[vox-tech] HOWTO: How to secure a shared FAT partition.

Ken Bloom vox-tech@lists.lugod.org
Sun, 03 Mar 2002 12:15:05 -0800


I wanted to share this interesting Windows 2000 hack with you. Before 
you shout me off the list for suggesting such a thing, I need to say 
that I find this procedure to be very useful for securely sharing files 
between Windows 2000 and Linux on my dual boot machine, and that aside 
from that I cannot find any other useful reason for this trick.

This hack is a method of securing a FAT partition behind NTFS security 
in Windows 2000. Little-known to most people, Windows 2000 has a feature 
that allows one to mount a volume in a folder, similar to the way we 
mount filesystems under Linux. To make use of this feature, follow 
these steps.

1.    Boot into Windows 2000. If your computer is already running 
Windows 2000, you're fine; you do not need to reboot before starting 
this. Be sure you are logged in as a system administrator.

2.    Find an appropriate place on the directory tree of one of your 
NTFS partitions to mount the FAT partition. Keep in mind that Windows 
2000 does not allow you to actually assign permissions to the mountpoint 
- you will assign the protection permissions to the directory above the 
mountpoint. Therefore, instead of setting up a mountpoint like 
c:\mount\my_fat_drive, set up a mountpoint like 
c:\mount\my_fat_drive\actual_mount . Also, keep in mind that Windows 
doesn't let you mount anything in a folder on a FAT partition - you must 
use an NTFS partition.

3.    Create all of the directories needed to reach the mountpoint, 
including the actual directory where you plan to mount the drive - the 
mounting feature of Windows 2000 works like Linux mountpoints: the mount 
replaces an existing folder. In my example, you would need to create the 
folders c:\mount\, c:\mount\my_fat_drive\, and 
c:\mount\my_fat_drive\actual_mount.

4.    Go to the Computer Management administration tool. This tool can 
be found by opening up the Control Panels folder, double-clicking the 
Administrative Tools folder, and double clicking Computer Management. In 
the left pane of this window, go to Disk Management.

5.    Right-click on the graphical representation of the partition you 
want, and choose an option that is similar to "Assign Drive Letters".

6.    Remove all drive letters from the box (drive letters can't be 
secured) and add the folder that you have designated for the mountpoint 
(in this case c:\mount\my_fat_drive\actual_mount ).

Alternatively, if you dislike the graphical tool, you can use the 
Windows mountvol command from the command line instead of performing 
steps 4 through 6. Information about the mountvol command can be found at 
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/proddocs/mountvol.asp

7.    Assign permissions to the directory above the mount point (in this 
case c:\mount\my_fat_drive\ ). Anybody that has no access whatsoever to 
this directory will have no access to the mountpoint it contains. Anyone 
to whom you give full control over this directory will have full control 
over the FAT partition (note that he still can't unmount the partition). 
I haven't tested what happens if you give a user read-only access to the 
directory. I am uncertain as to whether or not he will have read-write 
access to the FAT partition.

8.    Reboot the computer. The mountpoint appears immediately when you 
finish assigning the mountpoint, but the drive letter won't go away 
until you reboot the computer.


I used this on my computer to create a read-write documents folder that 
was inaccessible to anybody else who uses my system (which should be 
nobody, but nonetheless). I mounted my FAT partition on Linux using the 
uid, gid, and umask (I used umask=077) options to assign permissions to 
Linux users to access the partition.


Please note that anybody who boots your computer off a Windows boot disk 
or off a bootable Linux CD (like demolinux) can still mount your FAT 
partition and get read/write access. The simple fact here, however, is 
that if somebody has a bootable Linux CD, they can get read/write access 
to every file on your ext2, ext3, or reiserfs partitions, so you need to 
make sure you have a physical security policy in place anyway to prevent 
this from happening.

I thought I'd share this with all of you so that if anybody finds it 
useful, they know about it. I am not sure which versions of XP this 
works on, as I do not have XP to test it on.
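
The command-line route mentioned above (mountvol in place of steps 4 through 6), together with the directory creation from step 3 and the permissions from step 7, as an added example that is not part of the original post. The volume name, the old drive letter E: and the account name ken are placeholders, and keeping Administrators and SYSTEM on the ACL is an assumption of this example; the ACL is set before mounting so the FAT volume is never reachable through an unprotected path.

```bat
@echo off
rem Added example: steps 3-7 from the command line. Run as an administrator.
rem Paths are the ones used in the post and must not contain spaces here.
setlocal

set PARENT=c:\mount\my_fat_drive
set MOUNTPOINT=%PARENT%\actual_mount
rem Placeholder: run a bare "mountvol" and copy the real volume name here.
set PLACEHOLDER=\\?\Volume{00000000-0000-0000-0000-000000000000}\
set VOLUME=%PLACEHOLDER%
rem Placeholders: drive letter the FAT partition has now, and the account
rem that should keep access to it.
set OLDLETTER=E:
set OWNER=ken

rem Refuse to run until the placeholder volume name has been replaced.
if "%VOLUME%"=="%PLACEHOLDER%" (
    echo Edit VOLUME first: run "mountvol" with no arguments to list volumes.
    goto :eof
)

rem Step 3: create every directory down to the mountpoint
rem (mkdir creates the intermediate folders too).
if not exist %MOUNTPOINT% mkdir %MOUNTPOINT%

rem Step 7, done before mounting: replace the ACL on the directory ABOVE
rem the mountpoint. Without /E, cacls replaces the whole ACL and asks for
rem confirmation, which "echo y|" answers.
rem Assumption: Administrators and SYSTEM keep full control next to OWNER.
echo y| cacls %PARENT% /G Administrators:F SYSTEM:F %OWNER%:F

rem Steps 4-6: mount the volume in the folder, then drop the drive letter,
rem since a drive letter cannot be secured.
mountvol %MOUNTPOINT%\ %VOLUME%
mountvol %OLDLETTER%\ /D

rem Verify: print the resulting ACL and the volume now mounted in the folder.
cacls %PARENT%
mountvol %MOUNTPOINT%\ /L

echo Reboot (step 8) so the old drive letter goes away.
endlocal
```

Review the two verification outputs before rebooting: the ACL should list only the three accounts, and the volume name printed by /L should match the one assigned to VOLUME.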