KNOW HOW
fstab
File Systems
Fstab in the dark

The file system table (fstab) contains information on the partitions and volumes that need to be inserted into the directory tree on starting up the system. The table allows the administrator to enhance the security of a multi-user system by applying various options. BY ANDREAS KNEIB

52 February 2003 www.linux-magazine.com

Listing 1: fstab example
# The following lines are designed to explain and implement assignments
# (fs_spec)  (fs_file)  (fs_vfstype)  (fs_mntops)  (fs_freq)  (fs_passno)
# [1]        [2]        [3]           [4]          [5]        [6]
/dev/hda1    /boot      ext2          defaults     1          2
/dev/hda2    /          ext2          defaults     1          1
proc         /proc      proc          defaults     0          0

During the boot process the /etc/fstab file is read by the mount command in an init script and implemented line by line. It includes entries for device files, CD-ROM drives and hard disk partitions which are available for immediate access after the system initialization. The administrator can use the configuration in this file to assign mount points to drives and partitions, to specify the file system type, or to regulate access rights via mount options. Let us take a closer look at the entries in Listing 1. The fact that the entries are divided into six columns is immediately apparent. The first column (fs_spec) contains the device file name belonging to the partition. The second column (fs_file) contains the mount point, that is the position where the medium is inserted into the directory tree. The third column (fs_vfstype) is used to define the file system type. Table 1 contains a list of some of the available file system types. The entries in the fourth column (fs_mntops) define access to the volume. As you can see in Listing 1, this column can contain multiple, comma-separated options. The same options are also available on the command line, if you supply them as mount command line options. The manpages for this command also provide detailed information on the various parameters. You can refer to Table 2 for an initial overview of the mount options. The dump program, which creates a backup of the data on an Ext2 file system, refers to the entry in column five (fs_freq) for its configuration data. Refer to the dump manpages for additional details on the functionality provided by this backup tool. Like its predecessor, the last column (fs_passno) is also read by a program. In this case it tells the fsck command how to check the consistency of the file system. The root directory is tagged with a 1, any other file systems with a 2. A value of 0 is assigned for file systems such as CD-ROMs that do not need to be checked by fsck. Now let's add a few examples to the rudimentary /etc/fstab in Listing 1.
CD-ROM and DVD

After taking a quick look at the contents of our two tables, it should be no problem to define an entry that allows us to mount the CD-ROM drive – at least for home users with stand-alone computers, as we will see:

/dev/cdrom /cdrom auto ro,noauto,user,exec 0 0

Let's look at the syntax of the line. The /dev/cdrom entry specifies the device name of the drive. In this case, /dev/cdrom is a symbolic link that points to the proper device file (for example /dev/hdc). The /cdrom field indicates the mount point in the directory tree. In this case the drive is mounted directly below the root directory in /cdrom. Some distributions collate mount points for removable media below /mnt or /media. You could choose the file system type iso9660 instead of auto if you are experiencing difficulty mounting DVDs. The ro option permits read-only access to the mounted medium. The noauto entry does not bind the drive on starting the system, but waits for an explicit mount /cdrom command in the shell. The user option allows any user to issue the mount command. The same applies to users executing programs on the CD, as stipulated by the exec keyword; if noexec is stipulated, it is impossible to start programs, although the x attributes normally required to do so are present. Whether or not you decide to use these options depends on your approach to secure administration. You can create a similar entry for a floppy drive:

/dev/fd0 /floppy auto noauto,user 0 0

In this case the ro has been omitted, to allow write access to the floppy. But the exec option has been removed to prevent users from starting programs stored on floppy disks.

From Process Administration to USB

The system stores various internal kernel administration data in files. This principle applies both to the proc file system and to USB devices (usbdevfs). devpts now provides the basis for pseudo-terminal operations. All of these file systems provide interfaces used by terminal emulators such as xterm. To allow devices and processes to run smoothly after booting the system, three virtual file systems must be added to the configuration, as shown in Listing 2.

Listing 2: Virtual file systems
devpts    /dev/pts       devpts    defaults 0 0
usbdevfs  /proc/bus/usb  usbdevfs  defaults 0 0
proc      /proc          proc      defaults 0 0

Table 1: Common file system types
auto      Assign file system automatically
ext2      ext2 file system
ext3      ext3 file system
reiserfs  Reiser file system
jfs       IBM Journaling file system
minix     Minix file system
vfat      Windows 95, Windows 98 or DOS file system
ntfs      Windows NT/2000/XP file system
msdos     MS-DOS floppies/partitions
umsdos    MS-DOS with Unix add-ons
hpfs      OS/2 file system
xiafs     Xia file system
swap      Swap files/partitions
usbdevfs  USB device administration
devpts    Pseudo terminals
proc      Process administration
iso9660   DVDs/CD-ROMs
udf       Universal Disk Format (DVDs)
nfs       Network File System
smbfs     Server Message Block protocol
ignore    (ignore partition)

Taming Windows

The following section looks into the security of DOS and Windows partitions. We will be mounting a Windows 98 partition first. Read and write access to this section of the directory tree should be available to every user. Additionally, the file system will be activated by a mount /win98 command, issued by root:

/dev/hda3 /win98 vfat noauto,umask=0 0 0

The umask option in this entry has not been discussed previously. As Table 2 shows, the option sets inverse file privileges. What does that mean? Just like the chmod command, umask works with octal numbers. The access bits are calculated by subtracting the desired file privileges from seven, and assigning the result as the umask. The access privileges for the modes read, write and execute (octal 7) are thus assigned by entering 0, r-x (octal 5) by entering 2, and rw- (octal 6) by typing a 1. As Windows 98 does not support access privileges for files, we can use Linux access bits to impose an extra level of security. In this case we are applying fairly lax security privileges, since umask=0 will allow any user to read, write and execute any file. You can type man -P "less +'/^[ ]*umask'" bash for additional information on using masked file privileges.

The quiet, iocharset= and uni_xlate options are interesting in this context. They specify error handling and character set management. As these aspects are beyond the scope of this article, refer to the mount manpages for further details.

Let us now move on to the next candidate, Windows XP, where we will be applying a more stringent level of file system security:

/dev/hda4 /winxp ntfs ro,uid=999,gid=555,user 0 0

As Windows XP, NT and 2000 use the NTFS file system, only read-only access (ro) is currently available (the driver is also capable of write access, but this is currently experimental and disabled in the standard kernel). The uid= and gid= options are used here. These abbreviations are short for User Identification (UID) and Group Identification (GID). Explanation: /etc/passwd contains a list of all users, which includes details on the number assigned to a user and the user's group memberships. You can also ascertain these values by typing id or id username:

[andreas]~ > id
uid=500(andreas) gid=100(users) Groups=100(users),[...],42(trusted)

The UID/GID options allow you to assign a user and group ID to each Windows XP file. Now all you need to do is add a umask option and create an appropriate group, to allow for more granular access control of the Windows partition.
Samba and NFS

Let us stick with Windows for the time being and investigate Microsoft's own variant of a network directory. The counterpart to the Network File System (NFS) commonly found on Unix is the Server Message Block or SMB. A Windows server can use this protocol to provide access to its data. You will need to install Samba to access external Windows computers via Linux. The smbclient tool provides access to shared Windows directories. But it is a lot easier to mount the directory in the local directory tree:

//win/C /winc smbfs user,noauto 0 0

This entry allows the C directory on the win computer to be accessed by any user in the /winc directory on Linux. However, the user will be prompted for a password after issuing the mount command. Although users can supply a username parameter when issuing the mount command (-o username=tux,password=pw), you might like to simplify this task:

//win/C /winc smbfs user,noauto,username="tux",password="pw" 0 0

You might be a little confused at this point, because you have not been able to find the username and password options in man mount. The program actually runs smbmount at this point, and the smbmount manpages are where you should be looking for further details on this topic. The configuration required to mount a directory via the Network File System (NFS) is similar, as the following entry shows:

linux1:/out /nfs nfs user,noauto 0 0

This mounts the /out directory exported by the computer linux1 at /nfs. The directory must be entered in the /etc/exports file on that computer; however, we will not be looking into NFS at this stage.

Figure 1: Mounting the subscription CD in the directory tree
Figure 2: Refusing access

Table 2: Overview of mount options
defaults  rw, suid, dev, exec, auto, nouser and async
exec      allows binary and script execution
noexec    prevents binary and script execution
user      allows a user to mount the file system
noauto    must be mounted by the mount command
ro        mounts the file system in read-only mode
rw        mounts the file system in read-write mode
umask=    inverse bitmask of the access privileges (e.g. for FAT file systems)
uid=      user ID of the data
gid=      group ID of the data
sync      synchronous I/O operations

Users in Command

Files in MP3 format are a good idea. You can listen to them, list, manage and collect them. And above all else, you can waste a lot of space on the file system with them. What options are available to the administrator to prevent individual user collections from getting out of control? The answer is, use quotas [1]. Quotas allow the system administrator to restrict the amount of storage capacity available to groups and individual users. You can define the quotas with either dynamic or hard limits. Quotas use separate configuration files to manage partitions, and are simple to apply. The original HOWTO is available
on the Web at [2]. However, quota support must be compiled into the kernel if you intend to use quotas. As a full description of configuring this program is beyond the scope of this article, we will be focusing on the entries in /etc/fstab. The usrquota option is provided to restrict the amount of space available to users. The option is entered immediately after the defaults entry and affects the /home partition:

/dev/hda5 /home ext2 defaults,usrquota 1 1

You can replace usrquota by grpquota to apply quotas to groups:

/dev/hda6 /usr ext2 defaults,grpquota 1 1

If required, you can apply both settings to a single partition:

/dev/hda6 /var ext2 defaults,usrquota,grpquota 1 1
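The entries collected in this article (the six-column layout of Listing 1, the user/exec choice for removable media, umask= on the Windows 98 partition and the credentials written into the smbfs line) can be reviewed mechanically. The following is an added example, not code from the article: it parses a table made up of the article's own entries, expands defaults and the user option the way mount(8) does (user implies noexec, nosuid and nodev unless a later option re-enables them, which is why the CD-ROM line says user,exec) and reports the entries an administrator would want to look at twice. The sample table and the helper names are constructed for this example.

```python
# Constructed sample: the article's own example entries gathered into one table.
SAMPLE_FSTAB = """\
# fs_spec    fs_file  fs_vfstype fs_mntops                                fs_freq fs_passno
/dev/cdrom   /cdrom   auto       ro,noauto,user,exec                      0 0
/dev/fd0     /floppy  auto       noauto,user                              0 0
/dev/hda3    /win98   vfat       noauto,umask=0                           0 0
/dev/hda4    /winxp   ntfs       ro,uid=999,gid=555,user                  0 0
//win/C      /winc    smbfs      user,noauto,username="tux",password="pw" 0 0
/dev/hda5    /home    ext2       defaults,usrquota                        1 1
"""
DEFAULTS = ("rw", "suid", "dev", "exec", "auto", "nouser", "async")
# mount(8): "user" also implies noexec, nosuid, nodev unless a later option re-enables them
USER_IMPLIES = ("noexec", "nosuid", "nodev", "user")
PAIRS = [("rw", "ro"), ("suid", "nosuid"), ("dev", "nodev"), ("exec", "noexec"),
         ("auto", "noauto"), ("user", "nouser"), ("async", "sync")]
OPPOSITE = {a: b for x, y in PAIRS for a, b in ((x, y), (y, x))}
def parse_fstab(text):
    """Yield (fs_spec, fs_file, fs_vfstype, [fs_mntops]) for each data line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and not f[0].startswith("#"):
            yield f[0], f[1], f[2], f[3].split(",")

def effective_options(mntops):
    """Expand 'defaults' and 'user'; a later option overrides its opposite."""
    flags = set()
    for opt in mntops:
        for flag in {"defaults": DEFAULTS, "user": USER_IMPLIES}.get(opt, (opt,)):
            flags.discard(OPPOSITE.get(flag, ""))
            flags.add(flag)
    return flags

def mode_from_umask(umask):
    """The article's rule (granted digit = 7 - umask digit) rendered as an rwx string."""
    mode = 0o777 & ~umask
    return "".join(c if mode & (0o400 >> i) else "-" for i, c in enumerate("rwxrwxrwx"))

def audit(text):
    """Return sorted (mount point, finding) pairs for the entries worth a second look."""
    findings = []
    for _spec, mnt, _vfs, mntops in parse_fstab(text):
        flags = effective_options(mntops)
        umask = next((int(f[6:], 8) for f in flags if f.startswith("umask=")), None)
        if "user" in flags and "exec" in flags:
            findings.append((mnt, "any user may mount it and run programs from it"))
        if umask is not None and mode_from_umask(umask)[7] == "w":  # 'other' write bit open
            findings.append((mnt, f"umask={umask:o} leaves files world-writable ({mode_from_umask(umask)})"))
        if any(f.startswith("password=") for f in flags):
            findings.append((mnt, "password kept in /etc/fstab, which is normally world-readable"))
    return sorted(findings)
```

Run against the sample, audit() flags /cdrom (user plus exec), /win98 (umask=0) and /winc (password in the table), while /floppy and /winxp pass because user already implies noexec.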
A separation of system and user data can be achieved by defining appropriate partitions for your Linux installation. This allows for ease of administrative intervention. Also, a well-planned fstab structure will save an administrator headaches – especially when under time pressure with things going wrong.
INFO
[1] Quotas: http://www.sourceforge.net/projects/linuxquota
[2] Quota HOWTO: http://www.tldp.org/HOWTO/mini/Quota.html