How to disable a USB memory stick on a per-user basis?
Hi!
This question is quite the opposite of what we usually see around here.
I need to deny access to USB memory sticks for some users and not for others.
I can't disable the entire USB subsystem, because the mice and keyboards are USB-connected.
The purpose is to limit information theft. Those machines don't have internet access, floppy drives, printers, CD-R/DVD-R drives or wireless devices.
I need to deny access to USB mass storage devices like USB memory sticks and USB hard drives, based on the user's login name.
Any ideas?
The distro can be Fedora 8 or openSUSE; in fact, any RPM-based distro is fine.
1) Can person A remove the USB memory stick and take it to another machine where they have root powers? If so, any permissions you placed on the folder are lost.
2) But passphrase or other key encryption may be the way to go: encrypt the folder and its contents. It will still be encrypted on the other machine that person A tries root powers on.
I think it may be possible to create a new group, say 'usbplug'. Change the udev rules to mount USB sticks with that as the group. Then put the people you like into that group. I'm no udev expert, so I can't be more specific, but it should be possible.
Quote:
Originally Posted by aus9
1) Can person A remove the USB memory stick and take it to another machine where they have root powers? If so, any permissions you placed on the folder are lost.
No, nobody has the root password, just regular users.
Quote:
Originally Posted by aus9
2) But passphrase or other key encryption may be the way to go: encrypt the folder and its contents. It will still be encrypted on the other machine that person A tries root powers on.
They must have access to the files to do their work.
The information is volatile, so it is not good for more than 3 days.
The problem is someone stealing a big list of secret data at once.
The main concern is that someone copies that big file and uses it within the next few days.
Partial knowledge of the information is not a concern. If a person tries to write the info down on a piece of paper, it becomes evident, due to the time it takes.
Quote:
I think it may be possible to create a new group, say 'usbplug'. Change the udev rules to mount USB sticks with that as the group. Then put the people you like into that group. I'm no udev expert, so I can't be more specific, but it should be possible.
Yes, this should work. The problem is that I don't have experience with udev, so I think I'll need to break some systems before I manage to change the udev rules to allow only a group to mount USB storage devices.
If anyone following this thread has any information regarding changing the way udev rules work, it would be nice.
Quote:
Partial knowledge of the information is not a concern. If a person tries to write the info down on a piece of paper, it becomes evident, due to the time it takes.
What if this person had a cellphone camera, or something even smaller, and clicked it through the sensitive information? Nowadays you can get a cheap but relatively good-quality camera (as in "the information can be read from the resulting images even if the quality is not perfect") that fits into a very small size; you can carry it along without anyone noticing and shoot pictures without anybody knowing. In some cases the manufacturer apparently "hard-codes" the clicking sound into the device so that you can't take a picture without making a noise that reveals you, but that's not the case everywhere: many big companies sell phones and other things that contain a silent camera.
Well, back to the original question. I would have suggested removing the USB ports completely, but probably some people still need to use them, now that I have read the post more in depth. The next best way, then, is probably to set up a special group, as suggested, that has access to the USB sticks (or even to mounting devices in general). But if it's really important, the primary thing would be to be able to trust the users: if you know some of your users are potentially going to steal the information, you should not allow them to access the machine anyway.
Also remember to secure the software channels, such as ssh.
Yes, setting up a udev rule is definitely the way to go. You would probably want to set the rule to execute an external program that you build to check the username and group. The rule checks the return code from the program, and if the return is 0, the result was true (presumably this means the user is allowed to mount the USB stick).
The command man udev will get you started.
Edit: I guess there is an option in udev to check the group of the user, but I have never used it.
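The two suggestions in this thread (a 'usbplug' group that owns the USB device nodes, and a udev PROGRAM= helper whose exit code decides the match) can be combined into one small script. The following is an added example, not code posted in the thread and not part of any distro's udev rules. It assumes the group name usbplug, a hypothetical install path /usr/local/sbin/usb-gate for the helper, that 60-persistent-storage.rules has already tagged USB-attached block devices with ID_BUS=usb, and that "the user at the console" is whoever `who` lists on a VT (tty1, ...) or an X display (:0). udev itself has no notion of a login name, which is why the helper has to look it up.

```shell
#!/bin/sh
# Added example (not from the thread): per-login gate for USB mass storage.
# A USB block device node is created as <console user>:usbplug 0660 only if
# that user is a member of usbplug; otherwise it is left root:root 0600, so
# no regular user can open it (and so cannot mount it without root help).
#
# Assumptions, all mine: group "usbplug" (from the thread), helper installed
# at /usr/local/sbin/usb-gate (hypothetical path), ENV{ID_BUS}=="usb" set by
# 60-persistent-storage.rules, console user taken from `who`.

USB_GROUP=usbplug
RULE_FILE=/etc/udev/rules.d/70-usb-storage-gate.rules

# The udev rule. PROGRAM= runs the helper; exit 0 makes the rule match and
# %c expands to the helper's stdout (the user name), which becomes OWNER.
# On a non-zero exit the first line is skipped and the second line locks
# the node down. GOTO/LABEL keep the two lines mutually exclusive.
usb_gate_rule() {
    cat <<EOF
# USB block devices: owner = console user if in $USB_GROUP, else locked down.
SUBSYSTEM=="block", ENV{ID_BUS}=="usb", PROGRAM="/usr/local/sbin/usb-gate decide", OWNER="%c", GROUP="$USB_GROUP", MODE="0660", GOTO="usb_gate_end"
SUBSYSTEM=="block", ENV{ID_BUS}=="usb", OWNER="root", GROUP="root", MODE="0600"
LABEL="usb_gate_end"
EOF
}

# Name of the user logged in at the local console (VT or X display), or nothing.
console_user() {
    who | awk '$2 ~ /^(:[0-9]+|tty[0-9]+)$/ { print $1; exit }'
}

# Pure decision: print USER and return 0 if USER appears in the space-separated
# GROUPLIST (the format `id -Gn USER` prints) as a member of $USB_GROUP;
# otherwise return 1. Kept free of `who`/`id` so it can be tested offline.
gate_decide() {
    user=$1
    grouplist=$2
    [ -n "$user" ] || return 1
    for g in $grouplist; do
        if [ "$g" = "$USB_GROUP" ]; then
            printf '%s\n' "$user"
            return 0
        fi
    done
    return 1
}

# Entry point called from the rule's PROGRAM= line.
usb_gate_decide() {
    u=$(console_user)
    [ -n "$u" ] || return 1
    gate_decide "$u" "$(id -Gn "$u" 2>/dev/null)"
}

case "${1:-}" in
    decide)     usb_gate_decide ;;
    print-rule) usb_gate_rule ;;
    install)
        groupadd -f "$USB_GROUP"
        usb_gate_rule > "$RULE_FILE"
        # Make udev re-read rules.d: udevadm on current udev, the older
        # udevcontrol on Fedora 8-era udev.
        udevadm control --reload-rules 2>/dev/null || udevcontrol reload_rules
        ;;
    "") : ;;   # no subcommand: only define the functions (e.g. when sourced)
esac
```

Allowed users are added with `usermod -a -G usbplug <name>`; the rule can be dry-run against a plugged-in stick with `udevadm test /sys/block/sdb` (or `udevtest` on old udev) before trusting it. Two caveats a practitioner should keep in mind: the owner is decided at plug-in time from whoever `who` reports at the console, so a shared console with two sessions needs a stricter lookup than this example; and a desktop automounter (HAL with gnome-volume-manager in the Fedora 8 era, udisks today) mounts as root under its own policy and ignores the node permissions, so it has to be disabled or restricted separately, otherwise the gate only stops direct reads and writes of the device.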
Sorry, not what I meant. I pull the USB stick and take it to a computer that I control, that I set up, where I know the root password.
I can then copy all the contents fairly quickly, if it's USB 2, to my hard drive and return the stick.
If each user has a key to only their own encrypted folder, I can only steal what I can get into.
I know this sounds strange, but the information the user has access to is worthless if the access is only partial.
I'm sorry I can't provide more detail, but the point is I need to prevent the transport of all the data out of this environment.
It doesn't matter if the user has access to it locally. In fact, they have access and use that information all day long.
I've tried to mess with udev without success so far.
I've tried to change files like /etc/udev/rules.d/60-persistent-storage.rules, but I was unable to create a conditional mount based on group id or whatever.
Fair enough, I am no longer flogging the USB stick dead horse.
Without a life story, can you explain whether the USB drives are shared over the network or attached locally to each machine?
Does each user in fact have access to NFS or Samba or any cable network, etc.?
The reason I ask is that you make no mention of local hard drives. If you have the root password you could allocate, on the USB drive, permissions for folders for each user; ditto for a hard drive. But then I am guessing each user needs some input from the other users, so if it's a local hard drive you really need a network.