LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-18-2006, 06:58 AM   #1
pavangogineni
LQ Newbie
 
Registered: Aug 2006
Posts: 17

Rep: Reputation: 0
Question Disable mounting removable media


Hi,

I would like to disable mounting the removable media like CD-Rom, USB, Floppy etc.. on the server.

How can I achieve it. Also how to enable it whenever I required?

I am using RHEL 4 AS version.
 
Old 10-18-2006, 07:04 AM   #2
carl0ski
Member
 
Registered: Sep 2004
Location: Melbourne, Victoria Australia
Distribution: Support those that support you :)
Posts: 872
Blog Entries: 12

Rep: Reputation: 30
Quote:
Originally Posted by pavangogineni
Hi,

I would like to disable mounting the removable media like CD-Rom, USB, Floppy etc.. on the server.

How can I achieve it. Also how to enable it whenever I required?

I am using RHEL 4 AS version.
do you Disable auto mount or prevent mounting period?

If you disable or uninstall HAL (engine that scans for new disks)
USB cd/dvd wont be mounted unless you use the full mount -t command.
 
Old 10-18-2006, 08:16 AM   #3
matthewg42
Senior Member
 
Registered: Oct 2003
Location: UK
Distribution: Kubuntu 12.10 (using awesome wm though)
Posts: 3,530

Rep: Reputation: 63
It's a bit of a hack, and it'll probably end up making lots of warning/error messages in the system logs, and it is only for USB devices, but IF your setup has the usb_storage kernel module compiled as a module (and not simply built into the kernel itself), you can blacklist the usb_module kernel module. I tried it, and it works on Ubuntu.

In Ubuntu this can be done by creating a file in /etc/modprobe.d (with any name), containing:

Code:
blacklist usb_storage
Not sure how to do the same thing in RHEL. Anyone know?

Last edited by matthewg42; 10-18-2006 at 08:18 AM.
 
Old 10-19-2006, 01:42 AM   #4
pavangogineni
LQ Newbie
 
Registered: Aug 2006
Posts: 17

Original Poster
Rep: Reputation: 0
Here I would like to disable automount and also using command (mount -t .......).
That is whenever anyone tries to mount any USB/CD/any removable media to copy some data it shouldn't allow them to do so.
Only I (superuser) want to enable mounting it whenever I required.

Is there anything possible to lock the mount process to work only for UID 0 or something like that???
If so is there any problem when the system boots??
I tried to rename the mount command and it worked fine. But when the system boots it fails to locate the "mount" command to mount the disks and it hangs. Where are the modifications I need to do this.

Last edited by pavangogineni; 10-19-2006 at 01:46 AM.
 
Old 10-19-2006, 02:08 AM   #5
carl0ski
Member
 
Registered: Sep 2004
Location: Melbourne, Victoria Australia
Distribution: Support those that support you :)
Posts: 872
Blog Entries: 12

Rep: Reputation: 30
Quote:
Originally Posted by pavangogineni
Here I would like to disable automount and also using command (mount -t .......).
That is whenever anyone tries to mount any USB/CD/any removable media to copy some data it shouldn't allow them to do so.
Only I (superuser) want to enable mounting it whenever I required.

Is there anything possible to lock the mount process to work only for UID 0 or something like that???
If so is there any problem when the system boots??
I tried to rename the mount command and it worked fine. But when the system boots it fails to locate the "mount" command to mount the disks and it hangs. Where are the modifications I need to do this.
Hey i just had an idea so great its Petarded

Code:
alias mount='echo "access to removable devices has been disabled"
Add this line to a startup script (after all devices have been mounted)
on Mandriva i have no idea else where
/etc/rc.local (the last list of command before prompt is shown)


this way noone can use mount
effects are not permanent and your drives will still mount at bootup.

Gatekeeper:~ # mount
access to removable devices has been disabled
Gatekeeper:~ #

Last edited by carl0ski; 10-19-2006 at 02:10 AM.
 
Old 10-19-2006, 03:04 AM   #6
pavangogineni
LQ Newbie
 
Registered: Aug 2006
Posts: 17

Original Poster
Rep: Reputation: 0
But what about automount???
 
Old 10-19-2006, 04:25 AM   #7
Lotharster
Member
 
Registered: Nov 2005
Posts: 144

Rep: Reputation: 15
Quote:
Originally Posted by carl0ski
Hey i just had an idea so great its Petarded

Code:
alias mount='echo "access to removable devices has been disabled"
This is very easy to circumvent: just call mount with its full path (/bin/mount).

The safe way to do this would be to edit /etc/fstab and add "nouser" to the usb storage line:
Code:
/dev/sda1       /media/usb      auto    nouser,noauto        0      0
This should effectively prevent anyone from mounting usb devices. The normal mount command with mount point and options can only be executed by root (at least on my system, ubuntu).

Regards,
Lothar
 
Old 10-19-2006, 11:24 AM   #8
evilDagmar
Member
 
Registered: Mar 2005
Location: Right behind you.
Distribution: NBG, then randomed.
Posts: 480

Rep: Reputation: 31
Quote:
Originally Posted by carl0ski
Hey i just had an idea so great its Petarded

Code:
alias mount='echo "access to removable devices has been disabled"
Add this line to a startup script (after all devices have been mounted)
on Mandriva i have no idea else where
/etc/rc.local (the last list of command before prompt is shown)


this way noone can use mount
effects are not permanent and your drives will still mount at bootup.

Gatekeeper:~ # mount
access to removable devices has been disabled
Gatekeeper:~ #
You used the words, not me, but this is a somewhat retarded solution which can be easily bypassed by someone invoking mount with it's full path, or by simply deleting the alias from the shell.
 
Old 10-19-2006, 11:26 AM   #9
evilDagmar
Member
 
Registered: Mar 2005
Location: Right behind you.
Distribution: NBG, then randomed.
Posts: 480

Rep: Reputation: 31
Quote:
Originally Posted by pavangogineni
Here I would like to disable automount and also using command (mount -t .......).
That is whenever anyone tries to mount any USB/CD/any removable media to copy some data it shouldn't allow them to do so.
Only I (superuser) want to enable mounting it whenever I required.

Is there anything possible to lock the mount process to work only for UID 0 or something like that???
If so is there any problem when the system boots??
I tried to rename the mount command and it worked fine. But when the system boots it fails to locate the "mount" command to mount the disks and it hangs. Where are the modifications I need to do this.
If you kill off (or simply don't run) the automounter that takes care of auto-mounting, and if you'r e not using HAL/dbus there's nothing else that's likely to be able to automatically mount things.

Users can not, by default, mount anything. As long as you don't have anything in /etc/fstab saying they can mount media, only root will be able to do this.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Removable Media Problem PipeDreams Linux - General 9 08-09-2007 06:46 AM
Problem with auto-mounting of removable media ggeeoo Linux - Hardware 2 01-27-2006 06:16 PM
mounting removable media matthewa Linux - Hardware 2 11-12-2005 10:44 PM
How to mount a removable media using C skie_knite007 Programming 1 10-02-2005 01:49 AM
Mounting removable media george_mercury Linux - General 1 07-28-2004 12:14 PM


All times are GMT -5. The time now is 11:27 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration