How to disable a USB memory stick on a per-user basis?
The machines are regular desktop computers with hard drives, sound (internal speaker), and a USB keyboard and mouse.
They will run some distro in graphical mode (Fedora/openSuSE and Gnome probably), and a special application that reads the big file they don't want copied outside of this environment.
These computers are on a network with no shares of any kind, used just to communicate with a database server. At some point, each user may generate a big file for local processing (due to network performance issues). This file is volatile; I mean the information in this file is good only for the next 4-6 hours. And partial knowledge of this file is not an issue either.
Only the members of the board of directors may copy data out of this environment.
The users don't have any administrative privileges.
And thanks for the links to the documentation. I will read them ASAP.
I've tried to mess with udev without success so far.
I've tried to change files like /etc/udev/rules.d/60-persistent-storage.rules but I was unable to create a conditional mount based on group id or whatever.
I keep trying...
Thanks so far,
I found udev to be a PITA, and I still find it to be a PITA even though I kind of have the hang of it.
You probably need to write your own rule, patterned off of persistent-storage.rules, but limited to devices on the USB bus and running ahead of that rule in the list.
I've made some progress, thanks to the documentation aus9 pointed me to. Hey aus9, thank you!
What I did:
In the file 60-persistent-storage.rules there are several references to sd devices (KERNEL=="sd*[0-9]").
The first step was to identify which of these are "activated" or matched by a USB memory stick. To figure this out, I added the statement ENV{MYFLAG}="flag-<number>" at the end of each line, I mean:
And in a console, running "udevmonitor --env | grep -i MYFLAG", I was able to identify the rules that match for each USB memory stick based on the number of the flag they show. For instance, the rules with flag-1, flag-3 and flag-4 matched for the dozen or so memory sticks I tried with. (Of course, I need to plug and unplug the USB memory stick to trigger the events and see any output from udevmonitor.)
Then, in the selected rules, I put another statement at the end: OPTIONS+="ignore_device", which I learned from the documentation.
And, as a result, the USB memory stick is not automatically mounted anymore, as expected.
In fact, this was my second attempt. The first was using the statements OWNER, GROUP and MODE, but it looks like they didn't work for me... more investigation is necessary.
Now, what I need to do is to ignore the device or adjust the owner/group/mode to restrict access the way they need.
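The three tracing steps described in this post (tag every sd rule with a numbered flag, read the flags back out of the monitor output, then mark the rules that fired), as an added shell example that is not code from the thread. The function names, the sample rule lines and the monitor output are constructed; on a real system the inputs are /etc/udev/rules.d/60-persistent-storage.rules and the saved output of "udevmonitor --env".

```shell
#!/bin/sh
# Added example (not code from the thread): the poster's three tracing steps as
# shell functions over plain files. Function names and the sample rule lines
# and monitor output below are constructed; on a real system the inputs are
# /etc/udev/rules.d/60-persistent-storage.rules and saved "udevmonitor --env" output.

# Step 1: append ENV{MYFLAG}="flag-N" (N counting from 1) to every rule line
# that contains the literal text KERNEL=="sd*[0-9]"; other lines pass through.
tag_sd_rules() {
    awk 'index($0, "KERNEL==\"sd*[0-9]\"") > 0 {
             n++
             $0 = $0 ", ENV{MYFLAG}=\"flag-" n "\""
         }
         { print }' "$1"
}

# Step 2: from saved monitor output, print the distinct flag numbers that
# fired for the plugged-in stick, one per line in ascending order.
flags_from_monitor() {
    awk 'match($0, /MYFLAG=flag-[0-9]+/) {
             print substr($0, RSTART + 12, RLENGTH - 12)
         }' "$1" | sort -un
}

# Step 3: append OPTIONS+="ignore_device" to the tagged rules whose flag
# number is in the list. $1 = tagged rules file, remaining args = flag numbers.
ignore_flagged_rules() {
    f=$1; shift
    awk -v list=" $* " '
        match($0, /ENV[{]MYFLAG[}]="flag-[0-9]+"/) {
            n = substr($0, RSTART + 18, RLENGTH - 19)
            if (index(list, " " n " ") > 0) $0 = $0 ", OPTIONS+=\"ignore_device\""
        }
        { print }' "$f"
}

# Demo on constructed input: line 2 has no [0-9] suffix and must stay untagged.
tmp=$(mktemp -d)
printf '%s\n' \
    'KERNEL=="sd*[0-9]", ATTRS{removable}=="1", SYMLINK+="usbstick/%k"' \
    'KERNEL=="sd*", GROUP="disk", MODE="0660"' \
    'KERNEL=="sd*[0-9]", ENV{ID_FS_USAGE}=="filesystem", SYMLINK+="disk/by-label/$env{ID_FS_LABEL}"' \
    > "$tmp/60-persistent-storage.rules"
tag_sd_rules "$tmp/60-persistent-storage.rules" > "$tmp/tagged.rules"
printf '%s\n' 'UEVENT[1] add /block/sdc/sdc1' 'MYFLAG=flag-2' 'DEVNAME=/dev/sdc1' \
    > "$tmp/monitor.txt"
ignore_flagged_rules "$tmp/tagged.rules" $(flags_from_monitor "$tmp/monitor.txt")
rm -rf "$tmp"
```

Current udev spells the monitor command `udevadm monitor --environment` and no longer supports OPTIONS+="ignore_device", so on a modern system the first two steps still work as a tracing aid but step 3 needs a different action.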
A good practical way of limiting misuse is to tell the people using the machines that monitoring software has been installed on their computer and that it logs all activity to their account name.
'Any employee found to be involved in the misuse of company data will be prosecuted to the full extent of the law.' (!)
This method is a powerful preventative measure regardless of whether there is monitoring software installed or not.
I tried this on my cardreader. I created a new file /etc/udev/rules.d/91-local.rules
and added the following line:
KERNEL=="sd[c-f]*", GROUP="plugdev", MODE="0600"
All four devices sdc-sdf get the plugdev group.
Yes, this works for the device node, but it is mounted anyway, because a root process mounts it, not the user. It doesn't matter if I am a member of group plugdev or not (and I am not). I tried even with mode=0000 and it is still mounted read-write for the user.
It would be nice, but it looks like the only two ways to run an external program are the PROGRAM statement, which returns a name/string to create the device node, and the RUN+= directive, which could do anything after the device is settled and mounted.
There are no conditional tests in this logic...
Using the RUN+= statement I was able to unmount the device after it was mounted, but there is a small window where the user could use the device. Using the jargon, it is a race condition, and I don't like this approach.
I am thinking of posting a question to the udev developers list to get some insights.
I find this very interesting. One would think that, after it used to be such a pain to get everyone to mount their USB sticks in an automated fashion, it should be easy as pie to go back there.
It was pretty helpful in the past. Now, while I don't yet have a solution (just the suggestion to use the attribute 'Removable' to define which kind of block device not to mount), the document does imply that all rules found in /etc/udev/rules.d are evaluated, not just the first one that applies; therefore it may well be possible that the rules your distribution uses by default will still apply even after you have set your own rule, so that you may give the device to a specific group, but a later rule gives it to everybody else (or the users group or whatever) too. You might therefore also want to identify the rules your distribution applies to removable devices and change or disable them.