3

I would like to put network share mounts in /etc/fstab, but by default that file is world-readable which allows everyone to read the credentials I put into the mount options.

Is it safe to make /etc/fstab not readable by anyone other than root, e.g. owned by root:root with permissions 0640?

FWIW, I am using Debian Squeeze/Wheezy and Ubuntu LTS.

Sven
Rob
  • 1
    Why do you want to do this? Your question looks a bit like [an XY problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). SvW has already shown you a good solution to one problem which might also be badly solved by making `fstab` 600. If you tell us what your actual problem is, rather than asking about one possible solution, we can probably be of more use. – MadHatter Feb 14 '14 at 11:01
  • You didn't, in fact, explain that; you merely said you wanted to put "*network share mounts in `/etc/fstab`*", and left us to infer that that problem was the making public of credentials which you didn't want shared. Now the problem is explicit, for which many thanks. For me, SvW's solution is the right thing to do. – MadHatter Feb 14 '14 at 12:33
  • It should be pretty obvious what that means. – Rob Feb 14 '14 at 14:01
  • 3
    @Rob: No, it's not obvious. I had to make a guess at what you might want and was right, but many people end up here having the strangest ideas without a good understanding of basic concepts. It's up to you to ask a clear, easy to understand question that doesn't leave room for interpretation. – Sven Feb 14 '14 at 14:12

2 Answers

5

What share do you want to mount? Some allow you to put credentials into external files readable only by root. This is the preferred way to handle this.

An example: CIFS/SMB knows the option `credentials=filename`, where `filename` is a file with the following content:

```
username=value
password=value
domain=value
```

See `man mount.cifs` for more information.

Sven
  • I'd go farther and guess that all mount types that require a password have a way to do this, since /etc/fstab is world-readable in every system I've ever seen. – Andrew Schulman Feb 14 '14 at 11:05
  • So why is it alright for the credentials file to be locked down, but not /etc/fstab? – Rob Feb 14 '14 at 12:25
  • 2
    @Rob: Because tools look up `/etc/fstab` for various reasons but don't need access to further files referenced in it. – Sven Feb 14 '14 at 14:26
  • @SvW: I've tried this, and it seems to work. Thanks. – Rob Feb 14 '14 at 15:07
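
The setup described in the answer above can be checked mechanically. The following script is an added example, not part of the original thread: it flags fstab entries that carry a password in the options field and `credentials=` files that are readable by group or other. The function names, the `EXPECTED_UID` variable and the sample entries are assumptions made for the illustration; `pass=` and `cred=` are the short forms documented in `man mount.cifs`.

```sh
#!/bin/sh
# audit_fstab FILE: report credential exposure in an fstab-format file, one finding per line:
#   INLINE  <mnt>                a password sits in the world-readable options field
#   MISSING <mnt> <file>         credentials= target does not exist
#   LOOSE   <mnt> <file> <mode>  group/other can access the credentials file
#   OWNER   <mnt> <file> <uid>   file is not owned by the expected uid
# EXPECTED_UID is a hypothetical knob for running as non-root; default 0 (root).
audit_fstab() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    while read -r _dev mnt _type opts _rest; do
        printf '%s\n' "$opts" | tr ',' '\n' |
        while IFS= read -r opt; do
            case $opt in
                password=*|pass=*) echo "INLINE $mnt" ;;
                credentials=*|cred=*)
                    file=${opt#*=}
                    if [ ! -f "$file" ]; then echo "MISSING $mnt $file"; continue; fi
                    mode=$(stat -c '%a' "$file")    # GNU stat, as on Debian/Ubuntu
                    case $mode in
                        0|*00) ;;                    # no group/other bits set
                        *) echo "LOOSE $mnt $file $mode" ;;
                    esac
                    uid=$(stat -c '%u' "$file")
                    [ "$uid" = "${EXPECTED_UID:-0}" ] || echo "OWNER $mnt $file $uid"
                    ;;
            esac
        done
    done
}

# Constructed sample: three CIFS entries covering the inline, locked-down and loose cases.
make_sample() {
    d=$(mktemp -d)
    printf 'username=value\npassword=value\ndomain=value\n' > "$d/good.cred"
    cp "$d/good.cred" "$d/loose.cred"
    chmod 600 "$d/good.cred"; chmod 644 "$d/loose.cred"
    cat > "$d/fstab" <<EOF
# constructed sample, not from the original page
//srv/a /mnt/a cifs username=value,password=value,_netdev 0 0
//srv/b /mnt/b cifs credentials=$d/good.cred,_netdev 0 0
//srv/c /mnt/c cifs credentials=$d/loose.cred,_netdev 0 0
EOF
    echo "$d"
}

d=$(make_sample)
EXPECTED_UID=$(id -u) audit_fstab "$d/fstab"
rm -rf "$d"
```

Run as root against the real `/etc/fstab` without setting `EXPECTED_UID`, so that credentials files not owned by root are reported as well.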
-6

/etc/fstab is only a configuration file for the mount tool. Sometimes, some other filesystem tools can use it, too. It has nothing to do with the actual mount table in the kernel. You can see that in /proc/mounts on Linux (it is probably also possible on other Unixes).

Thus, the majority of a Linux system will work without big problems. Some command line tools (df, mount, etc.) will work only as root - if you can live with it, it will be ok.

Note also that it has practically no advantages, particularly not from a security point of view.

peterh
  • 6
    I strongly disagree, both with the plain wrong answer and the second paragraph. This site is exclusively about professional system administration and this means that things should be done *right* or not at all, and if I have the feeling the question is about how to solve a problem the wrong way, I will ask about the problem and try to explain how to solve this better. After all, my goal is to solve problems, not to answer questions. – Sven Feb 14 '14 at 14:31
  • 4
    The second paragraph, in particular, shows a lack of experience with this kind of on-line help forum. Many people (including myself) have thought of a poor solution to a given issue and gotten stuck on step 5 - actually explaining the overall issue allows people to point out better solutions that may bypass the initial specific question. – mpez0 Feb 14 '14 at 14:50
  • 1
    @mpez0 No. You show a great wish to control others. The only reason I mostly don't ask anything on forums is people like you, who always try to force me to their solution instead of helping me with mine. If you think he is on a bad way, you should _suggest_ something to him, but the primary help should focus on his way and on his thinking. – peterh Feb 14 '14 at 15:35