FAT Permissions

FAT (File Allocation Table) filesystems, such as those used by Windows or DOS, do not understand permissions. Everything is world readable, world writeable and world executable. This is fairly tolerable on a single-user system. It can lead to accidental damage to important system files, but is generally not a crippling problem. Trouble arises when you mount those partitions on a multi-user system. It really becomes a worry when anonymous connections are allowed to that system.

You can kludge around this limitation somewhat. When mounting a dossy partition, you can use the mount options for uid, gid and umask to give user ownership, group ownership and rwx permissions on a partition-wide level. Some examples will illustrate this better.

Suppose you have a group 'dos' with gid of 66 in your /etc/group file. These are people you trust with full use of dos on your system. They're competent, careful, understand the risks and are not likely to rewrite command.com or the registry.

A line in /etc/fstab:

/dev/hda1 /mnt/fat vfat defaults,gid=66 1 2

This gives group ownership to the dos group. But it doesn't provide protection from 'others' doing weird things to the directory.

Change the line to:

/dev/hda1 /mnt/fat vfat defaults,gid=66,umask=002 1 2

This not only gives ownership to the dos group, but it takes away write privileges from others. Think of the 'umask=' option as a way to _mask out_ the permissions you don't want. In this case we are not masking out any permissions for 'user' or 'group', only for 'others'. User and group masks are 0. The '2' masks the permission in the 2's place of the octal representation of 'rwx', which is the write bit.

Permission               umask (bitmask of permissions NOT present)
bin  oct  char           bin  oct
000  0    -r,-w,-x       111  7
001  1    -r,-w,+x       110  6
010  2    -r,+w,-x       101  5
011  3    -r,+w,+x       100  4
100  4    +r,-w,-x       011  3
101  5    +r,-w,+x       010  2
110  6    +r,+w,-x       001  1
111  7    +r,+w,+x       000  0

You use one of the oct digits to represent the permissions of each of 'user', 'group', 'others'.

So, a umask of 000 means the same as chmod 777, which gives everybody all permissions. A umask of 007 is the same as chmod 770, which gives user and group all permissions and gives others no permissions. A common permission set you will see is chmod 755, which gives the user all permissions, while the group and others get read and execute (+r-w+x) permissions. The umask for this is 022. Another common set is chmod 644: user=+r+w-x, group=+r-w-x, others=+r-w-x. This is umask=133.

Just remember that you are dealing with the entire fat or vfat partition. Everything on that mounted partition will be treated as if it had the permissions given by the umask. I don't think a umask=777 would be very useful. :)
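The following check is an added example, not part of the original page: it reads fstab-style lines, finds the fat/vfat entries, and reports the partition-wide mode each umask produces and whether 'others' can still write. The sample fstab text and the function names are constructed for illustration, and an entry with no umask= is treated as unmasked (000), as in the first example line above.

```python
import stat

# Constructed sample, modelled on the two fstab lines shown in the text.
SAMPLE_FSTAB = """\
# device   mountpoint  type  options                    dump pass
/dev/hda1  /mnt/fat    vfat  defaults,gid=66            1 2
/dev/hda2  /mnt/fat2   vfat  defaults,gid=66,umask=002  1 2
/dev/hda3  /home       ext2  defaults                   1 2
"""

def effective_mode(umask):
    """Permissions that remain after masking rwxrwxrwx with the umask."""
    return 0o777 & ~umask

def audit_fstab(text, assumed_default_umask=0o000):
    """Return one finding per fat/vfat entry in fstab-style text.

    assumed_default_umask is an assumption of this example: it is the
    mask applied when the entry carries no umask= option.
    """
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments
        if len(fields) < 4 or fields[2] not in ("vfat", "msdos"):
            continue
        # "gid=66" -> ("gid", "66"); bare "defaults" -> ("defaults", "")
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        if opts.get("umask"):
            umask = int(opts["umask"], 8)          # mount options are octal
        else:
            umask = assumed_default_umask
        mode = effective_mode(umask)
        findings.append({
            "mountpoint": fields[1],
            "gid": opts.get("gid"),
            "mode": "%03o" % mode,
            "rwx": stat.filemode(mode)[1:],        # strip file-type char
            "others_can_write": bool(mode & stat.S_IWOTH),
        })
    return findings

if __name__ == "__main__":
    for f in audit_fstab(SAMPLE_FSTAB):
        flag = "WORLD-WRITABLE" if f["others_can_write"] else "ok"
        print(f["mountpoint"], f["mode"], f["rwx"], "gid=%s" % f["gid"], flag)
```
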