Restrict the use of USB devices in Linux

Those who work with users in institutions that require certain restrictions, either to guarantee a level of security or because of some idea or order "from above" (as we say here), often need to implement access restrictions on computers. Here I will talk specifically about restricting or controlling access to USB storage devices.

Restrict USB using modprobe (didn't work for me)

This is not exactly a new practice. It consists of adding the usb_storage module to the blacklist of kernel modules, so that it is not loaded. It would be:

echo usb_storage > $HOME/blacklist
sudo mv $HOME/blacklist /etc/modprobe.d/

Then we restart the computer and that's it.

I should clarify that although everyone shares this alternative as the most effective solution, on my Arch it did not work for me.
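A check for whether a modprobe.d entry can take effect, as an added example that is not part of the original post: modprobe only reads files in /etc/modprobe.d/ whose names end in .conf, and it expects lines such as `blacklist <module>` or `install <module> <command>`. The function name `modprobe_block_status` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reports how a modprobe.d-style
# directory treats a module:
#   disabled    - "install <mod> /bin/false" in a *.conf file, so modprobe
#                 runs /bin/false instead of loading the module
#   blacklisted - "blacklist <mod>" in a *.conf file (only alias-based
#                 autoloading is suppressed)
#   ignored     - module named, but in a non-.conf file or without a keyword
#   absent      - module not mentioned at all
modprobe_block_status() {
    dir=$1 mod=$2 status=absent
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        hit=$(awk -v m="$mod" '
            BEGIN { gsub(/-/, "_", m) }          # modprobe treats - and _ alike
            { sub(/#.*/, "")                      # drop comments
              name = $2; gsub(/-/, "_", name)
              bare = $1; gsub(/-/, "_", bare) }
            $1 == "install" && name == m &&
                $3 ~ /^\/(usr\/)?s?bin\/(false|true)$/ { r = "disabled" }
            $1 == "blacklist" && name == m && r != "disabled" { r = "blacklisted" }
            NF == 1 && bare == m && r == "" { r = "ignored" }
            END { print r }' "$f")
        # Files without the .conf suffix are never read by modprobe.
        case $f in *.conf) ;; *) if [ -n "$hit" ]; then hit=ignored; fi ;; esac
        # Keep the strongest result seen so far.
        case "$status:$hit" in
            *:disabled) status=disabled ;;
            absent:blacklisted|ignored:blacklisted) status=blacklisted ;;
            absent:ignored) status=ignored ;;
        esac
    done
    printf '%s\n' "$status"
}

# Constructed sample: the file the article's two commands create, then a
# corrected one beside it. uas (the USB Attached SCSI driver) is queried as a
# module the directory does not mention.
demo=$(mktemp -d)
echo usb_storage > "$demo/blacklist"
printf 'before: %s\n' "$(modprobe_block_status "$demo" usb_storage)"
printf 'blacklist usb_storage\ninstall usb_storage /bin/false\n' \
    > "$demo/usb-storage.conf"
printf 'after:  %s (uas: %s)\n' "$(modprobe_block_status "$demo" usb-storage)" \
    "$(modprobe_block_status "$demo" uas)"
rm -rf "$demo"
```

Run it against the real directory with `modprobe_block_status /etc/modprobe.d usb_storage`. A module compiled into the kernel is not affected by any modprobe.d entry.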

Disable USB by removing kernel driver (didn't work for me)

Another option would be to remove the USB storage driver from the kernel's module directory. For this we execute the following command:

sudo mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb* /root/

We reboot and that's it.

This moves the files containing the USB storage drivers used by the kernel to another folder (/root/).

If you want to undo this change, the following is enough:

sudo mv /root/usb* /lib/modules/$(uname -r)/kernel/drivers/usb/storage/

This way didn't work for me either; for some reason the USBs kept working for me.

Restrict access to USB devices by changing /media/ permissions (this one DID work for me)

This is so far the method that certainly works for me. As you should know, USB devices are mounted on /media/ or… if your distro uses systemd, they are mounted on /run/media/

What we will do is change the permissions of /media/ (or /run/media/) so that ONLY the root user can access its content. For this, the following is enough:

sudo chmod 700 /media/

or ... if you use Arch or any distro with systemd:

sudo chmod 700 /run/media/

Of course, you must make sure that only the root user has permission to mount USB devices, because otherwise the user could mount the USB in another folder and circumvent our restriction.

Once this is done, USB devices will still be mounted when connected, but no notification will appear to the user, nor will they be able to access the folder directly.

The end!

There are some other ways explained on the net, for example using Grub ... but, guess what, it didn't work for me either 🙂

I post so many options (even though not all of them worked for me) because an acquaintance of mine bought a digital camera at an online store for technology products in Chile. He remembered the script spy-usb.sh that I explained here a while ago (as I recall, it serves to spy on USB devices and steal information from them) and asked me if there was any way to prevent information from being stolen from his new camera, or at least some option to block USB devices on his home computer.

Anyway, although this is not a protection for your camera against all the computers to which you might connect it, at least it will be able to protect the home PC from the removal of sensitive information through USB devices.

I hope it has been (as always) useful for you. If anyone knows of any other method to deny access to USB in Linux that, of course, works without problems, let us know.



  1.   snkisuke said

    Another possible way to avoid mounting a usb storage could be by changing the rules in udev http://www.reactivated.net/writing_udev_rules.html#example-usbhdd, by modifying the rule so that only root can mount usb_storage devices, I think it will be a "fancy" way. Cheers

  2.   otakulogan said

    In the Debian wiki they say not to block modules directly in the /etc/modprobe.d/blacklist (.conf) file, but in an independent one that ends in .conf: https://wiki.debian.org/KernelModuleBlacklisting . I don't know if things are different in Arch, but without having tried it on USBs on my computer, it works like this with, for example, bumblebee and pcspkr.

    1.    otakulogan said

      And I think Arch does use the same method, right? https://wiki.archlinux.org/index.php/kernel_modules#Blacklisting .

  3.   rudamacho said

    I think a better option by changing permissions would be to create a specific group for /media, for example "pendrive", assign that group to /media and give permissions 770, so we could control who can use what is mounted on /media by adding the user to the group «pendrive», I hope you have understood 🙂

  4.   iskalotl said

    Hello, KZKG ^ Gaara, for this case we can use policykit, with this we would achieve that when inserting a USB device the system asks us to authenticate as user or root before mounting it.
    I have some notes on how I did it, in the course of Sunday tomorrow I post it.

    Greetings.

  5.   iskalotl said

    Following up on my message about using policykit, and given that at the moment I have not been able to post (I suppose due to the changes that have occurred in Desdelinux Let's UseLinux), here is how I prevented users from mounting their USB devices. This was under Debian 7.6 with Gnome 3.4.2.

    1.- Open the file /usr/share/polkit-1/actions/org.freedesktop.udisks.policy
    2.- We look for the section «»
    3.- We change the following:

    "And it is"

    to:

    "auth_admin"

    Ready!! This will require you to authenticate as root when trying to mount a USB device.

    References:
    http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
    http://scarygliders.net/2012/06/20/a-brief-guide-to-policykit/
    http://lwn.net/Articles/258592/

    Greetings.

    1.    raidel celma said

      In step 2 I don't understand which section you mean "I'm a beginner."

      thanks for the help.

  6.   thisnameisfalse said

    Another method: add the "nousb" option to the kernel boot command line, which involves editing the grub or lilo config file.

    nousb - Disable the USB subsystem.
    If this option is present, the USB subsystem will not be initialized.

  7.   raidel celma said

    How to keep in mind that only the root user has permissions to mount USB devices and the other users do not.

    Thank you.

    1.    KZKG ^ Gaara said

      How to keep in mind that out-of-the-box distros (like the one you use) automatically mount USB devices, either Unity, Gnome or KDE ... either using policykit or dbus, because it is the system that mounts them, not the user.

      For nothing 😉

  8.   Victor said

    And if I want to cancel the effect of
    sudo chmod 700 /media/

    What should I put in the terminal to regain access to the USB?

    Thank you

  9.   Anonymous said

    That does not work if you connect your mobile with a USB cable.

  10.   ruyzz said

    sudo chmod 777 /media/ to re-enable.

    Greetings.

  11.   Maurel reyes said

    This is not feasible. They should only mount the USB in a directory other than /media.

    If disabling the USB module does not work for you, you should see which module is used for your USB ports. Maybe you are disabling the wrong one.

  12.   John Ferrer said

    Definitely the easiest way, I've been looking for one for a while and I couldn't think of the one that was under my nose. Thank you so much
