Restricting remote users from accessing removable media
I run a system that users may log into either remotely or physically. Multiple users may be logged in simultaneously because of the remote access, but only one user can be physically logged in at a time.
With the current setup, however, if the physical user inserts a flash drive (which the OS mounts automatically) then the remote users gain access to the removable media.
Is there a way to restrict access to removable media so that only the physical user has access?
> Is there a way to restrict access to removable media so that only the physical user has access?
Once the media is mounted, the normal Linux user and group permissions apply. You could change permissions on the mount point, but that generally requires root. You could take a look at my devmon script for automatic mounting, which uses udisks. You could set that to change the permissions on the files after mount. Or another approach would be to only give limited users or groups access to the /media parent dir where the mount points show up.
Yes, disable auto mount, and just manually mount the drive within your home directory.
Thanks! That sounds like a good option. However, I would prefer not to give the users mount privileges. Right now, the mount command is restricted to root. Is there a way to give them restricted mount privileges? Perhaps a super user script I could let them run to mount the device for them?
> Or another approach would be to only give limited users or groups access to the /media parent dir where the mount points show up.
Great! I'll take a look at your script. As far as this other approach, would there be a way to make these privileges dynamic so that only the user that is locally logged in has access to /media while access is denied to the remote users?
> Thanks! That sounds like a good option. However, I would prefer not to give the users mount privileges. Right now, the mount command is restricted to root. Is there a way to give them restricted mount privileges? Perhaps a super user script I could let them run to mount the device for them?
You could always change the file permissions for the mount command.
> Great! I'll take a look at your script. As far as this other approach, would there be a way to make these privileges dynamic so that only the user that is locally logged in has access to /media while access is denied to the remote users?
If you mean that whichever user(s) are logged in locally should have mount access, and that those users will change, that would be a little trickier. Probably mounting it in your /home dir would work best for that. Only way I can think of doing that without root would be to write a little daemon script that's always running as root and handles the mounting, but that would take some familiarity with scripting (it could listen to a pipe and take a specific action as root - e.g. mount to user's home folder - when a user sends a command to the pipe).
Also, I know consolekit has to do with giving specific permissions to locally logged users, but I don't know if that would be useful in this case - probably would be a lot of work to use it, but you could see if there is a polkit permission that pertains to this situation, since you probably already have consolekit active.
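One way to make the /media permissions follow whoever is at the console, as asked above (an added example, not code from the thread or from devmon). It assumes systemd-logind's `loginctl` rather than the ConsoleKit setup mentioned in the thread, plus `setfacl`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the ACL on the mount parent so
# only users with a local seat session can enter it. Assumes systemd-logind
# (loginctl) and setfacl; run as root. Function names are hypothetical.
MEDIA_DIR="${MEDIA_DIR:-/media}"

prop() { loginctl show-session "$1" -p "$2" --value; }

# Print "user remote seat class" for every current session.
list_sessions() {
    loginctl list-sessions --no-legend | awk '{print $1}' |
    while read -r sid; do
        seat=$(prop "$sid" Seat)
        echo "$(prop "$sid" Name) $(prop "$sid" Remote) ${seat:--} $(prop "$sid" Class)"
    done
}

# Keep users who are physically present: Remote=no, a seat assigned, and a
# normal user session (this skips the display manager's greeter). SSH logins
# report Remote=yes and no seat. Odd-looking names are dropped defensively.
local_users() {
    awk '$2 == "no" && $3 != "-" && $4 == "user" && $1 ~ /^[A-Za-z0-9_.-]+$/ {print $1}' | sort -u
}

# Read user names on stdin and emit the commands that reset the directory:
# clear old ACL entries, close it to "other", then admit each local user.
acl_commands() {
    echo "setfacl -b $MEDIA_DIR"
    echo "chmod 750 $MEDIA_DIR"
    while read -r u; do
        if [ -n "$u" ]; then echo "setfacl -m u:$u:r-x $MEDIA_DIR"; fi
    done
}

# Apply only on request so that sourcing this file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    list_sessions | local_users | acl_commands | sh -e
fi
```

Run it as root with `--apply` from whatever hook fires on login and logout. Access is granted per user, so a remote session belonging to the same account as the person at the console is still admitted.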