Remove permission to FAT32 boot partition
- Argo Navis
- White ninja
- Posts: 25
- Joined: 29 Feb 2024, 21:52
- Distribution: Porteus 5.01
Hello! Please excuse my poor understanding of the concepts and the vocabulary I'm using, I am learning Porteus but it is still a big mystery for me.
I am trying to do something that appears simple, but nothing I have tried has worked.
I have installed the /boot files on a fat32 partition and the /porteus files on an ext4 partition. I am trying to remove access to the fat32 partition to regular users: I don't want them to be able to stash a document there in a Windows session and then be able to retrieve it from their Porteus session.
I have tried various scripts in rc.local to be run at boot. I tried to remove permissions in fstab, but it says there is no fstab. I tried copy2ram cheatcode + unmount the fat32 partition, but it says the partition is not mounted (although it is in the file explorer after booting). I tried chattr to make the partition immutable, but it does not find the path to the partition.
Maybe it is me that is entering this all wrong. Anyway, if somebody has any idea how to cut access to that booting partition, I will take anything at this point.
Thanks!
- Ed_P
- Contributor
- Posts: 8374
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
> Argo Navis wrote: ↑26 Mar 2024, 01:12
> I have installed the /boot files on a fat32 partition and the /porteus files on an ext4 partition. I am trying to remove access to the fat32 partition to regular users : I don't want them to be able to stash a document there in a Windows session and then be able to retrieve it from their Porteus session.

It sounds like you're installing the Porteus files onto a removable drive and when you boot the removable drive you want to restrict access to the drive's FAT32 partition. What about access to the machine's hard drive when Porteus is booted, how are you planning to limit that? Can that approach be used for the FAT32 drive also?
Ed
- Argo Navis
- White ninja
- Posts: 25
- Joined: 29 Feb 2024, 21:52
- Distribution: Porteus 5.01
That's the thing precisely: in order to prevent the mounting of the machine's hard drive, I use the cheatcode noauto. User's permissions prevent mounting of hard drive, internal or external, so in order to mount the machine's hard drive, user has to enter admin password. But it does not apply to the FAT32 partition with the boot directory. It comes mounted and user can unmount and mount at will, no password asked.
After that I tried using cheatcode copy2ram so that I could unmount the booting partition, with a script in rc.local to unmount the fat32 partition after the booting process is done. That did not work either, it says the partition is not found, although it is definitely mounted and accessible once the desktop has loaded.
(By the way, how can I see the information displayed during booting once the desktop gui has loaded? It goes too fast and I can't read everything.)
- Ed_P
- Contributor
- Posts: 8374
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
> Argo Navis wrote: ↑27 Mar 2024, 12:31
> a script in rc.local to unmount the fat32 partition after the booting process is done.

Can you post it?

> Argo Navis wrote: ↑27 Mar 2024, 12:31
> how can I see the information displayed during booting once the desktop gui has loaded?

Basically there are 4 logs in the /var/log/ folder that should prove helpful. This is a script I have used to review them that may help.
Code: Select all
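#!/bin/sh
# Re-run the script as root when it is started by a regular user.
if [ "$(whoami)" != "root" ]; then
    echo "Enter root's password"
    su -c "sh $0 $1 $2"
    exit
fi
# https://forum.porteus.org/viewtopic.php?p=87985#p87985 - Blaze
# dmesg --level=err,warn -L=never   #-L = colorize messages (auto, always or never)
# Log file to search, relative to /var/log (uncomment one).
LOG=syslog
#LOG=porteus-livedbg
#LOG=messages
#LOG=Xorg.0.log
# Default search term (uncomment one); the first argument overrides it.
GREP=firmware
#GREP=adv-lite
#GREP=wifi
#GREP=TouchPad
#GREP=save.dat
if [ "$1" != "" ]; then GREP=$1; fi
echo "cat /var/log/$LOG | grep $GREP "
cat "/var/log/$LOG" | grep "$GREP"
# Keep the terminal window open until Enter is pressed.
read && exit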
Ed
- Argo Navis
- White ninja
- Posts: 25
- Joined: 29 Feb 2024, 21:52
- Distribution: Porteus 5.01
> Can you post it?

The way I tried to remove the permissions to mount partitions is by adding this file : /changes/etc/polkit-1/localauthority/50-local.d/10-udisks2.pkla
with this code:
Code: Select all
Identity=unix-user:*
Action=org.freedesktop.udisks2.filesystem-mount
ResultAny=no
ResultInactive=no
ResultActive=no
Then, in rc.local, I added this line to unmount the fat32 partition after having booted with copy2ram :
Code: Select all
umount /dev/disk/by-uuid/D939-BF33
*Edited* I managed to read really fast, as I could find anything relevant in the logs, and the message at boot is actually "umount /dev/disk/by-uuid/D939-BF33: mount point not specified".
-
- Full of knowledge
- Posts: 400
- Joined: 02 Jan 2011, 18:41
- Distribution: Porteus 5.0-RC1
- Location: In a hayfield
@Argo Navis
> Argo Navis wrote: ↑26 Mar 2024, 01:12
> I tried to remove permissions in fstab, but it says there is no fstab.

Did you specify /etc/fstab?
I use the following command in /etc/rc.d/rc.local so regular users will not be able to mount the fat32 partition:
Code: Select all
sed -i 's/vfat users,/vfat /g' /etc/fstab
The command removes the word "users", so only root can mount the partition. Also, using the "noauto" cheatcode, the partition won't be mounted after booting.
- Ed_P
- Contributor
- Posts: 8374
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
> Argo Navis wrote: ↑27 Mar 2024, 22:19
> Then, in rc.local, I added this line to unmount the fat32 partition after having booted with copy2ram :
> Code: Select all
> umount /dev/disk/by-uuid/D939-BF33

Once booted the drive doesn't need the uuid name, the drive has been found and mounted. unmount /mtn/disk/sda1 or sda2 or sdb1 should work better.
Ed
- Argo Navis
- White ninja
- Posts: 25
- Joined: 29 Feb 2024, 21:52
- Distribution: Porteus 5.01
> I use the following command in /etc/rc.d/rc.local so regular users will not be able to mount the fat32 partition:
> Code: Select all
> sed -i 's/vfat users,/vfat /g' /etc/fstab
> The command removes the word "users", so only root can mount the partition. Also, using the "noauto" cheatcode, the partition won't be mounted after booting.

I tried your line of code and it does not change anything, the fat partition is still mounted and accessible. If I look at the partition's permissions, it still says the owner is 'guest'.
It does not help that I can't see the output of the scripts I put in rc.local. I tried looking in /var/log, but there are a lot of lines of code among many files and I can't find anything relevant to rc.local.
For example, I tried another approach of making a reference copy of all directories and files in the boot partition. I added a script (see below) to rc.local to erase all files and directories in the fat32 partition, then to copy back the reference files. It did not work, my 'smuggled file' is still there. I am pretty sure I made mistakes in my code, but I cannot look at any output, so I don't know what to correct.
Code: Select all
rm -rf /mnt/sda1/*
cp -r /etc/rc.d/bootbkp/* /mnt/sda1
- Ed_P
- Contributor
- Posts: 8374
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
> Argo Navis wrote: ↑28 Mar 2024, 19:07
> to rc.local to erase all files and directories in the fat32 partition, then to copy back the reference files.

What are "reference files" and why copy them back?

> Argo Navis wrote: ↑28 Mar 2024, 19:07
> It does not help that I can't see the output of the scripts I put in rc.local.

Manually execute the commands, and scripts, in a terminal window.

> Argo Navis wrote: ↑28 Mar 2024, 19:07
> Code: Select all
> rm -rf /mnt/sda1/*
> cp -r /etc/rc.d/bootbkp/* /mnt/sda1

I may be wrong but I think you want:
Code: Select all
rm -rf /mnt/sda1/
cp -r /etc/rc.d/bootbkp/* /mnt/sda1/
Ed
- Argo Navis
- White ninja
- Posts: 25
- Joined: 29 Feb 2024, 21:52
- Distribution: Porteus 5.01
@Ed_P : Yes, you are right, that small change fixed it! When I run this script in terminal, it works. But then, if I put it in rc.local, nothing happens...
I think the problem lies with the order in which booting occurs and rc.local gets called. I tried another approach. I made a whitelist of all the files I wanted to keep in the boot partition and wrote a script to remove any other file:
Code: Select all
#!/bin/bash
# Define whitelist
WHITELIST=(
    "/mnt/sda1/EFI/boot/bootx64.efi"
    "/mnt/sda1/EFI/boot/chain.c32"
    "/mnt/sda1/EFI/boot/ldlinux.e64"
    "/mnt/sda1/EFI/boot/libcom32.c32"
    "/mnt/sda1/EFI/boot/libmenu.c32"
    "/mnt/sda1/EFI/boot/libutil.c32"
    "/mnt/sda1/EFI/boot/linux.c32"
    "/mnt/sda1/EFI/boot/menu.c32"
    "/mnt/sda1/EFI/boot/syslinux.c32"
    "/mnt/sda1/EFI/boot/syslinux.cfg"
    "/mnt/sda1/EFI/boot/vesamenu.c32"
    "/mnt/sda1/boot/syslinux/isolinux.boot"
    "/mnt/sda1/boot/syslinux/isolinux.bin"
    "/mnt/sda1/boot/syslinux/chain.c32"
    "/mnt/sda1/boot/syslinux/extlinux.conf"
    "/mnt/sda1/boot/syslinux/initrd.xz"
    "/mnt/sda1/boot/syslinux/isolinux.cfg"
    "/mnt/sda1/boot/syslinux/ldlinux.c32"
    "/mnt/sda1/boot/syslinux/libcom32.c32"
    "/mnt/sda1/boot/syslinux/libutil.c32"
    "/mnt/sda1/boot/syslinux/lilo.conf"
    "/mnt/sda1/boot/syslinux/plpbt"
    "/mnt/sda1/boot/syslinux/porteus.cfg"
    "/mnt/sda1/boot/syslinux/splash.png"
    "/mnt/sda1/boot/syslinux/pxelinux.0"
    "/mnt/sda1/boot/syslinux/reboot.c32"
    "/mnt/sda1/boot/syslinux/syslinux.cfg"
    "/mnt/sda1/boot/syslinux/vesamenu.c32"
    "/mnt/sda1/boot/syslinux/vmlinuz"
)
# Define mount point of BOOT partition
BOOT_PARTITION="/mnt/sda1"
# Traverse through BOOT partition
find "$BOOT_PARTITION" -type f | while read -r file; do
    if ! [[ " ${WHITELIST[*]} " =~ " $file " ]]; then
        echo "Removing $file"
        rm "$file"
    fi
done
echo "Cleanup complete!"
If I run this script in terminal, it works perfectly. But if I call the same script in rc.local, the extra files are not deleted, although echo "Cleanup complete!" does print to the console.
So is it possible that a script in rc.local will not touch to the booting partition, even if I use cheatcode copy2ram?
- Ed_P
- Contributor
- Posts: 8374
- Joined: 06 Feb 2013, 22:12
- Distribution: Cinnamon 5.01 ISO
- Location: Western NY, USA
Which one? The rm one or the cp one?

> Argo Navis wrote: ↑30 Mar 2024, 00:23
> So is it possible that a script in rc.local will not touch to the booting partition,

Well:

> /etc/rc.d/rc.local wrote:
> # /etc/rc.d/rc.local: Local system initialization script.

I don't think what you are attempting is part of the booting/initialization process. And I think your latest script is overboard for wanting to dismount a drive. But impressive coding.
Create a script that dismounts the mounted boot drive. Test it in terminal. Then create a .desktop file that executes the script and put it in /home/guest/.config/autostart (or /etc/xdg/autostart) folder. This is a desktop file I use when booting:
Touchpad.desktop
Code: Select all
[Desktop Entry]
Name=Touchpad
Exec=sh /home/guest/touchpad.sh X
Icon=/usr/share/pixmaps/porteus/tools.png
Terminal=false
Type=Application
Name[en_US]=Touchpad
StartupNotify=false
Once you get the script and desktop files to work, move the script to the /root and change the desktop's exec to "Exec=sh /root/".... This way users without root access can't see it.
Ref your whitelist script: what happens if the USB drive mounts as sdb1?
Ed
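An added example, not part of any post in this thread: a script that unmounts the FAT32 boot partition by its filesystem UUID instead of a fixed /mnt/sda1 path, so it still works when the drive appears as sdb1, and that writes what it did to a log file so the result can be read after the desktop has loaded. The UUID is the one quoted in the thread; the log path, the function names and the `--run` switch are assumptions, and the script has to run as root.

```shell
#!/bin/sh
# Added example: unmount the boot partition by filesystem UUID, whatever
# device name (sda1, sdb1, ...) and mount point it received. Run as root.
BOOT_UUID="D939-BF33"                # UUID quoted in the thread
LOGFILE="/var/log/umount-boot.log"   # assumed log path, not a Porteus default

# Print each mount point of device $1 listed in a /proc/mounts-style table
# ($2, default /proc/mounts). Spaces in paths are stored there as \040;
# printf %b decodes that escape.
mountpoints_of() {
    want=$1
    table=${2:-/proc/mounts}
    while read -r src target _rest; do
        if [ "$src" = "$want" ]; then
            printf '%b\n' "$target"
        fi
    done < "$table"
}

# Resolve the UUID symlink to its device node and unmount every mount point.
# Returns 1 if the UUID does not exist or an umount fails, 0 otherwise.
unmount_by_uuid() {
    link="/dev/disk/by-uuid/$1"
    if [ ! -e "$link" ]; then
        echo "no device with UUID $1"
        return 1
    fi
    dev=$(readlink -f "$link")
    mps=$(mountpoints_of "$dev")
    if [ -z "$mps" ]; then
        echo "$dev is not mounted at this point, nothing to do"
        return 0
    fi
    echo "$mps" | while IFS= read -r mp; do
        echo "unmounting $dev from $mp"
        umount "$mp" || exit 1
    done
}

# Act only when called with --run, and keep the output for later review.
if [ "${1:-}" = "--run" ]; then
    unmount_by_uuid "$BOOT_UUID" >> "$LOGFILE" 2>&1
fi
```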