Is it possible to declaratively manage the permissions for mountpoints?

I have a secondary hard drive that I want to be accessible to every user. I want to mount it in a user-neutral location, but also want to avoid /mnt, as it is sometimes used for temporary mounting, so I chose /media/root/$label instead. However, now the top level of the disk is not only owned by root, but also has permission o=, meaning I can’t create folders in it without wheel membership. I know I could manually intervene and alter the mode of the mountpoint imperatively, but I’d like a more declarative, Nixy solution. Is there a way to make the mountpoint accessible to all users? Is the restriction to only root because of the directory I’ve chosen to place it in? Is there some subtle way the permissions are configured?


Let’s start by looking at the mounted FS: what is it? I never had any problems using Linux filesystems; permissions have just been taken from the disk.

Filesystems that are not aware of the Linux permission system, like fat* or NTFS require some extra lifting though.

The drive is an ext4 filesystem. I didn’t know the root folder / in ext4 had its own mode. Is that the case? Doesn’t it adopt the mode of the mountpoint?

So what permissions are on /media/root and /media? Both of them have to be at least o+rx so that your users can see them and discover their contents.

After testing this with a remount, it seems that it does indeed have its own mode. Thanks.

~$ stat --format '%A %u %g %n' /{,media/{,root/{,external-data/}}}
drwxr-xr-x 0 0 /
drwxr-xr-x 0 0 /media/
drwxr-xr-x 0 0 /media/root/
drwxrwxr-x 0 1 /media/root/external-data/

This works now. I just needed to modify the permission on the root of the drive. I thought that would mean changing the mode of the mountpoint itself, but it doesn’t. Thanks.

You might be able to use systemd.tmpfiles.rules to manage the folders permissions declaratively.

https://search.nixos.org/options?channel=21.05&show=systemd.tmpfiles.rules&from=0&size=50&sort=relevance&type=packages&query=tmpfil

I don’t really see how that solves whatever problem I still have left.

(At the moment, I feel my problem is solved; I was merely averse to changing the mountpoint permissions non-declaratively. The only thing that’s still kind of a problem is that I’m not declaring the drive’s permissions themselves declaratively. That’d be neat.)

The name is a bit misleading: it is not only about temporary files, but it is also able to create folder hierarchies and make sure they exist with certain permissions.

How that works exactly is beyond my knowledge, though; but I have to admit, I’m always astonished at what some users do with it.

d /media/run 0755 root root seems to be a viable option, but I have to be honest, I have no experience using tmpfiles.d.

Please read its documentation before blindly applying that rule.

And again, the drive itself does not have any extra permissions. As it is a filesystem that Linux understands, the user IDs, group IDs and permissions will be taken from the mounted filesystem.

Though as I have said already, to give everyone access to the mounted partitions, the permissions on the parents of the mountpoints have to be correct as well, which can be managed using tools like systemd-tmpfiles.d.

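Putting the thread's two points together (the parents of the mountpoint must be o+rx, and the mode that matters on the mounted disk is the one stored in the ext4 root directory), here is an added example of what a fully declarative NixOS configuration could look like. It is not code from the thread or from any NixOS module; it assumes the disk carries the filesystem label "external-data", that the intended "everyone" group is the default NixOS `users` group, and that systemd-tmpfiles-setup runs after local-fs.target, so the last rule adjusts the already-mounted ext4 root rather than the empty directory underneath it.

```nix
# Added example, not from the original thread.
# Assumptions: filesystem label "external-data", group "users" as the
# group every normal user belongs to, and tmpfiles running after the
# local mounts are in place.
{ config, lib, pkgs, ... }:

{
  # The mount itself. "nofail" is deliberately left out: a nofail mount
  # is not ordered before local-fs.target, so systemd-tmpfiles-setup
  # could run before the disk is mounted and change the wrong directory.
  fileSystems."/media/root/external-data" = {
    device = "/dev/disk/by-label/external-data";
    fsType = "ext4";
  };

  systemd.tmpfiles.rules = [
    # Parents of the mountpoint: world-searchable (o+rx) so every user
    # can reach the mount at all.
    "d /media 0755 root root -"
    "d /media/root 0755 root root -"
    # The mountpoint after the disk is mounted: this adjusts the mode of
    # the ext4 root directory on the disk, not the empty mountpoint
    # directory below it. The setgid bit (2) keeps new entries owned by
    # group "users" so that what one user creates stays group-writable.
    "d /media/root/external-data 2775 root users -"
  ];
}
```

After a rebuild, the stat command from the thread (`stat --format '%A %u %g %n' /{,media/{,root/{,external-data/}}}`) is the check: every parent should show r-x for "other" and the mountpoint should show the mode from the last rule. Two caveats follow from the assumptions: if the disk is absent at boot the last rule is applied to the empty mountpoint directory instead, and because tmpfiles re-applies its rules on every boot, any manual chmod on the drive is overwritten, which is the point of declaring it here.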