Remove permission to FAT32 boot partition

Argo Navis
White ninja
Posts: 25
Joined: 29 Feb 2024, 21:52
Distribution: Porteus 5.01

Post#1 by Argo Navis » 26 Mar 2024, 01:12

Hello! Please excuse my poor understanding of the concepts and the vocabulary I'm using, I am learning Porteus but it is still a big mystery for me.

I am :wall: trying to do something that appears simple, but nothing I have tried has worked.

I have installed the /boot files on a fat32 partition and the /porteus files on an ext4 partition. I am trying to remove access to the fat32 partition for regular users: I don't want them to be able to stash a document there in a Windows session and then be able to retrieve it from their Porteus session.

I have tried various scripts in rc.local to be run at boot. I tried to remove permissions in fstab, but it says there is no fstab. I tried copy2ram cheatcode + unmount the fat32 partition, but it says the partition is not mounted (although it is in the file explorer after booting). I tried chattr to make the partition immutable, but it does not find the path to the partition.

Maybe it is me that is entering this all wrong. Anyway, if somebody has any idea how to cut access to that booting partition, I will take anything at this point.
Thanks!

Ed_P
Contributor
Posts: 8374
Joined: 06 Feb 2013, 22:12
Distribution: Cinnamon 5.01 ISO
Location: Western NY, USA

Post#2 by Ed_P » 26 Mar 2024, 03:43

Argo Navis wrote:
26 Mar 2024, 01:12
I have installed the /boot files on a fat32 partition and the /porteus files on an ext4 partition. I am trying to remove access to the fat32 partition for regular users: I don't want them to be able to stash a document there in a Windows session and then be able to retrieve it from their Porteus session.

It sounds like you're installing the Porteus files onto a removable drive and when you boot the removable drive you want to restrict access to the drive's FAT32 partition. What about access to the machine's hard drive when Porteus is booted, how are you planning to limit that? :%) Can that approach be used for the FAT32 drive also?
Ed

Post#3 by Argo Navis » 27 Mar 2024, 12:31

That's the thing precisely: in order to prevent the mounting of the machine's hard drive, I use the cheatcode noauto. User's permissions prevent mounting of hard drive, internal or external, so in order to mount the machine's hard drive, user has to enter admin password. But it does not apply to the FAT32 partition with the boot directory. It comes mounted and user can unmount and mount at will, no password asked.

After that I tried using cheatcode copy2ram so that I could unmount the booting partition, with a script in rc.local to unmount the fat32 partition after the booting process is done. That did not work either, it says the partition is not found, although it is definitely mounted and accessible once the desktop has loaded.
(By the way, how can I see the information displayed during booting once the desktop gui has loaded? It goes too fast and I can't read everything?)

Post#4 by Ed_P » 27 Mar 2024, 19:03

Argo Navis wrote:
27 Mar 2024, 12:31
a script in rc.local to unmount the fat32 partition after the booting process is done.

Can you post it?

Argo Navis wrote:
27 Mar 2024, 12:31
how can I see the information displayed during booting once the desktop gui has loaded?

Basically there are 4 logs in the /var/log/ folder that should prove helpful. This is a script I have used to review them that may help.

Code:

#!/bin/sh
# Re-run the script through su when it was not started as root.
if [ "$(whoami)" != "root" ]; then
   echo "Enter root's password"
   su -c "sh $0 $1 $2"
   exit
fi

# https://forum.porteus.org/viewtopic.php?p=87985#p87985 - Blaze
# dmesg --level=err,warn -L=never   #-L = colorize messages (auto, always or never)

# Log file in /var/log to search (uncomment one)
LOG=syslog
#LOG=porteus-livedbg
#LOG=messages
#LOG=Xorg.0.log

# Text to search for (uncomment one, or pass it as the first argument)
GREP=firmware
#GREP=adv-lite
#GREP=wifi
#GREP=TouchPad
#GREP=save.dat

if [ "$1" != "" ]; then GREP=$1; fi

echo "cat /var/log/$LOG  | grep $GREP "
cat "/var/log/$LOG" | grep -- "$GREP"

# Wait for Enter so the terminal window stays open
read -r _ && exit

Change the LOG and GREP variables to fit your needs.
Ed

Post#5 by Argo Navis » 27 Mar 2024, 22:19

Ed_P wrote:
Can you post it?

The way I tried to remove the permissions to mount partitions is by adding this file: /changes/etc/polkit-1/localauthority/50-local.d/10-udisks2.pkla
with this code:

Code:

Identity=unix-user:*
Action=org.freedesktop.udisks2.filesystem-mount
ResultAny=no
ResultInactive=no
ResultActive=no

It seems to work as I can't mount the machine's hard drive.

Then, in rc.local, I added this line to unmount the fat32 partition after having booted with copy2ram:

Code:

umount /dev/disk/by-uuid/D939-BF33

I triple-checked the fat32 UUID. During booting, I get a message saying 'D939-BF33 is not mounted'. And then after booting, the partition is mounted and available in the file explorer.
*Edited* I managed to read really fast, as I couldn't find anything relevant in the logs, and the message at boot is actually "umount /dev/disk/by-uuid/D939-BF33: mount point not specified".

roadie
Full of knowledge
Posts: 400
Joined: 02 Jan 2011, 18:41
Distribution: Porteus 5.0-RC1
Location: In a hayfield

Post#6 by roadie » 28 Mar 2024, 00:58

@Argo Navis
Argo Navis wrote:
26 Mar 2024, 01:12
I tried to remove permissions in fstab, but it says there is no fstab.

Did you specify /etc/fstab?

I use the following command in /etc/rc.d/rc.local so regular users will not be able to mount the fat32 partition:

Code:

sed -i 's/vfat users,/vfat /g' /etc/fstab

The command removes the word "users", so only root can mount the partition. Also, using the "noauto" cheatcode, the partition won't be mounted after booting.
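
A variant of the fstab edit above that drops `user`/`users` wherever it sits in the options of a vfat entry and then checks the result. This is an added example, not roadie's code or part of Porteus; the function names are hypothetical and it assumes standard six-field fstab lines.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# strip_user_mount FSTAB
# Print FSTAB with "user"/"users" dropped from the options (4th field) of
# every vfat entry, wherever the word sits in the comma-separated list.
# Edited lines are re-joined with single spaces; other lines pass through.
strip_user_mount() {
    awk '
    $1 !~ /^#/ && $3 == "vfat" {
        n = split($4, opt, ",")
        out = ""
        for (i = 1; i <= n; i++)
            if (opt[i] != "user" && opt[i] != "users")
                out = out (out == "" ? "" : ",") opt[i]
        $4 = (out == "" ? "defaults" : out)
    }
    { print }' "$1"
}

# user_mountable_vfat FSTAB
# List the vfat mount points a regular user may still mount. Exit status is
# 0 when at least one is left, 1 when there are none.
user_mountable_vfat() {
    awk '
    $1 !~ /^#/ && $3 == "vfat" && ("," $4 ",") ~ /,users?,/ { print $2; hit = 1 }
    END { exit (hit ? 0 : 1) }' "$1"
}

# apply_strip FSTAB
# Rewrite the file in place, but only if the filtered copy is not empty.
apply_strip() {
    tmp=$(mktemp) || return 1
    strip_user_mount "$1" > "$tmp" && [ -s "$tmp" ] && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# From rc.local (runs as root):
#   apply_strip /etc/fstab
#   user_mountable_vfat /etc/fstab && echo "vfat entries still user-mountable"
```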

Post#7 by Ed_P » 28 Mar 2024, 02:48

Argo Navis wrote:
27 Mar 2024, 22:19
Then, in rc.local, I added this line to unmount the fat32 partition after having booted with copy2ram:

Code:

umount /dev/disk/by-uuid/D939-BF33

Once booted the drive doesn't need the uuid name, the drive has been found and mounted. unmount /mtn/disk/sda1 or sda2 or sdb1 should work better.
Ed

Post#8 by Argo Navis » 28 Mar 2024, 19:07

roadie wrote:
I use the following command in /etc/rc.d/rc.local so regular users will not be able to mount the fat32 partition:

Code:

sed -i 's/vfat users,/vfat /g' /etc/fstab

The command removes the word "users", so only root can mount the partition. Also, using the "noauto" cheatcode, the partition won't be mounted after booting.

I tried your line of code and it does not change anything, the fat partition is still mounted and accessible. If I look at the partition's permissions, it still says the owner is 'guest'.

It does not help that I can't see the output of the scripts I put in rc.local. I tried looking in /var/log, but there are a lot of lines of code among many files and I can't find anything relevant to rc.local.

For example, I tried another approach of making a reference copy of all directories and files in the boot partition. I added a script (see below) to rc.local to erase all files and directories in the fat32 partition, then to copy back the reference files. It did not work, my 'smuggled file' is still there. I am pretty sure I made mistakes in my code, but I cannot look at any output, so I don't know what to correct.

Code:

rm -rf /mnt/sda1/*
cp -r /etc/rc.d/bootbkp/* /mnt/sda1

Post#9 by Ed_P » 29 Mar 2024, 00:05

Argo Navis wrote:
28 Mar 2024, 19:07
to rc.local to erase all files and directories in the fat32 partition, then to copy back the reference files.

What are "reference files" and why copy them back?

Argo Navis wrote:
28 Mar 2024, 19:07
It does not help that I can't see the output of the scripts I put in rc.local.

Argo Navis wrote:
28 Mar 2024, 19:07
I cannot look at any output,

Manually execute the commands, and scripts, in a terminal window. :shifty:

Argo Navis wrote:
28 Mar 2024, 19:07

Code:

rm -rf /mnt/sda1/*
cp -r /etc/rc.d/bootbkp/* /mnt/sda1

I may be wrong but I think you want:

Code:

rm -rf /mnt/sda1/
cp -r /etc/rc.d/bootbkp/* /mnt/sda1/
Ed

Post#10 by Argo Navis » 30 Mar 2024, 00:23

@Ed_P: Yes, you are right, that small change fixed it! When I run this script in terminal, it works. But then, if I put it in rc.local, nothing happens...

I think the problem lies with the order in which booting occurs and rc.local gets called. I tried another approach. I made a whitelist of all the files I wanted to keep in the boot partition and wrote a script to remove any other file:

Code:

#!/bin/bash

# Define whitelist
WHITELIST=(
    "/mnt/sda1/EFI/boot/bootx64.efi"
    "/mnt/sda1/EFI/boot/chain.c32"
    "/mnt/sda1/EFI/boot/ldlinux.e64"
    "/mnt/sda1/EFI/boot/libcom32.c32"
    "/mnt/sda1/EFI/boot/libmenu.c32"
    "/mnt/sda1/EFI/boot/libutil.c32"
    "/mnt/sda1/EFI/boot/linux.c32"
    "/mnt/sda1/EFI/boot/menu.c32"
    "/mnt/sda1/EFI/boot/syslinux.c32"
    "/mnt/sda1/EFI/boot/syslinux.cfg"
    "/mnt/sda1/EFI/boot/vesamenu.c32"
    "/mnt/sda1/boot/syslinux/isolinux.boot"
    "/mnt/sda1/boot/syslinux/isolinux.bin"
    "/mnt/sda1/boot/syslinux/chain.c32"
    "/mnt/sda1/boot/syslinux/extlinux.conf"
    "/mnt/sda1/boot/syslinux/initrd.xz"
    "/mnt/sda1/boot/syslinux/isolinux.cfg"
    "/mnt/sda1/boot/syslinux/ldlinux.c32"
    "/mnt/sda1/boot/syslinux/libcom32.c32"
    "/mnt/sda1/boot/syslinux/libutil.c32"
    "/mnt/sda1/boot/syslinux/lilo.conf"
    "/mnt/sda1/boot/syslinux/plpbt"
    "/mnt/sda1/boot/syslinux/porteus.cfg"
    "/mnt/sda1/boot/syslinux/splash.png"
    "/mnt/sda1/boot/syslinux/pxelinux.0"
    "/mnt/sda1/boot/syslinux/reboot.c32"
    "/mnt/sda1/boot/syslinux/syslinux.cfg"
    "/mnt/sda1/boot/syslinux/vesamenu.c32"
    "/mnt/sda1/boot/syslinux/vmlinuz"
)

# Define mount point of BOOT partition
BOOT_PARTITION="/mnt/sda1"

# Traverse through BOOT partition (NUL-delimited so unusual file names survive)
find "$BOOT_PARTITION" -type f -print0 | while IFS= read -r -d '' file; do
    if ! [[ " ${WHITELIST[*]} " =~ " $file " ]]; then
        echo "Removing $file"
        rm -- "$file"
    fi
done

echo "Cleanup complete!"

If I run this script in terminal, it works perfectly. But if I call the same script in rc.local, the extra files are not deleted, although echo "Cleanup complete!" does print to the console. :wall:

So is it possible that a script in rc.local will not touch the booting partition, even if I use cheatcode copy2ram?

Post#11 by Ed_P » 30 Mar 2024, 01:08

Argo Navis wrote:
30 Mar 2024, 00:23
@Ed_P: Yes, you are right, that small change fixed it!

Which one? The rm one or the cp one?

Argo Navis wrote:
30 Mar 2024, 00:23
So is it possible that a script in rc.local will not touch the booting partition,

Well:

/etc/rc.d/rc.local wrote:
# /etc/rc.d/rc.local: Local system initialization script.

I don't think what you are attempting is part of the booting/initialization process. And I think your latest script is overboard :shock: for wanting to dismount a drive. But impressive coding. :happy62:

Create a script that dismounts the mounted boot drive. Test it in terminal. Then create a .desktop file that executes the script and put it in /home/guest/.config/autostart (or /etc/xdg/autostart) folder. This is a :) desktop file I use when booting:
Touchpad.desktop

Code:

[Desktop Entry]
Name=Touchpad
Exec=sh /home/guest/touchpad.sh X
Icon=/usr/share/pixmaps/porteus/tools.png
Terminal=false
Type=Application
Name[en_US]=Touchpad
StartupNotify=false

Added in 1 day 3 hours 54 minutes 16 seconds:
Once you get the script and desktop files to work, move the script to the /root and change the desktop's exec to "Exec=sh /root/".... This way users without root access can't see it.

Ref your whitelist script: what happens if the USB drive mounts as sdb1? :)
Ed
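
One way to unmount the boot partition by its UUID without hard-coding sda1 or sdb1, by looking up where the kernel lists that filesystem as mounted. This is an added example, not code from the thread; the function names are hypothetical, and the UUID in the usage comment is the one quoted in post #5.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# mountpoints_for_uuid UUID [BY_UUID_DIR] [MOUNTS_FILE]
# Print every mount point of the filesystem with that UUID, one per line.
# The two optional arguments exist only so the lookup can be tried on
# constructed data instead of the live system.
mountpoints_for_uuid() {
    uuid=$1
    by_uuid=${2:-/dev/disk/by-uuid}
    mounts=${3:-/proc/mounts}
    # Unknown UUID: no such entry under by-uuid.
    [ -e "$by_uuid/$uuid" ] || return 1
    # The entry is a symlink to the real device node (sda1, sdb1, ...).
    dev=$(readlink -f "$by_uuid/$uuid") || return 1
    # Mounts file: field 1 = device, field 2 = mount point, where a space
    # in the path is written as \040.
    awk -v d="$dev" '$1 == d { gsub(/\\040/, " ", $2); print $2 }' "$mounts"
}

# unmount_uuid UUID [BY_UUID_DIR] [MOUNTS_FILE]
# Unmount the filesystem wherever it is mounted. Needs root.
# Returns non-zero when the UUID is unknown, not mounted, or umount fails.
unmount_uuid() {
    mps=$(mountpoints_for_uuid "$@") || {
        echo "UUID $1 not found" >&2
        return 1
    }
    [ -n "$mps" ] || {
        echo "UUID $1 is not mounted" >&2
        return 1
    }
    printf '%s\n' "$mps" | while IFS= read -r mp; do
        echo "Unmounting $mp"
        umount "$mp" || exit 1
    done
}

# Typical call from a root-owned start-up script:
#   unmount_uuid D939-BF33
```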
