Mount Options – Change Automatic Mounts of VFAT/FAT32 Drives to Noexec

mount udisks vfat

When I plug in a USB drive it is automatically mounted on /run/media/user/fslabel. This is done, I guess, by some udev/dbus/thunar/nautilus/gvfs or other system, and I find this convenient and do not want to revert to manual mounting by root. However, I have a problem with the default mount options: vfat drives are mounted such that the executable flag is set on all regular files. This is a nuisance and a security problem and I wish to disable it.

How do I set system-wide options for mounting, like using the noexec flag for all vfat partitions and disabling mounting of ext4 partitions by user-space programs/daemons?

A few years ago I tried something very time-consuming on a different system, like editing some udev or dbus rules (quite apparently not files designed to be edited by hand), which was a great effort due to lack of proper documentation and great variation between distros. Is this the intended and only way? If so, could someone please tell me what to change where?

I am using Arch Linux, CentOS and openSUSE with the XFCE Desktop. Automount may be performed by one of nautilus, thunar or dolphin, running in the background (or possibly, a service started by these?!). I am not sure because it happens in the background.

Best Answer

External media/drives mounting is handled by udisks2 on most modern distros. I don't think there's any trivial way to change the default mount options as they are hard-coded (see FSMountOptions in udiskslinuxfilesystem.c), that is, they're not configurable (at least not yet [1]). Your options are quite limited: unmount the partition and remount it with different mount options (unless you're willing to patch the source code or write your own automount tool).

As to your other question:

I think one may be able to disallow mounting by type, though, by the looks of the rules?! When I insert a USB (3.0) thumbdrive or HDD all ext[34] partitions get mounted (I wish they weren't) and the user gets a graphical prompt for any LUKS partition to unlock. I wish to disable both. A user may have FAT drives but others may only be mounted by root.

You could use a udev rule to ignore all USB thumbdrive partitions except vfat ones. Create a new rule file, e.g. /usr/lib/udev/rules.d/90-ignore-nonvfat.rules, with the following content:

SUBSYSTEM=="block", ENV{DEVTYPE}=="partition", ENV{ID_BUS}=="usb", ENV{ID_FS_TYPE}!="vfat", ENV{UDISKS_IGNORE}="1"

(replace UDISKS_IGNORE with UDISKS_PRESENTATION_HIDE if your distro uses udisks1).

1: see FreeDesktop ML for a proposed patch (and a long discussion).
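
Added example, not part of the original answer: a small POSIX shell script for the "remount with different options" route, which lists vfat automounts that still lack noexec and can remount them. It assumes the automounts live under /run/media as in the question; the function names, the MEDIA_ROOT variable and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find udisks2 automounts of vfat
# volumes that are still mounted without noexec, and optionally remount them.
# Assumption: automounts live under /run/media, as described in the question.
MEDIA_ROOT="${MEDIA_ROOT:-/run/media}"

# Constructed sample in /proc/self/mounts format, for an offline demo.
sample_mounts() {
    cat <<'EOF'
/dev/sdb1 /run/media/user/STICK vfat rw,nosuid,nodev,relatime,showexec,utf8 0 0
/dev/sdc1 /run/media/user/SAFE vfat rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /boot/efi vfat rw,relatime 0 0
/dev/sdd1 /run/media/user/data ext4 rw,nosuid,nodev 0 0
/dev/sde1 /run/media/user/NO\040NAME vfat rw,nosuid,nodev 0 0
EOF
}

# Print (still escaped) mount points of vfat filesystems under MEDIA_ROOT
# whose option list lacks noexec. $1 = mounts table, "-" for stdin.
vfat_exec_mounts() {
    awk -v root="$MEDIA_ROOT/" '
        $3 == "vfat" && index($2, root) == 1 {
            n = split($4, opts, ",")
            found = 0
            for (i = 1; i <= n; i++) if (opts[i] == "noexec") found = 1
            if (!found) print $2
        }' "${1:-/proc/self/mounts}"
}

# The kernel writes spaces in mount points as \040; turn them back.
decode_mp() { printf '%b' "$1"; }

# Remount every offending volume with noexec (needs root).
remount_noexec() {
    vfat_exec_mounts "$@" | while IFS= read -r mp; do
        target=$(decode_mp "$mp")
        mount -o remount,noexec "$target" && echo "remounted noexec: $target"
    done
}

case "${1:-}" in
    --demo)    sample_mounts | vfat_exec_mounts - ;;
    --list)    vfat_exec_mounts ;;
    --remount) remount_noexec ;;
esac
```

Run it with --list to audit and with --remount as root to fix the volumes that are currently mounted; a drive inserted later is mounted by udisks2 with its built-in options again.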
