LinuxQuestions.org
Old 05-21-2019, 11:50 AM   #1
FBorges22
Disallow users to mount usb flash drives or HDD


Hi there,

I am looking for a precise way to block users from mounting USB mass storage devices (i.e., flash drives, hard disks, etc.) on my Debian 9 diskless stations.

I checked the PolicyKit instructions but I still have no idea how to prevent the users from mounting USB media.

Disabling the udisks2 service is not working, and even if I stop udisks2 it can start again and allow the users to mount their removable USB media normally. I need to secure my server and cannot allow anyone to mount their media on the server.

Best regards,
F.Borges
 
Old 05-21-2019, 01:01 PM   #2
teckk
Couple of thoughts

Remove the kernel module
Code:
mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /home/somewhere
Use your own path; on Arch, something like
Code:
/usr/lib/modules/5.0.9-arch1-1-ARCH/kernel/drivers/usb/storage/usb-storage.ko.xz
Blacklist usb storage
Code:
cat /etc/modprobe.d/blacklist.conf
blacklist usb-storage
Or modprobe -r usb-storage

You can modprobe it back though.

Turn off usb in BIOS/UEFI

Deny access
Code:
chmod 000 /media
GRUB: in grub.conf or menu.lst, add nousb to the kernel line

lsusb to see what's attached, then
Code:
echo "disabled" > /sys/bus/usb/devices/usbX/power/wakeup
echo "suspend" > /sys/bus/usb/devices/usbX/power/level
On this arch box
Code:
cat /sys/bus/usb/devices/usb1/power/wakeup
disabled
I think that you could also do that with sysctl -w

Then there is
Code:
pacman -Si usbguard
...
Description     : Software framework for implementing USB device authorization
                  policies
Architecture    : x86_64
URL             : https://github.com/dkopecek/usbguard
Licenses        : GPL2
Groups          : None
Provides        : libusbguard.so=0-64
Depends On      : glibc  libqb  libqb.so=0-64  libsodium  libcap-ng  protobuf
                  polkit  dbus-glib
...
Download Size   : 394.82 KiB
Installed Size  : 1514.00 KiB
...
https://wiki.archlinux.org/index.php/USBGuard
 
3 members found this post helpful.
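
The blacklist suggestion in post #2 comes with the poster's own caveat that the module can be modprobed back. As an added example (not part of the original posts), the shell function below reports whether a modprobe.d directory only blacklists a module or also replaces its load command with an `install <module> /bin/false` line; the helper name and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies how a modprobe.d directory
# treats a module:
#   none             - no directive for it
#   blacklist-only   - alias autoloading is off, "modprobe <module>" still works
#   install-override - modprobe runs /bin/false or /bin/true instead of loading
# modprobe_block_state is a hypothetical helper name.
modprobe_block_state() {
    dir=$1
    # modprobe treats "-" and "_" in module names as the same character.
    mod=$(printf '%s' "${2:-usb-storage}" | sed 's/-/_/g')
    cat "$dir"/*.conf 2>/dev/null | awk -v mod="$mod" '
        { sub(/#.*/, "") }                      # drop comments
        NF < 2 { next }
        { name = $2; gsub(/-/, "_", name) }
        name != mod { next }
        $1 == "blacklist" { bl = 1 }
        $1 == "install" && $3 ~ /^\/(usr\/)?s?bin\/(false|true)$/ { inst = 1 }
        END {
            if (inst)    print "install-override"
            else if (bl) print "blacklist-only"
            else         print "none"
        }'
}

# Constructed sample: the blacklist line from the post, then a hardened file.
demo_dir=$(mktemp -d)
printf 'blacklist usb-storage\n' > "$demo_dir/blacklist.conf"
echo "blacklist line only:   $(modprobe_block_state "$demo_dir")"
printf 'install usb_storage /bin/false\n' > "$demo_dir/usb-storage.conf"
echo "with install override: $(modprobe_block_state "$demo_dir")"
rm -rf "$demo_dir"
```

On a real host the directory to check is /etc/modprobe.d. An install override only affects modprobe; insmod with an explicit .ko path does not read modprobe.d, which is what moving the module file addresses.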
Old 05-21-2019, 10:53 PM   #3
proMusic
Check out usbguard

To start protecting your system, you can use the USBGuard shell command and its generate-policy sub-command to generate an initial policy for your system instead of writing one from scratch. The tool generates an allow policy for all devices currently connected to your system.

Code:
sudo apt-get update ; sudo apt-get install usbguard
usbguard generate-policy > rules.conf
sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
sudo systemctl restart usbguard

Last edited by proMusic; 05-21-2019 at 10:56 PM.
 
1 members found this post helpful.
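
Because `generate-policy` writes an allow rule for every device connected at that moment, a flash drive left plugged in ends up whitelisted. The following added example (not part of the original post) scans a generated rules file for allow rules that cover a mass-storage interface (USB class 08) so they can be reviewed before the file is installed; the function name is hypothetical and the sample rules are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Prints "<line>: <vid:pid>" for every
# allow rule in a USBGuard rules file that whitelists a mass-storage
# interface (USB class 08). usbguard_storage_allows is a hypothetical name.
usbguard_storage_allows() {
    awk '
        $1 != "allow" { next }
        {
            hit = 0
            for (i = 2; i <= NF; i++) {
                if ($i != "with-interface") continue
                j = i + 1
                # Simplification: a set operator before "{" is skipped, not interpreted.
                if ($j != "{" && $(j + 1) == "{") j++
                if ($j == "{") {
                    for (j++; j <= NF && $j != "}"; j++)
                        if ($j ~ /^08:/) hit = 1
                } else if ($j ~ /^08:/) hit = 1
            }
            if (hit) print NR ": " ($2 == "id" ? $3 : "?")
        }' "$1"
}

# Constructed sample in the shape generate-policy emits (IDs and hashes are made up).
rules=$(mktemp)
cat > "$rules" <<'EOF'
allow id 1111:0001 serial "" name "Constructed Hub" hash "AAAA=" with-interface 09:00:00
allow id 1111:0002 serial "" name "Constructed Keyboard" hash "BBBB=" with-interface { 03:01:01 03:00:00 }
allow id 1111:0003 serial "X1" name "Constructed Flash Drive" hash "CCCC=" with-interface 08:06:50
EOF
usbguard_storage_allows "$rules"
rm -f "$rules"
```

A rule the function lists can be deleted from rules.conf, or changed from `allow` to `block`, before the file is copied to /etc/usbguard/rules.conf.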
Old 05-22-2019, 09:50 AM   #4
FBorges22
Thanks for the help. I also successfully blocked USB mounting with PolicyKit by creating the file disallow-mounting.pkla in /etc/polkit-1/localauthority/50-local.d with the following contents:

Quote:
[Dissallow users to mount devices]
Identity=unix-group:users
Action=org.freedesktop.udisks2.*
ResultAny=no
ResultInactive=no
ResultActive=no
What do you think of the use of PolicyKit to block mounting all mass storage devices?
 
  

