I run a system that users may log into either remotely or physically. Multiple users may be logged in simultaneously because of the remote access, but only one user can be physically logged in at a time.

With the current setup, however, if the physical user inserts a flash drive (which the OS mounts automatically) then the remote users gain access to the removable media.

Is there a way to restrict access to removable media so that only the physical user has access?

Yes, disable auto mount, and just manually mount the drive within your home directory.

Once the media is mounted, the normal linux user and group permissions apply. You could change permissions on the mount point, but that generally requires root. You could take a look at my devmon script for automatic mounting, which uses udisks. You could set that to change the permissions on the files after mount. Or another approach would be to only give limited users or groups access to the /media parent dir where the mount points show up.

Thanks! That sounds like a good option. However, I would prefer not to give the users mount privileges. Right now, the mount command is restricted to root. Is there a way to give them restricted mount privileges? Perhaps a super user script I could let them run to mount the device for them?

Great! I'll take a look at your script. As far as this other approach, would there be a way to make these privileges dynamic so that only the user that is locally logged in has access to /media while access is denied to the remote users?

You could always change the file permissions for the mount command

If you mean that whichever user(s) are logged in locally should have mount access, and that those users will change, that would be a little trickier. Probably mounting it in your /home dir would work best for that. Only way I can think of doing that without root would be to write a little daemon script that's always running as root and handles the mounting, but that would take some familiarity with scripting (it could listen to a pipe and take a specific action as root - eg mount to user's home folder - when a user sends a command to the pipe).

Also, I know consolekit has to do with giving specific permissions to locally logged users, but I don't know if that would be useful in this case - probably would be a lot of work to use it, but you could see if there is a polkit permission that pertains to this situation, since you probably already have consolekit active.