mount option inherit not working 

Joined: Tue Apr 28, 2009 12:01
Posts: 5
Post mount option inherit not working
I have a dual booting system Windows Vista / Ubuntu.
I have compiled the advanced driver version 2009.4.4AR.1 with the configure option --enable-posix-acls and used usermap on Linux to create a UserMapping file.

Mounting the NTFS partition with the inherit option does not result in the desired behavior. New files don't have the same access rights as their parent directories, despite the fact that in Windows the directory is set up to pass on the access rights to its children. ACL in general works, it's just the inheritance feature which does not.

If I mount the partition as
Code:
ntfs-3g -o no_detach,inherit /dev/sda2 /media/win

I get the following debug information:
Code:
Version 2009.4.4AR.1 integrated FUSE 27
Mounted /dev/sda2 (Read-Write, label "SW_Preload", NTFS 3.1)
Cmdline options: no_detach,inherit
Mount options: silent,allow_other,nonempty,relatime,fsname=/dev/sda2,blkdev,blksize=4096
User mapping built, Posix ACLs in use


Although inherit is recognized as a command line option it doesn't show up as a mount option.

Am I missing something? Any help is appreciated.


Tue Apr 28, 2009 12:33
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: mount option inherit not working
Hi,

Quote:
I have compiled the advanced driver version 2009.4.4AR.1 with the configure option --enable-posix-acls and used usermap on Linux to create a UserMapping file.

This should be OK, assuming the user mapping file was correct.
Quote:
ACL in general works, it's just the inheritance feature which does not.

Can you be more explicit about what is wrong ?

Also can you post the result of
Code:
secaudit -v /media/win/some-path/parent-directory

Or unmount the volume and, as root, do
Code:
secaudit -v /dev/sda2 /some-path/parent-directory

(some versions of secaudit segfault after the display, just ignore it)
The contents of UserMapping file may also be helpful.

Note that owner and group are not inherited. On Windows, files always belong to the creating process. Same on Linux, provided owner and group are mapped (if not, they are copied from parent directory).
Also note that, if parent directory was created on Linux, its ACL is generally such that its execution flag is inherited to directories only (even on Windows).

Quote:
Although inherit is recognized as a command line option it doesn't show up as a mount option.

This is normal, the inherit option is internal to ntfs-3g, and not handed over to mount.

Quote:
Any help is appreciated.

But I will not be able to help for a few weeks (to-morrow ok).

Regards

Jean-Pierre


Tue Apr 28, 2009 22:40

Joined: Tue Apr 28, 2009 12:01
Posts: 5
Post Re: mount option inherit not working
Hi Jean-Pierre

Quote:
Can you be more explicit about what is wrong ?

Example: On Windows, I create a folder /media/win/Users/creller/test. Therein I create a file win.txt (still on Windows). On Linux, I create a file tux.txt and a subdirectory tuxdir. With the inherit option I would expect tux.txt and win.txt to have the same permissions. (Maybe it's here where I am wrong?) An ls -l in this directory yields:
Code:
drwx------+ 1 creller creller 0 2009-04-29 07:41 tuxdir
-rwxrwx---+ 1 creller creller 0 2009-04-29 07:40 tux.txt
-rwx------  1 creller creller 0 2009-04-29 07:33 win.txt


More details now:

My UserMapping file:
Code:
# Generated by usermap for Linux, v 1.1.0
creller:creller:S-1-5-21-1290541147-824283939-1609055870-1000
:creller:S-1-5-21-1290541147-824283939-1609055870-513


Output of secaudit -v /media/win/Users/creller/test: (I leave away the numbers at the beginning and messages about freeing unallocated memory)
Code:
Computed hash : 0x8f14be60
Windows attrib : 0x10
building permissions
Interpreted Unix owner 1000, group 1000, mode 0700
Posix descriptor :
    acccnt 3
    defcnt 3
    firstdef 3
    mode : 0700
    tagsset : 0x25
Posix ACL :
    version 2
    flags 0x00
ace 0 : access  USR-O   -1 perms 0007 rwx
ace 1 : access  GRP-O   -1 perms 0000 ---
ace 2 : access  OTHER   -1 perms 0000 ---
ace 3 : default USER     0 perms 0000 ---
ace 4 : default GROUP 1000 perms 0000 ---
ace 5 : default MASK    -1 perms 0007 rwx
No errors were found

Output of secaudit -v /media/win/Users/creller/test/tuxdir is identical with the above (apart from the hash of course). So this actually works as I would expect.

Output of secaudit -v /media/win/Users/creller/test/win.txt:
Code:
Computed hash : 0xdde65837
Windows attrib : 0x20
building permissions
Interpreted Unix owner 1000, group 1000, mode 0700
No errors were found


Output of secaudit -v /media/win/Users/creller/test/tux.txt:
Code:
Computed hash : 0x6a2b0e72
Windows attrib : 0x80
building permissions
Interpreted Unix owner 1000, group 1000, mode 0770
Posix descriptor :
    acccnt 6
    defcnt 0
    firstdef 6
    mode : 0770
    tagsset : 0x3f
Posix ACL :
    version 2
    flags 0x00
ace 0 : access  USR-O   -1 perms 0007 rwx
ace 1 : access  USER     0 perms 0000 ---
ace 2 : access  GRP-O   -1 perms 0000 ---
ace 3 : access  GROUP 1000 perms 0000 ---
ace 4 : access  MASK    -1 perms 0007 rwx
ace 5 : access  OTHER   -1 perms 0000 ---
No errors were found


I would expect both files to have the same permissions, or am I wrong here?

Regards

Christoph


Wed Apr 29, 2009 08:22
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: mount option inherit not working
Hi Christoph,

Quote:
With the inherit option I would expect tux.txt and win.txt to have the same permissions. (Maybe it's here where I am wrong?)

Correct. You should get the same results provided the owner and group are the same. If you look closely, you do get the same results :

win.txt is shown with protection rwx for user creller and no access to anybody else.
tux.txt has a Posix ACL (there is a + in the ls display), this means the mask is displayed where the group access is generally shown. Looking at the Posix ACL display :
Quote:
Code:
ace 0 : access  USR-O   -1 perms 0007 rwx
ace 1 : access  USER     0 perms 0000 ---
ace 2 : access  GRP-O   -1 perms 0000 ---
ace 3 : access  GROUP 1000 perms 0000 ---
ace 4 : access  MASK    -1 perms 0007 rwx
ace 5 : access  OTHER   -1 perms 0000 ---

You see the owner (ace 0) has rwx permissions
the owning group (ace 2 and mask) has no access
other users have no access (ace 5).
Now there is a special case for group 1000 (creller, ace 3). It means that if you change the owning group (by chgrp), the group creller will still have no access. There is also a special case for user root (ace 1) only meaningful on Windows (administrator has no access).

This may seem weird. It is probably related to the fact the directory was created with the special account 1000 on Vista, which is a user account with protection elevation abilities (did you elevate permissions to create the directory ?)

Quote:
I leave away the numbers at the beginning and messages about freeing unallocated memory

I needed these hexadecimal numbers to know exactly what the parent directory ACL is like. And if you have freeing unallocated memory messages, there is probably a bug which I can only fix if I know about it.

Quote:
I would expect both files to have the same permissions, or am I wrong here?

I see nothing really wrong, I would need the hexadecimal display of NTFS ACL of parent directory for a more detailed explanation and a way, if any, to make the protections to appear more alike.

Regards

Jean-Pierre


Wed Apr 29, 2009 09:49
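Added example (not part of the original thread and not NTFS-3G code): the mask behaviour described in the reply above, computed from the Posix ACL that secaudit printed for tux.txt. It shows why `ls -l` displays rwxrwx--- while nobody but the owner has access; the function names are illustrative.

```python
import re

# Posix ACL of tux.txt exactly as secaudit printed it in the thread.
TUX_ACL = """\
ace 0 : access  USR-O   -1 perms 0007 rwx
ace 1 : access  USER     0 perms 0000 ---
ace 2 : access  GRP-O   -1 perms 0000 ---
ace 3 : access  GROUP 1000 perms 0000 ---
ace 4 : access  MASK    -1 perms 0007 rwx
ace 5 : access  OTHER   -1 perms 0000 ---
"""

ACE_RE = re.compile(
    r"ace\s+\d+\s*:\s*(access|default)\s+(\S+)\s+(-?\d+)\s+perms\s+([0-7]+)")
GROUP_CLASS = ("USER", "GRP-O", "GROUP")  # entries that the mask caps


def parse_acl(text, kind="access"):
    """Return [(tag, id, perms)] for the access (or default) entries."""
    return [(m.group(2), int(m.group(3)), int(m.group(4), 8))
            for m in ACE_RE.finditer(text) if m.group(1) == kind]


def ls_mode(entries):
    """Mode as ls -l prints it: when a mask entry exists, the middle
    triplet is the mask, not the owning group's rights."""
    base = {tag: perms for tag, _id, perms in entries}
    middle = base.get("MASK", base.get("GRP-O", 0))
    return base.get("USR-O", 0) << 6 | middle << 3 | base.get("OTHER", 0)


def effective(entries):
    """Rights each entry really grants once the mask is applied."""
    mask = next((p for tag, _id, p in entries if tag == "MASK"), 7)
    return {(tag, ident): perms & mask if tag in GROUP_CLASS else perms
            for tag, ident, perms in entries if tag != "MASK"}


def group_class_rights(entries):
    """Union of what anyone other than the owner and 'other' can do."""
    rights = 0
    for (tag, _id), perms in effective(entries).items():
        if tag in GROUP_CLASS:
            rights |= perms
    return rights


if __name__ == "__main__":
    acl = parse_acl(TUX_ACL)
    print("ls -l shows   : %04o" % ls_mode(acl))
    print("group class   : %o" % group_class_rights(acl))
```

For tux.txt the displayed mode is 0770 but the group-class rights are 0, which is the same access as win.txt's plain 0700.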

Joined: Tue Apr 28, 2009 12:01
Posts: 5
Post Re: mount option inherit not working
Hi Jean-Pierre

First of all: From a usability point of view I think that the result is more or less what I want. (The title of this post should be something different from "not working", I guess). So: thank you for this great feature I've been looking for since long!

For debug purposes I include the full secaudit output below. I recap:
  • /media/win/Users/creller/test created on Windows by user creller
  • /media/win/Users/creller/test/win.txt created on Windows by user creller
  • /media/win/Users/creller/test/tux.txt created on Linux by user creller
  • /media/win/Users/creller/test/windir created on Windows by user creller
  • /media/win/Users/creller/test/tuxdir created on Linux by user creller

Output of secaudit -v /media/win/Users/creller/test:
Code:
secaudit 1.3.4 : NTFS security data auditing
Directory /media/win/Users/creller/test     
        000000  01000480 bc000000 d8000000 00000000
        000010  14000000 0200a800 06000000 00002400
        000020  ff011f00 01050000 00000005 15000000
        000030  5b18ec4c 23932131 7e3ee85f e8030000
        000040  000b2400 00000010 01050000 00000005
        000050  15000000 5b18ec4c 23932131 7e3ee85f
        000060  e8030000 00001400 ff011f00 01010000
        000070  00000005 12000000 000b1400 00000010
        000080  01010000 00000005 12000000 00001800
        000090  ff011f00 01020000 00000005 20000000
        0000a0  20020000 000b1800 00000010 01020000
        0000b0  00000005 20000000 20020000 01050000
        0000c0  00000005 15000000 5b18ec4c 23932131
        0000d0  7e3ee85f e8030000 01050000 00000005
        0000e0  15000000 5b18ec4c 23932131 7e3ee85f
        0000f0  01020000
Computed hash : 0x8f14be60
Windows attrib : 0x10
** freeing unallocated memory in secaudit.c line 2108
** freeing unallocated memory in secaudit.c line 2108
building permissions
Interpreted Unix owner 1000, group 1000, mode 0700
Posix descriptor :
    acccnt 3
    defcnt 3
    firstdef 3
    mode : 0700
    tagsset : 0x25
Posix ACL :
    version 2
    flags 0x00
ace 0 : access  USR-O   -1 perms 0007 rwx
ace 1 : access  GRP-O   -1 perms 0000 ---
ace 2 : access  OTHER   -1 perms 0000 ---
ace 3 : default USER     0 perms 0000 ---
ace 4 : default GROUP 1000 perms 0000 ---
ace 5 : default MASK    -1 perms 0007 rwx
** freeing unallocated memory in secaudit.c line 5017
No errors were found


Output of secaudit -v /media/win/Users/creller/test/win.txt:
Code:
secaudit 1.3.4 : NTFS security data auditing
File /media/win/Users/creller/test/win.txt
        000000  01000480 6c000000 88000000 00000000
        000010  14000000 02005800 03000000 00002400
        000020  ff011f00 01050000 00000005 15000000
        000030  5b18ec4c 23932131 7e3ee85f e8030000
        000040  00001400 ff011f00 01010000 00000005
        000050  12000000 00001800 ff011f00 01020000
        000060  00000005 20000000 20020000 01050000
        000070  00000005 15000000 5b18ec4c 23932131
        000080  7e3ee85f e8030000 01050000 00000005
        000090  15000000 5b18ec4c 23932131 7e3ee85f
        0000a0  01020000
Computed hash : 0xdde65837
Windows attrib : 0x20
** freeing unallocated memory in secaudit.c line 2108
** freeing unallocated memory in secaudit.c line 2108
building permissions
Interpreted Unix owner 1000, group 1000, mode 0700
** freeing unallocated memory in secaudit.c line 5017
No errors were found


Output of secaudit -v /media/win/Users/creller/test/tux.txt:
Code:
secaudit 1.3.4 : NTFS security data auditing     
File /media/win/Users/creller/test/tux.txt       
        000000  01000480 6c000000 88000000 00000000
        000010  14000000 02005800 03000000 00002400
        000020  00000010 01050000 00000005 15000000
        000030  5b18ec4c 23932131 7e3ee85f e8030000
        000040  00001400 00000010 01010000 00000005
        000050  12000000 00001800 00000010 01020000
        000060  00000005 20000000 20020000 01050000
        000070  00000005 15000000 5b18ec4c 23932131
        000080  7e3ee85f e8030000 01050000 00000005
        000090  15000000 5b18ec4c 23932131 7e3ee85f
        0000a0  01020000
Computed hash : 0x6a2b0e72
Windows attrib : 0x80
** freeing unallocated memory in secaudit.c line 2108
** freeing unallocated memory in secaudit.c line 2108
building permissions
Interpreted Unix owner 1000, group 1000, mode 0770
Posix descriptor :
    acccnt 6
    defcnt 0
    firstdef 6
    mode : 0770
    tagsset : 0x3f
Posix ACL :
    version 2
    flags 0x00
ace 0 : access  USR-O   -1 perms 0007 rwx
ace 1 : access  USER     0 perms 0000 ---
ace 2 : access  GRP-O   -1 perms 0000 ---
ace 3 : access  GROUP 1000 perms 0000 ---
ace 4 : access  MASK    -1 perms 0007 rwx
ace 5 : access  OTHER   -1 perms 0000 ---
** freeing unallocated memory in secaudit.c line 5017
No errors were found


Output of secaudit -v /media/win/Users/creller/windir:
Code:
secaudit 1.3.4 : NTFS security data auditing                                 
Directory /media/win/Users/creller/test/windir/                             
        000000  01000480 bc000000 d8000000 00000000                         
        000010  14000000 0200a800 06000000 00002400                         
        000020  ff011f00 01050000 00000005 15000000                         
        000030  5b18ec4c 23932131 7e3ee85f e8030000                         
        000040  000b2400 00000010 01050000 00000005                         
        000050  15000000 5b18ec4c 23932131 7e3ee85f                         
        000060  e8030000 00001400 ff011f00 01010000                         
        000070  00000005 12000000 000b1400 00000010                         
        000080  01010000 00000005 12000000 00001800                         
        000090  ff011f00 01020000 00000005 20000000                         
        0000a0  20020000 000b1800 00000010 01020000                         
        0000b0  00000005 20000000 20020000 01050000
        0000c0  00000005 15000000 5b18ec4c 23932131
        0000d0  7e3ee85f e8030000 01050000 00000005
        0000e0  15000000 5b18ec4c 23932131 7e3ee85f
        0000f0  01020000
Computed hash : 0x8f14be60
Windows attrib : 0x10
** freeing unallocated memory in secaudit.c line 2108
** freeing unallocated memory in secaudit.c line 2108
building permissions
Interpreted Unix owner 1000, group 1000, mode 0700
Posix descriptor :
    acccnt 3
    defcnt 3
    firstdef 3
    mode : 0700
    tagsset : 0x25
Posix ACL :
    version 2
    flags 0x00
ace 0 : access  USR-O   -1 perms 0007 rwx
ace 1 : access  GRP-O   -1 perms 0000 ---
ace 2 : access  OTHER   -1 perms 0000 ---
ace 3 : default USER     0 perms 0000 ---
ace 4 : default GROUP 1000 perms 0000 ---
ace 5 : default MASK    -1 perms 0007 rwx
** freeing unallocated memory in secaudit.c line 5017
No errors were found


Output of secaudit -v /media/win/Users/creller/test/tuxdir:
Code:
secaudit 1.3.4 : NTFS security data auditing                                 
Directory /media/win/Users/creller/test/tuxdir/                             
        000000  01000480 6c000000 88000000 00000000                         
        000010  14000000 02005800 03000000 000b2400                         
        000020  00000010 01050000 00000005 15000000                         
        000030  5b18ec4c 23932131 7e3ee85f e8030000                         
        000040  000b1400 00000010 01010000 00000005                         
        000050  12000000 000b1800 00000010 01020000                         
        000060  00000005 20000000 20020000 01050000
        000070  00000005 15000000 5b18ec4c 23932131
        000080  7e3ee85f e8030000 01050000 00000005
        000090  15000000 5b18ec4c 23932131 7e3ee85f
        0000a0  01020000
Computed hash : 0x6a36a4d0
Windows attrib : 0x10
** freeing unallocated memory in secaudit.c line 2108
** freeing unallocated memory in secaudit.c line 2108
building permissions
Interpreted Unix owner 1000, group 1000, mode 0700
Posix descriptor :
    acccnt 3
    defcnt 3
    firstdef 3
    mode : 0700
    tagsset : 0x25
Posix ACL :
    version 2
    flags 0x00
ace 0 : access  USR-O   -1 perms 0007 rwx
ace 1 : access  GRP-O   -1 perms 0000 ---
ace 2 : access  OTHER   -1 perms 0000 ---
ace 3 : default USER     0 perms 0000 ---
ace 4 : default GROUP 1000 perms 0000 ---
ace 5 : default MASK    -1 perms 0007 rwx
** freeing unallocated memory in secaudit.c line 5017
No errors were found


I hope this is of use for you. I'm not enough of an expert to say much. From an access permission point of view this seems perfectly right.

Thank you for the support

Christoph


Wed Apr 29, 2009 13:15
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: mount option inherit not working
Hi Christoph,

You have pinpointed a real bug. Thank you for having reported it and having supplied useful information to locate it.

In your situation, Windows uses a "generic_all" flag which is ignored (and should not be) in the inheritance process. As a consequence the inherited ACLs are generally wrong (both for Windows-type inheritance and Posix-type inheritance).

Please apply the attached patch to acls.c to fix Windows-type inheritance (the one you are using). The Posix-ACL inheritance will be fixed later.

Attachment:
acls.patch.gz [353 Bytes]


Regards

Jean-Pierre


Wed Apr 29, 2009 18:05
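Added example (not part of the original thread and not NTFS-3G code): a decoder for the secaudit hex display, fed with the tux.txt dump posted earlier in the thread, that lists DACL entries which apply to the file itself yet still carry generic access bits such as GENERIC_ALL (0x10000000), the flag named in the reply above. It assumes a self-relative descriptor with plain allow/deny ACEs; the function names are illustrative.

```python
import re
import struct

# Generic rights are the top four bits of a Windows access mask.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
INHERIT_ONLY = 0x08  # ACE flag: the entry applies to children only

# Hex display of tux.txt as posted in the thread (created before the patch).
TUX_TXT = """
000000  01000480 6c000000 88000000 00000000
000010  14000000 02005800 03000000 00002400
000020  00000010 01050000 00000005 15000000
000030  5b18ec4c 23932131 7e3ee85f e8030000
000040  00001400 00000010 01010000 00000005
000050  12000000 00001800 00000010 01020000
000060  00000005 20000000 20020000 01050000
000070  00000005 15000000 5b18ec4c 23932131
000080  7e3ee85f e8030000 01050000 00000005
000090  15000000 5b18ec4c 23932131 7e3ee85f
0000a0  01020000
"""

def dump_to_bytes(text):
    """Rebuild the raw descriptor from 'offset  word word ...' lines."""
    out = bytearray()
    for line in text.splitlines():
        m = re.fullmatch(r"\s*[0-9a-f]{6}\s+((?:[0-9a-f]{8}\s*)+)", line)
        if m:  # other secaudit lines (hash, Posix ACL, ...) are skipped
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)

def sid_at(buf, off):
    """Decode the SID stored at byte offset off into its S-1-... form."""
    count = buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (buf[off], authority, "-".join(map(str, subs)))

def parse_dacl(buf):
    """Return [(flags, mask, sid)] for the DACL of a self-relative descriptor."""
    dacl = struct.unpack_from("<I", buf, 16)[0]
    if dacl == 0:
        return []
    _rev, _sbz, acl_size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, dacl)
    aces, off = [], dacl + 8
    for _ in range(count):
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", buf, off)
        if size < 16 or off + size > min(len(buf), dacl + acl_size):
            raise ValueError("bad ACE size at offset 0x%x" % off)
        if ace_type in (0, 1):  # allow/deny ACEs: mask followed by one SID
            aces.append((flags, mask, sid_at(buf, off + 8)))
        off += size
    return aces

def unmapped_generic(aces):
    """ACEs that apply to the object itself yet still carry generic bits."""
    return [(sid, [name for bit, name in GENERIC.items() if mask & bit])
            for flags, mask, sid in aces
            if mask & 0xF0000000 and not flags & INHERIT_ONLY]

if __name__ == "__main__":
    for sid, rights in unmapped_generic(parse_dacl(dump_to_bytes(TUX_TXT))):
        print(sid, rights)
```

Run against the parent directory's dump, the same check stays silent, because there the 0x10000000 entries carry flags 0x0b and are inherit-only.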

Joined: Tue Apr 28, 2009 12:01
Posts: 5
Post Re: mount option inherit not working
Wow, that was quick!
Thank you very much Jean-Pierre.
I will apply the patch and report back. (I know you will be away for some weeks.)
Cheers
Christoph


Wed Apr 29, 2009 20:43

Joined: Tue Apr 28, 2009 12:01
Posts: 5
Post Re: mount option inherit not working
Hi Jean-Pierre,

With the patched driver I now have created a file tux2.txt and a directory tuxdir2, both created on Linux in /media/win/Users/creller/test.

What still puzzles me is the permission entries shown in Windows when I right-click the file (or subdirectory) and choose properties.

For all files and subdirectories created on Linux (tux.txt, tux2.txt, tuxdir, tuxdir2) each permission entry says "<not inherited>", while for all files and subdirectories created on Windows (win.txt, windir) all permission entries say "inherited from c:\Users\creller". The access rights are however the same in both cases. With one exception: tux2.txt has permission-flag "full control" not set.

As mentioned earlier, from a usability point of view this is just fine for me, since all access rights are correct.

Output of secaudit -v /media/win/Users/creller/test/tux2.txt:
Code:
secaudit 1.3.4 : NTFS security data auditing
File /media/win/Users/creller/test/tux2.txt
        000000  01000480 6c000000 88000000 00000000
        000010  14000000 02005800 03000000 00002400
        000020  bf011f00 01050000 00000005 15000000
        000030  5b18ec4c 23932131 7e3ee85f e8030000
        000040  00001400 bf011f00 01010000 00000005
        000050  12000000 00001800 bf011f00 01020000
        000060  00000005 20000000 20020000 01050000
        000070  00000005 15000000 5b18ec4c 23932131
        000080  7e3ee85f e8030000 01050000 00000005
        000090  15000000 5b18ec4c 23932131 7e3ee85f
        0000a0  01020000
Computed hash : 0x8de64ff7
Windows attrib : 0x80
** freeing unallocated memory in secaudit.c line 2108
** freeing unallocated memory in secaudit.c line 2108
building permissions
Interpreted Unix owner 1000, group 1000, mode 0700
** freeing unallocated memory in secaudit.c line 5017
No errors were found


Output of secaudit -v /media/win/Users/creller/test/tuxdir2:
Code:
secaudit 1.3.4 : NTFS security data auditing   
Directory /media/win/Users/creller/test/tuxdir2
        000000  01000480 6c000000 88000000 00000000
        000010  14000000 02005800 03000000 000b2400
        000020  ff011f00 01050000 00000005 15000000
        000030  5b18ec4c 23932131 7e3ee85f e8030000
        000040  000b1400 ff011f00 01010000 00000005
        000050  12000000 000b1800 ff011f00 01020000
        000060  00000005 20000000 20020000 01050000
        000070  00000005 15000000 5b18ec4c 23932131
        000080  7e3ee85f e8030000 01050000 00000005
        000090  15000000 5b18ec4c 23932131 7e3ee85f
        0000a0  01020000
Computed hash : 0xddf1f08d
Windows attrib : 0x10
** freeing unallocated memory in secaudit.c line 2108
** freeing unallocated memory in secaudit.c line 2108
building permissions
Interpreted Unix owner 1000, group 1000, mode 0700
Posix descriptor :
    acccnt 3
    defcnt 1
    firstdef 3
    mode : 0700
    tagsset : 0x25
Posix ACL :
    version 2
    flags 0x00
ace 0 : access  USR-O   -1 perms 0007 rwx
ace 1 : access  GRP-O   -1 perms 0000 ---
ace 2 : access  OTHER   -1 perms 0000 ---
ace 3 : default USR-O   -1 perms 0007 rwx
** freeing unallocated memory in secaudit.c line 5017
No errors were found


Regards,

Christoph


Thu Apr 30, 2009 09:22
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: mount option inherit not working
Hi Christoph,

In the latest release (2009.4.4AR.10), with the inherit option, the ACLs for new files should be more similar to those created by Windows. Be however aware that this enables dynamic inheritance from parent directories on Windows, whereas Linux only uses static inheritance, leading to differences in ACL interpretation, and poor security.

Regards

Jean-Pierre


Tue May 19, 2009 11:58