LinuxQuestions.org
Old 02-23-2008, 01:34 PM   #1
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,499
Blog Entries: 2

Rep: Reputation: 68
How to disable a USB memory stick per user basis ?


Hi !

This question is quite the opposite of what we are used to seeing around here.

I need to deny access to usb memory sticks for some users and not for others.
I can't disable the entire USB sub-system, because the mouse and keyboards are usb connected.

The purpose is to limit information stealing. Those machines don't have internet access, floppy drive, printers, cd-r/dvd-r drives or wireless devices.

I need to deny access to usb mass storage devices like usb memory sticks and usb hard drives, based on his/her login name.

Any ideas ?

The distro can be Fedora 8 or openSuSE, in fact, any rpm based distro is fine.
 
Old 02-23-2008, 05:19 PM   #2
aus9
LQ 5k Club
 
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,842

Rep: Reputation: Disabled
1) can person A, remove the usb memory and take it to another machine where they have root powers?....if so, any permissions you placed on the folder are lost

2) but passphrase or other key encryption may be the way to go....encrypt the folder and its contents.....will still be encrypted on the other machine that person a tries root powers on.
 
Old 02-23-2008, 06:30 PM   #3
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,467

Rep: Reputation: Disabled
I think it may be possible to create a new group, say 'usbplug'. Change the udev rules to mount usb sticks with that as a group. Then put in the people that you like into that group. I'm no udev expert so I can't be more specific, but it should be possible.
 
Old 02-23-2008, 07:29 PM   #4
aus9
LQ 5k Club
 
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,842

Rep: Reputation: Disabled
dive

did u know your worm link is a duplicate of david?
 
Old 02-25-2008, 08:26 AM   #5
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,499

Original Poster
Blog Entries: 2

Rep: Reputation: 68
Quote:
Originally Posted by aus9
1) can person A, remove the usb memory and take it to another machine where they have root powers?....if so, any permissions you placed on the folder are lost
No, no one has the root password. Just regular users.

Quote:
Originally Posted by aus9
2) but passphrase or other key encryption may be the way to go....encrypt the folder and its contents.....will still be encrypted on the other machine that person a tries root powers on.
They must have access to the files to do their work.
The information is volatile, so it is not good for more than 3 days.
The problem is stealing a big list of secret data at once.
The main concern is to copy that big file and use it within the next few days.
The partial knowledge of information is not a concern. If the person tries to write down the info on a piece of paper it becomes evident, due to the time to do that.
 
Old 02-25-2008, 08:31 AM   #6
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,499

Original Poster
Blog Entries: 2

Rep: Reputation: 68
Quote:
Originally Posted by dive
I think it may be possible to create a new group, say 'usbplug'. Change the udev rules to mount usb sticks with that as a group. Then put in the people that you like into that group. I'm no udev expert so I can't be more specific, but it should be possible.
Yes, this should work. The problem is I don't have experience with udev, so I think I need to break some systems before I manage to change the udev rules to allow only a group to mount usb storage devices.

If anyone following this thread has any information regarding changing the way udev rules work, that would be nice.

thanks in advance,
 
Old 02-25-2008, 08:48 AM   #7
Emerson
LQ Sage
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~amd64
Posts: 7,661

Rep: Reputation: Disabled
Run ls -l on your USB device, it already may have a group like plugdev.
 
Old 02-25-2008, 09:07 AM   #8
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,499

Original Poster
Blog Entries: 2

Rep: Reputation: 68
Quote:
Originally Posted by Emerson
Run ls -l on your USB device, it already may have a group like plugdev.
No, device is root:disk and mount point is user:root....
 
Old 02-25-2008, 09:39 AM   #9
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
Quote:
Originally Posted by marozsas
The partial knowledge of information is not a concern. If the person tries to write down the info on a piece of paper it becomes evident, due to the time to do that.
What if this person had a cellphone camera, or something even smaller, and clicked it through the sensitive information? Nowadays you can get a cheap, but relatively good-quality camera (as in "the information can be read from the resulting images even if it's not perfect quality") fit into very small size, carry it along without noticing and shoot pictures without anybody knowing. In some cases the manufacturer apparently "hard-codes" the clicking sound into the device so that you can't take a picture without making a noise that reveals you, but that's not the case everywhere - many big companies sell phones and other things that contain a silent camera.

Well, back to the original question. I would have suggested removing USB ports completely, but probably some people still need to use them, now that I read the post more in depth. The next best way then is probably to set up a special group, as suggested, that has access to the USB sticks (or even mounting devices in general). But if it's really important, the primary thing would be to be able to trust the users - if you know some part of your users are potentially going to steal the information, you should not allow them to access the machine anyway.

Also remember to secure the software channels, such as ssh.
 
Old 02-25-2008, 09:53 AM   #10
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116
Yes, setting up a udev rule is definitely the way to go. You probably would want to set the rule to execute an external program that you build to check the username and group. The rule checks the return code from the program, and if the return is 0 the result was true (presumably this means that the user is allowed to mount the usb stick)

The command man udev will get you started.

edit: I guess there is an option in Udev to check the group of the user, but I have never used it.

Last edited by jiml8; 02-25-2008 at 11:41 AM.
 
Old 02-25-2008, 04:55 PM   #11
aus9
LQ 5k Club
 
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,842

Rep: Reputation: Disabled
No, no one has the root password. Just regular users.

Reply

sorry not what I meant....I pull the usb stick and take it to a computer that I control.....that I set up.....where I know the root password.

I can then copy all contents fairly quickly if usb 2...to my hard drive and return stick.


If each user has a key to only their encrypted folder.......I can only steal what I can get into.
 
Old 02-26-2008, 06:46 AM   #12
marozsas
Senior Member
 
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,499

Original Poster
Blog Entries: 2

Rep: Reputation: 68
Quote:
Originally Posted by aus9
No, no one has the root password. Just regular users.

Reply

sorry not what I meant....I pull the usb stick and take it to a computer that I control.....that I set up.....where I know the root password.

I can then copy all contents fairly quickly if usb 2...to my hard drive and return stick.


If each user has a key to only their encrypted folder.......I can only steal what I can get into.
I know this sounds strange, but the information the user has access to is worthless if the access is just partial.

I'm sorry I can't provide more detail, but the point is I need to prevent the transport of all data out of this environment.

Doesn't matter if the user has access to it locally. In fact, it has access and it uses that information all day long.

I've tried to mess with udev without success so far.
I've tried to change files like /etc/udev/rules.d/60-persistent-storage.rules but I was unable to create a conditional mount, based on group id or whatever.

I keep trying....

thanks so far,
 
Old 02-26-2008, 07:11 AM   #13
aus9
LQ 5k Club
 
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,842

Rep: Reputation: Disabled
fair enough I am no longer flogging the usb stick dead horse.

Without a life story, can you explain if the usb drives are shared by network or locally to each machine.

Do in fact each user, have access to NFS or samba or any cable network etc.

The reason I ask is, you make no mention of local hard drives. If you have root password you could allocate to the usb drive...permissions for folders for each user.....ditto if hard drive...but then I am guessing each user needs some input from the other user so if local hard drive...you really need a network.

is that being too intrusive?
 
Old 02-26-2008, 07:31 AM   #14
aus9
LQ 5k Club
 
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,842

Rep: Reputation: Disabled
d/load udev pdf
http://linuxvm.org/present/WAVV/udev.pdf

2 howto to create rules and change group permissions
http://www.reactivated.net/writing_udev_rules.html
 
Old 02-26-2008, 08:20 AM   #15
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I think for SuSE you would use the policy kit to restrict removable drive access.

Last edited by jschiwal; 02-26-2008 at 08:23 AM.
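
The group-based udev approach suggested in this thread, as an added example that is not part of any poster's reply: a rule that assigns USB block device nodes to one group, plus an audit function that checks the result the way `ls -l` on the device would. The group name `usbplug` comes from post #3; the rules file name and function names are assumptions, and the USB test assumes `/sys/block/<name>` resolves to a path containing a `usbN` component.

```sh
# Added example; "usbplug" and the rules file name are assumptions.

# Print a udev rule that hands USB block device nodes to one group.
# SUBSYSTEMS== matches parent devices, so disks and partitions behind USB match.
usb_rule() {
    printf 'SUBSYSTEM=="block", SUBSYSTEMS=="usb", GROUP="%s", MODE="0660"\n' "$1"
}

# True when the sysfs entry for block device $2 resolves through a USB bus.
# $1 = sysfs root (normally /sys).
is_usb_disk() {
    case "$(readlink -f "$1/block/$2")" in
        */usb[0-9]*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit every USB disk node: group must be $3 and "other" must have no access.
# $1 = sysfs root, $2 = device directory (normally /dev).
# Prints one line per USB disk; returns non-zero if any node is too open.
audit_usb_nodes() {
    bad=0
    for entry in "$1"/block/*; do
        name=${entry##*/}
        is_usb_disk "$1" "$name" || continue
        node="$2/$name"
        [ -e "$node" ] || continue
        grp=$(stat -c %G "$node")
        mode=$(stat -c %a "$node")
        case "$mode" in
            *0) other_ok=1 ;;   # last octal digit 0: no access for "other"
            *)  other_ok=0 ;;
        esac
        if [ "$grp" = "$3" ] && [ "$other_ok" -eq 1 ]; then
            echo "OK   $name $grp $mode"
        else
            echo "WEAK $name $grp $mode"
            bad=1
        fi
    done
    return "$bad"
}

# Typical use as root; the file must sort after the distribution's default rules:
# usb_rule usbplug > /etc/udev/rules.d/99-usb-storage-group.rules
# audit_usb_nodes /sys /dev usbplug
```

Node ownership only limits direct access to the device; a privileged mount helper, such as the policy kit route mentioned in post #15, is configured separately.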
 
  


Tags
deny, devices, mass, storage, usb


