From: Greg KH <greg@kroah.com>
To: linux-hotplug@vger.kernel.org
Subject: Re: Restricting USB access
Date: Fri, 08 Oct 2010 14:35:14 +0000
Message-ID: <20101008143514.GA16182@kroah.com>
In-Reply-To: <OFACC41AE7.587D1697-ON852577B5.006C93B7-852577B5.006D0ACC@hc-sc.gc.ca>

On Fri, Oct 08, 2010 at 10:25:31AM -0400, Ryan Lawrie wrote:
> Hi Greg,
>
> Mostly, we're concerned with portable USB drives. (We still want USB mice
> and keyboards to function properly) With openSUSE11.0 we were able to
> restrict all USB access (in the org.freedesktop.hal.storage.mount-removable
> file) and then add a list of privileged usernames into the policykit.conf
> file to override permissions for those people. This allowed our special
> users to use USB sticks while everyone else was unable to.
>
> I'm trying to figure out if PolicyKit is still working for openSUSE11.2
> (all the files seem to be there so I assumed that meant it was
> available .... but the system doesn't seem to care what I put into those
> files)

You should ask the policykit people about this, it's not really a
hotplug issue at all here. I'm not sure what they have changed over the
past few years in this area in that program.

> Could you give me some simple instructions on how to write a udev rule to
> do this (I've never worked with udev before) .... or direct me to a good
> tutorial website perhaps. I will do some more web hunting on that.
> (I guess I will have to take care of the CD burner also. I want that to be
> readable by everyone but not writable. Would udev rules work for this
> also?)

Well, block devices get "weird" in that HAL is probably doing the
mounting of the device when it is seen by the system automatically. So
you need to tell it to only mount it 'read-only'. And I think that
falls back to policykit to handle properly, so I don't think writing a
udev rule here will help you out at all, sorry.

good luck,

greg k-h

Thread overview: 6+ messages
2010-10-07 19:50 Restricting USB access Ryan Lawrie
2010-10-07 20:50 ` Greg KH
2010-10-08 14:25 ` Ryan Lawrie
2010-10-08 14:35 ` Greg KH [this message]
2010-10-08 14:53 ` Kay Sievers
2010-10-08 15:08 ` Kay Sievers