Mounting FS read-only for specific user (or root)

Andrew Bradford a-bb at
Fri Feb 22 19:14:04 UTC 2008

Mel wrote:
> On Thursday 21 February 2008 20:32:37 Andrew Bradford wrote:
>> Erik Norgaard escribió:
>>> I assume the reasoning for this is you want to preserve permissions
>>> and attributes on your backup, so you can't solve this simply by
>>> setting permissions appropriately.
>> Yes, exactly.  Users need to be able to see their own backups, and
>> nobody else's.
> Isn't this what acl's are for? See setfacl(8). I haven't looked into it in 
> great detail but seems to me that if you make a subdir owned by the user for 
> each backup root for that user and set the acl to only be accessible by user, 
> it should work.
After playing around with this for a bit, I took Erik's suggestion of 
mounting the backup directory rw in a root-specific area.  I didn't 
think it would work, but my understanding of the permission structure in 
UNIX is flawed, and it does work :)

The setup, for those interested, is as follows:

disk2 mounted read-write in /root/.backup
/root/.backup mounted using nullfs read-only in /backups

drwx------ root wheel /root
drwxr-xr-x root wheel /root/.backup
drwxr-xr-x root wheel /backups

This way, the permissions on /root prevents normal users from writing to 
the backup mount underneath it, even though they may own files and have 
write permissions on those files.

The permissions of the mount point allow users to view the contents and 
restore files, but not write to it because the nullfs mount (/backups) 
is read-only.  General users are unable to write to the read-write mount 
point (/root/.backup) because the permission of the parent directory 
(/root) is 700.

This allows the backup process to write to the backup filesystem, yet 
still prevents normal users from writing to it.

I think this setup could be improved as I'm simply relying on file 
permissions to keep the backup filesystem read-only for normal users.  
The problem is not having the ability to mount a filesystem read-write 
for a specific user -- regardless of the permissions of files on that 

Thanks Erik and Mel for the help with this!


More information about the freebsd-questions mailing list