block automount of usb pendrive in non-root user



Flako000
06-May-2013, 14:44
Hello,
I need to block/prevent automount of USB pendrives for non-root users in SLED 10SP2.
It can be done from GNOME settings with gconftool or from Nautilus options, but these are settings that users can set with their own permissions (not what I need).
In SLES10SP2 I could set it to ask for the root password every time you insert a flash drive, setting this with the command polkit-gnome-authorization.
I tried to read the hal configuration files, to do the same .. but I'm walking around without achieving anything ..

How can I prevent normal (non-root) users from mounting a pendrive?

Thank you for reading ..

mikewillis
06-May-2013, 19:37
I've never tried it myself, but I've seen this discussed elsewhere and the usual suggestion is to disable the usb-storage module. There are lots of guides on how to do this, including one from the US government:
http://www.nsa.gov/ia/_files/factsheets/I731-002R-2007.pdf


Is there any particular reason you are using SLED 10 SP2 years after it went End Of Life?

Flako000
06-May-2013, 22:07
Hello mikewillis
I disable the usb-storage module to analyze it, like udev rules, but I do not work because the root user should be able to use the USB flash drive.
And what use is simply a SECT SLED10SP2 management ... :)

mikewillis
07-May-2013, 12:22
> I disable the usb-storage module to analyze it, like udev rules, but I do not work because the root user should be able to use the USB flash drive.

Sorry, you did say non-root and I did not mention that root can use a USB drive by manually loading the module.

$ insmod $(find "/lib/modules/$(uname -r)" -name usb-storage.ko)

Once they have finished they can then reboot, or unload the module:

$ rmmod $(find "/lib/modules/$(uname -r)" -name usb-storage.ko)

Of course this assumes that a non-root user will not try and use a USB drive at the same time as root, but if root needs to use a USB drive they are presumably physically present in front of the machine and so no one else would be able to use it. I've tested this on SLED 11 SP2, but not SLED 10 SP2 because I don't have anything running SLED 10 SP2.


> And what use is simply a SECT SLED10SP2 management ... :)
I'm sorry but I have no idea what the intended meaning of that sentence is.
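
An audit check for the approach discussed in this thread, added here as an example and not posted by anyone in the thread: it reports whether modprobe configuration blocks usb-storage and whether the module is currently loaded (for instance because root ran insmod and has not yet unloaded it). The thread does not say how the module is disabled, so the `install usb-storage /bin/true` form is an assumption; insmod with a full path does not read modprobe configuration, which is why root's manual load still works under it. The function names and the config paths in the final call are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# usb_storage_policy FILE...
# Prints the strongest usb-storage directive found in the given modprobe
# configuration files: install-blocked, blacklist-only or unrestricted.
usb_storage_policy() {
    [ $# -gt 0 ] || { echo unrestricted; return 0; }
    # sed drops comments; awk treats '-' and '_' in the module name alike,
    # as modprobe does.
    cat -- "$@" 2>/dev/null | sed 's/#.*//' | awk '
        { gsub(/-/, "_", $2) }
        $1 == "install" && $2 == "usb_storage" &&
            ($3 == "/bin/true" || $3 == "/bin/false") { hard = 1 }
        # blacklist only stops alias-based autoloading; an explicit
        # "modprobe usb-storage" still loads the module.
        $1 == "blacklist" && $2 == "usb_storage" { soft = 1 }
        END { print (hard ? "install-blocked" : (soft ? "blacklist-only" : "unrestricted")) }'
}

# usb_storage_loaded [MODULES_FILE]
# Succeeds if the module is loaded. /proc/modules lists it with underscores.
usb_storage_loaded() {
    grep -q '^usb_storage ' "${1:-/proc/modules}"
}

# audit_usb_storage MODULES_FILE CONF_FILE...
# Prints "<policy> <loaded|not-loaded>".
audit_usb_storage() {
    modules_file=$1
    shift
    policy=$(usb_storage_policy "$@")
    if usb_storage_loaded "$modules_file"; then
        state=loaded
    else
        state=not-loaded
    fi
    echo "$policy $state"
}

# Assumed config locations; adjust for the distribution being audited.
audit_usb_storage /proc/modules /etc/modprobe.d/* /etc/modprobe.conf.local
```

A result of `install-blocked loaded` means the module is loaded despite the block, for example because root loaded it manually and has not yet run rmmod or rebooted.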