Those who support users in institutions that require certain restrictions, whether to guarantee a level of security or because of some idea or order "from above" (as we say here), often need to implement access restrictions on computers. Here I will talk specifically about restricting or controlling access to USB storage devices.
Restrict USB using modprobe (didn't work for me)
This is not exactly a new practice. It consists of adding the usb_storage module to the blacklist of kernel modules, like this:
echo usb_storage > $HOME/blacklist
sudo mv $HOME/blacklist /etc/modprobe.d/
Then we restart the computer and that's it.
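Added example (not part of the original post): a shell check for whether a modprobe.d directory really blocks usb_storage. modprobe only reads files in /etc/modprobe.d/ whose names end in .conf, and a rule needs the blacklist or install keyword, so a file named blacklist that contains only usb_storage is ignored. The function name check_usb_storage_block and the sample file names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit a modprobe.d-style directory for an effective
# usb_storage block. Function name and messages are choices made here.

# check_usb_storage_block DIR
#   Prints one line per finding. Returns 0 if a *.conf file holds a
#   blacklist/install rule for usb_storage, 1 otherwise.
check_usb_storage_block() {
    dir=$1
    found=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # modprobe treats '-' and '_' in module names as equivalent.
        if grep -Eq '^[[:space:]]*(blacklist|install)[[:space:]]+usb[-_]storage([[:space:]]|$)' "$f"; then
            case $f in
                *.conf) echo "effective: $f"; found=0 ;;
                *)      echo "ignored (no .conf suffix): $f" ;;
            esac
        elif grep -Eq '^[[:space:]]*usb[-_]storage[[:space:]]*$' "$f"; then
            # Bare module name: not a modprobe.d directive at all.
            echo "ignored (no blacklist keyword): $f"
        fi
    done
    return $found
}

# Constructed sample: first the file exactly as the commands above create it,
# then a corrected rule in a .conf file.
demo_dir=$(mktemp -d)
echo usb_storage > "$demo_dir/blacklist"
check_usb_storage_block "$demo_dir" || echo "usb_storage is NOT blocked"
echo "blacklist usb_storage" > "$demo_dir/usb-storage.conf"
check_usb_storage_block "$demo_dir" && echo "usb_storage is blocked"
rm -rf "$demo_dir"
```

Run it against the real directory with: check_usb_storage_block /etc/modprobe.d. A blacklist line only stops automatic loading by alias; an install usb_storage /bin/false line also makes an explicit modprobe usb_storage fail.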
Disable USB by removing kernel driver (didn't work for me)
Another option would be to remove the USB driver from the kernel, for this we execute the following command:
sudo mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb* /root/
We reboot and that's it.
This moves the file containing the USB drivers used by the kernel to another folder (/root/).
If you want to undo this change, this is enough:
sudo mv /root/usb* /lib/modules/$(uname -r)/kernel/drivers/usb/storage/
Restrict access to USB devices by changing /media/ permissions (this one DID work for me)
This is so far the method that certainly works for me. As you should know, USB devices are mounted on /media/ or… if your distro uses systemd, they are mounted on /run/media/
What we will do is change the permissions of /media/ (or /run/media/) so that ONLY the root user can access its content. For this it is enough to run:
sudo chmod 700 /media/
or ... if you use Arch or any distro with systemd:
sudo chmod 700 /run/media/
Once this is done, USB devices will still be mounted when connected, but no notification will appear to the user, and they will not be able to access the folder directly.
The end!
There are some other ways explained on the net, for example using Grub ... but, guess what, it didn't work for me either 🙂
I post so many options (even though not all of them worked for me) because an acquaintance of mine bought a digital camera at an online store for technology products in Chile. He remembered the spy-usb.sh script that I explained here a while ago (remember, it is used to spy on USB devices and steal information from them) and asked me if there was any way to prevent information from being stolen from his new camera, or at least some option to block USB devices on his home computer.
Anyway, although this does not protect your camera against every computer you might connect it to, at least it can protect the home PC from the removal of sensitive information through USB devices.
I hope it has been (as always) useful for you. If anyone knows of any other method to deny access to USB in Linux that, of course, works without problems, let us know.
Another possible way to avoid mounting a usb storage could be by changing the rules in udev http://www.reactivated.net/writing_udev_rules.html#example-usbhdd, by modifying the rule so that only root can mount usb_storage devices, I think it will be a "fancy" way. Cheers
In the Debian wiki they say not to block modules directly in the /etc/modprobe.d/blacklist (.conf) file, but in an independent one that ends in .conf: https://wiki.debian.org/KernelModuleBlacklisting . I don't know if things are different in Arch, but without having tried it on USBs on my computer, it works like this with, for example, bumblebee and pcspkr.
And I think Arch does use the same method, right? https://wiki.archlinux.org/index.php/kernel_modules#Blacklisting .
I think a better option by changing permissions would be to create a specific group for /media, for example "pendrive", assign that group to /media and give permissions 770, so we could control who can use what is mounted on /media by adding the user to the group "pendrive". I hope you have understood 🙂
Hello, KZKG^Gaara, for this case we can use policykit. With this we would achieve that when inserting a USB device the system asks us to authenticate as user or root before mounting it.
I have some notes on how I did it; I will post them tomorrow, Sunday.
Greetings.
Following up on the message about using policykit, and given that at the moment I have not been able to post (I suppose due to the changes that have occurred in Desdelinux UsemosLinux), I leave you how I prevented users from mounting their USB devices. This is under Debian 7.6 with Gnome 3.4.2.
1.- Open the file /usr/share/polkit-1/actions/org.freedesktop.udisks.policy
2.- We look for the section «»
3.- We change the following:
"yes"
to:
"auth_admin"
Done!! This will require you to authenticate as root when trying to mount a USB device.
References:
http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
http://scarygliders.net/2012/06/20/a-brief-guide-to-policykit/
http://lwn.net/Articles/258592/
Greetings.
In step 2 I don't understand which section you mean "I'm a beginner."
thanks for the help.
Another method: add the "nousb" option to the kernel boot command line, which involves editing the grub or lilo config file.
nousb - Disable the USB subsystem.
If this option is present, the USB subsystem will not be initialized.
How to keep in mind that only the root user has permissions to mount USB devices and the other users do not.
Thank you.
How to keep in mind that out-of-the-box distros (like the one you use) automatically mount USB devices, either Unity, Gnome or KDE ... either using policykit or dbus, because it is the system that mounts them, not the user.
You're welcome 😉
And if I want to cancel the effect of
sudo chmod 700 /media/
What should I put in the terminal to regain access to the USB?
Thank you
That does not work if you connect your mobile with a USB cable.
sudo chmod 777 /media/ to re-enable.
Greetings.
This is not feasible. They should only mount the USB in a directory other than /media.
If disabling the USB module does not work for you, you should see which module is used for your USB ports. Maybe you are disabling the wrong one.
Definitely the easiest way. I've been looking for one for a while and I couldn't think of the one that was right under my nose. Thank you so much