Controlling USB media access on Red Hat or CentOS Linux 6.3
I'm trying to control which users can use USB media (mass storage devices such as USB memory sticks and hard drives) on Red Hat/CentOS 6.3 Linux. I would like something that is network-wide, so a group-permission-based scheme would be preferred, e.g. where a user is put in a group and that gives them read-only or read-write access, etc.
I have been told that mediad can be used to manage this but I can't figure out how. I've also come across cgroup/cgconfig but cannot figure that out either. How should I go about achieving this?
chmod 764 makes 'o' ("others") the universal "read-only" group. Then create one group, e.g. 'writergroup', which thereby has read-write permissions to the volume.

~# groupadd -g 1200 writergroup
~# chown -R root:writergroup 'mountpoint'
~# chmod 764 'mountpoint'

That should make "you" the owner, with read, write and execute permissions; the 'writergroup' members have read-write permissions to the volume; and the 'others' (regular users) have only the read permission and cannot write. You can now ignore all users who only have read access to the volume, and choose the few to whom you may grant write access:

~# gpasswd -M john,mary,magdalene,rashid,omar,abdul,mao_tzetung,brianAdam writergroup

Done.
Another trick: set the previous case to chmod 740, create a 'reader' group, and chown the mountpoint as root:reader; by this only that group has access to it, and read access only. Remount the same volume to another point and set it to be accessible exclusively by another group, this time with different rights: chmod it to 760. That way you have excluded 'others' (regular users) from even reading the volume. Do not use the " -R " switch, as it will descend into the descendant folders and files. You have made the volume promiscuous, a security concern. Hope that helps. Good luck.
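Before relying on any of the mode values suggested in the two replies above, it is worth checking what each class of user can actually do with the mount point, because the kernel picks exactly one permission class (owner, group or other) and, on a directory, the execute bit is search permission: without it a path like mountpoint/file cannot be resolved, so files inside cannot be opened, created or removed even when read and write are set. The following is an added example, not code from either reply: it implements the POSIX class selection and the directory semantics, reports what root, a 'writergroup' member and an ordinary user get for a given mode, and can audit a real directory with os.stat. The uids, the gid 1200 for 'writergroup' and the principals are constructed placeholders.

```python
"""Effective directory access under the group-based mount-point scheme.

Constructed example: the uids, gids and directories below are placeholders,
not values taken from any real system.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A user as the kernel sees it: uid, primary gid and supplementary gids."""
    uid: int
    gid: int
    groups: frozenset = frozenset()


def permission_class(owner_uid, owner_gid, who):
    """POSIX selects exactly one class; a group member never falls through to 'other'."""
    if who.uid == 0:
        return "root"  # CAP_DAC_OVERRIDE: read, write and search checks are bypassed
    if who.uid == owner_uid:
        return "owner"
    if who.gid == owner_gid or owner_gid in who.groups:
        return "group"
    return "other"


def effective_bits(mode, owner_uid, owner_gid, who):
    """Return (read, write, execute) as granted to `who` by mode, owner and group."""
    cls = permission_class(owner_uid, owner_gid, who)
    if cls == "root":
        return (True, True, True)
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    bits = (mode >> shift) & 0o7
    return (bool(bits & 4), bool(bits & 2), bool(bits & 1))


def directory_capabilities(mode, owner_uid, owner_gid, who):
    """Translate the bits into what matters on a mount point.

    On a directory, 'execute' is search permission. Listing entry names needs
    read; opening a file inside needs search; creating or removing an entry
    needs write *and* search.
    """
    r, w, x = effective_bits(mode, owner_uid, owner_gid, who)
    return {"list_names": r, "open_files": x, "create_or_remove": w and x}


def capabilities_on_path(path, who):
    """Same check against a real directory, reading mode and ownership with os.stat."""
    st = os.stat(path)
    return directory_capabilities(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, who)


# Constructed principals: root owns the mount point, gid 1200 stands in for 'writergroup'.
WRITERGROUP_GID = 1200
ROOT = Principal(uid=0, gid=0)
WRITER = Principal(uid=1001, gid=100, groups=frozenset({WRITERGROUP_GID}))
OTHER = Principal(uid=1002, gid=100)


def scheme_report(mode, owner_uid=0, owner_gid=WRITERGROUP_GID):
    """Capabilities of each constructed principal for a given mount-point mode."""
    return {
        name: directory_capabilities(mode, owner_uid, owner_gid, who)
        for name, who in (("root", ROOT), ("writer", WRITER), ("other", OTHER))
    }


def audit_temporary_mountpoint(mode):
    """Create a scratch directory standing in for a mount point, apply `mode`, audit it."""
    with tempfile.TemporaryDirectory() as scratch:
        os.chmod(scratch, mode)
        me = Principal(uid=os.getuid(), gid=os.getgid())
        return capabilities_on_path(scratch, me)


if __name__ == "__main__":
    for mode in (0o764, 0o775, 0o750):
        print(oct(mode), scheme_report(mode))
    print("scratch dir as current user:", audit_temporary_mountpoint(0o764))
```

Running scheme_report(0o764) shows the 'writergroup' member able to list names but neither open nor create files, and the same for everyone else; 0o775 is what gives the group read-write use of the volume while leaving others read-only, and 0o750 is the read-only-group variant with others excluded entirely. Note that this models the classic mode bits only; POSIX ACLs, SELinux and mount options such as noexec or ro are checked separately by the kernel and are not reflected here.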
Thanks.
With the USB devices in question, I don't know where the mountpoint will be, as it is created on the fly based on the volume label of the media inserted, e.g. /media/MyUsbStick. I was considering applying your strategy in a udev rule, but that kicks in before the mountpoint is known, and the device then automounts with 700 permissions, owned by the logged-in user. I think this relates to automount, but the auto.master man page doesn't help me figure out how to control the permissions of the mountpoint used.