diff --git a/copyparty/authsrv.py b/copyparty/authsrv.py
index b3b6f892..1db96b77 100644
--- a/copyparty/authsrv.py
+++ b/copyparty/authsrv.py
@@ -238,8 +238,12 @@ class AuthSrv(object):
                 with open(cfg_fn, "rb") as f:
                     self._parse_config_file(f, user, mread, mwrite, mount)
 
-        # -h says our defaults are CWD at root and read/write for everyone
-        vfs = VFS(os.path.abspath("."), "", ["*"], ["*"])
+        if not mount:
+            # -h says our defaults are CWD at root and read/write for everyone
+            vfs = VFS(os.path.abspath("."), "", ["*"], ["*"])
+        elif not "" in mount:
+            # there's volumes but no root; make root inaccessible
+            vfs = VFS(os.path.abspath("."), "", [], [])
 
         maxdepth = 0
         for dst in sorted(mount.keys(), key=lambda x: (x.count("/"), len(x))):
diff --git a/tests/test_vfs.py b/tests/test_vfs.py
index e0ca4d13..8ba378a5 100644
--- a/tests/test_vfs.py
+++ b/tests/test_vfs.py
@@ -225,11 +225,11 @@ class TestVFS(unittest.TestCase):
         self.assertEqual(au.user["a"], "123")
         self.assertEqual(au.user["asd"], "fgh:jkl")
         n = au.vfs
-        # root was not defined, so PWD with everyone r/w
+        # root was not defined, so PWD with no access to anyone
         self.assertEqual(n.vpath, "")
         self.assertEqual(n.realpath, td)
-        self.assertEqual(n.uread, ["*"])
-        self.assertEqual(n.uwrite, ["*"])
+        self.assertEqual(n.uread, [])
+        self.assertEqual(n.uwrite, [])
         self.assertEqual(len(n.nodes), 1)
         n = n.nodes["dst"]
         self.assertEqual(n.vpath, "dst")