Ownership, Permissions and User Mapping woes 

Joined: Fri Feb 10, 2012 19:37
Posts: 10
Ownership, Permissions and User Mapping woes
I have what I believe to be a pretty simple setup, but am having issues with the ownerships, permissions and User Mappings.

For Linux I have two main users, let's call them Admin and Anon. Admin is part of group 'wheel' and Anon is part of group 'staff'. When I create a new file I want it to take on the ownership of the active user. So if Admin creates a new text file, I want the ownership to be 'Admin wheel'. Same for Anon when he's logged in. Problem is, right now all files are given 'root admin' ownership and permissions set to 777 for access to everyone. Ideally I'd like permissions of files created by Admin to be 700 so Anon cannot access them. But files created by Anon to be 777 so Admin can access them.

Now on the Windows side. I also have a two user setup. A user with Administrator rights, the Administrator user. And a standard user called Anon. I want files created by Admin on the Linux side to be fully-controlled by Administrator on the Windows side. Also, I want a file created by Administrator in Windows to have the ownership of 'Admin wheel' for Linux and permissions set to 700.

Right now, my User Mapping file is something like this, where the first SID is for the Administrator user. The second is the Anon user in Windows. The 3rd SID is the Administrators group in Windows. And 4th SID is for the Interactive Users (standard) group.

Code:
Admin::S-1-5-21-487642363-1131151056-3707100398-500
Anon::S-1-5-21-487642363-1131151056-3707100398-1001
:wheel:S-1-5-32-544
:staff:S-1-5-4


My ntfs-3g.util options look like this:

Code:
# Default mount options for the driver.
DEFAULT_NTFS_MOUNT_OPTIONS="auto_xattr,noatime,auto_cache"
NTFS_PERMISSIONS_OPTIONS=""


I appreciate any help figuring this out.


Fri Feb 10, 2012 19:53
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Re: Ownership, Permissions and User Mapping woes
Hi,

Quote:
For Linux I have two main users, lets call them Admin and Anon. Admin is part of group 'wheel' and Anon is part of group 'staff'. When I create a new file I want it to take on the ownership of the active user. So if Admin creates a new text file, I want the ownership to be 'Admin wheel'. Same for Anon when he's logged in.

Ok so far, provided Admin and wheel are not root....
Quote:
Problem is, right now all files are given 'root admin' ownership and permissions set to 777 for access to everyone. Ideally I'd like permissions of files created by Admin to be 700 so Anon cannot access them. But files created by Anon to be 777 so Admin can access them.

You have to change ownership or permissions for files which were created before you set up the users' parameters. Permissions for new files are controlled by the umask parameter. In Admin's login script, you will put:
Code:
umask 077

and in Anon's login script, you will put:
Code:
umask 000

Quote:
Now on the Windows side. I also have a two user setup. A user with Administrator rights, the Administrator user. And a standard user called Anon.

To build a Linux-to-Windows mapping, you have to have the same organization of users and groups on both systems, otherwise you cannot control who can access what. The Windows administrator can only be mapped to root, and this is built-in (but the first Windows user has administrative rights though he is not the Administrator). If your two Linux (non-root) users have to be in different groups, they must be in different groups on Windows also.
Quote:
Also, I want a file created by Administrator in Windows to have the ownership of 'Admin wheel' for Linux and permissions set to 700.

Probably possible (if Administrator is the first user account, and Admin and wheel are not root).
Code:
Admin::S-1-5-21-487642363-1131151056-3707100398-500

This is strange. Normally Windows users have a SID whose last number is not less than 1000. This will probably be rejected.
Code:
Anon::S-1-5-21-487642363-1131151056-3707100398-1001

This is ok.
Code:
:wheel:S-1-5-32-544
:staff:S-1-5-4

These are not user SIDs, they are not mappable.

I suggest dropping some of your constraints (assuming the first Windows user has a SID ending in 1000):
Code:
Admin::S-1-5-21-487642363-1131151056-3707100398-1000
Anon::S-1-5-21-487642363-1131151056-3707100398-1001
:staff:S-1-5-21-487642363-1131151056-3707100398-513
::S-1-5-21-487642363-1131151056-3707100398-10000

The first Windows user will be mapped to Admin:staff, the second user will be mapped to Anon:staff (unless you set up two Windows groups, with two user-type SIDs). The last line may be useful for Linux system processes which have their own accounts (mail, printers, etc.). You will also have to set adequate permissions on Admin's directories to prevent Anon going there though he/she is in group staff.

Code:
DEFAULT_NTFS_MOUNT_OPTIONS="auto_xattr,noatime,auto_cache"

I do not know of any meaning for auto_xattr and auto_cache. If you want to use extended attributes, there is user_xattr (which is set by default).

Note: please create two files on Windows, one as "Administrator", the other as "Anon" and post the results of
Code:
ntfs-3g.secaudit -vv admin-file | grep 'dec S-1'
ntfs-3g.secaudit -vv anon-file | grep 'dec S-1'


Regards

Jean-Pierre


Fri Feb 10, 2012 23:35
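As an added illustration (not code from this thread or from ntfs-3g itself), the Python helper below does two things the reply above relies on: it converts the "hex" SID line printed by ntfs-3g.secaudit -vv into the usual decimal form (secaudit prints every sub-authority after S-1 in hexadecimal, as the O:hex/O:dec pairs later in the thread show), and it checks a UserMapping file against the rules Jean-Pierre states here: a user RID below 1000 is suspect, well-known SIDs such as S-1-5-32-544 (reserved for root) or S-1-5-4 are not mappable, and one SID can only translate to one Linux group. The checks are an approximation of those rules, not ntfs-3g's own parser; comment handling with '#' is an assumption, and the two sample mapping files are constructed from the ones quoted in this thread.

```python
"""Added illustration: decode ntfs-3g.secaudit SID output and sanity-check a UserMapping file.
The checks approximate the rules given in the reply above; they are not ntfs-3g's own code."""
import re

RESERVED_ROOT_SID = "S-1-5-32-544"  # built-in Administrators: ntfs-3g keeps this for root
MIN_USER_RID = 1000                  # normal Windows accounts get RIDs of 1000 and up
ACCOUNT_SID_PREFIX = "S-1-5-21-"     # machine/domain account and group SIDs start like this
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def secaudit_hex_to_dec(hex_sid):
    """Convert the 'hex' SID line of 'ntfs-3g.secaudit -vv' to the usual decimal SID.
    Every sub-authority after 'S-1' is printed in hexadecimal, so
    S-1-5-15-1d10d4fb-436bfed0-dcf5dcee-3ec is S-1-5-21-487642363-1131151056-3707100398-1004."""
    parts = hex_sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % hex_sid)
    return "S-1-" + "-".join(str(int(p, 16)) for p in parts[2:])


def check_user_mapping(text):
    """Check UserMapping text (lines of user:group:SID; '::SID' is the default mapping).
    Returns a list of (line number, message); an empty list means nothing was flagged.
    Lines starting with '#' are skipped (assumption: treated as comments)."""
    findings = []
    group_for_sid = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            findings.append((lineno, "expected user:group:SID, got %r" % line))
            continue
        user, group, sid = fields
        if not SID_RE.match(sid):
            findings.append((lineno, "malformed SID %r" % sid))
            continue
        if sid == RESERVED_ROOT_SID:
            findings.append((lineno, "%s is reserved for root, not mappable" % sid))
            continue
        if not sid.startswith(ACCOUNT_SID_PREFIX):
            # e.g. S-1-5-4 (Interactive): a well-known group, not an account SID
            findings.append((lineno, "%s is not a user or group account SID, not mappable" % sid))
            continue
        rid = int(sid.rsplit("-", 1)[1])
        if user and rid < MIN_USER_RID:
            findings.append((lineno, "user %s has RID %d (below %d), likely rejected" % (user, rid, MIN_USER_RID)))
        if group:
            seen = group_for_sid.setdefault(sid, group)
            if seen != group:
                findings.append((lineno, "SID %s already mapped to group %s" % (sid, seen)))
    return findings


# Constructed sample: the mapping file from the first post in this thread.
ORIGINAL_MAPPING = """\
Admin::S-1-5-21-487642363-1131151056-3707100398-500
Anon::S-1-5-21-487642363-1131151056-3707100398-1001
:wheel:S-1-5-32-544
:staff:S-1-5-4
"""

# Constructed sample: the mapping file suggested in the reply above.
SUGGESTED_MAPPING = """\
Admin::S-1-5-21-487642363-1131151056-3707100398-1000
Anon::S-1-5-21-487642363-1131151056-3707100398-1001
:staff:S-1-5-21-487642363-1131151056-3707100398-513
::S-1-5-21-487642363-1131151056-3707100398-10000
"""

if __name__ == "__main__":
    print(secaudit_hex_to_dec("S-1-5-15-1d10d4fb-436bfed0-dcf5dcee-3ec"))
    for lineno, msg in check_user_mapping(ORIGINAL_MAPPING):
        print("line %d: %s" % (lineno, msg))
    print("suggested file findings:", check_user_mapping(SUGGESTED_MAPPING))
```

Run as a script, it flags lines 1, 3 and 4 of the original mapping file (RID 500, S-1-5-32-544, S-1-5-4) and reports nothing for the suggested file. Remember that ntfs-3g reads the mapping at mount time, so after editing the file the volume has to be unmounted and mounted again.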

Joined: Fri Feb 10, 2012 19:37
Posts: 10
Re: Ownership, Permissions and User Mapping woes
Thank you for the prompt reply. One thing that's not clear from your response is why I'd still be having new files created in Linux have the ownership of 'root admin', even when I'm creating them with non-root users Admin or Anon. I understand existing files will have the default ownership of 'root', but it's odd that newly created files are also root.

As for the user mapping. To avoid any issues, instead of trying to use the built-in Administrator user (which is that user SID of 500) in Windows, I created a new user, also with Administrator privileges, as Admin. This I wish to map to my non-root user in Linux also named Admin.

For the Windows user Anon, it's pretty straight forward, since he's a Standard user. The output of secaudit reveals the following.

Code:
Owner SID
    Local user-1004 SID
    O:hex S-1-5-15-1d10d4fb-436bfed0-dcf5dcee-3ec
    O:dec S-1-5-21-487642363-1131151056-3707100398-1004
Group SID
    Local users SID
    G:hex S-1-5-15-1d10d4fb-436bfed0-dcf5dcee-201
    G:dec S-1-5-21-487642363-1131151056-3707100398-513


But for the Admin user, which has Administrator privileges, it doesn't seem as straightforward.

Code:
Owner SID
    Local admins SID
    O:hex S-1-5-20-220
    O:dec S-1-5-32-544
Group SID
    Local users SID
    G:hex S-1-5-15-1d10d4fb-436bfed0-dcf5dcee-201
    G:dec S-1-5-21-487642363-1131151056-3707100398-513


It seems to be using the Administrators group (or Local admins SID) for the Owner SID. The owner SID is really S-1-5-21-487642363-1131151056-3707100398-1002. But I also wouldn't expect the group SID that Admin has (an Administrator account) to be the same as the Anon user (a Standard account). Seems odd that they'd both be 513. And if they are the same group, how would I handle the mapping to separate groups in Linux (Admin being wheel, and Anon being staff)?

Thanks!


Sat Feb 11, 2012 02:30

Joined: Fri Feb 10, 2012 19:37
Posts: 10
Re: Ownership, Permissions and User Mapping woes
Disregard that last part. The two users in Linux are both part of the 'staff' group, so that simplifies things. They will both map to the SID 513 in Windows. I guess the main question is why newly created files have 'root' ownership by default for my NTFS-3G mounted volume, and not the individual users that actually created them.


Sat Feb 11, 2012 02:48

Joined: Fri Feb 10, 2012 19:37
Posts: 10
Re: Ownership, Permissions and User Mapping woes
Hmm...seems as though the incorrect user mapping I had in the past was the source of all my problems. I fixed it and was able to touch a file in Linux and see that it had the correct user and group ownership. However, for some odd reason I restarted my system after all seemed good and now it's telling me that the NTFS-3G partition is a read-only partition in Linux. No warnings or errors in the log file, nor did I change any mount options. Any ideas?


Sat Feb 11, 2012 03:09

Joined: Fri Feb 10, 2012 19:37
Posts: 10
Re: Ownership, Permissions and User Mapping woes
Just as a follow up. Seems when I have the read-only filesystem problems, the volume is mounted as the user which logged in and not as root as you would expect. So the ownership of say /Volumes/FILES is not root, but either Admin or Anon depending on who logged in.


Sat Feb 11, 2012 05:15
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Re: Ownership, Permissions and User Mapping woes
Hi,

Quote:
One thing that's not clear from your response is why I'd still be having new files created in Linux have the ownership of 'root admin', even when I'm creating them with non-root users Admin or Anon.

On Linux, Linux rules are used. Newly created files are owned by the user who created them (and his/her default group).
Quote:
It seems to be using the Administrators group (or Local admins SID) for the Owner SID. The owner SID is really S-1-5-21-487642363-1131151056-3707100398-1002. But I also wouldn't expect the group SID that Admin has (a Adminstrator account) to be the same as the Anon user (a Standard account).

Your sample file was probably not created by a Windows user (even first user). It was probably created on Linux at a time no user mapping was set up. On a basic Windows installation, all users are in the same group (you need specific tools to create new groups).
Quote:
And if they are the same group, how would I handle the mapping to separate groups in Linux (Admin being wheel, and Anon being staff)?

You cannot, if the users are in the same group in Windows (which is the usual case), they have to be in the same group in Linux (a single group SID has to be translated to a single Linux gid).
Quote:
I guess the main question is why newly created files have 'root' ownership by default for my NTFS-3G mounted volume, and not the individual users that actually created them.

This should not be like that. Do not forget that the user mappings are processed at mount time. You have to unmount and mount again for the changes to take effect.
Quote:
Hmm...seems as though the incorrect user mapping I had in the past was the source of all my problems. I fixed it and was able to touch a file in Linux and see that it had the correct user and group ownership.

Good news.
Quote:
Just as a follow up. Seems when I have the read-only filesystem problems, the volume is mounted as the user which logged in and not as root as you would expect. So the ownership of say /Volumes/FILES is not root, but either Admin or Anon depending on how logged in.

This is generally the case for pluggable devices. It is a security measure to prevent malware. Is this a problem? The device is assumed to be owned by the user who logs in. You can probably overcome this by creating an /etc/fstab entry designating the partition by its uuid (not sure about it).

Also note: the first-level directories have to be created by root, who can then change ownership and permissions to a normal user.

Regards

Jean-Pierre


Sat Feb 11, 2012 09:44
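As an added example (not from this thread and not ntfs-3g code), the Python snippet below shows what the two remarks above amount to on Linux: a newly created file belongs to the uid/gid of the process that created it, and its mode is the requested mode masked by the umask, so umask 077 from the earlier reply gives 600 files and 700 directories while umask 000 gives 666 files and 777 directories. It runs in a temporary directory on any Unix filesystem, so it illustrates the Linux rules rather than anything NTFS-specific; the file and directory names are constructed for the demo.

```python
"""Added illustration of Linux ownership and umask rules for newly created files.
Not ntfs-3g code: it works on any Unix filesystem, using a temporary directory."""
import os
import stat
import tempfile


def create_with_umask(directory, name, mask, is_dir=False):
    """Create `name` in `directory` while the process umask is `mask`, then restore the old umask.
    Returns (permission bits, owner uid, owner gid) as the kernel recorded them."""
    path = os.path.join(directory, name)
    old = os.umask(mask)
    try:
        if is_dir:
            os.mkdir(path, 0o777)  # 0777 requested, umask applied by the kernel
        else:
            # Files ask for 0666: Linux never creates a plain file executable, whatever the umask.
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
            os.close(fd)
    finally:
        os.umask(old)
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid


def demo_modes():
    """Create one file and one directory under each umask from the earlier reply.
    Returns {label: permission bits}."""
    with tempfile.TemporaryDirectory() as d:
        return {
            "admin_file": create_with_umask(d, "admin.txt", 0o077)[0],          # umask 077
            "admin_dir": create_with_umask(d, "admin.d", 0o077, is_dir=True)[0],
            "anon_file": create_with_umask(d, "anon.txt", 0o000)[0],            # umask 000
            "anon_dir": create_with_umask(d, "anon.d", 0o000, is_dir=True)[0],
        }


def file_owned_by_creator():
    """True when a fresh file is owned by the creating process's uid: the Linux rule that
    the reply refers to (the gid is the process's gid too unless the directory is setgid)."""
    with tempfile.TemporaryDirectory() as d:
        _, uid, _gid = create_with_umask(d, "probe.txt", 0o022)
    return uid == os.getuid()


if __name__ == "__main__":
    for label, mode in demo_modes().items():
        print("%-10s %s" % (label, oct(mode)))
    print("owned by creator:", file_owned_by_creator())
```

The file results (600 and 666) rather than 700 and 777 are the reason an .exe saved from Linux is not executable unless the directory's NTFS rules say otherwise, which is what the later replies in this thread discuss.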

Joined: Fri Feb 10, 2012 19:37
Posts: 10
Re: Ownership, Permissions and User Mapping woes
It was not an external drive, but I got everything working now. I had moved my HOME directory to this other NTFS Volume, and in the process of tinkering with everything (well before my User Mapping file was finalized) I had probably screwed up all of my permissions in my $HOME. I decided to reformat the partition, copy over the correct User Mapping file and start from scratch. All seems to be working well now. Thanks for the help.


Sat Feb 11, 2012 16:49

Joined: Fri Feb 10, 2012 19:37
Posts: 10
Re: Ownership, Permissions and User Mapping woes
Looks like I spoke just a bit too soon :) Mostly everything is in fact working the way I want, with one minor hiccup.

If I save a file in Linux with say the Admin user, the file permissions aren't set as I would expect in Windows. Executable (.exe) files if saved in Linux and then tried to run in Windows with the mapped Admin user, it complains that I don't have proper permissions to run the file. Same thing for archives, like a .zip file that contains an .exe. If saved from a website in Linux and then extracted and run in Windows, same executable permission problems.

I think this stems from the fact that a file created by the Admin user (an Administrator user) in Windows is assigned an owner SID of S-1-5-32-544, as shown by secaudit. This is despite the fact that the Admin user is really S-1-5-21-487642363-1131151056-3707100398-1002. Could I use S-1-5-32-544 in the User Mapping file? Is this a limitation of NTFS-3G, in that it doesn't support Administrator users in Windows? (meaning users with Administrator privileges. I'm not referring to the built-in user called Administrator)

Code:
Owner SID
    Local admins SID
    O:hex S-1-5-20-220
    O:dec S-1-5-32-544
Group SID
    Local users SID
    G:hex S-1-5-15-1d10d4fb-436bfed0-dcf5dcee-201
    G:dec S-1-5-21-487642363-1131151056-3707100398-513


Mon Feb 13, 2012 04:25

Joined: Fri Feb 10, 2012 19:37
Posts: 10
Re: Ownership, Permissions and User Mapping woes
OK, not sure if it was related to this. But I applied file permission changes to my FILES partition in Windows and all sub-folders and now when I save an .exe in Linux and try running in Windows there's no issues.

However, I'm still having problems with archives. But this does not seem to be a problem with NTFS-3G. When I save an archive, whether in Windows or Linux, onto my FILES partition and extract the files, the ownership of the extracted files is owned by Administrators in Windows and not my created Admin user. This prevents me from being able to run executables extracted from this archive. I've never had such a problem with users in Windows with Administrative privileges, so I have to imagine it's somehow related to all the tweaking I've done to get things working well with NTFS-3G.


Mon Feb 13, 2012 05:31

Joined: Fri Feb 10, 2012 19:37
Posts: 10
Re: Ownership, Permissions and User Mapping woes
I know I'm having a dialog with myself here, but I figured this could potentially help someone else down the road. Turns out that my FILES partition did not have Full Control given to the SYSTEM user for it and all files and folders in it. Now all is well.


Mon Feb 13, 2012 06:00
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Re: Ownership, Permissions and User Mapping woes
Hi,

Quote:
If I save a file in Linux with say the Admin user, the file permissions aren't set as I would expect in Windows. Executable (.exe) files if saved in Linux and then tried to run in Windows with the mapped Admin user, it complains that I don't have proper permissions to run the file. Same thing of archives, like a .zip file that contain an .exe. If saved from a website in Linux and then extracted and run in Windows, same executable permission problems.

Ok. Windows and Linux have different protection policies. Windows generally defaults to all files being executable (hence prone to malware), and Linux defaults to files not being executable. This policy is recorded in the directory into which a file is created, so if you want a directory for downloads in which the files are executable by default, you have to create this directory by Windows. In directories created by Linux, files downloaded by Windows will not be executable, and files downloaded by Linux are never executable.
(I need to put this into the FAQ)
Quote:
I think this stems from the fact that a file created by the Admin user (an Administrator user) in Windows is assigned an owner SID of S-1-5-32-544, as shown by secaudit.

That should not be the case. Such a file has probably been created by Linux root, or it has been created by a system-level service.
Quote:
Could I use S-1-5-32-544 in the User Mapping file? Is this a limitation of NTFS-3G, in that it doesn't support Administrator users in Windows? (meaning users with Administrator privileges. I'm not referring to the built-in user called Administrator)

Only users can be put into the mapping file. There is too much difference between the system services in Linux and Windows. The S-1-5-32-544 is reserved for root which maps to the built-in Windows Administrator, but you cannot log in as a Windows Administrator, you can only log in as a normal user (who may have administrative privileges). This is not a limitation of ntfs-3g, this is part of the Windows security policy.
Quote:
OK, not sure if it was related to this. But I applied file permission changes to my FILES partition in Windows and all sub-folders and now when I save an .exe in Linux and try running in Windows there's no issues.

Yes, this is what I meant above: you have set up directory rules for files being executable by default on Windows. Files downloaded by Windows will now be executable on Linux too. This is considered dangerous. Having a special directory for downloads is a safe measure.
Quote:
When I save an archive, whether in Windows or Linux, onto my FILES partition and extract the files, the ownership of the extracted files is owned by Administrators in Windows and not my created Admin user. This prevents me from being able to run executables extracted from this archive.

What kind of archiver are you using? The ownership of a file is generally stored into the archive (at least with tar). If the file was owned by root when you created the archive, it remains owned by root when you extract it.
Quote:
so I have to imagine it's somehow related to all the tweaking I've done to get things working well with NTFS-3G.

Most probably your unarchiver wants to restore the original ownership (this is not possible on Windows).
Quote:
Turns out that my FILES partition did not have Full Control given to the SYSTEM user for it and all files and folders in it. Now all is well.

If you have a directory with a bad behavior caused by its inheritance rules, better recreate it (either on Windows or Linux depending on whether you want files being executable by default or not), move the files into the new directory, then rename the directory.

Regards

Jean-Pierre


Mon Feb 13, 2012 10:04

Joined: Fri Feb 10, 2012 19:37
Posts: 10
Re: Ownership, Permissions and User Mapping woes
I realize you probably started to respond to my earlier posts, but all of my frustrations boiled down to having funky permissions in Windows, including the executable issue. For one, all of my files had the EVERYONE user group set up on them, which was causing a lot of conflicts. I removed that, made sure SYSTEM had full control over everything, that Administrators had full control over everything, and set the Users user group to have basic read and executable permissions.

Long story short, once I got the proper User Mapping file squared away and fixed my Windows permissions everything worked out perfectly.


Mon Feb 13, 2012 16:18