Tuxera. Com Community Ntfs- 3g- Faq Unprivileged

Besides this issue my controller function very well with all its buttons and jogs.Posted Wed 02 Jul 14 @ 9:01 pm. After DDJ-ERGO reappears and factory default choosen Audio Settings windows become correct and after click on Apply the controller functioning correctly with sound on Headphones. This problem occurred several time during the day and I decided to write you. /pioneer-ddj-ergo-v-dj-controller-for-virtual-dj-download.html. 5- While on Controller Mapping Windows, I have turned off DDJ-ERGO and turned ON again. PRO Infinity Development Manager Member since 2005 More or less its the issue we have with version 7 too.

View unanswered posts View active topics It is currently Sun Apr 12, 2020 02:23

Cannot mount as non-root in Debian/Sid

Moderators: d242, szaka



Page 1 of 1
[ 23 posts ]
Previous topic Next topic
AuthorMessage

Joined: Fri Feb 22, 2008 00:17
Posts: 4
Cannot mount as non-root in Debian/Sid
Hi to all!!
This is my first post in the forum :)
I have the following problem in i686 running Debian/Sid.
I compiled the 1.2216 version from source and it installed with no problems.
However I cannot mount as non-root user.
E.g. username is 'user1', member of the groups 'disk' & 'fuse'
ntfs-3g > rws/rws/r-x root disk
/dev/fuse=> rw/rw/- root fuse
/dev/sda1=> rw/rw/- root disk
/mnt/sda1=> rwx/rwx/- root disk
As 'user1':
$ntfs-3g /dev/sda1 /mnt/sda1
The following error occurs:
'ntfs-3g-mount: Failed to open /dev/fuse. Permission denied.'
Any ideas??
I also tried the suggested:
http://www.ntfs-3g.org/support.html#useroption
but gives the same error.
Thanks in advance!


Fri Feb 22, 2008 00:31

Joined: Tue Nov 21, 2006 23:15
Posts: 1648
Try to change your group before mount:
chgrp fuse

If it doesn't help then
sudo chmod 666 /dev/fuse


Fri Feb 22, 2008 00:41
$chgrp fuse

both as non-root and root gives the error:
chgrp: missing operand after `fuse'

It requires a 'file' parameter as shown in the man page.


Fri Feb 22, 2008 01:06

Joined: Tue Nov 21, 2006 23:15
Posts: 1648


Fri Feb 22, 2008 01:26

Joined: Fri Feb 22, 2008 00:17
Posts: 4
I currently do not want to change the default group of user1
Thanks anyway :)


Fri Feb 22, 2008 02:12

Joined: Sun Feb 10, 2008 01:12
Posts: 6
Location: France
Hello,
I have the same problem with normal users here (/usr/bin/ntfs-3g is setuid root).
mount gives the following message:
Error opening partition device: Permission denied
Failed to mount '/dev/hdb1': Permission denied
Please check the volume and the ntfs-3g binary permissions,
and the mounting user ID. More explanation is provided at
http://ntfs-3g.org/support.html#unprivileged

$ ls -l /dev/hdb1
brw-rw---- 1 root disk 3, 65 2008-02-25 13:02 /dev/hdb1

I add the user to group 'disk' but the same error appears. I log into this group with 'newgrp disk'. This time I get:
ntfs-3g-mount: failed to open /dev/fuse: Permission denied

Repeating the previous two steps with group 'fuse' this time doesn't help..
Haven't try with a compiled-from-source ntfs-3g though, might be a packaging problem (?)


Mon Feb 25, 2008 23:00

Joined: Tue Nov 21, 2006 23:15
Posts: 1648
Thanks for the bug report, it will be fixed in the next release.
For now just do
chmod 666 /dev/fuse


Tue Feb 26, 2008 00:26
I tried it today with a source-compiled deb and it results in the same fault.


Sun Mar 02, 2008 03:46

Joined: Tue Nov 21, 2006 23:15
Posts: 1648
Do you mean you get the 'ntfs-3g-mount: Failed to open /dev/fuse. Permission denied.' error after you did a 'chmod 666 /dev/fuse'?
That would be unexpected.


Sun Mar 02, 2008 10:55

Joined: Sun Feb 10, 2008 01:12
Posts: 6
Location: France
With 'chmod 666 /dev/fuse' I still get 'Permission denied' on /dev/hdb1. Adding the user to group 'disk' then 'newgrp disk' fixes the permission issue but the following error occurs during the mount:
$ mount /media/rack/
ntfs-3g-mount: user has no write access to mountpoint /media/rack

Here is the line for this device in /etc/fstab:
/dev/hdb1 /media/rack ntfs-3g user,noauto,dmask=022,fmask=133 0 0

Hope this helps (for the moment I mount as root :)


Mon Mar 03, 2008 11:48
Hello,
I have the same problem too.
I think it's a problem with ntfs-3g since u+s ntfsmount let users mount ntfs partitions successfully.
Thanks Szaka for you support.


Mon Mar 03, 2008 13:23

Joined: Tue Nov 21, 2006 23:15
Posts: 1648
Yes, ntfsmount works because it has a local root exploit. But NTFS-3G does not have know security problem. From http://ntfs-3g.org/support.html#unprivileged
Unprivileged block device mounts work only if NTFS-3G is compiled with integrated FUSE support, the ntfs-3g binary is set to setuid-root, and the user has access rights to the volume and mount point.

SeeSharp didn't have access right to volume and to the mount point, so mount was correctly denied. It's a user setup/configuration problem, NTFS-3G works as it was designed, securely, without giving away the root access.


Mon Mar 03, 2008 15:22
Thank you for your reply.
It is actually a permission problem:
chmod 666 /dev/sde1
chmod 777 /media/Volume

This way the mount is succesful, but quite insecure.
I don't understand why secondary groups are ignored, since I am in both disk and storage (with primary group being users)
carlocci ~/abs/ntfs-3g $ ls -ld /media/Volume/
drwxrwxr-x 2 root storage 4096 5 feb 16:28 /media/Volume/
carlocci ~/abs/ntfs-3g $ ls -l /dev/sde* /dev/fuse
crw-rw-rw- 1 root root 10, 229 3 mar 16:33 /dev/fuse
brw-rw---- 1 root disk 8, 64 3 mar 11:03 /dev/sde
brw-rw---- 1 root disk 8, 65 3 mar 11:03 /dev/sde1
carlocci ~/abs/ntfs-3g $ groups
tty disk wheel locate games dbus hal network video audio optical floppy storage power users

The only way to mount as user seems
chown root:disk /media/Volume
sg disk 'mount /media/Volume'

or change my primary group with newgrp.
Probably I'm missing something as I'm quite a linux newbie; I wonder what that is.


Mon Mar 03, 2008 21:35
I noticed I can mount ntfs partitions graphically if I remove the partition entry from fstab and mount through hal. Still can't mount from console, though.
Here is the entry I removed
# /dev/sde1 label Volume
/dev/disk/by-uuid/68941CD6941CA918 /media/Volume ntfs-3g users,noauto,uid=1000,gid=95,fmask=0113,dmask=0002,nls=utf8 0 0

The package which contains mount in my current install:
Name : util-linux-ng
Version : 2.13.0.1-2
Is this a problem with mount?


Tue Mar 04, 2008 18:51

Joined: Tue Nov 21, 2006 23:15
Posts: 1648
Yes, the mount(8) and umount(8) utilities have known problems handling user mounts.
The /dev/fuse permission problem is fixed in NTFS-3G 1.2310.


Wed Mar 12, 2008 21:53
Strange thing. I cannot confirm your fix in 1.2310.
See yourself:
denis@dencomp ~ $ ls -dl /mnt/usb
drwxrwxr-x 2 root usb 1024 Янв 21 18:50 /mnt/usb
denis@dencomp ~ $ groups denis
disk wheel usb denis
denis@dencomp ~ $ ls -l /dev/sda1
brw-rw---- 1 root disk 8, 1 Мар 13 14:17 /dev/sda1
denis@dencomp ~ $ ls -l /dev/fuse
crw-rw-rw- 1 root root 10, 229 Мар 13 12:18 /dev/fuse
denis@dencomp ~ $ mount /mnt/usb
Error opening '/dev/sda1': Отказано в доступе
Failed to mount '/dev/sda1': Отказано в доступе
Please check '/dev/sda1' and the ntfs-3g binary permissions,
and the mounting user ID. More explanation is provided at
http://ntfs-3g.org/support.html#unprivileged

P.S. Отказано в доступе - access denied in russian :)
Thanks.


Thu Mar 13, 2008 15:06

Joined: Tue Nov 21, 2006 23:15
Posts: 1648
Strange thing. I cannot confirm your fix in 1.2310.

/dev/fuse handling was fixed, not the supplementary group support which is completely dropped during startup as a security measure (so you need to have the 'disk' group as your main group at the moment). The two are different issues.
I try to find the time to check it out and fix for the next release.
Thanks, Szaka


Fri Mar 14, 2008 23:25
/dev/fuse handling was fixed

Hm, ok.
not the supplementary group support which is completely dropped during startup as a security measure (so you need to have the 'disk' group as your main group at the moment)

Completely dropped? I hope it's a temporary measure.
I try to find the time to check it out and fix for the next release.

Looking forward for the next release. (re)Switching main group is too high price for security, imho.
Thanks.


Sat Mar 15, 2008 17:57

Joined: Sun Feb 10, 2008 01:12
Posts: 6
Location: France
SeeSharp didn't have access right to volume and to the mount point, so mount was correctly denied. It's a user setup/configuration problem, NTFS-3G works as it was designed, securely, without giving away the root access.

I haven't changed the access rights on the mount point (which is 'drwxr-xr-x 2 root root') and I think with previous releases of ntfs3g the user mount was allowed without the need of write access for the user on the mount point.
I thought this was an expected behaviour for mounting a device, independently of the driver: for example a user mount of a vfat (rw) device on a mount point which is also 'drwxr-xr-x 2 root root' works without any access denied error.
Also if I change the access rights on the mount point to 777, I get:
ntfs-3g-mount: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf
(but /etc/fuse.conf doesn't exist on my distribution - maybe this is just a debian packaging problem for v1.2310).
I'm not doing a bug report here, just trying to figure how things work :)
Again thank you szaka for your time and support.


Sun Mar 16, 2008 21:29

Joined: Tue Nov 21, 2006 23:15
Posts: 1648
Cannot mount as non-root in Debian/Sid
On Sun, 16 Mar 2008, SeeSharp wrote:
I haven't changed the access rights on the mount point (which is
'drwxr-xr-x 2 root root') and I think with previous releases of ntfs3g
the user mount was allowed without the need of write access for the user
on the mount point.

This is a local root exploit.
I thought this was an expected behaviour for mounting a device,

Yes, at that time it wasn't known that this is a local root exploit.
independently of the driver: for example a user mount of a vfat (rw)
device on a mount point which is also 'drwxr-xr-x 2 root root' works
without any access denied error.

This is a fundamentally different issue. It works because root gave
explicit permission in fstab by the the 'user' or 'users' mount option.
I'm sure you can not mount fat wherever you want as a user.
The real problem is that, the mount utility doesn't support this for helper
mount software. We can't do anything about it, this is a problem in another
software. It's explained here: http://ntfs-3g.org/support.html#useroption2
Also if I change the access rights on the mount point to 777, I get:
ntfs-3g-mount: option allow_other only allowed if 'user_allow_other'
is set in /etc/fuse.conf (but /etc/fuse.conf doesn't exist on my
distribution - maybe this is just a debian packaging problem for
v1.2310).

This is indeed a known NTFS-3G problem and will be fixed in one of the
forecoming releases. Thanks.
I'm not doing a bug report here, just trying to figure how things work :)

This is indeed a quite compex issue what not even many developers
understand ;-) When we fixed all security problems in release 1.2216
then we made the driver way too strict. Now we are relaxing the
constrains where it's safe to do.
Again thank you szaka for your time and support.

Thanks for the feedback! :-)
Bye, Szaka


Sun Mar 16, 2008 21:49

Joined: Tue Nov 21, 2006 23:15
Posts: 1648
The NTFS-3G 1.2412 release fixes these two issues:
o Fix: unprivileged mount may have been denied because supplementary groups were dropped too early as a security measure.
o Fix: unprivileged mount may have been denied if the /etc/fuse.conf file wasn't properly configured. This was redundant and the /etc/fuse.conf file is not required anymore.
Thanks, Szaka


Sun Apr 13, 2008 02:02

Joined: Sun Feb 10, 2008 01:12
Posts: 6
Location: France
Sorry to bump this old thread, but there is something I still don't get. Suppose we have the following mount point:
drwxrwx--- 2 root test 4096 Jun 19 02:09 multimedia

why is it not possible for a user member of group 'test' to mount his ntfs-3g partition without having to log-in to group 'test' (with /usr/bin/newgrp) before mounting?
I understand it is certainly an extra-security mesure, but if the administrator added a given user to a group, authorized user-mounts in /etc/fstab, and set r/w access to the mount point for this group, shouldn't it be enough to allow said user to mount the partition?


Thu Jun 19, 2008 05:27

Joined: Tue Nov 21, 2006 23:15
Posts: 1648
Sorry to bump this old thread, but there is something I still don't get. Suppose we have the following mount point:
drwxrwx--- 2 root test 4096 Jun 19 02:09 multimedia

why is it not possible for a user member of group 'test' to mount his ntfs-3g partition without having to log-in to group 'test' (with /usr/bin/newgrp) before mounting?

Because you use a too old NTFS-3G release: http://ntfs-3g.org/releases.html


Thu Jun 19, 2008 11:27
Page 1 of 1
[ 23 posts ]


Who is online

Users browsing this forum: No registered users and 5 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.
Original forum style by Vjacheslav Trushkin.
Tuxera

Http://tuxera.com/community/ntfs-3g-faq/#unprivileged

Blog about Debian and other GNU/Linux distributions, configurations, scripsts, desktop environments and similar things. Apr 02, 2013  Unprivileged user can not mount NTFS block devices using the external FUSE library. Either mount the volume as root, or rebuild NTFS-3G with integrated FUSE support and make it setuid root. Please see more information at http://tuxera.com/community/ntfs-3g-faq/#unprivileged'.