2003 02 Fstab Key to Information on Partitions Volumes


KNOW HOW fstab
File Systems
Fstab in the dark
The file system table (fstab) contains information on the partitions and volumes that need to be inserted into the directory tree on starting up the system. The table allows the administrator to enhance the security of a multi-user system by applying various options. BY ANDREAS KNEIB
52 February 2003 www.linux-magazine.com

During the boot process the /etc/fstab file is read by the mount command in an init script and processed line by line. It includes entries for device files, CD-ROM drives and hard disk partitions which are available for immediate access after the system initialization.

The administrator can use the configuration in this file to assign mount points to drives and partitions, to specify the file system or regulate access via access bits. Let us take a closer look at the entries in Listing 1.

The fact that the entries are divided into six columns is immediately apparent. The first column, (fs_spec), contains the device file name belonging to the partition. The second column, (fs_file), contains the mount point, that is the position where the medium is inserted into the directory tree.

The third column, (fs_vfstype), is used to define the file system type. Table 1 contains a list of some of the available system types.

The entries in the fourth column, (fs_mntops), define access to the volume. As you can see in Listing 1, this column can contain multiple, comma separated options. These options are also available on the command line, if you supply them as options to the mount command. The manpages for this command also provide detailed information on the various parameters. You can refer to Table 2 for an initial overview of the mount options.

The dump program, which creates a backup of the data on an Ext2 file system, refers to the entry in column five, (fs_freq), for its configuration data. Refer to the dump manpages for additional details on the functionality provided by this backup tool.

Like its predecessor, the last column is also read by a program. In this case it tells the fsck command how to check the consistency of the file system. The root directory is tagged with a 1, any other file systems with a 2. A value of 0 is assigned for file systems such as CD-ROMs that do not need to be checked by fsck.

Listing 1: fstab example
# The following lines are designed to explain and implement assignments
# (fs_spec) (fs_file) (fs_vfstype) (fs_mntops) (fs_freq) (fs_passno)
# [1]       [2]       [3]          [4]         [5]       [6]
/dev/hda1   /boot     ext2         defaults    1         2
/dev/hda2   /         ext2         defaults    1         1
proc        /proc     proc         defaults    0         0

Now let's add a few examples to the rudimentary /etc/fstab in Listing 1.

CD-ROM and DVD
After taking a quick look at the contents of our two tables, it should be no problem to define an entry that allows us to mount the CD-ROM drive, at least for home users with stand-alone computers, as we will see:

/dev/cdrom /cdrom auto ro,noauto,user,exec 0 0

Let's look at the syntax of the line. The /dev/cdrom entry specifies the device name of the drive. In this case,
/dev/cdrom is a symbolic link that points to the proper device file (for example /dev/hdc). The /cdrom field indicates the mount point in the directory tree.

In this case the drive is mounted directly below the root directory in /cdrom. Some distributions collate mount points for removable media below /mnt or /media.

You could choose the file system type iso9660 instead of auto if you are experiencing difficulty mounting DVDs. The ro option permits read-only access to the mounted medium.

The noauto entry does not bind the drive on starting the system, but waits for an explicit mount /cdrom command in the shell. The user option allows any user to issue the mount command. The same applies to users executing programs on the CD, as stipulated by the exec keyword; if noexec is stipulated, it is impossible to start programs, although the x attributes normally required to do so are present. Whether or not you decide to use these options depends on your approach to secure administration.

You can create a similar entry for a floppy drive:

/dev/fd0 /floppy auto noauto,user 0 0

In this case the ro has been omitted, to allow write access to the floppy. But the exec option has been removed to prevent users from starting programs stored on floppy disks.

Table 1: Common file system types
auto      Assign file system automatically
ext2      ext2 file system
ext3      ext3 file system
reiserfs  Reiser file system
jfs       IBM Journaling file system
minix     Minix file system
vfat      Windows 95, Windows 98 or DOS file system
ntfs      Windows NT/2000/XP file system
msdos     MS-DOS Floppy/Partitions
umsdos    MS-DOS with Unix add-ons
hpfs      OS/2 file system
xiafs     Xia file system
swap      Swap files/partitions
usbdevfs  USB device administration
devpts    Pseudo terminals
proc      Process administration
iso9660   DVDs/CD-ROMs
udf       Universal Disk Format (DVDs)
nfs       Network File System
smbfs     Server Message Block Protocol
ignore    (ignore partition)

From Process Administration to USB
The system stores various internal kernel administration data in files. This principle applies both to the proc file system and USB devices (usbdevfs). devpts is now the basis for pseudo terminal operations.

All of these files provide interfaces used by emulators, such as xterm. To allow devices and processes to run smoothly after booting the system, three virtual file systems must be added to the configuration, as shown in Listing 2.

Listing 2: Virtual file systems
devpts    /dev/pts       devpts    defaults 0 0
usbdevfs  /proc/bus/usb  usbdevfs  defaults 0 0
proc      /proc          proc      defaults 0 0

Taming Windows
The following section looks into the security of DOS and Windows partitions. We will be mounting a Windows 98 partition first. Read and write access to this section of the directory tree should be available to every user. Additionally, the file system will be activated by a mount /win98 command, issued by root:

/dev/hda3 /win98 vfat noauto,umask=0 0 0

The umask option in this entry has not been discussed previously. As Table 2 shows, the option sets inverse file privileges. What does that mean? Just like the chmod command, umask works with octal numbers. The access bits are calculated by subtracting the desired file privileges from seven, and assigning the result as the umask.

The access privileges for the modes read, write and execute (octal 7) are thus assigned by entering 0, r-x (octal 5) by entering 2, and rw- (octal 6) by typing a 1. As Windows 98 does not support access privileges for files, we can use Linux access bits to impose an extra level of security.

In this case we are applying fairly lax security privileges, since umask=0 will allow any user to read, write and execute any file. You can type man -P 'less +/^[ ]*umask' bash for additional information on using masked file privileges.

The quiet, iocharset=, and uni_xlate options are interesting in this context. They specify error handling and character set management. As these aspects are beyond the scope of this article, refer to the mount manpages for further details.

Let us now move on to the next candidate, Windows XP, where we will be applying a more stringent level of file system security.

/dev/hda4 /winxp ntfs ro,uid=999,gid=555,user 0 0

As Windows XP, NT, and 2000 use the NTFS file system, only read-only access (ro) is currently available (the driver is also capable of write access, but this is currently experimental and disabled in the standard kernel). The uid= and gid= options are used here. These abbreviations are short for User Identification (UID) and Group Identification (GID).

Explanation: The /etc/passwd file contains a list of all users, which includes details on the number assigned to a user and the user's group memberships. You can also ascertain these values by typing id or id username:

[andreas]~ > id
uid=500(andreas) gid=100(users) Groups=100(users),[...],42(trusted)

The UID/GID options allow you to assign a user and group ID to each Windows XP file. Now, all you need to do is apply umask and create an appropriate group, to allow for more granular access control of Windows.

Samba and NFS
Let us stick with Windows for the time being and investigate Microsoft's own variant of a network directory. The
counterpart to the Network File System (NFS) commonly found on Unix is the Server Message Block or SMB. A Windows server can use this protocol to provide access to its data. You will need to install Samba, to access external Windows computers via Linux. The smbclient tool provides access to shared Windows directories. But it is a lot easier to mount the directory in the local directory tree:

//win/C /winc smbfs user,noauto 0 0

Figure 1: Mounting the subscription CD in the directory tree
Figure 2: Refusing access

This entry allows the C directory on the win computer to be accessed by any user in the /winc directory on Linux. However, the user will be prompted for a password after issuing the mount command. Although users can supply a username parameter when issuing the mount command (-o username=tux,password=pw), you might like to simplify this task:

//win/C /winc smbfs user,noauto,username="tux",password="pw" 0 0

You might be a little confused at this point, because you have not been able to find the username and password commands in man mount. The program actually runs smbmount at this point, and the smbmount manpages are where you should be looking for further details on this topic.

The configuration required to mount a directory via the Network File System (NFS) is similar and can be seen if we use the following:

linux1:/out /nfs nfs user,noauto 0 0

This causes the computer to export the /out directory as linux1. The directory must be entered in the /etc/exports file on this computer, however, we will not be looking into NFS at this stage.

Users in Command
Files in MP3 format are a good idea. You can listen to them, list, manage and collect them. And above all else, you can waste a lot of space on the file system with them. What options are available to the administrator to prevent individual user collections from getting out of control? The answer is, use quotas [1].

Quotas allow the system administrator to restrict the amount of storage capacity available to groups and individual users. You can define the quotas with either dynamic or hard limits.

Quotas use separate configuration files to manage partitions, and are simple to apply. The original HOWTO is available on the Web at [2]. However, quota support must be compiled into the kernel, if you intend to use quotas.

As a full description of configuring this program is beyond the scope of this article, we will be focusing on the entries in /etc/fstab. The usrquota option is provided to restrict the amount of space available to users. The option is entered immediately after the defaults entry and affects the /home partition:

/dev/hda5 /home ext2 defaults,usrquota 1 1

You can replace usrquota by grpquota to apply quotas to groups:

/dev/hda6 /usr ext2 defaults,grpquota 1 1

If required, you can apply both settings to a single partition:

/dev/hda6 /var ext2 defaults,usrquota,grpquota 1 1

A separation of system and user data can be achieved by defining appropriate partitions for your Linux installation. This allows for ease of administrative intervention. Also, a well-planned fstab structure will save an administrator headaches, especially when under time pressure with things going wrong.

Table 2: Overview of mount options
defaults  defaults: rw, suid, dev, exec, auto, nouser and async
exec      allows binary and script execution
noexec    prevents binary and script execution
user      allows a user to mount the file system
noauto    must be mounted by the mount command
ro        mounts the file system in read-only mode
rw        mounts the file system in read-write mode
umask=    inverse bitmask of the access privileges (e.g. for FAT file systems)
uid=      User ID of the data
gid=      Group ID of the data
sync      Synchronous I/O Operations

INFO
[1] Quotas: http://www.sourceforge.net/projects/linuxquota
[2] Quota Howto: http://www.tldp.org/HOWTO/mini/Quota.html
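
The option choices discussed in this article can be checked mechanically. The following is an added example, not part of the original article: a POSIX shell function that reads fstab lines and flags user-mountable entries that permit program execution, umask values that leave files writable by everyone, and passwords stored in the file. The names audit_fstab and sample_fstab are chosen here; the logic assumes the behaviour documented in mount(8) that user implies noexec, nosuid and nodev unless a later option overrides them.

```shell
#!/bin/sh
# Added example, not from the article: flag the fstab option choices it
# discusses. Reads fstab text on stdin, prints "mountpoint: finding" lines.
audit_fstab() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
    NF < 4 { print "line " NR ": fewer than four fields"; next }
    {
        n = split($4, opt, ",")
        user = 0; exec_ok = 1; ro = 0; mask = ""; pw = 0
        # Options apply left to right. Per mount(8), user/users imply
        # noexec,nosuid,nodev unless a later option overrides them.
        for (i = 1; i <= n; i++) {
            o = opt[i]
            if (o == "user" || o == "users") { user = 1; exec_ok = 0 }
            else if (o == "nouser")    user = 0
            else if (o == "defaults")  { user = 0; exec_ok = 1; ro = 0 }
            else if (o == "exec")      exec_ok = 1
            else if (o == "noexec")    exec_ok = 0
            else if (o == "ro")        ro = 1
            else if (o == "rw")        ro = 0
            else if (o ~ /^umask=/)    mask = substr(o, 7)
            else if (o ~ /^password=/) pw = 1
        }
        if (user && exec_ok)
            print $2 ": any user can mount it and run programs from it"
        # The last octal digit of umask covers "others"; write is bit value 2.
        if (mask != "" && !ro && int(substr(mask, length(mask)) / 2) % 2 == 0)
            print $2 ": umask=" mask " leaves files writable by every user"
        if (pw)
            print $2 ": password stored in fstab, which is normally world-readable"
    }'
}

# Constructed sample: entries shown in the article, continuation lines joined.
sample_fstab() {
    cat <<'EOF'
# (fs_spec) (fs_file) (fs_vfstype) (fs_mntops) (fs_freq) (fs_passno)
/dev/hda2 / ext2 defaults 1 1
/dev/cdrom /cdrom auto ro,noauto,user,exec 0 0
/dev/fd0 /floppy auto noauto,user 0 0
/dev/hda3 /win98 vfat noauto,umask=0 0 0
/dev/hda4 /winxp ntfs ro,uid=999,gid=555,user 0 0
//win/C /winc smbfs user,noauto,username="tux",password="pw" 0 0
EOF
}

sample_fstab | audit_fstab
```

For the smbfs entry, smbmount's credentials=<file> option keeps the password in a separate file that can be made readable by root only.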

