I can not access my externally connected SSD from my 2nd user account!

nokia808 · March 1, 2021, 7:11pm

Hello dears.

I have on my Fedora 2 user accounts:

1st user account that created during fresh installation of Fedora 24 (I’m upgraded my OS using command line since that till now & currently I’m on Fedora 32). This account has “su” / “sudo” / “polkit” powers (full root power).
2nd user account that I created it in specific way so that to be an isolated user account that can I run within it Windows games & application through WineHQ safely from risks of viruses & other harmful programs that could be run by WineHQ. This 2nd user is called “wineuser”. By default fedora configured so that any newly created user will be of no ability to use “sudo”. I further expand security on my system by disable “su” also for every newly created user. I did this by:

sudo vi /etc/pam.d/su
then uncomment the following line:
#auth required pam_wheel.so use_uid
to be just
auth required pam_wheel.so use_uid

I’m already did that before creation of “wineuser”. So, “wineuser” has no “su” power.
I extended the security & isolation of “wineuser” by disable it from use polkit to achieve root power. I did this by run following command after creation of “wineuser”:
sudo setfacl -m u:wineuser:— /usr/libexec/polkit-gnome-authentication-agent-1

Due to large sizes of new Windows games, I bought new SSD that I run it by install it inside external enclosure & connect enclosure through it’s specific cable to my laptop build in USB port. I bought this new SSD to install Windows games within it by make WineHQ prefix set by default to this new SSD.

After I bought new SSD, I format it from within my 1st user account (which has full power user), & I selected Ext4 as a filesystem. It was formated correctly without error & has no problem regarding read/write with my 1st user account.

The problem started when I login to “wineuser” & connected new SSD to my laptop. “wineuser” has no any right neither to read nor to write to the new SSD. I discovered that Ext4 filesystem has user & group owner ship security layer … I did not know about this before ! When I launch my laptop then directly login to “wineuser” then connect a USB stick or memory card with FAT32 / exFAT / NTFS I has no problem neither in read nor in write. But when I connect new SSD (Ext4) & tried to open it I received error message “you has no permission to read/write from this drive”.

I run “getfacl” command while external SSD was connected to laptop while I was login to my 1st user account. The output is bellow:

$ getfacl /run/media/my1stusername/external_ssd_name
getfacl: Removing leading '/' from absolute path names
# file: run/media/my1stusername/external_ssd_name
# owner: my1stusername
# group: my1stusername
user::rwx
group::---
other::---

Then I powered my laptop OFF then powered it ON & login directly to “wineuser”. Then I run “getfacl” command from within “wineuser” while I’m connecting external SSD to laptop. It gavve me exactly exactly same output:

$ getfacl /run/media/wineuser/external_ssd_name
getfacl: Removing leading '/' from absolute path names
# file: run/media/wineuser/external_ssd_name
# owner: my1stusername
# group: my1stusername
user::rwx
group::---
other::---

I conclude at 1st that I can manage this issue by using “setfacl” command from within 1st user account while new SSD mounted on it as following:
sudo setfacl -m u:wineuser:rwx /run/media/my1stusername/external_ssd_name

But later on I stop myself from doing that due to the following concerns:

does the performing the “setfacl” command in the way given above can allow “wineuser” to penetrate the way to my 1st user account ?? I mean by that: does including the path
"/run/media/my1stusername/"
will open the door or a backdoor for “wineuser” to penetrate to my 1st user account ?? If yes, then I will never perform this because it will break every thing from which I created “wineuser”. I like “wineuser” to be completely separated from 1st user account [& any other user(s) that I may created in feature] & not penetrate to it (them).
if I apply “setfacl” command, then does it will continue to be valid if I change name of my SSD later on ?
is there a better alternative way than “setfacl” command without breaking isolation feature of “wineuser” ?

If “setfacl” is dangerous & no other way, then I’m very ready to re-format SSD using NTFS filesystem & get out from this headache. In fact what make me so stick to Ext4 filesystem is that I read in Internet it is slightly faster than NTFS filesystem.

Thank you for your kind support.

augenauf · March 1, 2021, 7:52pm

I would try as follows:

Make the entire file system (ext4) be owned by a new group, let’s say it’s called ‘driveowner’. Then add your ‘1stuser’ and ‘wineuser’ to ‘driveowner’ group.
So both users have read and write access.
Is that what you want?

nokia808 · March 2, 2021, 10:16am

Hi.

I know how to create new group & how to add user(s) to it:

sudo groupadd driveowner
sudo usermod -a -G driveowner 1stuser
sudo usermod -a -G driverowner wineuser

is this okay ?

but how can I “make the entire file system (ext4) be owned by a new proup” ?
I did not grasp this !
I found, just few hrs ago, the following 2 links:
permissions - Change ownership of external drive - Ask Ubuntu

Though there is a difference from my issue in above 2 links, but It seem - kindly correct to me if wrong - the following could work:

sudo chown -R wineuser:wineuser /run/media/my1stusername/external_ssd_name

it will change owner ship (both user & group) from 1stuser to wineuser WITHOUT allow “wineuser” to access a path, or I’m wrong ?? But I think it will make external SSD not accessible by 1stuser ??

And what about “-R” flag ? Do I need it in my case ?

augenauf · March 2, 2021, 10:51am

Sorry, that was really not well phrased. What I meant is to transfer group ownership of directories and files of the filesystem concerned (the mounted 2nd drive in your case), including all sub-directories.

Take a look here: https://linuxize.com/post/linux-chown-command/

Also, the link you posted has a sentence about “[…] change only the group […]”

chown :<group> <file>

In our example that would be:

chown -R :driveowner /mountpoint

Alternatively, there is a chgrp command:

chgrp -R driveowner /mountpoint

The complete documentation of both comannds can be found here for example:

nokia808 · March 2, 2021, 12:20pm

Dear @florian if I follow the method to create new group “driveowner” then do I have to change the permission of group for SSD also ? It seem to me yes because already permissions for group are already set to - - -
This will need to use additional command: chmod or I’m wrong ?
I think this will make things more complicated ?

Does, instead, it is enough to preform:
"sudo chown -R wineuser:wineuser /run/media/my1stusername/external_ssd_name
Is there a side effect from last command, which seem easier ??

ilikelinux · March 3, 2021, 1:45am

Please check man chown in terminal , under options you find more info about -R