masterkilla
asked on
[LINUX] how to deny usb flash drive access but allow other usb peripherals
In previous windows environments I noticed that USB flash drive functionality was denied as company policy. How can I do the same thing on Linux (mandriva) in the same fashion that a large organisation would implement this?
I came across the command:
lsusb -s [[bus]:][devnum]
How would I apply this to the below lsusb list? I don't understand how I should input the bus and devnum e.g. lsusb -s 003:002 did not work.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0bda:0158 Realtek Semiconductor Corp. USB 2.0 multicard reader
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 064e:a104 Suyin Corp.
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 002: ID 045e:0039 USB FLASH DRIVE
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 002: ID 08ff:1600 AuthenTec, Inc. AES1600
Bus 007 Device 003: ID 056a:0093 Wacom Co., Ltd
I came across the command:
lsusb -s [[bus]:][devnum]
How would I apply this to the below lsusb list? I don't understand how I should input the bus and devnum e.g. lsusb -s 003:002 did not work.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0bda:0158 Realtek Semiconductor Corp. USB 2.0 multicard reader
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 064e:a104 Suyin Corp.
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 002: ID 045e:0039 USB FLASH DRIVE
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 002: ID 08ff:1600 AuthenTec, Inc. AES1600
Bus 007 Device 003: ID 056a:0093 Wacom Co., Ltd
you can disable it in kernel, but it need recompile it, also
rmmod usb_storage must work
also if mandriva users work into nautilus:
use:
apps>nautilus>preferences>
if users can access to root, on their computer, you can remove storage.ko by self:
(to not allow modprobe it back)
mv /lib/modules/$(uname -r)/kernel/drivers/usb/sto
and update the initramfs
update-initramfs -k all -c -v
you can also restrict all users to mount any devices, by
chmod 000 /media
so no one can use automount..
rmmod usb_storage must work
also if mandriva users work into nautilus:
use:
apps>nautilus>preferences>
if users can access to root, on their computer, you can remove storage.ko by self:
(to not allow modprobe it back)
mv /lib/modules/$(uname -r)/kernel/drivers/usb/sto
and update the initramfs
update-initramfs -k all -c -v
you can also restrict all users to mount any devices, by
chmod 000 /media
so no one can use automount..
lastest is most fastest)) but you can't also mount any media devices, also if you have logical disc
Read about udev rules, and made one that accept only devices that must be used on USB port.
compile the kernel with the option obj-m for USB storage devices so that u can unmount Usb storage module.
do rmmod usb_storage now your mass storage module is unmounted.
do rmmod usb_storage now your mass storage module is unmounted.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Try it on a test machine and see if it will meet your needs, but if it is a server do not run it as you would need to have access to the usb storage one day.
modprobe -r usb_storage