Change permissions in /dev/mapper not working

I use several disks (internal and usb) containing sensitive data. All disks are encrypted.

When I open a device with cryptsetup, the unencrypted device is mapped to /dev/mapper/some-device with user and group root. When I inspect the permissions, I see rwx for all users. Therefore anyone can read my data.

Then I tried to change the permissions, either manually with

sudo chmod 770 some-device

Or via a udev rule:

KERNEL=="dm-*", SUBSYSTEM=="block", ACTION=="add", ENV{DM_NAME}=="some-device", OWNER="me", GROUP="me", MODE="0770"

Neither path succeeds. The permissions always remain 777.

What am I missing here?

This is my system:

~ >>> inxi --admin --verbosity=8 --filter --no-host --width
System:
  Kernel: 6.12.12-2-MANJARO arch: x86_64 bits: 64 compiler: gcc v: 14.2.1
    clocksource: tsc avail: hpet,acpi_pm
    parameters: BOOT_IMAGE=/boot/vmlinuz-6.12-x86_64
    root=UUID=4c2ea2f1-3cfa-4377-8778-97f19f2453fe rw quiet
    cryptdevice=UUID=ac37595d-5b67-408c-82b8-547a678e97e6:luks-ac37595d-5b67-408c-82b8-547a678e97e6
    root=/dev/mapper/luks-ac37595d-5b67-408c-82b8-547a678e97e6
    udev.log_priority=3
  Desktop: KDE Plasma v: 6.2.5 tk: Qt v: N/A info: frameworks v: 6.10.0
    wm: kwin_x11 with: krunner vt: 2 dm: SDDM Distro: Manjaro base: Arch Linux
Machine:
  Type: Desktop System: MSI product: MS-7798 v: 1.0
    serial: <superuser required>
  Mobo: MSI model: B75MA-P45 (MS-7798) v: 1.0 serial: <superuser required>
    uuid: <superuser required> UEFI: American Megatrends v: 1.9 date: 09/30/2013
Battery:
  Device-1: hidpp_battery_0 model: Logitech M720 Triathlon Multi-Device Mouse
    serial: <filter> charge: 55% (should be ignored) rechargeable: yes
    status: discharging
Memory:
  System RAM: total: 24 GiB available: 23.4 GiB used: 4.54 GiB (19.4%)
  Message: For most reliable report, use superuser + dmidecode.
  Array-1: capacity: 32 GiB slots: 4 modules: 4 EC: None
    max-module-size: 8 GiB note: est.
  Device-1: ChannelA-DIMM0 type: DDR3 detail: synchronous size: 4 GiB
    speed: 1333 MT/s volts: N/A width (bits): data: 64 total: 64
    manufacturer: Corsair part-no: CML8GX3M2A1600C9 serial: N/A
  Device-2: ChannelA-DIMM1 type: DDR3 detail: synchronous size: 8 GiB
    speed: 1333 MT/s volts: N/A width (bits): data: 64 total: 64
    manufacturer: Hynix/Hyundai part-no: HMT41GU6AFR8A-PB serial: <filter>
  Device-3: ChannelB-DIMM0 type: DDR3 detail: synchronous size: 4 GiB
    speed: 1333 MT/s volts: N/A width (bits): data: 64 total: 64
    manufacturer: Corsair part-no: CML8GX3M2A1600C9 serial: N/A
  Device-4: ChannelB-DIMM1 type: DDR3 detail: synchronous size: 8 GiB
    speed: 1333 MT/s volts: N/A width (bits): data: 64 total: 64
    manufacturer: Hynix/Hyundai part-no: HMT41GU6AFR8A-PB serial: <filter>
PCI Slots:
  Permissions: Unable to run dmidecode. Root privileges required.
CPU:
  Info: model: Intel Core i5-3450S bits: 64 type: MCP arch: Ivy Bridge
    gen: core 3 level: v2 built: 2012-15 process: Intel 22nm family: 6
    model-id: 0x3A (58) stepping: 9 microcode: 0x21
  Topology: cpus: 1x dies: 1 clusters: 4 cores: 4 smt: <unsupported> cache:
    L1: 256 KiB desc: d-4x32 KiB; i-4x32 KiB L2: 1024 KiB desc: 4x256 KiB
    L3: 6 MiB desc: 1x6 MiB
  Speed (MHz): avg: 1601 min/max: 1600/2800 scaling: driver: intel_cpufreq
    governor: schedutil cores: 1: 1601 2: 1601 3: 1601 4: 1601 bogomips: 22410
  Flags: acpi aes aperfmperf apic arat arch_perfmon avx bts clflush cmov
    constant_tsc cpuid cpuid_fault cx16 cx8 de ds_cpl dtes64 dtherm dts epb
    ept erms est f16c flexpriority flush_l1d fpu fsgsbase fxsr ht ibpb ibrs
    lahf_lm lm mca mce md_clear mmx monitor msr mtrr nonstop_tsc nopl nx pae
    pat pbe pcid pclmulqdq pdcm pebs pge pln pni popcnt pse pse36 pti pts
    rdrand rdtscp rep_good sep smep ss ssbd sse sse2 sse4_1 sse4_2 ssse3 stibp
    syscall tm tm2 tpr_shadow tsc tsc_deadline_timer vme vmx vnmi vpid xsave
    xsaveopt xtopology xtpr
  Vulnerabilities:
  Type: gather_data_sampling status: Not affected
  Type: itlb_multihit status: KVM: VMX disabled
  Type: l1tf mitigation: PTE Inversion; VMX: conditional cache flushes, SMT
    disabled
  Type: mds mitigation: Clear CPU buffers; SMT disabled
  Type: meltdown mitigation: PTI
  Type: mmio_stale_data status: Unknown: No mitigations
  Type: reg_file_data_sampling status: Not affected
  Type: retbleed status: Not affected
  Type: spec_rstack_overflow status: Not affected
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via
    prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer
    sanitization
  Type: spectre_v2 mitigation: Retpolines; IBPB: conditional; IBRS_FW;
    STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Not affected
  Type: srbds status: Vulnerable: No microcode
  Type: tsx_async_abort status: Not affected
Graphics:
  Device-1: NVIDIA GF108 [GeForce GT 430] driver: nvidia v: 390.157
    alternate: nouveau,nvidia_drm non-free: series: 390.xx+
    status: legacy (EOL~2022-11-22) last: release: 390.157 kernel: 6.0
    xorg: 1.21 arch: Fermi code: GF1xx process: 40/28nm built: 2010-2016 pcie:
    gen: 2 speed: 5 GT/s lanes: 16 ports: active: none off: DVI-I-1
    empty: HDMI-A-1,VGA-1 bus-ID: 01:00.0 chip-ID: 10de:0de1 class-ID: 0300
  Display: x11 server: X.Org v: 21.1.15 with: Xwayland v: 24.1.5
    compositor: kwin_x11 driver: X: loaded: nvidia gpu: nvidia display-ID: :0
    screens: 1
  Screen-1: 0 s-res: 2560x1440 s-dpi: 108 s-size: 602x342mm (23.70x13.46")
    s-diag: 692mm (27.26")
  Monitor-1: DVI-I-1 res: mode: 2560x1440 hz: 60 scale: 100% (1) dpi: 109
    size: 597x336mm (23.5x13.23") diag: 685mm (26.97") modes: N/A
  API: EGL v: 1.5 platforms: gbm: drv: kms_swrast
  API: OpenGL v: 4.5 compat-v: 4.6.0 vendor: nvidia mesa v: 390.157
    glx-v: 1.4 direct-render: yes renderer: GeForce GT 430/PCIe/SSE2
    memory: 1000 MiB
  API: Vulkan Message: No Vulkan data available.
  Info: Tools: api: clinfo, eglinfo, glxinfo, vulkaninfo
    de: kscreen-console,kscreen-doctor gpu: nvidia-smi wl: wayland-info
    x11: xdpyinfo, xprop, xrandr
Audio:
  Device-1: Intel 7 Series/C216 Family High Definition Audio
    vendor: Micro-Star MSI driver: snd_hda_intel v: kernel bus-ID: 00:1b.0
    chip-ID: 8086:1e20 class-ID: 0403
  Device-2: NVIDIA GF108 High Definition Audio driver: snd_hda_intel
    v: kernel pcie: gen: 2 speed: 5 GT/s lanes: 16 bus-ID: 01:00.1
    chip-ID: 10de:0bea class-ID: 0403
  API: ALSA v: k6.12.12-2-MANJARO status: kernel-api with: aoss
    type: oss-emulator tools: alsactl,alsamixer,amixer
  Server-1: JACK v: 1.9.22 status: off tools: N/A
  Server-2: PipeWire v: 1.2.7 status: active with: 1: pipewire-pulse
    status: active 2: pipewire-media-session status: active 3: pipewire-alsa
    type: plugin tools: pactl,pw-cat,pw-cli
Network:
  Device-1: Realtek RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet
    vendor: Micro-Star MSI driver: r8169 v: kernel pcie: gen: 1 speed: 2.5 GT/s
    lanes: 1 port: d000 bus-ID: 03:00.0 chip-ID: 10ec:8168 class-ID: 0200
  IF: enp3s0 state: down mac: <filter>
  Device-2: NetGear WNDA4100 802.11abgn 3x3:3 [Ralink RT3573]
    driver: rt2800usb type: USB rev: 2.0 speed: 480 Mb/s lanes: 1 mode: 2.0
    bus-ID: 1-4:4 chip-ID: 0846:9012 class-ID: 0000 serial: <filter>
  IF: wlp0s20u4 state: up mac: <filter>
  IP v4: <filter> type: dynamic noprefixroute scope: global
    broadcast: <filter>
  IP v6: <filter> type: dynamic noprefixroute scope: global
  IP v6: <filter> type: dynamic noprefixroute scope: global
  IP v6: <filter> type: noprefixroute scope: link
  Info: services: NetworkManager, systemd-timesyncd, wpa_supplicant
  WAN IP: <filter>
Bluetooth:
  Device-1: Cambridge Silicon Radio Bluetooth Dongle (HCI mode) driver: btusb
    v: 0.8 type: USB rev: 2.0 speed: 12 Mb/s lanes: 1 mode: 1.1 bus-ID: 1-1:2
    chip-ID: 0a12:0001 class-ID: e001
  Report: rfkill ID: hci0 rfk-id: 0 state: up address: see --recommends
Logical:
  Message: No logical block device data found.
  Device-1: bitlk_mobi_stick maj-min: 254:3 type: Crypto dm: dm-3
    size: 119.01 GiB
  Components:
  p-1: sdd1 maj-min: 8:49 size: 119.01 GiB
  Device-2: bitlk_daniel_stick maj-min: 254:4 type: Crypto dm: dm-4
    size: 30 GiB
  Components:
  p-1: sdd2 maj-min: 8:50 size: 30 GiB
  Device-3: bitlk_bibliothek_stick maj-min: 254:5 type: Crypto dm: dm-5
    size: 30 GiB
  Components:
  p-1: sdd3 maj-min: 8:51 size: 30 GiB
  Device-4: bitlk_wiki_stick maj-min: 254:6 type: Crypto dm: dm-6
    size: 30 GiB
  Components:
  p-1: sdd4 maj-min: 8:52 size: 30 GiB
  Device-5: luks-ac37595d-5b67-408c-82b8-547a678e97e6 maj-min: 254:0
    type: LUKS dm: dm-0 size: 232.59 GiB
  Components:
  p-1: sda2 maj-min: 8:2 size: 232.59 GiB
  Device-6: luks-aa7c5077-2732-494c-8f37-9d6d9852f1d5 maj-min: 254:1
    type: LUKS dm: dm-1 size: 465.76 GiB
  Components:
  p-1: sdb1 maj-min: 8:17 size: 465.76 GiB
  Device-7: luks-97478fb5-267e-493d-8774-49eef2f55050 maj-min: 254:2
    type: LUKS dm: dm-2 size: 465.76 GiB
  Components:
  p-1: sdc1 maj-min: 8:33 size: 465.76 GiB
RAID:
  Message: No RAID data found.
Drives:
  Local Storage: total: 1.37 TiB used: 858.35 GiB (61.2%)
  SMART Message: Unable to run smartctl. Root privileges required.
  ID-1: /dev/sda maj-min: 8:0 vendor: Samsung model: SSD 860 EVO 250GB
    size: 232.89 GiB block-size: physical: 512 B logical: 512 B speed: 6.0 Gb/s
    tech: SSD serial: <filter> fw-rev: 4B6Q scheme: GPT
  ID-2: /dev/sdb maj-min: 8:16 vendor: Western Digital
    model: WD5000AZRX-00A8LB0 size: 465.76 GiB block-size: physical: 4096 B
    logical: 512 B speed: 3.0 Gb/s tech: N/A serial: <filter> fw-rev: 1A01
    scheme: GPT
  ID-3: /dev/sdc maj-min: 8:32 vendor: Samsung model: SSD 860 EVO 500GB
    size: 465.76 GiB block-size: physical: 512 B logical: 512 B speed: 3.0 Gb/s
    tech: SSD serial: <filter> fw-rev: 1B6Q scheme: GPT
  ID-4: /dev/sdd maj-min: 8:48 vendor: Samsung model: Flash Drive FIT
    size: 239.02 GiB block-size: physical: 512 B logical: 512 B type: USB
    rev: 3.1 spd: 5 Gb/s lanes: 1 mode: 3.2 gen-1x1 tech: SSD serial: <filter>
    fw-rev: 1100 scheme: GPT
  SMART Message: Unknown USB bridge. Flash drive/Unsupported enclosure?
  Optical-1: /dev/sr0 vendor: HL-DT-ST model: DVDRAM GH24NS90 rev: IN01
    dev-links: cdrom
  Features: speed: 12 multisession: yes audio: yes dvd: yes
    rw: cd-r,cd-rw,dvd-r,dvd-ram state: running
Partition:
  ID-1: / raw-size: 232.59 GiB size: 227.88 GiB (97.98%)
    used: 94.61 GiB (41.5%) fs: ext4 dev: /dev/dm-0 maj-min: 254:0
    mapped: luks-ac37595d-5b67-408c-82b8-547a678e97e6 label: System
    uuid: 4c2ea2f1-3cfa-4377-8778-97f19f2453fe
  ID-2: /boot/efi raw-size: 300 MiB size: 299.4 MiB (99.80%)
    used: 472 KiB (0.2%) fs: vfat dev: /dev/sda1 maj-min: 8:1 label: NO_LABEL
    uuid: 04E7-F02F
  ID-3: /run/media/schatzi/Bibliothek raw-size: 30 GiB size: 30 GiB (100.00%)
    used: 8.32 GiB (27.7%) fs: fuseblk dev: /dev/dm-5 maj-min: 254:5
    mapped: bitlk_bibliothek_stick label: N/A uuid: N/A
  ID-4: /run/media/schatzi/Daniel raw-size: 30 GiB size: 30 GiB (100.00%)
    used: 15.5 GiB (51.7%) fs: fuseblk dev: /dev/dm-4 maj-min: 254:4
    mapped: bitlk_daniel_stick label: N/A uuid: N/A
  ID-5: /run/media/schatzi/Data raw-size: 465.76 GiB
    size: 457.38 GiB (98.20%) used: 382.84 GiB (83.7%) fs: ext4 dev: /dev/dm-2
    maj-min: 254:2 mapped: luks-97478fb5-267e-493d-8774-49eef2f55050
    label: Data uuid: aea89950-6192-4055-8c45-0991f2477684
  ID-6: /run/media/schatzi/Extra raw-size: 465.76 GiB
    size: 457.38 GiB (98.20%) used: 316.99 GiB (69.3%) fs: ext4 dev: /dev/dm-1
    maj-min: 254:1 mapped: luks-aa7c5077-2732-494c-8f37-9d6d9852f1d5
    label: Extra uuid: 61a2cc0c-2b1f-46e2-a956-a42b5e447f2a
  ID-7: /run/media/schatzi/Mobi raw-size: 119.01 GiB
    size: 119.01 GiB (100.00%) used: 34.44 GiB (28.9%) fs: fuseblk dev: /dev/dm-3
    maj-min: 254:3 mapped: bitlk_mobi_stick label: N/A uuid: N/A
  ID-8: /run/media/schatzi/Wiki raw-size: 30 GiB size: 30 GiB (100.00%)
    used: 5.65 GiB (18.8%) fs: fuseblk dev: /dev/dm-6 maj-min: 254:6
    mapped: bitlk_wiki_stick label: N/A uuid: N/A
Swap:
  Kernel: swappiness: 60 (default) cache-pressure: 100 (default) zswap: no
  ID-1: swap-1 type: file size: 8 GiB used: 256 KiB (0.0%) priority: -2
    file: /swapfile
Unmounted:
  ID-1: /dev/sdd1 maj-min: 8:49 size: 119.01 GiB fs: bitlocker label: N/A
    uuid: N/A
  ID-2: /dev/sdd2 maj-min: 8:50 size: 30 GiB fs: bitlocker label: N/A
    uuid: N/A
  ID-3: /dev/sdd3 maj-min: 8:51 size: 30 GiB fs: bitlocker label: N/A
    uuid: N/A
  ID-4: /dev/sdd4 maj-min: 8:52 size: 30 GiB fs: bitlocker label: N/A
    uuid: N/A
  ID-5: /dev/sdd5 maj-min: 8:53 size: 30 GiB fs: bitlocker label: N/A
    uuid: N/A
USB:
  Hub-1: 1-0:1 info: hi-speed hub with single TT ports: 4 rev: 2.0
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 chip-ID: 1d6b:0002
    class-ID: 0900
  Device-1: 1-1:2 info: Cambridge Silicon Radio Bluetooth Dongle (HCI mode)
    type: bluetooth driver: btusb interfaces: 2 rev: 2.0
    speed: 12 Mb/s (1.4 MiB/s) lanes: 1 mode: 1.1 power: 100mA
    chip-ID: 0a12:0001 class-ID: e001
  Hub-2: 1-3:3 info: Realtek 4-Port USB 2.0 Hub ports: 2 rev: 2.1
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 chip-ID: 0bda:5412
    class-ID: 0900
  Device-1: 1-4:4 info: NetGear WNDA4100 802.11abgn 3x3:3 [Ralink RT3573]
    type: Network driver: rt2800usb interfaces: 1 rev: 2.0
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 power: 450mA
    chip-ID: 0846:9012 class-ID: 0000 serial: <filter>
  Hub-3: 2-0:1 info: super-speed hub ports: 4 rev: 3.0
    speed: 5 Gb/s (596.0 MiB/s) lanes: 1 mode: 3.2 gen-1x1 chip-ID: 1d6b:0003
    class-ID: 0900
  Hub-4: 2-3:2 info: Realtek 4-Port USB 3.0 Hub ports: 2 rev: 3.0
    speed: 5 Gb/s (596.0 MiB/s) lanes: 1 mode: 3.2 gen-1x1 chip-ID: 0bda:0412
    class-ID: 0900
  Device-1: 2-3.1:3 info: Silicon Motion - Taiwan (formerly Feiya ) Flash
    Drive type: mass storage driver: usb-storage interfaces: 1 rev: 3.1
    speed: 5 Gb/s (596.0 MiB/s) lanes: 1 mode: 3.2 gen-1x1 power: 304mA
    chip-ID: 090c:1000 class-ID: 0806 serial: <filter>
  Hub-5: 3-0:1 info: full speed or root hub ports: 2 rev: 2.0
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 chip-ID: 1d6b:0002
    class-ID: 0900
  Hub-6: 3-1:2 info: Intel Integrated Rate Matching Hub ports: 6 rev: 2.0
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 chip-ID: 8087:0024
    class-ID: 0900
  Hub-7: 4-0:1 info: full speed or root hub ports: 2 rev: 2.0
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 chip-ID: 1d6b:0002
    class-ID: 0900
  Hub-8: 4-1:2 info: Intel Integrated Rate Matching Hub ports: 6 rev: 2.0
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 chip-ID: 8087:0024
    class-ID: 0900
  Hub-9: 4-1.5:3 info: Huasheng USB2.0 HUB ports: 4 rev: 2.0
    speed: 480 Mb/s (57.2 MiB/s) lanes: 1 mode: 2.0 power: 100mA
    chip-ID: 214b:7250 class-ID: 0900
  Hub-10: 4-1.5.3:4 info: Monterey BakkerElkhuizen Wired Keyboard S-board
    840 Design USB-Hub ports: 3 rev: 2.0 speed: 480 Mb/s (57.2 MiB/s) lanes: 1
    mode: 2.0 power: 100mA chip-ID: 0566:3020 class-ID: 0900
  Device-1: 4-1.5.3.2:5 info: Logitech Unifying Receiver
    type: keyboard,mouse,HID driver: logitech-djreceiver,usbhid interfaces: 3
    rev: 2.0 speed: 12 Mb/s (1.4 MiB/s) lanes: 1 mode: 1.1 power: 98mA
    chip-ID: 046d:c52b class-ID: 0300
  Device-2: 4-1.5.3.3:6 info: Monterey BakkerElkhuizen Wired Keyboard
    S-board 840 Design type: keyboard,HID driver: hid-generic,usbhid
    interfaces: 2 rev: 1.1 speed: 1.5 Mb/s (183 KiB/s) lanes: 1 mode: 1.0
    power: 100mA chip-ID: 0566:3013 class-ID: 0300
Sensors:
  System Temperatures: cpu: 36.0 C mobo: N/A
  Fan Speeds (rpm): N/A
Repos:
  Packages: pm: pacman pkgs: 1789 libs: 442 tools: pamac pm: flatpak pkgs: 0
  Active pacman repo servers in: /etc/pacman.d/mirrorlist
    1: http://ftp.snt.utwente.nl/pub/linux/manjaro/stable/$repo/$arch
    2: https://ftp.psnc.pl/linux/manjaro/stable/$repo/$arch
    3: https://mirrors.cicku.me/manjaro/stable/$repo/$arch
    4: https://ftpmirror1.infania.net/mirror/manjaro/stable/$repo/$arch
    5: https://bd.mirror.vanehost.com/Manjaro/stable/$repo/$arch
    6: https://mirror.hostiko.network/manjaro/stable/$repo/$arch
    7: https://mirror.archlinux.tw/Manjaro/stable/$repo/$arch
    8: https://mirror.phoepsilonix.love/manjaro/stable/$repo/$arch
Processes:
  CPU top: 5 of 330
  1: cpu: 12.7% command: python pid: 13785 mem: 42.1 MiB (0.1%)
  2: cpu: 7.4% command: rsync pid: 13915 mem: 41.5 MiB (0.1%)
  3: cpu: 7.3% command: firefox pid: 1461 mem: 782.6 MiB (3.2%)
  4: cpu: 7.2% command: firefox pid: 7866 mem: 526.2 MiB (2.1%)
  5: cpu: 3.9% command: Xorg pid: 810 mem: 142.4 MiB (0.5%)
  Memory top: 5 of 330
  1: mem: 782.6 MiB (3.2%) command: firefox pid: 1461 cpu: 7.3%
  2: mem: 576.2 MiB (2.4%) command: plasmashell pid: 995 cpu: 0.4%
  3: mem: 526.2 MiB (2.1%) command: firefox pid: 7866 cpu: 7.2%
  4: mem: 378.8 MiB (1.5%) command: firefox pid: 4415 cpu: 1.0%
  5: mem: 347.6 MiB (1.4%) command: firefox pid: 7988 cpu: 2.3%
Info:
  Processes: 330 Power: uptime: 2h 23m states: freeze,mem,disk suspend: deep
    avail: s2idle wakeups: 0 hibernate: platform avail: shutdown, reboot,
    suspend, test_resume image: 9.33 GiB services: org_kde_powerdevil,
    power-profiles-daemon, upowerd Init: systemd v: 257 default: graphical
    tool: systemctl
  Compilers: clang: 19.1.7 gcc: 14.2.1 Shell: Zsh v: 5.9 default: Bash
    v: 5.2.37 running-in: konsole inxi: 3.3.37
~ >>>

Even though the device is read-write for everyone, it is the decrypted block device, and it is the decrypted partition's filesystem that dictates the permissions.

The same goes for your unlocked and mounted device partitions: the partition's filesystem dictates the permissions.

$ ls -l /dev/mapper
total 0
crw------- 1 root root 10, 236 Mar  4 12:22 control
lrwxrwxrwx 1 root root       7 Mar  4 12:22 swap -> ../dm-1
lrwxrwxrwx 1 root root       7 Mar  4 12:22 system -> ../dm-0

Did you try to access it as a non-privileged user? If not, please show us.

Btw., usually the entries in /dev/mapper/ are just symlinks; you should check the permissions of the target device file, not the link.

Ok, thanks!

What would you do then to restrict the partitions to dedicated user access?

sudo chown $USER:$USER /path/to/mountpoint -R

My bad:

lrwxrwxrwx 1 root root       7  4. Mär 09:47 luks-aa7c5077-2732-494c-8f37-9d6d9852f1d5 -> ../dm-1

I conducted:

>>> less /dev/mapper/luks-aa7c5077-2732-494c-8f37-9d6d9852f1d5   <<tab>>

This offered and revealed the content of the files from the current path. Coincidentally, I was executing from the very same partition.

Sorry!

Long story short: There is no need to secure via permissions in /dev/mapper. Right?

Thanks for the snippet. I am aware of sudo chown $USER:$USER /path/to/mountpoint -R, but if permissions are still a+rx or a+rwx or similar, the files are still accessible. What should I do here? Or is my understanding wrong?

⚠️ It is surprisingly easy to wreck your system by changing permissions.

Please educate yourself on Linux access control → File permissions and attributes - ArchWiki

To change the permissions of all files and folders in the mount point so that only the owner has access, you use the following in addition to the above:

chmod go-rwx /path/to/mountpoint -R

⚠️ Do not ever do this on the system root.

Ok, thanks a lot!

You anticipated my fear:

Most of all because there is no going back after changing permissions. I feel that you don’t recommend doing this.

Follow-up question: The mount point has these permissions:

drwxr-x---+ 8 root root 160  4. Mär 12:25 myuser

Is this effectively protecting my data from other users' access?

How do you set up a multi-user system with distinct data partitions?

Before doing anything on your data - do some testing.

Create a test folder with a nested folder and some files in each.

Then try the various permissions to learn what effect they have.
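The test run suggested above, together with the chown/chmod go-rwx recipe from the earlier reply, as an added shell example (not posted by anyone in this thread). It assumes GNU coreutils and findutils (stat -c, chmod -R, find -exec ... +) and works only on a throw-away tree, so nothing on a real mount point is touched:

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils/findutils.
# Build a disposable test tree, apply the same "chmod go-rwx -R" the
# thread recommends, and verify the outcome before touching real data.

# Create DIR with a nested folder and one file on each level.
make_test_tree() {
    mkdir -p "$1/inner"
    echo "top"   > "$1/top.txt"
    echo "inner" > "$1/inner/inner.txt"
}

# The recipe from the thread: strip every group/other bit, recursively.
restrict_to_owner() {
    chmod -R go-rwx "$1"
}

# Print how many entries under DIR still carry any group or other bit.
# 0 means only the owner (and root) can reach anything in the tree.
# stat %a prints octal mode bits; the last two digits are group and other.
count_exposed() {
    find "$1" -exec stat -c '%a' {} + |
        awk '{ if (substr($0, length($0) - 1) != "00") n++ } END { print n + 0 }'
}

# Run the whole exercise on a temporary directory and report before/after.
demo() {
    d=$(mktemp -d) || return 1
    make_test_tree "$d/tree"
    echo "exposed before: $(count_exposed "$d/tree")"
    restrict_to_owner "$d/tree"
    echo "exposed after:  $(count_exposed "$d/tree")"
    ls -lR "$d/tree"
    rm -rf "$d"
}

# Uncomment to run stand-alone:
# demo
```

The "before" count depends on your umask (with the usual 022 every entry is exposed; with 077 it is already 0), which is exactly why testing on a scratch tree first is worthwhile. After the script reports 0, the check the thread ends up doing by hand, trying to list the directory as a second user, should fail with "Permission denied".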

Ok, thanks for the hint: I cannot traverse the mount point's root /run/media/myuser when using a different user.

This also holds for the home folder:

drwx------ 50 myuser myuser 4096  4. Mär 12:29 myuser

I’d say understood.

Coming back to the /dev/mapper/, I am again confused:

lrwxrwxrwx 1 root root       7  4. Mär 09:47 luks-97478fb5-267e-493d-8774-49eef2f55050 -> ../dm-2
lrwxrwxrwx 1 root root       7  4. Mär 09:47 luks-aa7c5077-2732-494c-8f37-9d6d9852f1d5 -> ../dm-1
lrwxrwxrwx 1 root root       7  4. Mär 09:47 luks-ac37595d-5b67-408c-82b8-547a678e97e6 -> ../dm-0

I’ll try to conclude:
A different story than the investigated mount point above. This is the block device, and there is no filesystem mounted yet? Somehow just a blob here?

This is just a link! Permissions on links have (nearly) no effect on the target.

You need to check the permissions of the “device file”. For example

ls -l /dev/dm-0

The permissions for the file system and the files it contains are a completely different story. They have nothing to do with each other.
You need to distinguish between a link, a device file and normal files on a file system. (The list is not complete; there are other file types.)
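The check described in this reply (follow the /dev/mapper symlink and inspect the device node it points to), written out as an added shell example that is not from anyone in this thread. It assumes GNU coreutils (readlink -f, stat -c); the mapper name in the usage line is a placeholder:

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils.
# /dev/mapper/<name> is normally a symlink to ../dm-N; the lrwxrwxrwx shown
# by ls belongs to the link and says nothing about the device node itself.

# Follow a path to its final target (the device node, not the link).
resolve_target() {
    readlink -f "$1"
}

# Print "<mode> <owner>:<group> <file type> <path>" for the resolved target.
target_perms() {
    t=$(resolve_target "$1") || return 1
    [ -e "$t" ] || return 1
    stat -c '%A %U:%G %F %n' "$t"
}

# Succeed (exit 0) only if "other" has no r/w/x bit on the resolved target.
# stat %a prints the octal mode; the last digit is the "other" class.
others_locked_out() {
    t=$(resolve_target "$1") || return 1
    octal=$(stat -c '%a' "$t") || return 1
    case "$octal" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Report every mapped device on the system (skips the "control" node).
report_mapper() {
    for l in /dev/mapper/*; do
        [ -L "$l" ] || continue
        if others_locked_out "$l"; then verdict="others: no access"
        else verdict="others: HAS ACCESS"; fi
        printf '%s -> %s  [%s]\n' "$l" "$(target_perms "$l")" "$verdict"
    done
}

# Usage (placeholder name): target_perms /dev/mapper/luks-EXAMPLE
# or simply: report_mapper
```

On the system in this thread the node resolved to brwxrwx--- root disk, so "other" is already shut out at the device level; note that any member of the disk group can still open the raw node, which is why the thread's real fix is file-system permissions on the mount point rather than the device file.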

Ok, this looks logical, now:

brwxrwx--- 1 root disk 254, 3  4. Mär 12:52 /dev/dm-3

Thanks a lot for the help!

(One final side note: I started with ChatGPT, which suggested doing the chmod in /dev/mapper. You defeated AI!)

Because we know what we are doing.

