The user must allow others to write to their X session. [[ $DISPLAY ]] && /usr/bin/xhost +localhost
in ~/.bash_profile would do that.
Write a udev rule to run a script when the USB device is plugged in. Best guidance here
(it's a bit outdated. udevadm
has take over from some of the commands listed there).
The script can use dialog
or one of its equivalents (yad
is good) to interact with the user and request the password.
The script will be running as root so can do anything, including mounting the USB device and starting the file browser on the user's desktop (best to su
to the user when doing that).
Those steps do everything you asked for. You probably also want to check the password given ... ?