Mounting FS read-only for specific user (or root)
a-bb at gmx.net
Fri Feb 22 19:14:04 UTC 2008
> On Thursday 21 February 2008 20:32:37 Andrew Bradford wrote:
>> Erik Norgaard escribió:
>>> I assume the reasoning for this is you want to preserve permissions
>>> and attributes on your backup, so you can't solve this simply by
>>> setting permissions appropriately.
>> Yes, exactly. Users need to be able to see their own backups, and
>> nobody else's.
> Isn't this what acl's are for? See setfacl(8). I haven't looked into it in
> great detail but seems to me that if you make a subdir owned by the user for
> each backup root for that user and set the acl to only be accessible by user,
> it should work.
After playing around with this for a bit, I took Erik's suggestion of
mounting the backup directory rw in a root-specific area. I didn't
think it would work, but my understanding of the permission structure in
UNIX is flawed, and it does work :)
The setup, for those interested, is as follows:
disk2 mounted read-write in /root/.backup
/root/.backup mounted using nullfs read-only in /backups
drwx------ root wheel /root
drwxr-xr-x root wheel /root/.backup
drwxr-xr-x root wheel /backups
This way, the permissions on /root prevents normal users from writing to
the backup mount underneath it, even though they may own files and have
write permissions on those files.
The permissions of the mount point allow users to view the contents and
restore files, but not write to it because the nullfs mount (/backups)
is read-only. General users are unable to write to the read-write mount
point (/root/.backup) because the permission of the parent directory
(/root) is 700.
This allows the backup process to write to the backup filesystem, yet
still prevents normal users from writing to it.
I think this setup could be improved as I'm simply relying on file
permissions to keep the backup filesystem read-only for normal users.
The problem is not having the ability to mount a filesystem read-write
for a specific user -- regardless of the permissions of files on that
Thanks Erik and Mel for the help with this!
More information about the freebsd-questions