[Discuss] USB thumbdrive, Linux only usage: FAT vs NTFS vs other? TRIM support?

[invalid at pizzashack.org (Derek Martin)]

On Tue, Feb 26, 2013 at 07:08:14PM -0500, Matthew Gillen wrote:
> On 2/25/2013 10:19 PM, Tom Metro wrote:
> > Matthew Gillen wrote:
> >> Create a single directory in the root of the thumb drive, and give that
> >> world-write and group-write, then give it set-group-ID bit ('chmod g+s
> >> dirname').
> >>
> >> Every file created will inherit the group-id of the original directory...
> > 
> > How does that help if the numeric GIDs vary from machine to machine?
> 
> It doesn't matter.  The files (even new ones you're attempting to write)
> always inherit the GID of the parent dir. It's just an integer.  True,
> it won't map to a readable name on some systems (or map to a different
> name), but the display name of the group doesn't matter, and won't stop
> you from reading and writing.  The permission system is based on the
> integer values.

You're missing the problem.  

You create the drive on your home Linux system.  On that system,
your UID and GID match, and are 500.  You create your SGID, world-
readable/writable directory.  You write files into it.

Now you want to use it on your work desktop, which is managed by your
IT department, and your UID is 8365, GID is 1020.  

Unless you also make all your FILES world readable and world writable
when you write them to the USB drive, you will not be able to read or
write those files when you plug it into your work desktop.

This WILL WORK, but in general this is bad practice, and may even be
against your company's security policy.  You'll either need to change
your umask when you want to use the drive, and change it back when you
switch back to using your machine's internal disk, which you'll no
doubt forget to do very frequently, OR, you can tediously manually
change the permissions on all the files you write to your thumb drive.
Blech.  Not to mention the fact that if you're using an application to
write the file, it may not even allow you to write files with 0666
permissions in the first place.  [Some security-concious internet
client programs don't allow this, for instance.]  So even if you
change your umask, you'll still have to check to see that the access
is fully permissive.

What you're suggesting is doable; but it is either horribly tedious,
or ignores good security practices.  Or both.  Granted, anyone who
gets physical access to your thumb drive has all your files (unless
you encrypt it), so that's not a real issue...  But in order to cope
with this scheme without a painful degree of tedium, you have to put
yourself in the habit of ignoring security considerations.  That's a
bad habit to be in, and in some extreme cases could even get you fired
(though admittedly, that's very unlikely for most of us).

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.