[Solved] SD Card Privileges

$ inxi --full --verbosity=7 --filter --no-host
System:    Kernel: 5.4.64-1-MANJARO x86_64 bits: 64 compiler: gcc v: 10.2.0 Desktop: KDE Plasma 5.19.5 tk: Qt 5.15.0 
           wm: kwin_x11 dm: SDDM Distro: Manjaro Linux 
Machine:   Type: Laptop System: Dell product: Latitude E7470 v: N/A serial: <filter> Chassis: type: 9 serial: <filter> 
           Mobo: Dell model: 0T6HHJ v: A00 serial: <filter> UEFI [Legacy]: Dell v: 1.22.8 date: 10/08/2019 
Battery:   ID-1: BAT0 charge: 44.0 Wh condition: 44.0/55.0 Wh (80%) volts: 8.4/7.6 model: Samsung SDI DELL 1W2Y26A 
           type: Li-poly serial: <filter> status: Full 
Memory:    RAM: total: 7.59 GiB used: 1.70 GiB (22.4%) 
           RAM Report: permissions: Unable to run dmidecode. Root privileges required. 
CPU:       Topology: Dual Core model: Intel Core i7-6600U bits: 64 type: MT MCP arch: Skylake rev: 3 L2 cache: 4096 KiB 
           bogomips: 22408 
           Speed: 500 MHz min/max: 400/3400 MHz Core speeds (MHz): 1: 500 2: 500 3: 500 4: 501 
           Flags: 3dnowprefetch abm acpi adx aes aperfmperf apic arat arch_perfmon art avx avx2 bmi1 bmi2 bts clflush 
           clflushopt cmov constant_tsc cpuid cpuid_fault cx16 cx8 de ds_cpl dtes64 dtherm dts epb ept ept_ad erms est f16c 
           flexpriority flush_l1d fma fpu fsgsbase fxsr hle ht hwp hwp_act_window hwp_epp hwp_notify ibpb ibrs ida intel_pt 
           invpcid invpcid_single lahf_lm lm mca mce md_clear mmx monitor movbe mpx msr mtrr nonstop_tsc nopl nx pae pat pbe 
           pcid pclmulqdq pdcm pdpe1gb pebs pge pln pni popcnt pse pse36 pti pts rdrand rdseed rdtscp rep_good rtm sdbg sep 
           smap smep smx ss ssbd sse sse2 sse4_1 sse4_2 ssse3 stibp syscall tm tm2 tpr_shadow tsc tsc_adjust 
           tsc_deadline_timer vme vmx vnmi vpid x2apic xgetbv1 xsave xsavec xsaveopt xsaves xtopology xtpr 
Graphics:  Device-1: Intel Skylake GT2 [HD Graphics 520] vendor: Dell Latitude E7470 driver: i915 v: kernel bus ID: 00:02.0 
           chip ID: 8086:1916 
           Display: x11 server: X.Org 1.20.8 compositor: kwin_x11 driver: modesetting alternate: fbdev,intel,vesa 
           resolution: 1920x1080 s-dpi: 96 
           OpenGL: renderer: Mesa Intel HD Graphics 520 (SKL GT2) v: 4.6 Mesa 20.1.7 direct render: Yes 
Audio:     Device-1: Intel Sunrise Point-LP HD Audio vendor: Dell Latitude E7470 driver: snd_hda_intel v: kernel 
           bus ID: 00:1f.3 chip ID: 8086:9d70 
           Sound Server: ALSA v: k5.4.64-1-MANJARO 
Network:   Device-1: Intel Wireless 8260 driver: iwlwifi v: kernel port: f040 bus ID: 01:00.0 chip ID: 8086:24f3 
           IF: wlp1s0 state: up mac: <filter> 
           IP v4: <filter> type: dynamic noprefixroute scope: global broadcast: <filter> 
           IP v6: <filter> type: noprefixroute scope: link 
           Device-2: Intel driver: N/A port: f040 bus ID: 02:00.0 chip ID: 8086:093c 
           WAN IP: <filter> 
Drives:    Local Storage: total: 267.50 GiB used: 12.29 GiB (4.6%) 
           ID-1: /dev/mmcblk0 vendor: SanDisk model: SL32G size: 29.03 GiB serial: <filter> scheme: MBR 
           ID-2: /dev/nvme0n1 vendor: Toshiba model: THNSN5256GPU7 NVMe 256GB size: 238.47 GiB speed: 31.6 Gb/s lanes: 4 
           serial: <filter> rev: 57DA4103 scheme: MBR 
           Message: No Optical or Floppy data was found. 
RAID:      Message: No RAID data was found. 
Partition: ID-1: / size: 225.06 GiB used: 12.25 GiB (5.4%) fs: ext4 dev: /dev/nvme0n1p1 label: N/A 
           uuid: f522c942-6c24-4067-bc07-6d99e20a6e94 
           ID-2: /run/media/kmale/Katie-SD-32GB size: 28.45 GiB used: 43.9 MiB (0.2%) fs: ext4 dev: /dev/mmcblk0p1 
           label: Katie-SD-32GB uuid: 2c27da91-965b-4318-a8e1-41c2e044d7cc 
Swap:      ID-1: swap-1 type: partition size: 8.80 GiB used: 0 KiB (0.0%) priority: -2 dev: /dev/nvme0n1p2 label: N/A 
           uuid: 6f2f966f-aa1d-4403-8982-85dab59f4073 
Unmounted: Message: No unmounted partitions found. 
USB:       Hub: 1-0:1 info: Full speed (or root) Hub ports: 12 rev: 2.0 speed: 480 Mb/s chip ID: 1d6b:0002 
           Device-1: 1-7:2 info: Broadcom 5880 type: Smart Card driver: N/A interfaces: 4 rev: 1.1 speed: 12 Mb/s 
           chip ID: 0a5c:5834 serial: <filter> 
           Device-2: 1-9:3 info: Elan Micro Touchscreen type: HID driver: hid-multitouch,usbhid interfaces: 1 rev: 2.0 
           speed: 12 Mb/s chip ID: 04f3:2247 
           Hub: 2-0:1 info: Full speed (or root) Hub ports: 6 rev: 3.0 speed: 5 Gb/s chip ID: 1d6b:0003 
Sensors:   System Temperatures: cpu: 47.0 C mobo: N/A 
           Fan Speeds (RPM): cpu: 0 
Info:      Processes: 181 Uptime: 1h 05m Init: systemd v: 246 Compilers: gcc: 10.2.0 Packages: pacman: 1218 Shell: Bash 
           v: 5.0.18 running in: yakuake inxi: 3.1.05 

Hey all,
This may be a dumb question but I recently formatted an SD card to keep in my wife’s laptop in ext4. When I formatted it using gparted, it was owned by root.

I know I can modify the owner to my wife’s user and she can have full access to it but since it is removable I would prefer her to have to elevate privileges and put in a password to access/modify it.

Is there a simple way to do this? Thanks!

You have to stop thinking along the logic of Microsoft Windows. Any storage device that has a POSIX-compatible filesystem like ext4 on it should never have its access determined on the whole device.

The filesystem on the device is transparently mounted into the directory hierarchy, and the permissions and ownership on the individual files and directories on the mounted filesystem will determine who can do what to which files and which directories.

If you insist that your wife enter a password for accessing the filesystem on the device, then look into encryption. KDE Plasma offers Vaults ─ the package is called plasma-vault and can be found in the repository.

1 Like

Weird logic without any bearing on data security: any unencrypted filesystem can be accessed from another machine when the sd card is removed.

1 Like

Gotcha, makes sense, I guess I was just a little confused as to why I could not access the information easily.

What filesystem and owner (if any) would be best for this situation? I just want to mostly store pictures and documents. Nothing that needs to be secure. Thanks.

Well, the owner is whoever owns the directory that the device is mounted on. If it is mounted to a directory in the root of the tree, then the owner will be the root account. If it’s mounted in a directory under your home, then under normal circumstances, you would be the owner, because you’re the one who’ll be creating that directory.

What is more important, however, is the group. You can create a group to which both you and your wife belong, and make this group the one that owns the directory that the device will be mounted on ─ best would be a directory outside of your home, but I’ll get back to this in a moment ─ and then set the permissions so that the SGID bit is on. That way, all (new) files stored in that directory ─ and thus: on the device ─ will be saved with that group, instead of the primary group of the person who creates the file.

Now, to give you an example ─ and this is what I said I’d get back to in the paragraph above ─ I prefer that all movies, TV series and music files on my computer are available to all user accounts. As such, I use directories under /srv for that.

/srv is a root-owned directory in the root of the tree, and if you look on your system ─ this is typical for Arch, Manjaro and other Arch-derivatives ─ you will find two directories in there, i.e. /srv/ftp and /srv/www. Most other distributions put those two under /var and don’t use /srv, even though /srv is officially listed in the File Hierarchy Standard 3.0. Wikipedia has an article on this standard as well… :arrow_down:

So you will see that /srv is a directory intended for “services offered by the system”. I consider a file share that all user accounts must have access to to fall under that description, and so I’ve created a /srv/mmedia directory, with subdirectories for movies, series, concert videos and music.

Therefore, in your case, I would recommend that you mount that SD card to such a subdirectory as well, e.g. /srv/share, and that you create a user group called share, which you make yourself and your wife’s account members of ─ it doesn’t have to become your primary user group. :arrow_down:

sudo groupadd share
sudo usermod -aG share your_user_name
sudo usermod -aG share your_wife
sudo mkdir /srv/share
sudo chown root:share /srv/share
sudo chmod 2775 /srv/share

You will then also need to make sure that the device always gets mounted at /srv/share. This means that you must edit /etc/fstab and include a permanent record for the partition on the device. Given that it’s a removable device, we will set it to noauto,nofail. So you’ll have to manually mount it, but that’s easily done from within the file manager, or by way of the command line.

The line in /etc/fstab should look something like the following… :arrow_down:

/dev/whatever_the_partition_is   /srv/share   ext4  noauto,nofail,defaults,sync     0    0

Now, if your wife is going to use this device on a separate computer, then you’ll need to repeat the steps as here-above on her computer as well. But there’s also a caveat.

See, the first user account created in Manjaro has UID 1000. This means that on your computer, UID 1000 is you, and on your wife’s computer, UID 1000 is her. So when she mounts the device on her computer, the files that you put on there while the device was in your computer will now be owned by her, and the files that appeared to be owned by her while the device was in your computer will now appear to be owned by you instead.

I don’t know how important this is, and had this been a corporate network with multiple workstations, then a serious system administrator would have foreseen such a scenario, and would have created your accounts with consistent UIDs across all workstations in the network. But this is not the case here and now, and so you will be looking at the oddity of alternating user names ─ after all, to the operating system, it isn’t your user name that identifies you, but your numerical UID.

But either way, it should be a workable solution. :wink:

1 Like
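The group-shared mount point described in the answer above, rehearsed as an added example (not code from the thread or from Manjaro). It runs unprivileged in a throw-away prefix instead of /srv, so it cannot create a real `share` group: the helper picks one of the caller's existing supplementary groups (falling back to the primary group) to stand in for it, and then checks the two things the answer relies on, that the directory ends up mode 2775 with that group, and that a file created inside inherits the directory's group because of the SGID bit. The fstab helper emits the partition by `UUID=` rather than the answer's `/dev/whatever_the_partition_is`; that is my choice, since the kernel device name of a removable card is not stable across boots, and the UUID used in the demo is the one from the inxi output at the top of the thread. GNU `stat` is assumed, as on Manjaro.

```shell
#!/bin/sh
# Added example, not part of the forum thread. All paths, names and the
# "share" group are placeholders; nothing here touches /srv or /etc/fstab.

# Stand-in for the "share" group: the first supplementary group that differs
# from the primary group, or the primary group if there is none. Using a group
# the caller belongs to matters: an unprivileged chmod silently drops the SGID
# bit on a directory whose group the caller is not a member of.
pick_group() {
    primary=$(id -gn)
    for g in $(id -Gn); do
        if [ "$g" != "$primary" ]; then
            echo "$g"
            return 0
        fi
    done
    echo "$primary"
}

# Create the shared mount point with the layout from the answer:
# chown root:share (here: chgrp to the stand-in group) + chmod 2775.
make_share_dir() {
    dir=$1
    group=${2:-$(pick_group)}
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2775 "$dir"
}

# Octal mode of a path, including the special bits (GNU stat assumed).
mode_of() { stat -c '%a' "$1"; }

# Group name owning a path.
group_of() { stat -c '%G' "$1"; }

# Create a probe file inside the directory, print the group it was created
# with, then remove it. With SGID set on the directory this is the directory's
# group, not the creator's primary group.
inherited_group() {
    f=$1/probe.$$
    : > "$f"
    group_of "$f"
    rm -f "$f"
}

# /etc/fstab record for a removable ext4 partition: noauto,nofail as in the
# answer, addressed by UUID= (my choice) instead of a /dev/... name.
fstab_line() {
    uuid=$1
    mountpoint=$2
    printf 'UUID=%s\t%s\text4\tnoauto,nofail,defaults,sync\t0 0\n' \
        "$uuid" "$mountpoint"
}

# Demo in a temporary prefix; the UUID is the SD card's from the inxi output.
demo() {
    prefix=$(mktemp -d)
    share=$prefix/srv/share
    make_share_dir "$share"
    echo "mode:            $(mode_of "$share")"
    echo "directory group: $(group_of "$share")"
    echo "new file group:  $(inherited_group "$share")"
    echo "fstab record:"
    fstab_line 2c27da91-965b-4318-a8e1-41c2e044d7cc /srv/share
    rm -rf "$prefix"
}
```

Run `demo` to see the three checks; on a system where the caller has a supplementary group, the "new file group" line shows that group even though the file was created by a user whose primary group is different, which is exactly the effect the `2775` mode is there to produce.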

Thank you sir! What a great explanation with a lot of info. I greatly appreciate the time you took with your response. Blessings!

1 Like
