LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Hardware
User Name
Password
Linux - Hardware This forum is for Hardware issues.
Having trouble installing a piece of hardware? Want to know if that peripheral is compatible with Linux?

Notices

Reply
 
Search this Thread
Old 02-23-2008, 01:34 PM   #1
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,393
Blog Entries: 1

Rep: Reputation: 63
How to disable a USB memory stick per user basis ?


Hi !

This question is quite the opposite we used to see around here.

I need to deny access to usb memory sticks for some users and not for others.
I can't disable entire USB sub-system, because the mouse and keyborads are usb connected.

The purpose is to limit information stealing. Those machines don't have internet access, floppy drive, printers, cd-r/dvd-r drives or wireless devices.

I need to deny access to usb mass storage devices like usb memory sticks and usb hard drives, based on his/her login name.

Any ideas ?

The distro can be Fedora 8 or openSuSE, in fact, any rpm based distro is fine.
 
Old 02-23-2008, 05:19 PM   #2
aus9
Guru
 
Registered: Oct 2003
Posts: 5,056

Rep: Reputation: Disabled
1) can person A, remove the usb memory and take it to another machine where they have root powers?....if so, any permissions you placed on the folder are lost

2) but passphrase or other key encryption may be the way to go....encrypt the folder and its contents.....will still be encrypted on the other machine that person a tries root powers on.
 
Old 02-23-2008, 06:30 PM   #3
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,203

Rep: Reputation: 292Reputation: 292Reputation: 292
I think it may be possible to create a new group, say 'usbplug'. Change the udev rules to mount usb sticks with that as a group. Then put in the people that you like into that group. I'm no udev expert so I can't be more specific, but it should be possible.
 
Old 02-23-2008, 07:29 PM   #4
aus9
Guru
 
Registered: Oct 2003
Posts: 5,056

Rep: Reputation: Disabled
dive

did u know your worm link is a duplicate of david?
 
Old 02-25-2008, 08:26 AM   #5
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,393
Blog Entries: 1

Original Poster
Rep: Reputation: 63
Quote:
Originally Posted by aus9 View Post
1) can person A, remove the usb memory and take it to another machine where they have root powers?....if so, any permissions you placed on the folder are lost
No, none has root password. just regular users.

Quote:
Originally Posted by aus9 View Post
2) but passphrase or other key encryption may be the way to go....encrypt the folder and its contents.....will still be encrypted on the other machine that person a tries root powers on.
They must have access to the files to do their work.
The information is volatile, so it is not good for more than 3 days.
The problem is stealing a big list of secrecy data at once.
The main concern is to copy that big file and use it within in the next few days.
The partial knowledge of information is not a concern. If the person try to write down the info in a piece of paper it becomes evident, due the time to do that.
 
Old 02-25-2008, 08:31 AM   #6
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,393
Blog Entries: 1

Original Poster
Rep: Reputation: 63
Quote:
Originally Posted by dive View Post
I think it may be possible to create a new group, say 'usbplug'. Change the udev rules to mount usb sticks with that as a group. Then put in the people that you like into that group. I'm no udev expert so I can't be more specific, but it should be possible.
Yes, this should work. The problem is I don't have experience with udev, so I think I need to break some systems before I managed to change the udev rules to allow only a group to mount usb storage devices.

If anyone following this thread have any information regarding to changing the way udev rules work, would be nice.

thanks in advance,
 
Old 02-25-2008, 08:48 AM   #7
Emerson
Senior Member
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~
Posts: 3,177

Rep: Reputation: Disabled
Run ls -l on your USB device, it already may have a group like plugdev.
 
Old 02-25-2008, 09:07 AM   #8
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,393
Blog Entries: 1

Original Poster
Rep: Reputation: 63
Quote:
Originally Posted by Emerson View Post
Run ls -l on your USB device, it already may have a group like plugdev.
No, device is root:disk and mount point is user:root....
 
Old 02-25-2008, 09:39 AM   #9
b0uncer
Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
Quote:
Originally Posted by marozsas View Post
The partial knowledge of information is not a concern. If the person try to write down the info in a piece of paper it becomes evident, due the time to do that.
What if this person had a cellphone camera, or something even smaller, and clicked it trough the sensitive information? Nowadays you can get a cheap, but relatively good-quality camera (as in "the information can be read from the resulting images even if it's not perfect quality") fit into very small size, carry it along without noticing and shoot pictures without nobody knowing. In some cases the manufacturer apparently "hard-codes" the clicking sound into the device so that you can't take a picture without making a noise that reveals you, but that's not the case everywhere - many big companies sell phones and other things that contain a silent camera.

Well, back to the original question. I would have suggested removing USB ports completely, but probably some people still need to use them, now that I read the post more in depth. The next best way then is probably to set up a special group, as suggested, that has access to the USB sticks (or even mounting devices in general). But if it's really important, the primary thing would be to be able to trust the users - if you know some part of your users are potentially going to steal the information, you should not allow them to access the machine anyway.

Also remember to secure the software channels, such as ssh.
 
Old 02-25-2008, 09:53 AM   #10
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 114Reputation: 114
Yes, setting up a udev rule is definitely the way to go. You probably would want to set the rule to execute an external program that you build to check the username and group. The rule checks the return code from the program, and if the return is 0 the result was true (presumably this means that the user is allowed to mount the usb stick)

The command man udev will get you started.

edit: I guess there is an option in Udev to check the group of the user, but I have never used it.

Last edited by jiml8; 02-25-2008 at 11:41 AM.
 
Old 02-25-2008, 04:55 PM   #11
aus9
Guru
 
Registered: Oct 2003
Posts: 5,056

Rep: Reputation: Disabled
No, none has root password. just regular users.

Reply

sorry not what I meant....I pull the usb stick and take it to a computer that I control.....that I set up.....where I know the root password.

I can then copy all contents fairly quickly if usb 2...to my hard drive and return stick.


If each user has a key to only their encrypted folder.......I can only steal what I can get into.
 
Old 02-26-2008, 06:46 AM   #12
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,393
Blog Entries: 1

Original Poster
Rep: Reputation: 63
Quote:
Originally Posted by aus9 View Post
No, none has root password. just regular users.

Reply

sorry not what I meant....I pull the usb stick and take it to a computer that I control.....that I set up.....where I know the root password.

I can then copy all contents fairly quickly if usb 2...to my hard drive and return stick.


If each user has a key to only their encrypted folder.......I can only steal what I can get into.
I known this sounds strange, but the information the user has access is worthless if the access is just partial.

I'm sorry I can't provide more detail, but the point is I need to prevent the transport of all data out of this environment.

Doesn't matter if the user has access to it locally. In fact, it has access and it uses that information all day long.

I've tried to mess with udev without success so far.
I' ve tried to change files like /etc/udev/rules.d/60-persistent-storage.rules but I was unable to create a conditional mount, based on group id or whatever.

I keep trying....

thanks so far,
 
Old 02-26-2008, 07:11 AM   #13
aus9
Guru
 
Registered: Oct 2003
Posts: 5,056

Rep: Reputation: Disabled
fair enough I am no longer flogging the usb stick dead horse.

Without a life story, can you explain if the usb drives are shared by network or locally to each machine.

Do in fact each user, have access to NFS or samba or any cable network etc.

The reason I ask is, you make no mention of local hard drives. If you have root password you could allocate to the usb drive...permissions for folders for each user.....ditto if hard drive...but then I am guessing each user needs some input from the other user so if local hard drive...you really need a network.

is that being too intrusive?
 
Old 02-26-2008, 07:31 AM   #14
aus9
Guru
 
Registered: Oct 2003
Posts: 5,056

Rep: Reputation: Disabled
d/load udev pdf
http://linuxvm.org/present/WAVV/udev.pdf

2 howto to create rules and change group permissions
http://www.reactivated.net/writing_udev_rules.html
 
Old 02-26-2008, 08:20 AM   #15
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
I think for SuSE you would use the policy kit to restrict removable drive access.

Last edited by jschiwal; 02-26-2008 at 08:23 AM.
 
  


Reply

Tags
deny, devices, mass, storage, usb


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
*** USB external hard drive and USB memory stick linux_2007_ Linux - General 1 07-17-2007 04:20 PM
USB memory, Compact Flash, Memory Stick energiza Linux - Hardware 2 08-22-2006 09:29 PM
Missing memory in USB stick, flash memory, removable hd etc bamboo_spider Linux - Newbie 3 06-14-2006 05:39 PM
USB Memory Stick freddie_leaf Slackware 15 11-09-2004 01:41 AM
USB Memory Stick jmdlcar Linux - Hardware 1 01-09-2004 07:03 PM


All times are GMT -5. The time now is 03:42 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration