6

I've noticed that when I mount a FAT filesystem on Linux, all of the files have their executable permissions set. Why is this? There's almost no chance that you can or want to directly execute any program found on a FAT file system, and having the executable bit implicitly set for all files seems annoying to me.

I understand that FAT (and other filesystems as well) have no mode bits, and so the 777 mode I'm seeing on files is just simulated by the filesystem driver under Unix. My question is why 777 instead of 666?

Stephen Kitt
  • 411,918
  • 54
  • 1,065
  • 1,164
Edward Falk
  • 1,913
  • 15
  • 14
  • 2
    It's to allow executing them if you wanted to. Why would you decide to prevent anyone from running Unix programs on a FAT FS? It may not be ideal but it can surely work. – Julie Pelletier Sep 06 '16 at 01:03
  • Is that really the reason? Part of me feels that it's not worth the annoyance, and part feels that it's not worth the security risk. Would mounting noexec remove the annoying flag? – Edward Falk Sep 06 '16 at 01:05
  • Maybe take a look at the `mount` man page. Look for *Mount options for fat*. – larsks Sep 06 '16 at 01:12
  • I'm familiar with those options. I remember many years ago getting a FAT filesystem to mount without the exec flags, although I don't remember if it was `noexec` or `umask` that did the trick. I'm not really asking *how*, but *why*. – Edward Falk Sep 06 '16 at 01:27
  • I would suggest principle of least surprise. Upon mounting a filesystem that potentially has an executable you want to run, the default for most filesystems on Unix/Linux is that nothing special needs to be done to allow it. – James Sneeringer Sep 06 '16 at 05:02

1 Answers1

11

FAT may not be a POSIX-style filesystem, that doesn't mean that you shouldn't be allowed to store executables on it and run them directly from it. Because FAT doesn't store POSIX permissions, the only way this can happen (easily) is if the default mode used for files allows their execution...

In the past, when (V)FAT was still used as the main filesystem for other operating systems (DOS and Windows), and hard drives were smaller, it wasn't unusual to store Unix/Linux binaries on a FAT filesystem. (There's even a FAT variant which stores POSIX attributes in special files, so you could run Linux on a FAT filesystem.) Nowadays you can still end up doing so -- on USB keys for example.

If you're worried about the security implications, there are a number of options you can use. noexec and nodev are probably already set for removable filesystems on your distribution; dmask and fmask allow you to specifically determine the modes used. showexec will only set the executable bits on files with .bat, .com or .exe extensions. (Note that a file's permissions and the ability to execute it are separate...)

Jeff Schaller
  • 66,199
  • 35
  • 114
  • 250
Stephen Kitt
  • 411,918
  • 54
  • 1,065
  • 1,164