Fedora make USB write only

Hello. I need to mount a usb device as mount only for cybersecurity purposes.
I have attempted the following

sudo mount -o rw /dev/sda1 /mnt/usb/{folder_path}
sudo chmod 222 /mnt/usb/{folder_path}

But looks like that no mater what i try the permissions are 755 all the time.

Is there anyway of fixing this?

One option could be to chmod the files on the drive itself rather than the mount, since if the drive would be remounted [by someone] then the original permissions would be lost. This would mean that it would be fully readable to the person (re)mounting it.

You can instead use a directory in the root of the drive that automatically adopts the desired permissions:

$ chmod -R 222 /mnt/usb/{folder_path}
$ chmod g+s /mnt/usb/{folder_path} 

All new files and directories created under {folder_path} will then automatically adopt the write permission scheme (or any other scheme that you prefer).

Edit: the g+s parameter above applies only to group permissions, you can set other types as desired. More information here:

https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits

1 Like

I am guessing at what you trying to do.

Swap thoses commands around.

sudo chmod 555 /mnt/usb/{folder_path}
sudo mount -o rw /dev/sda1 /mnt/usb/{folder_path}

Edit: fix perm from bad 222 to 555.

I think that is the way you make at least the top folder of the disk read-only.

A directory (any directory) that is read only cannot have any commands executed within that directory, not even ls or cd. It also may prevent user access to subdirectories.

I just tested by creating a directory chain on my system and found that even though I know the file path through that dir to the sub-dir it is impossible to see or move through that directory to subdirectories unless the execute bit is also set.

222 is write permissions for everyone, while 444 is read permissions.
However, the permissions would need to be minimum of 500 for even the user to access the directory and subdirs.

Files should be 444 for read permissions but directories must be 555 for read permissions.

1 Like

I do not need to access any info to this mount path, i just need to move a file into the usb device, nothing else. But despite all the previous recommendations i still cannot make it only writable. Can this be related to any SELinux rule?

A file can be write only.
A directory cannot since the system must be able to read the directory before it can write into it. The access a user has to that directory is exactly the access the system has in order to perform needed tasks.

Think of it like a file cabinet within an office. The secretary cannot organize the papers being filed without the ability to read the file folders. Just throwing something in with out being able to see where it is placed would lead to chaos. The system prevents that chaos by enforcing the need to read and execute actions within the directory before it can write there.

This is not related to selinux but is directly related to the linux file system permissions and that is based on unix permissions from more than 50 years back

You can remove the read permission for a directory. The effect is that you can’t list the contents of the directory, but you can create a file in it and you can remove it again. For opening a file in a directory you only need to execute permission.

Try it

mkdir /tmp/abc
chmod a-r /tmp/abc
ls -dl /tmp/abc
ls -l > /tmp/abc/def
cat /tmp/abc/def
ls /tmp/abc
rm /tmp/abc/def
rmdir /tmp/abc

understood thank you

However, at least for the owner, this same read permission denial does not apply to files in that directory nor sub-directories of that directory as is shown by the below.

$ mkdir /tmp/abc
$ chmod a-r /tmp/abc
$ mkdir /tmp/abc/def
$ ls > /tmp/abc/def/ghi
$ ls > /tmp/abc/jkl
$ cat /tmp/abc/def/ghi
CHECKSUM
SHA256SUMS.txt
ubuntu-24.04-preinstalled-desktop-arm64+raspi.img.xz
$ cat /tmp/abc/jkl
CHECKSUM
SHA256SUMS.txt
ubuntu-24.04-preinstalled-desktop-arm64+raspi.img.xz
$ ls -ld /tmp/abc
d-wx--x--x. 3 ME ME 80 Aug 22 09:24 /tmp/abc
$ ls -ld /tmp/abc/def
drwxr-xr-x. 2 ME ME 60 Aug 22 09:24 /tmp/abc/def
$ ls -ld /tmp/abc/def/ghi 
-rw-r--r--. 1 ME ME 77 Aug 22 09:25 /tmp/abc/def/ghi

The net effect is that I may not be able to get a listing of the contents of that directory but as long as I have the exact path & name of the files (and read permissions on the file itself) I can still access the content.

Permissions on the files and subdirectories depend upon the umask of the user that creates them. The default umask for most fedora users returned by the umask command is 0022 which means all directories created will have 755 permissions and all files will have 644 permissions.

For a USB device with a vfat file system you can mount with the option umask=444. Example

mount -oumask=444 /dev/sda1 /mnt

As root you get full access, but any other user can only create files or write to files.

1 Like

Would another user in that scenario still be able to remount the drive to another mount point without the umask?

They can. File managers usually are able to mount usb devices without special permission needed and then read everything on the device.