result in all the files on the NTFS filesystem appearing as owned by you and with permissions -rw-------, and directories with drwx------.

If there are other users who would need access to the NTFS filesystem, you could create a group for the NTFS access, add all the appropriate users to that group, then also specify the GID of that group in mount options: uid=<your UID here>,gid=<NTFS access group GID here>,dmask=0007,fmask=0117. This would give anyone in the group the same access as you have: files -rw-rw---- and directories drwxrwx---.

Or you could keep the write access for yourself but give the group members read-only access: uid=<your UID here>,gid=<NTFS access group GID here>,dmask=0027,fmask=0137. This would result in permissions -rw-r----- for files and drwxr-x--- for directories.

Or if you want to grant full access to multiple user accounts and read-only access to everyone else, then the mount options would be: uid=<your UID here>,gid=<NTFS access group GID here>,dmask=0002,fmask=0113. That would result in permissions -rw-rw-r-- for files and drwxrwxr-x for directories.


Instead of using mount options to specify permissions to NTFS files and directories, it is also possible to create a user mapping file to map Windows NTFS security IDs (SIDs) to Unix-style UIDs and GIDs. There's even a ntfsusermap tool that will help in creating that file for you. Once you have created the mapping file, you'll only have to place it into <root of NTFS filesystem>/.NTFS-3G/UserMapping and it will be automatically used the next time you mount the filesystem. After that, the real NTFS file ownerships and permissions will be used in Linux as applicable, and they can be persistently manipulated with chown/chgrp/chmod too.

See man ntfs-3g and man ntfsusermap for details.

If you're dual-booting Linux and Windows, you might want to get a Windows command line version of ntfsusermap and generate the user mapping file while running Windows instead. It might be easier, as with the Windows version of the tool you can see the actual Windows usernames rather than just filenames and their associated SIDs.

Even if you don't want the Windows version of ntfsusermap, the page contains a more verbose description of how to use the tool, which may be helpful on the Linux side of things too.
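
Added example (not part of the original answer): a POSIX shell check that takes an fstab option string, derives the file and directory modes from umask/fmask/dmask as 0777 with the mask bits cleared, and warns when files come out executable or the owner cannot list directories. It assumes options are applied left to right, so a later fmask or dmask refines an earlier umask; the function names and the uid=1000 value are illustrative.

```sh
#!/bin/sh
# Added example: derive the modes an ntfs-3g mount presents from its option string.

# triad DIGIT -> rwx text for one octal digit of a mode
triad() {
    case "$1" in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
    esac
}

# symbolic MASK file|dir -> e.g. drwxr-x--- (mode = 0777 with the mask bits cleared)
symbolic() (
    mask=0${1#0}                        # force octal interpretation of the mask
    mode=$(( 0777 & ~$mask ))
    if [ "$2" = dir ]; then kind=d; else kind=-; fi
    echo "$kind$(triad $(( ($mode >> 6) & 7 )))$(triad $(( ($mode >> 3) & 7 )))$(triad $(( $mode & 7 )))"
)

# audit OPTIONS -> "file=<perms> dir=<perms>" followed by any warnings
audit() (
    set -f; IFS=,                       # split the option string on commas only
    fmask=0; dmask=0                    # default mask 0: everything is rwxrwxrwx
    # Assumption: options apply left to right, so a later fmask/dmask refines umask.
    for opt in $1; do
        case "$opt" in
            umask=*) fmask=${opt#umask=}; dmask=$fmask ;;
            fmask=*) fmask=${opt#fmask=} ;;
            dmask=*) dmask=${opt#dmask=} ;;
        esac
    done
    f=$(symbolic "$fmask" file); d=$(symbolic "$dmask" dir)
    echo "file=$f dir=$d"
    case "$f" in *x*) echo 'WARN: files appear executable' ;; esac
    case "$d" in dr?x*) ;; *) echo 'WARN: owner cannot list and traverse directories' ;; esac
)

# The option string from the question, then the single-user setup from the answer
# (uid=1000 is a constructed sample value).
audit 'defaults,noatime,umask=0666,locale=en_US.utf8,errors=ro'
audit 'uid=1000,dmask=0077,fmask=0177'
```
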
