Automatically mount a drive using /etc/fstab, and limiting access to all users of a specific group
If the filesystem type is one that doesn't have permissions, such as FAT, you can add umask, gid and uid to the fstab options. For example:
/dev/sdb1 /media/workspace auto defaults,uid=1000,gid=1000,umask=022 0 1
uid=1000 is the user id.
gid=1000 is the group id.
umask=022 sets permissions so that the owner has read, write and execute; group and others have read and execute.
To see your changes you do not need to reboot. Just umount and mount again without arguments. For example:
umount /media/workspace
mount /media/workspace
But make sure that no process (even your shell) is using that directory.
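Because FAT-family filesystems have no on-disk permissions, the fstab options alone decide who can reach the mount, and a plain "defaults" entry mounts them 0777 for everyone. The following audit helper is an added example, not part of the answers above; it walks an fstab file, reports entries of permission-less types that lack umask/fmask/dmask, and shows the directory mode each umask produces (0777 & ~umask). The sample fstab is constructed for the demonstration.

```shell
#!/bin/sh
# Report for one fstab entry; prints nothing when no attention is needed.
check_entry() {
    dev=$1 mnt=$2 type=$3 opts=$4
    case $type in
        vfat|msdos|fat|exfat|ntfs|ntfs-3g) ;;
        auto) printf '%s: type "auto", run "findmnt -n -o FSTYPE %s" to learn the real type\n' "$mnt" "$mnt"; return ;;
        *) return ;;   # ext4, xfs, ...: on-disk ownership and modes apply
    esac
    case ",$opts," in
        *,umask=*)
            mask=${opts##*umask=}; mask=${mask%%,*}
            # the mount applies 0777 & ~umask to every directory and file
            mode=$(printf '%03o' $(( 0777 & ~0$mask )))
            if [ $(( 0$mode & 07 )) -ne 0 ]; then
                printf '%s (%s): umask=%s gives mode %s, others still have access\n' "$mnt" "$type" "$mask" "$mode"
            else
                printf '%s (%s): umask=%s gives mode %s\n' "$mnt" "$type" "$mask" "$mode"
            fi ;;
        *,fmask=*|*,dmask=*) ;;   # file/dir masks set explicitly
        *) printf '%s (%s): no umask/fmask/dmask, mounted 0777 for everyone\n' "$mnt" "$type" ;;
    esac
}

# Walk a whole fstab-format file, skipping blank lines and comments.
audit_fstab() {
    while read -r dev mnt type opts dump pass; do
        case $dev in ''|'#'*) continue ;; esac
        check_entry "$dev" "$mnt" "$type" "$opts"
    done < "$1"
}

# Constructed sample fstab (not taken from any real system).
sample_fstab() {
    cat <<'EOF'
# <device>  <mount point>     <type>  <options>                              <dump> <pass>
/dev/sda1   /                 ext4    errors=remount-ro                      0      1
/dev/sdb1   /media/workspace  vfat    defaults,uid=1000,gid=1000,umask=022   0      1
/dev/sdc1   /media/usbdata    vfat    defaults                               0      2
/dev/sdd1   /media/private    exfat   uid=1000,gid=1000,umask=077            0      2
EOF
}

tmp=$(mktemp) && sample_fstab > "$tmp" && audit_fstab "$tmp"; rm -f "$tmp"
```

Run it against /etc/fstab with audit_fstab /etc/fstab to review a live system.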
I would gate access to the filesystem through a directory that contains the mount point.
As root:
mkdir -p /media/group1only/workspace
chgrp group1 /media/group1only
chmod 750 /media/group1only
This is full access to root and read+execute access for members of group1. Don't give them write access here, since if they accidentally rename the workspace
mount point, it could make your system fail to boot.
And add this to /etc/fstab:
/dev/sdb1 /media/group1only/workspace auto defaults 0 1
After the filesystem is mounted, you can make further ownership and mode changes to objects within the filesystem to accommodate finer-grain access among the group members.
For example, assuming the filesystem on the disk supports ACLs, and using the hypothetical user, myusername, and the hypothetical group for accessing the disk, diskusers, something like the following could be done. $ indicates a command executed as a regular user; # indicates a command executed as the user root.
Create a group to which a user may belong for the purpose.
$ sudo groupadd diskusers
$ sudo usermod -a -G diskusers myusername
$ logout
Log in again.
$ sudo -i
# mount /media/workspace
# chown root:root /media/workspace
# chmod 0750 /media/workspace/
# setfacl -d -m g:diskusers:7 /media/workspace
# setfacl -m g:diskusers:7 /media/workspace
The "7" in the setfacl command is octal (read = 4 + write = 2 + execute = 1), much like normal octal permissions (0400, 0200, 0100).
The -d is a switch to specify a default mask - new files and directories.
The -m is the mask to apply to the directory.
You also could apply the mask to all files initially after setting the default (above):
find /media/workspace -exec setfacl -m g:diskusers:7 {} +
At that point, only root and members of diskusers can access the files. I like Mark Plotnick's idea, too, about applying permissions to a subdirectory. This technique could be used that way, too.