Using a vfat filesystem sanely in Linux

Here is how I set up my fstab to automatically mount my vfat partitions, owned by a single user, at boot:

/dev/hdg1 /home/nemesis/mnt/c vfat defaults,user,dmask=022,fmask=113,uid=nemesis,gid=disk,noatime 0 0

The mount point is under user nemesis's home directory and owned by the user.

The 'user' mount option allows the user owning the mount point to mount and unmount the volume. Even though it is mounted automatically at boot, this can still be handy. It also implies the 'noexec', 'nosuid' and 'nodev' options, meaning that execution of files is not permitted (WINE will still work), files with the suid bit are not allowed, and device special files are not allowed.

Since vfat (FAT32) has no concept of security, the ownership and permissions must be synthesized.

uid=nemesis means the user 'nemesis' will be the Unix owner of all files and directories in the filesystem.

gid=disk means that all files and directories will be under group 'disk'.

dmask=022 means that directories will have a mode of 755, corresponding to rwxr-xr-x.

umask=113 means that files will have a mode of 664, corresponding to rw-rw-r–.

This setup means that files will not be falsely flagged as executable while the noexec option disallows executing files. It also means that only user nemesis and group disk can write to the filesystem.

Unfortunately, the vfat driver has no 'sync' or even 'dirsync' support, so preventing data corruption in an unclean shutdown (i.e. due to a WINE/video driver crash) or in an unexpected media removal (i.e., a USB flash device) is impossible. Using autofs to manage removable vfat media is currently the best option.

The 'noatime' option prevents the vfat driver from updating the access time in the file metadata on each access, a typically useless source of overhead.

Leave a Reply