[vox-tech] HOWTO: How to secure a shared FAT partition.
Ken Bloom
vox-tech@lists.lugod.org
Sun, 03 Mar 2002 12:15:05 -0800
I wanted to share this interesting Windows 2000 hack with you. Before
you shout me off the list for suggesting such a thing, I need to say
that I find this procedure to be very useful for securely sharing files
between Windows 2000 and Linux on my dual boot machine, and that aside
from that I cannot find any other useful reason for this trick.
This hack is a method of securing a FAT partition behind NTFS security
in Windows 2000. Little-known to most people, Windows 2000 has a feature
that allows one to mount a volume in a folder, similar to the way we
mount filesystems under Linux. To make use of this feature, follow
these steps.
1. Boot into Windows 2000. If your computer already has Windows 2000,
you're fine; you do not need to reboot before starting this. Be sure you
are logged in as a system administrator.
2. Find an appropriate place on the directory tree of one of your
NTFS partitions to mount the FAT partition. Keep in mind that Windows
2000 does not allow you to actually assign permissions to the mountpoint
- you will assign the protection permissions to the directory above the
mountpoint. Therefore, instead of setting up a mountpoint like
c:\mount\my_fat_drive, set up a mountpoint like
c:\mount\my_fat_drive\actual_mount . Also, keep in mind that Windows
doesn't let you mount anything in a folder on a FAT partition - you must
use an NTFS partition.
3. Create all of the directories needed to reach the mountpoint,
including the actual directory where you plan to mount the drive - the
mounting feature of Windows 2000 works like Linux mountpoints: the mount
replaces an existing folder. In my example, you would need to create the
folders c:\mount\, c:\mount\my_fat_drive\, and
c:\mount\my_fat_drive\actual_mount.
4. Go to the Computer Management administration tool. This tool can
be found by opening up the Control Panels folder, double-clicking the
Administrative Tools folder, and double clicking Computer Management. In
the left pane of this window, go to Disk Management.
5. Right-click on the graphical representation of the partition you
want, and choose an option that is similar to "Assign Drive Letters".
6. Remove all drive letters from the box (drive letters can't be
secured) and add the folder that you have designated for the mountpoint
(in this case c:\mount\my_fat_drive\actual_mount ).
Alternatively, if you dislike the graphical tool, you can use the
Windows mountvol command from the command line instead of performing
steps 4 through 6. Information about the mountvol command can be found at
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/mountvol.asp
7. Assign permissions to the directory above the mount point (in this
case c:\mount\my_fat_drive\ ). Anybody that has no access whatsoever to
this directory will have no access to the mountpoint it contains. Anyone
to whom you give full control over this directory will have full control
over the FAT partition (note that he still can't unmount the partition).
I haven't tested what happens if you give a user read-only access to the
directory. I am uncertain as to whether or not he will have read-write
access to the FAT partition.
8. Reboot the computer. The mountpoint appears immediately when you
finish assigning the mountpoint, but the drive letter won't go away
until you reboot the computer.
I used this on my computer to create a read-write documents folder that
was inaccessible to anybody else who uses my system (which should be
nobody, but nonetheless). I mounted my FAT partition on Linux using the
uid, gid, and umask (I used umask=077) options to assign permissions to
Linux users to access the partition.
Please note that anybody who boots your computer off a Windows boot disk
or off a bootable Linux CD (like demolinux) can still mount your FAT
partition and get read/write access. The simple fact here, however, is
that if somebody has a bootable Linux CD, they can get read/write access
to every file on your ext2, ext3, or reiserfs partitions, so you need to
make sure you have a physical security policy in place anyway to prevent
this from happening.
I thought I'd share this with all of you so that if anybody finds it
useful, they know about it. I am not sure which versions of XP this
works on, as I do not have XP to test it on.
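
The mountvol route through steps 3 to 7, written out as a batch file. This is an added example, not part of the original post; the drive letter E:, the account name ken, and the use of cacls for step 7 are assumptions.

```bat
@echo off
rem Added example: steps 3-7 of the HOWTO from the command line.
rem Run from an administrator account on Windows 2000.
rem Assumed values (not from the post): the FAT volume currently has the
rem drive letter E:, and the account that should own the data is "ken".
setlocal
set FAT_LETTER=E:
set PARENT=c:\mount\my_fat_drive
set MOUNTPOINT=%PARENT%\actual_mount
set OWNER=ken

rem Step 3: create the full path. The mountpoint must be an empty folder
rem on an NTFS partition; a folder on a FAT partition cannot host a mount.
if not exist "%MOUNTPOINT%" mkdir "%MOUNTPOINT%"

rem Resolve the \\?\Volume{GUID}\ name behind the drive letter.
set VOL=
for /f %%V in ('mountvol %FAT_LETTER% /L') do set VOL=%%V
if not "%VOL:~0,4%"=="\\?\" (
    echo Could not resolve a volume name for %FAT_LETTER%
    exit /b 1
)

rem Steps 4-6: mount the volume in the folder, then remove the drive
rem letter, since access through a drive letter bypasses the folder ACL.
mountvol "%MOUNTPOINT%" %VOL%
if errorlevel 1 exit /b 1
mountvol %FAT_LETTER% /D

rem Step 7: set the ACL on the directory ABOVE the mountpoint.
rem Without /E, cacls replaces the existing ACL with the entries given,
rem so only OWNER and Administrators keep access. "echo y" answers the
rem confirmation prompt. /T is deliberately not used: the ACL belongs on
rem the NTFS directory only, and FAT cannot store permissions anyway.
echo y| cacls "%PARENT%" /G %OWNER%:F Administrators:F

rem Verify: print the resulting ACL and the current mountpoint list.
cacls "%PARENT%"
mountvol
endlocal
```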