Old 05-09-2012, 01:37 PM   #1
DrakeTungsten
LQ Newbie
 
Registered: May 2012
Posts: 2

Rep: Reputation: Disabled
How to disable USB and Network access?


How do I turn off USB (flash drive storage) and disable network access? I want to build a PC that is dedicated to just viewing a PDF document. I don't want the user to be able to copy the document to a flash drive or email it or otherwise copy it anywhere else. I do not have a Linux distro preference. The PC needs no other functionality other than displaying the document.
 
Old 05-09-2012, 01:39 PM   #2
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,380

Rep: Reputation: 364
You would have to look at setting up some module rules to disable the EHCI/UHCI modules which provide USB plug-n-play support, then set up iptables rules to drop all outgoing and incoming connections.
 
1 members found this post helpful.
Old 05-09-2012, 02:17 PM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,046

Rep: Reputation: 747
LQ Search function on "disable USB", security forum only provides 54 hits besides this thread: http://www.linuxquestions.org/questi...archid=5286173
 
1 members found this post helpful.
Old 05-09-2012, 02:23 PM   #4
lithos
Senior Member
 
Registered: Jan 2010
Location: SI : 45.9531, 15.4894
Distribution: CentOS, OpenNA/Trustix, testing desktop openSuse 12.1 /Cinnamon/KDE4.8
Posts: 1,144

Rep: Reputation: 216
Network could be disabled simply by not starting it at startup (chkconfig network off <-- in RHEL distros and SUSE), and if a user might start it anyway, then "misconfigured" eth config files with no gateway pointing out to the internet would do.
- linux net config
- linux networking

Last edited by lithos; 05-09-2012 at 02:28 PM.
 
1 members found this post helpful.
Old 05-09-2012, 03:43 PM   #5
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,380

Rep: Reputation: 364
Lithos' solution to network is a better option than iptables, not sure why I didn't think of that first.
 
1 members found this post helpful.
Old 05-09-2012, 04:03 PM   #6
273
Senior Member
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid + various in VMs.
Posts: 1,807

Rep: Reputation: 315
Could you not blacklist the network and USB drivers? In fact, can't you just compile the kernel without them?
Or just put glue in the network and USB ports?
 
1 members found this post helpful.
Old 05-09-2012, 09:22 PM   #7
chrism01
Guru
 
Registered: Aug 2004
Location: Brisbane
Distribution: Centos 6.4, Centos 5.9
Posts: 14,985

Rep: Reputation: 1677
The system may need to talk to itself (127.0.0.1), so I'd just go into the relevant dir and set 'ONBOOT=no' in the ifcfg-ethX file(s).
Only root can restart network usually, but check that.
As for USB, prob best to create a kernel with no USB support.
Glue is going a bit far unless you will never(!) need either of those fns.
 
1 members found this post helpful.
Old 05-09-2012, 10:13 PM   #8
DrakeTungsten
LQ Newbie
 
Registered: May 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
I would want USB functionality as an option for myself, at least to get the PDF file onto the hard drive, so I don't want to compile a kernel without USB support. (It's been over ten years since I compiled a kernel, but my memory of the experience is that it would be a last resort rather than one of a few "why not try this..." options.)

I was not familiar with the concept of black-listing drivers, nor was I aware that GRUB could pass parameters to the OS to disable hardware. One or both of these will likely be the way I go.

The simplicity of purposely misconfiguring the eth config files originally appealed to me. Although lithos was talking about doing so in relation to the gateway, I don't want the PC to have LAN access, so I thought about misconfiguring to give the machine an IP address that is not on my LAN, and make sure the user can't switch to DHCP, but then I realized that somebody could configure another machine on the network to be on the same subnet as my locked-down machine. So purposeful ethernet misconfiguration seems to be out.

Thanks for the replies.

Last edited by DrakeTungsten; 05-09-2012 at 10:27 PM.
 
Old 05-10-2012, 05:09 AM   #9
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,046

Rep: Reputation: 747
Quote:
Originally Posted by DrakeTungsten
I would want USB functionality as an option for myself, at least to get the PDF file onto the hard drive, so I don't want to compile a kernel without USB support.

The first thing I would suggest trying is to look at the groups and see if you have something like plugdev. There is a little bit of variation between distributions, and whether or not they still use HAL (Hardware Abstraction Layer), and what not, but there is likely a group that you can unassign from users other than yourself that will prohibit them from mounting USB devices.
 
Old 05-10-2012, 05:28 AM   #10
273
Senior Member
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid + various in VMs.
Posts: 1,807

Rep: Reputation: 315
Quote:
Originally Posted by chrism01
Glue is going a bit far unless you will never(!) need either of those fns.
Yes, sorry, I was being silly.
 
Old 05-10-2012, 11:08 AM   #11
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,380

Rep: Reputation: 364
Glue is awesome... I would also like to see the usb/nic plugs hooked up to a car battery so if they do try to plug something in ZAP!
 
Old 05-10-2012, 12:56 PM   #12
cascade9
Senior Member
 
Registered: Mar 2011
Location: Brisneyland
Distribution: Debian, aptosid
Posts: 2,916

Rep: Reputation: 643
Easiest way is to turn off USB and the network chip in the BIOS (provided that you have network and USB support from the motherboard; if not, just remove the USB and network controller cards).
 
Old 05-10-2012, 01:27 PM   #13
Kustom42
Senior Member
 
Registered: Mar 2012
Distribution: Red Hat
Posts: 1,380

Rep: Reputation: 364
Quote:
Originally Posted by cascade9
Easiest way is to turn off USB and the network chip in the BIOS (provided that you have network and USB support from the motherboard; if not, just remove the USB and network controller cards).
Just don't forget the car battery...
 
Old 05-10-2012, 08:36 PM   #14
chrism01
Guru
 
Registered: Aug 2004
Location: Brisbane
Distribution: Centos 6.4, Centos 5.9
Posts: 14,985

Rep: Reputation: 1677
It's irrelevant if someone adds another machine to the network; either this box has networking (over & above 127.0.0.1) or it doesn't.
If it doesn't (as you seem to want), then what's the problem?
I guess if you are paranoid & you have a DHCP server on the LAN, simply reserve the wanted/unwanted IP addr to the MAC address, then no-one else can steal it.
You can even reserve it as a static ip, which the DHCP server can also do.
Example 20.2 http://www.linuxtopia.org/online_boo...ng-server.html

Setting the ifcfg-eth0 file to have an entry 'ONBOOT=no' isn't 'mis-configuring' it, it's simply telling the OS not to start it at boot time.
As long as you ensure that eg 'service network restart' and related cmds are only avail to root, you are gold.

I think you are over-thinking this...

As for USB, you can probably just comment it out in /etc/modprobe.conf (or /etc/modprobe.d/*.conf).

BTW, which distro & version are you using; we can give much better advice tuned to a specific OS/ver.
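
An added example (not part of the thread and not any poster's code): a shell audit of the two settings discussed in the replies above, 'ONBOOT=no' in the ifcfg files and a modprobe rule for USB storage. It assumes the RHEL/CentOS config paths and the usb-storage module name, which the thread does not spell out; the function names and the fixture are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a config tree for the two lockdowns discussed in the thread.
# Paths follow the RHEL/CentOS layout (assumption); pass a root dir to audit an image.

# Succeeds only if modprobe config replaces loading of usb-storage with a no-op.
# "blacklist" alone is not accepted: it only stops alias-based auto-loading, so
# an explicit "modprobe usb-storage" would still load the driver.
usb_storage_blocked() {
    cat "$1"/etc/modprobe.conf "$1"/etc/modprobe.d/*.conf 2>/dev/null |
        grep -Eq '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(false|true)([[:space:]]|$)'
}

# Succeeds only if every non-loopback ifcfg file sets ONBOOT=no and nothing else.
# A missing or conflicting ONBOOT line counts as a failure (conservative).
nics_off_at_boot() {
    for f in "$1"/etc/sysconfig/network-scripts/ifcfg-*; do
        [ -e "$f" ] || continue
        case ${f##*/} in ifcfg-lo) continue ;; esac   # keep 127.0.0.1 working
        vals=$(grep -Ei '^[[:space:]]*ONBOOT=' "$f" | tr -d "\"' \t" |
               tr 'A-Z' 'a-z' | sort -u)
        [ "$vals" = "onboot=no" ] || return 1
    done
    return 0
}

# Print one line per check; return the number of failed checks.
kiosk_audit() {
    fails=0
    if usb_storage_blocked "$1"; then echo "PASS usb-storage cannot be loaded via modprobe"
    else echo "FAIL usb-storage is loadable"; fails=$((fails + 1)); fi
    if nics_off_at_boot "$1"; then echo "PASS no NIC is started at boot"
    else echo "FAIL a NIC lacks ONBOOT=no"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed fixture (not from a real machine): blacklist only, eth0 off, lo on.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/modprobe.d" "$d/etc/sysconfig/network-scripts"
    echo 'blacklist usb-storage' > "$d/etc/modprobe.d/kiosk.conf"
    printf 'DEVICE=eth0\nONBOOT="no"\n' > "$d/etc/sysconfig/network-scripts/ifcfg-eth0"
    printf 'DEVICE=lo\nONBOOT=yes\n' > "$d/etc/sysconfig/network-scripts/ifcfg-lo"
    echo "$d"
}

root=$(make_fixture)
kiosk_audit "$root" || echo "blacklist alone is not enough; add: install usb-storage /bin/false"
```

The audit covers configuration only: an account with root can still load the module file directly with insmod or bring an interface up by hand, so the kiosk user must not have root.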
 
Old 05-13-2012, 12:46 AM   #15
jschiwal
Moderator
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 652
You can disable mounting of removable drives from the desktop using polkit rules. This assumes that the users don't have root access.
Mounting external drives manually would require root unless you configure particular devices in /etc/fstab with the "user" option.

Removing an internal cable to a usb port, or gluing shut the port, would also disable USB mice and keyboards.

Last edited by jschiwal; 05-13-2012 at 01:53 AM.
 
  

