LinuxQuestions.org - Linux - Security
Controlling USB media access on Red Hat or Centos Linux 6.3 (https://www.linuxquestions.org/questions/linux-security-4/controlling-usb-media-access-on-red-hat-or-centos-linux-6-3-a-4175436385/)

foogle 11-09-2012 04:48 AM

Controlling USB media access on Red Hat or Centos Linux 6.3
 
I'm trying to control which users can use USB media (mass storage devices such as USB memory sticks and hard-drives) on Red Hat/ Centos 6.3 Linux. I would like something that is network wide, so a group permission based scheme would be preferred, e.g. where a user is put in a group and that gives them read-only or read-write access, etc.

I have been told that mediad can be used to manage this but I can't figure out how. I've also come across cgroup/ cgconfig but cannot figure that out either.

How should I go about achieving this?

malekmustaq 11-09-2012 08:02 AM

Quote:

I would like something that is network wide, so a group permission based scheme would be preferred, e.g. where a user is put in a group and that gives them read-only or read-write access, etc.
There are three basic permission bits, u-g-o: set the "read-only" group to the lowest level, o=4, doing this at the mount point:

chmod 764, making 'o' ("others") the universal "read-only" group.

Then create one group, e.g. 'writergroup', which thereby has r-w permissions to the volume.

~# groupadd -g 1200 writergroup

~# chown -R root:writergroup 'mountpoint'
~# chmod 764 'mountpoint'

That should make "you" the owner, with read, write and execute permissions;
the 'writergroup' members have read-write permissions to the volume; and
the 'others' (regular users) have only read permission and cannot write.

You can now ignore all users who only have read access to the volume, and choose the few to whom you may grant write access:

~# gpasswd -M john,mary,magdalene,rashid,omar,abdul,mao_tzetung,brianAdam writergroup

Done.

Quote:

I have been told that mediad can be used to manage this but I can't figure out how. I've also come across cgroup/ cgconfig but cannot figure that out either.
Excuse me. "cgroup" is not a toy in userland. It is a system recently introduced by Linux kernel coders to improve resource management and process accounting by the kernel. It is the plaything of the masters, not for us.

Quote:

How should I go about achieving this?
"The magic is in the magician; not in the wand," as I frequently enjoy reading in someone's signature here. So, do it now and do it yourself. Manipulate the 3 permission bits.

Another trick: set the previous case to chmod 740, create a 'reader' group, and chown the mount point as root:reader; by this only that group has access to it, and only read access. Remount the same volume to another point and set it to be accessible exclusively by another group, this time with different rights: chmod it to 760. That way you have excluded 'others' (regular users) from even reading the volume. Do not use the " -R " switch, as it will descend into the descendant folders and files; you will have made the volume promiscuous, a security concern.

Hope that helps.

Good luck.
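The scheme in the answer above as one script, added here as an example and not part of the original post. It decodes what a given mode hands to owner, group and other (so the 764/740/760 figures can be checked rather than read off), applies the scheme to a mount point without -R, and verifies the result by asking the kernel as a real user. The mount points (/srv/usb-ro, /srv/usb-rw) and the group names 'reader' and 'writergroup' are assumptions for illustration; apply_scheme and check_user need root.

```shell
#!/bin/sh
# Added example: the group-based permission scheme from the post as a script.
# Assumed names: /srv/usb-ro, /srv/usb-rw, groups 'reader' and 'writergroup'.

# Map one octal digit to its rwx triplet.
digit_to_rwx() {
    case "$1" in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) echo "bad octal digit: '$1'" >&2; return 1 ;;
    esac
}

# access_for MODE WHO -> the rwx triplet WHO (owner|group|other) gets.
# Accepts 3- or 4-digit modes; a leading setuid/setgid/sticky digit is ignored.
access_for() {
    mode=$1
    who=$2
    last3=${mode#"${mode%???}"}          # keep only the last three digits
    case "$who" in
        owner) digit_to_rwx "${last3%??}" ;;
        group) g=${last3#?}; digit_to_rwx "${g%?}" ;;
        other) digit_to_rwx "${last3#??}" ;;
        *) echo "who must be owner|group|other" >&2; return 1 ;;
    esac
}

# apply_scheme MOUNTPOINT GROUP MODE
# root owns the directory, GROUP gets the group bits, everyone else the
# 'other' bits. Deliberately no -R: only the mount point itself is changed,
# which is the caveat made at the end of the post. Run as root.
apply_scheme() {
    mp=$1; grp=$2; mode=$3
    [ -d "$mp" ] || { echo "not a directory: $mp" >&2; return 1; }
    getent group "$grp" >/dev/null 2>&1 || groupadd "$grp"
    chown "root:$grp" "$mp"
    chmod "$mode" "$mp"
    printf '%s is now root:%s %s (group=%s other=%s)\n' "$mp" "$grp" "$mode" \
        "$(access_for "$mode" group)" "$(access_for "$mode" other)"
}

# check_user USER PATH: ask the kernel what USER can really do on PATH,
# instead of trusting the arithmetic. Uses sudo -u, so run it as root and
# pass a non-root USER (test -w is always true for root).
check_user() {
    user=$1; path=$2
    r=$(sudo -u "$user" sh -c "test -r '$path'" && echo r || echo -)
    w=$(sudo -u "$user" sh -c "test -w '$path'" && echo w || echo -)
    x=$(sudo -u "$user" sh -c "test -x '$path'" && echo x || echo -)
    echo "$user: $r$w$x on $path"
}

# Decode the three modes discussed in the post.
for m in 764 740 760; do
    printf 'chmod %s: owner=%s group=%s other=%s\n' "$m" \
        "$(access_for "$m" owner)" "$(access_for "$m" group)" "$(access_for "$m" other)"
done

# Typical use as root, the two-mount-point variant from the post:
#   apply_scheme /srv/usb-ro reader 740
#   apply_scheme /srv/usb-rw writergroup 760
#   gpasswd -M john,mary writergroup
#   check_user john /srv/usb-rw
```

Two things the check_user output will show. First, on a directory the x bit is what allows entering it and opening the files inside: r without x only lists names, w without x cannot create anything, so 740 and 760 give the group no usable access and the working equivalents are 750 (read-only) and 770 (read-write). Second, chmod on the mount point directory only matters while nothing is mounted there; once a volume is mounted, the permissions seen are those of the mounted filesystem's root, and for the vfat media typical of USB sticks those come from the mount options (uid=, gid=, umask=/dmask=/fmask=), not from chmod.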

foogle 11-09-2012 09:58 AM

Thanks.

With the USB devices in question, I don't know where the mountpoint will be, as it is created on the fly based on the volume label of the media inserted, e.g. /media/MyUsbStick. I was considering applying your strategy in a udev rule but that kicks in before the mountpoint is known and the device then automounts with 700 permissions, owned by the logged in user.

I think this relates to automount but the auto.master man page doesn't help me figure out how to control the permissions of the mountpoint used.

