linux-hotplug.vger.kernel.org archive mirror
* Restricting USB access
@ 2010-10-07 19:50 Ryan Lawrie
From: Ryan Lawrie @ 2010-10-07 19:50 UTC (permalink / raw)
  To: linux-hotplug


Good afternoon,

Just wondering if I could get your assistance with something.

I need to secure the USB ports on my LAN workstations so they are not
writable by users (other than a certain group that I specify). Is this type
of restriction possible using udev rules?

I was using PolicyKit before but since we've changed OS (from openSUSE11.0
to 64-bit openSUSE11.2) that no longer seems to function properly.
Everybody has access to the USB ports now.

Any assistance you can offer would be greatly appreciated.

Take care,
Ryan Lawrie

* Re: Restricting USB access
From: Greg KH @ 2010-10-07 20:50 UTC (permalink / raw)
  To: linux-hotplug

On Thu, Oct 07, 2010 at 03:50:55PM -0400, Ryan Lawrie wrote:
> 
> Good afternoon,
> 
> Just wondering if I could get your assistance with something.
> 
> I need to secure the USB ports on my LAN workstations so they are not
> writable by users (other than a certain group that I specify). Is this type
> of restriction possible using udev rules?

USB ports are "writeable" or "readable"; it depends on the devices you
plug into them that you could then read or write to.

> I was using PolicyKit before but since we've changed OS (from openSUSE11.0
> to 64-bit openSUSE11.2) that no longer seems to function properly.
> Everybody has access to the USB ports now.

You might want to just restrict the users for the specific devices using
a udev rule, or policykit, if that's still around.

What types of devices are you trying to restrict?

thanks,

greg k-h


* Re: Restricting USB access
From: Ryan Lawrie @ 2010-10-08 14:25 UTC (permalink / raw)
  To: linux-hotplug

Hi Greg,

Mostly, we're concerned with portable USB drives. (We still want USB mice
and keyboards to function properly.) With openSUSE11.0 we were able to
restrict all USB access (in the org.freedesktop.hal.storage.mount-removable
file) and then add a list of privileged usernames into the policykit.conf
file to override permissions for those people. This allowed our special
users to use USB sticks while everyone else was unable to.

I'm trying to figure out if PolicyKit is still working for openSUSE11.2
(all the files seem to be there so I assumed that meant it was
available .... but the system doesn't seem to care what I put into those
files)

Could you give me some simple instructions on how to write a udev rule to
do this (I've never worked with udev before) .... or direct me to a good
tutorial website perhaps. I will do some more web hunting on that.
 (I guess I will have to take care of the CD burner also. I want that to be
readable by everyone but not writable. Would udev rules work for this
also?)

Thanks very much for your assistance.

Take care,
Ryan




* Re: Restricting USB access
From: Greg KH @ 2010-10-08 14:35 UTC (permalink / raw)
  To: linux-hotplug

On Fri, Oct 08, 2010 at 10:25:31AM -0400, Ryan Lawrie wrote:
> Hi Greg,
> 
> Mostly, we're concerned with portable USB drives.  (We still want USB mice
> and keyboards to function properly)  With openSUSE11.0 we were able to
> restrict all USB access (in the org.freedesktop.hal.storage.mount-removable
> file) and then add a list of privileged usernames into the policykit.conf
> file to override permissions for those people. This allowed our special
> users to use USB sticks while everyone else was unable to.
> 
> I'm trying to figure out if PolicyKit is still working for openSUSE11.2
> (all the files seem to be there so I assumed that meant it was
> available .... but the system doesn't seem to care what I put into those
> files)

You should ask the policykit people about this, it's not really a
hotplug issue at all here.  I'm not sure what they have changed over the
past few years in this area in that program.

> Could you give me some simple instructions on how to write a udev rule to
> do this (I've never worked with udev before) .... or direct me to a good
> tutorial website perhaps. I will do some more web hunting on that.
>  (I guess I will have to take care of the CD burner also. I want that to be
> readable by everyone but not writable. Would udev rules work for this
> also?)

Well, block devices get "weird" in that HAL is probably doing the
mounting of the device when it is seen by the system automatically.  So
you need to tell it to only mount it 'read-only'.  And I think that
falls back to policykit to handle properly, so I don't think writing a
udev rule here will help you out at all, sorry.

good luck,

greg k-h


* Re: Restricting USB access
From: Kay Sievers @ 2010-10-08 14:53 UTC (permalink / raw)
  To: linux-hotplug

On Fri, Oct 8, 2010 at 16:25, Ryan Lawrie <ryan.lawrie@hc-sc.gc.ca> wrote:
> Mostly, we're concerned with portable USB drives.  (We still want USB mice
> and keyboards to function properly)  With openSUSE11.0 we were able to
> restrict all USB access (in the org.freedesktop.hal.storage.mount-removable
> file) and then add a list of privileged usernames into the policykit.conf
> file to override permissions for those people. This allowed our special
> users to use USB sticks while everyone else was unable to.
>
> I'm trying to figure out if PolicyKit is still working for openSUSE11.2
> (all the files seem to be there so I assumed that meant it was
> available .... but the system doesn't seem to care what I put into those
> files)
>
> Could you give me some simple instructions on how to write a udev rule to
> do this (I've never worked with udev before) .... or direct me to a good
> tutorial website perhaps. I will do some more web hunting on that.
>  (I guess I will have to take care of the CD burner also. I want that to be
> readable by everyone but not writable. Would udev rules work for this
> also?)

Udev can't manage any permissions at such level. And USB *ports* don't
have any user permissions. Raw USB devices have, but they are not
user-assigned. USB storage devices like USB sticks are never
permission managed at the block device level, but only at mount.

It seems you are looking for auto-mount permissions for removable devices,
which have nothing really to do with USB, but with the auto-mounter <->
user-session hookup.

These permissions are never applied to device nodes (which udev could
do), but only handled when an untrusted user asks to mount a device
(udisks/HAL ask if the calling user should be granted access).

It depends on the desktop. Up-to-date desktops use udisks/polkit for
that, others still use the deprecated and no longer maintained
HAL/PolicyKit.

Kay


* Re: Restricting USB access
From: Kay Sievers @ 2010-10-08 15:08 UTC (permalink / raw)
  To: linux-hotplug

On Fri, Oct 8, 2010 at 16:35, Greg KH <greg@kroah.com> wrote:
> On Fri, Oct 08, 2010 at 10:25:31AM -0400, Ryan Lawrie wrote:

>> Could you give me some simple instructions on how to write a udev rule to
>> do this (I've never worked with udev before) .... or direct me to a good
>> tutorial website perhaps. I will do some more web hunting on that.
>>  (I guess I will have to take care of the CD burner also. I want that to be
>> readable by everyone but not writable. Would udev rules work for this
>> also?)
>
> Well, block devices get "weird" in that HAL is probably doing the
> mounting of the device when it is seen by the system automatically.  So
> you need to tell it to only mount it 'read-only'.  And I think that
> falls back to policykit to handle properly, so I don't think writing a
> udev rule here will help you out at all, sorry.

Right, udev is not in the game here besides that it handles the device
events, and broadcasts them to system services. It does no permissions
at all for these devices.

User sessions/logged-in users can request mounting of storage devices
from the system, on behalf of the user. Untrusted users can cause
privileged operations to happen that way. The guard here is polkit; it
says yes or no to these requests.

The details of all this are explained here:
  http://people.redhat.com/davidz/Plumbers-2009-Sievers-Zeuthen-Replugging-The-Modern-Desktop.pdf

Kay
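Kay's two replies describe where the control point actually is: udisks asks polkit whether the calling user may mount the device, so the group-based restriction Ryan wants belongs in polkit's authorization policy rather than in a udev rule. The file below is an added example, not from the thread, in the .pkla local-authority format used by the polkit/udisks generation Kay refers to; it assumes the udisks 1.x action ids `org.freedesktop.udisks.filesystem-mount` and `org.freedesktop.udisks.filesystem-mount-system-internal` and a locally created group named `usbwriters`.

```ini
# /etc/polkit-1/localauthority/50-local.d/10-removable-storage.pkla
# Added example for this thread; assumes udisks 1.x action ids and a
# local "usbwriters" group. Entries are evaluated in file order and the
# last matching entry wins, so the group exception must follow the deny.

[Deny mounting of removable storage to all users]
Identity=unix-user:*
Action=org.freedesktop.udisks.filesystem-mount;org.freedesktop.udisks.filesystem-mount-system-internal
ResultAny=no
ResultInactive=no
ResultActive=no

[Allow mounting of removable storage for the usbwriters group]
# Only an active (local, foreground) session gets a "yes"; remote or
# inactive sessions stay denied. Keyboards and mice are unaffected
# because HID devices are never mounted and never reach this check.
Identity=unix-group:usbwriters
Action=org.freedesktop.udisks.filesystem-mount
ResultAny=no
ResultInactive=no
ResultActive=yes
```

To confirm the policy is in effect, run `pkcheck --action-id org.freedesktop.udisks.filesystem-mount --process $$` from a session of a user outside the group and expect a "not authorized" result, then repeat as a group member.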

