Prevent normal users to mount (or unmount) partitions using gnome-disks

brancalessio
Level 1
Posts: 41
Joined: Fri Jul 24, 2015 4:59 am

Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by brancalessio » Sun Sep 08, 2019 7:46 am

Hello everyone!

On my computer there are a couple of partitions that should not be mounted from Linux, that is to say, the Windows Recovery Partition and another one used by software in Windows.

The point is that a user can mount or unmount these partitions using gnome-disks. In general I would like to prevent this. How do I achieve this?

I added the following two lines in /etc/fstab:

Code: Select all

UUID=8F3F-F678 /mnt/8F3F-F678 auto defaults,noauto,nouser 0 0
UUID=7BA56G3JK12H1 /mnt/7BA56G3JK12H1 auto defaults,noauto,nouser 0 0

In particular I added noauto because I do not want these partitions to be mounted at boot and nouser because only root should be allowed to mount these partitions.

From the command line it works: the mount command says that only root can mount these partitions. However it remains possible to mount them from gnome-disks.

Suggestions? Thank you for your answers!

gm10
Level 18
Posts: 8722
Joined: Thu Jun 21, 2018 5:11 pm

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by gm10 » Sun Sep 08, 2019 7:50 am

Remove the user from the admin and sudo groups.
Last edited by gm10 on Sun Sep 08, 2019 12:05 pm, edited 1 time in total.
Tune up your LM 19.x: ppa:gm10/linuxmint-tools

brancalessio
Level 1
Posts: 41
Joined: Fri Jul 24, 2015 4:59 am

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by brancalessio » Sun Sep 08, 2019 7:57 am

Thank you for your answer.

Your answer practically implies that if a user has administrative rights, they will always be able to mount devices using gnome-disks (independently of what is written in /etc/fstab). Is that right?

gm10
Level 18
Posts: 8722
Joined: Thu Jun 21, 2018 5:11 pm

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by gm10 » Sun Sep 08, 2019 8:10 am

That's the whole point of administrative rights. It allows you to invoke root privileges, which in turn gives you full access to every aspect of the system. Without any limitation.

Larry78723
Level 6
Posts: 1110
Joined: Wed Jan 09, 2019 7:01 pm
Location: Jasper County, SC, USA

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by Larry78723 » Sun Sep 08, 2019 10:57 am

A "normal user" should not be a member of either the adm or sudo groups

pbear
Level 7
Posts: 1783
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by pbear » Sun Sep 08, 2019 11:45 am

brancalessio wrote:
Sun Sep 08, 2019 7:46 am
From the command line it works: the mount command says that only root can mount these partitions.
I'm rather more puzzled by this. Did you use sudo mount or just mount by itself?
Time flies like an arrow. Fruit flies like a banana.
If your problem has been solved, please edit the thread title.

brancalessio
Level 1
Posts: 41
Joined: Fri Jul 24, 2015 4:59 am

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by brancalessio » Sun Sep 08, 2019 11:58 am

Just mount
pbear wrote:
Sun Sep 08, 2019 11:45 am
brancalessio wrote:
Sun Sep 08, 2019 7:46 am
From the command line it works: the mount command says that only root can mount these partitions.
I'm rather more puzzled by this. Did you use sudo mount or just mount by itself?

pbear
Level 7
Posts: 1783
Joined: Wed Jun 21, 2017 12:25 pm
Location: San Francisco

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by pbear » Sun Sep 08, 2019 12:01 pm

You understand now, right? Any user with sudo privileges can run any command.

rene
Level 11
Posts: 3627
Joined: Sun Mar 27, 2016 6:58 pm

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by rene » Sun Sep 08, 2019 12:02 pm

Just as a quick interjection, not "adm" but "admin". Unix-group "adm" in fact exists (and "admin" does not any more) but is used for nothing other than some logs in /var/log, historically /var/adm and hence the name. Unix group "admin" was in older versions of Ubuntu used as the "sudo group", i.e., in the same manner in which now the actual group "sudo" is. Group "admin" as said does not in fact exist any more these days, but is still referenced by polkit on Ubuntu/Mint: its definition of "an administrator" is the user being root or a member of groups "sudo" or "admin"; see the two files in /etc/polkit-1/localauthority.conf.d/ for that. Given that "admin" does not in fact exist you can depending on context forget about it; I tend to simply adopt the system definition when for example writing custom rules under /etc/polkit-1/localauthority but, whatever; "not root and not in group sudo" is what is in practice a non-administrator in current Ubuntu/Mint...
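
The administrator definition described in the post above, turned into a check that can be run (an added example, not part of any post in this thread). The function names, the accounts alice and bob, and the sample file contents are constructed for illustration; it assumes the conf.d files are read in lexical order with the last AdminIdentities value winning.

```shell
#!/bin/sh
# Added example: which accounts does polkit treat as administrators?
# Assumes keyfile-style *.conf files with an AdminIdentities= line (last value
# in lexical file order wins) and a group(5)-format group file.

# Print the effective AdminIdentities value, e.g. unix-group:sudo;unix-group:admin
admin_identities() {
    confdir=${1:-/etc/polkit-1/localauthority.conf.d}
    value=
    for f in "$confdir"/*.conf; do
        [ -r "$f" ] || continue
        line=$(sed -n 's/^AdminIdentities=//p' "$f" | tail -n 1)
        [ -n "$line" ] && value=$line
    done
    printf '%s\n' "$value"
}

# Print, one per line, root plus every account those identities name.
# Only members listed in the group file are expanded (no primary-group lookup).
polkit_admins() {
    groupfile=${2:-/etc/group}
    {
        echo root    # root always counts, per the definition in the post
        admin_identities "$1" | tr ';' '\n' | while IFS=: read -r kind name; do
            case $kind in
                unix-user)  [ "$name" = 0 ] && name=root; echo "$name" ;;
                unix-group) awk -F: -v g="$name" '$1 == g { n = split($4, m, ",")
                    for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$groupfile" ;;
            esac
        done
    } | sort -u
}

# Succeed if account $1 is an administrator under conf dir $2 and group file $3.
is_polkit_admin() {
    polkit_admins "$2" "$3" | grep -qx -- "$1"
}

# Constructed sample data (alice and bob are made up); prints its directory.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/conf.d"
    printf '[Configuration]\nAdminIdentities=unix-user:0\n' > "$d/conf.d/50-localauthority.conf"
    printf '[Configuration]\nAdminIdentities=unix-group:sudo;unix-group:admin\n' > "$d/conf.d/51-ubuntu-admin.conf"
    printf 'adm:x:4:syslog,alice\nsudo:x:27:alice\nplugdev:x:46:alice,bob\n' > "$d/group"
    echo "$d"
}

s=$(make_sample)
polkit_admins "$s/conf.d" "$s/group"; rm -r "$s"   # alice and root; bob is not listed
```

Called without arguments, polkit_admins reads the live /etc/polkit-1/localauthority.conf.d and /etc/group. In the sample, membership of "adm" or "plugdev" alone does not make an account an administrator, and the nonexistent "admin" group contributes nobody.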

gm10
Level 18
Posts: 8722
Joined: Thu Jun 21, 2018 5:11 pm

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by gm10 » Sun Sep 08, 2019 12:06 pm

rene wrote:
Sun Sep 08, 2019 12:02 pm
Just as a quick interjection, not "adm" but "admin".
Thanks, good catch. Fixed it above.

brancalessio
Level 1
Posts: 41
Joined: Fri Jul 24, 2015 4:59 am

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by brancalessio » Sun Sep 08, 2019 12:06 pm

One thing nevertheless makes me puzzled.

Another partition is mounted at boot (with the auto option). So I presume the user root mounts the partition. From gnome-disks I can unmount it, but I am asked for the administrator password, because "the partition is mounted by another user".

I understand that this other partition is mounted without the users option, but the logic of the whole thing is not completely clear to me.
gm10 wrote:
Sun Sep 08, 2019 8:10 am
That's the whole point of administrative rights. It allows you to invoke root privileges, which in turn gives you full access to every aspect of the system. Without any limitation.

brancalessio
Level 1
Posts: 41
Joined: Fri Jul 24, 2015 4:59 am

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by brancalessio » Sun Sep 08, 2019 1:25 pm

It is actually even more complicated, because the two partitions automatically mounted on boot have different behaviours with gnome-disks.

One of the two can be unmounted without entering any password. For the other a password is necessary. The partitions are both NTFS and mount options are completely the same.

The only differences are that one is a primary partition, the other is a logical partition. Another difference is that maybe one was mounted in gnome-disks before writing a line in fstab to automount it, the other was maybe never mounted.
gm10 wrote:
Sun Sep 08, 2019 8:10 am
That's the whole point of administrative rights. It allows you to invoke root privileges, which in turn gives you full access to every aspect of the system. Without any limitation.

gm10
Level 18
Posts: 8722
Joined: Thu Jun 21, 2018 5:11 pm

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by gm10 » Sun Sep 08, 2019 1:42 pm

User-mounted partitions can of course be umounted by the same user.

brancalessio
Level 1
Posts: 41
Joined: Fri Jul 24, 2015 4:59 am

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by brancalessio » Sun Sep 08, 2019 1:47 pm

The point is that, now, both partitions are mounted at boot by supposedly root. One of them can be unmounted in gnome-disks (by brancalessio, let's say) without entering a password. For the other partition a password is instead needed. Mount options are exactly the same. Why is there a difference in behaviour?
gm10 wrote:
Sun Sep 08, 2019 1:42 pm
User-mounted partitions can of course be umounted by the same user.

gm10
Level 18
Posts: 8722
Joined: Thu Jun 21, 2018 5:11 pm

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by gm10 » Sun Sep 08, 2019 2:07 pm

Code: Select all

cat /etc/fstab

brancalessio
Level 1
Posts: 41
Joined: Fri Jul 24, 2015 4:59 am

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by brancalessio » Sun Sep 08, 2019 2:31 pm

Code: Select all

# windows System partition (primary)
UUID=CD05D3FCC5CC4544	/win10	ntfs-3g	defaults,windows_names,noexec,ro	0	0
# windows common partition (logical)
UUID=A9FEA1CE548049C3	/windata	ntfs-3g	defaults,windows_names,noexec,ro	0	0
# Windows Recovery Partition (primary)
UUID=525D4DBB1D724624 /winrecovery auto defaults,noauto,noexec,ro 0 0
# Extra partition (primary)
UUID=4DF5D5D4836E4DE5 /winextra auto defaults,noauto,noexec,ro 0 0
  • The 1st one is mounted at boot and the user brancalessio can unmount it only by entering its user password.
  • The 2nd one is mounted at boot and the user brancalessio can unmount it without entering its password.
  • The 3rd one is not mounted at boot, the user brancalessio can mount or unmount without entering any password.
  • The 4th one is not mounted at boot, the user brancalessio can mount or unmount without entering any password.

The user brancalessio is a member of the following groups: adm, cdrom, dip, lpadmin, plugdev, sambashare, sudo. It is a standard user with administrative rights of Linux Mint (I did not make any changes).

gm10
Level 18
Posts: 8722
Joined: Thu Jun 21, 2018 5:11 pm

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by gm10 » Sun Sep 08, 2019 2:41 pm

I think I figured out what you are doing: Your credentials remain cached for 5 minutes so you do not need to enter them consecutively. If you enter them for the first partition the second one needs no additional authentication. There should be an icon in the notification area on the tray when that's the case. sudo even caches for 15 minutes since it was last used by default (no icon for that one since it's CLI).

brancalessio
Level 1
Posts: 41
Joined: Fri Jul 24, 2015 4:59 am

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by brancalessio » Sun Sep 08, 2019 4:01 pm

I checked and you are actually right about the first two partitions (those automatically mounted at boot).

For the 3rd and 4th I am still able to mount them without password (I am sure there is no password cached). What could be the explanation?

Nevertheless I got no notification in the tray area about cached passwords.
gm10 wrote:
Sun Sep 08, 2019 2:41 pm
I think I figured out what you are doing: Your credentials remain cached for 5 minutes so you do not need to enter them consecutively. If you enter them for the first partition the second one needs no additional authentication. There should be an icon in the notification area on the tray when that's the case. sudo even caches for 15 minutes since it was last used by default (no icon for that one since it's CLI).

gm10
Level 18
Posts: 8722
Joined: Thu Jun 21, 2018 5:11 pm

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by gm10 » Sun Sep 08, 2019 4:10 pm

brancalessio wrote:
Sun Sep 08, 2019 4:01 pm
For the 3rd and 4th I am still able to mount them without password (I am sure there is no password cached). What could be the explanation?
As I mentioned before, that's working as intended, the default policy is to let any user mount new filesystems (otherwise you couldn't use USB sticks or things like that), and if it's the user that mounted it then the same user can also unmount it again. Other users cannot without invoking root rights, however.

You can verify this yourself. Mount the 4th partition as root:

Code: Select all

sudo mount /winextra
and then try to unmount it in gnome-disks. You will be asked to authenticate now.
brancalessio wrote:
Sun Sep 08, 2019 4:01 pm
Nevertheless I got no notification in the tray area about cached passwords.
I suppose not all desktop environments have that then.

Spearmint2
Level 16
Posts: 6167
Joined: Sat May 04, 2013 1:41 pm
Location: Maryland, USA

Re: Prevent normal users to mount (or unmount) partitions using gnome-disks

Post by Spearmint2 » Sun Sep 08, 2019 4:43 pm

Why not just comment them out in the fstab file? Put # in front of those lines. That way if you change your mind later, at least they will be there where you can set to mount them again. Might check the mtab file also, remove if in there.
All things go better with Mint. Mint julep, mint jelly, mint gum, candy mints, pillow mints, peppermint, chocolate mints, spearmint,....
