This document describes how FAT and VFAT file system permissions work in Linux with a focus on configuring them for Wine. Introduction ------------ Linux is able to access DOS and Windows file systems using either the FAT (older 8.3 DOS filesystems) or VFAT (newer Windows 95 or later long filename filesystems) modules. Mounted FAT or VFAT filesystems provide the primary means for which existing applications and their data are accessed through Wine for dual boot (Linux + Windows) systems. Wine maps mounted FAT filesystems, such as "/c", to driver letters, such as "c:", as indicated by the wine.conf file. The following excerpt from a wine.conf file does this: [Drive C] Path=/c Type=hd Although VFAT filesystems are preferable to FAT filesystems for their long filename support the term "FAT" will be used throughout the remainder of this document to refer to FAT filesystems and their derivatives. Also, "/c" will be used as the FAT mount point in examples throughout this document. Most modern Linux distributions either detect or allow existing FAT file systems to be configured so that can be mounted, in a location such as /c, either persistently (on bootup) or on an as needed basis. In either case, by default, the permissions will probably be configured so that they look something like: ~>cd /c /c>ls -l -rwxr-xr-x 1 root root 91 Oct 10 17:58 autoexec.bat -rwxr-xr-x 1 root root 245 Oct 10 17:58 config.sys drwxr-xr-x 41 root root 16384 Dec 30 1998 windows where all the files are owned by "root", are in the "root" group and are only writable by "root" (755 permissions). This is restrictive in that it requires that Wine be run as root in order for applications to be able to write to any part of the filesystem. There three major approaches to overcoming the restrictive permissions mentioned in the previous paragraph: 1) Run Wine as root 2) Mount the FAT filesystem with less restrictive permissions 3) Shadow the FAT filesystem by completely or partially copying it Each approach will be discusses in the following "Running Wine as root", "Mounting FAT filesystems" and "Shadowing FAT filesystems" sections. Running Wine as root -------------------- Running Wine as root is the easiest and most thorough way of giving applications that Wine runs unrestricted access to FAT files systems. Running wine as root also allows applications to do things unrelated to FAT filesystems, such as listening to ports that are less than 1024. Running Wine as root is dangerous since there is no limit to what the application can do to the system. Mounting FAT filesystems ------------------------ The FAT filesystem can be mounted with permissions less restrictive than the default. This can be done by either changing the user that mounts the FAT filesystem or by explicitly changing the permissions that the FAT filesystem is mounted with. The permissions are inherited from the process that mounts the FAT filesystem. Since the process that mounts the FAT filesystem is usually a startup script running as root the FAT filesystem inherits root's permissions. This results in the files on the FAT filesystem having permissions similar to files created by root. For example: ~>whoami root ~>touch root_file ~>ls -l root_file -rw-r--r-- 1 root root 0 Dec 10 00:20 root_file which matches the owner, group and permissions of files seen on the FAT filesystem except for the missing 'x's. The permissions on the FAT filesystem can be changed by changing root's umask (unset permissions bits). For example: ~>umount /c ~>umask 022 ~>umask 073 ~>mount /c ~>cd /c /c>ls -l -rwx---r-- 1 root root 91 Oct 10 17:58 autoexec.bat -rwx---r-- 1 root root 245 Oct 10 17:58 config.sys drwx---r-- 41 root root 16384 Dec 30 1998 windows Mounting the FAT filesystem with a umask of 000 gives all users complete control over the it. Explicitly specifying the permissions of the FAT filesystem when it is mounted provides additional control. There are three mount options that are relevant to FAT permissions: "uid", "gid" and "umask". They can each be specified when the filesystem is manually mounted. For example: ~>umount /c ~>mount -o uid=500 -o gid=500 -o umask=002 /c ~>cd /c /c>ls -l -rwxrwxr-x 1 sle sle 91 Oct 10 17:58 autoexec.bat -rwxrwxr-x 1 sle sle 245 Oct 10 17:58 config.sys drwxrwxr-x 41 sle sle 16384 Dec 30 1998 windows which gives "sle" complete control over /c. The options listed above can be made permanent by adding them to the /etc/fstab file: ~>grep /c /etc/fstab /dev/hda1 /c vfat uid=500,gid=500,umask=002,exec,dev,suid,rw 1 1 Note that the umask of 002 is common in the user private group file permission scheme. On FAT file systems this umask assures that all files are fully accessible by all users in the specified group (gid). Shadowing FAT filesystems ------------------------- Shadowing provides a finer granularity of control. Parts of the original FAT filesystem can be copied so that the application can safely work with those copied parts while the application continue to directly read the remaining parts. This is done with symbolic links. For example, consider a system where an application named "AnApp" must be able to read and write to the c:\windows and c:\AnApp directories as well as have read access to the entire FAT filesystem. On this system the FAT filesystem has default permissions which should not be changed for security reasons or can not be changed due to lack of root access. On this system a shadow directory might be set up in the following manner: ~>cd / />mkdir c_shadow />cd c_shadow /c_shadow>ln -s /c_/* . /c_shadow>rm windows AnApp /c_shadow>cp -R /c_/{windows,AnApp} . /c_shadow>chmod -R 777 windows AnApp /c_shadow>perl -p -i -e 's|/c$|/c_shadow|g' /usr/local/etc/wine.conf The above gives everyone complete read and write access to the "windows" and "AnApp" directories while only root has write access to all other directories. --- Steven Elliott (elliotsl@mindspring.com)