
Is it possible to restrict the permissions of USB ports on a Debian (Linux) system?

For example:

  • Suppressing the ability to plug in any kind of device except USB keys?
  • Giving the ability to read a USB key but not write to it?
  • Sending an alert signal when a USB key is plugged into the system?
JeanJouX

  • The "sledgehammer" approach is to add "nousb" to the kernel flags, e.g. "kernel /vmlinuz-2.6.18-128.1.1.el5 ro root=LABEL=/ console=tty0 console=ttyS1,19200n8 nousb". That will certainly restrict the permissions of USB ports. – steve Aug 09 '15 at 17:52

2 Answers


When the Linux kernel detects a new device, it sends a message to udev. The job of udev is to make the new device accessible to user land. For many devices, all udev needs to do is to create entries in /dev. For block devices, this allows the device to be mounted. For character devices such as serial ports and sound ports, this allows dedicated applications to use the device. For network interfaces, udev may set a name. For keyboards, udev may also define additional scancodes. If udev doesn't create a device entry, this effectively causes the device to be unused.

Udev can be controlled by rules; default rules are present in /lib/udev/udev.d and they can be overridden by the administrator via files in /etc/udev/udev.d. Each udev rule has conditions of the form VARIABLE==VALUE; the rule applies if all of these rules are met. You can see the conditions that apply to a device by running udevadm info -a -n /dev/… or udevadm info -a /sys/….

As far as I know, there's no generic mechanism to ignore a device. If it isn't a network interface (which doesn't use a device node under /dev), you can make it effectively unusable by giving it no permissions:

CONDITIONS, MODE="000"

USB devices have an authorization mechanism: if the authorized attribute is set to 0 (false), the system will not access the device. With this rule, no USB device will be available other than USB storage devices.

ACTION=="add", SUBSYSTEMS=="usb", DRIVERS!="usb-storage", ATTR{authorized}="0"

It's also possible to disable USB devices after the boot sequence by disabling all USB host ports with this snippet in /etc/rc.local:

# Switch every USB host controller to "unauthorized by default"
for x in /sys/bus/usb/devices/usb*; do
  echo 0 >"$x/authorized_default"
done

Individual devices can be enabled via a udev rule (or manually) that sets the authorized attribute to 1.

If you want to make a storage device read-only, set its ro attribute to 1.

If you want to run a command, use the RUN key in a udev rule (note that you need the full path to the command, and see the manual for available escape sequences and environment variables). If you want that command to access the GUI, see Open a window on a remote X display (why "Cannot open display")?


You will want to set up some udev rules.

Steps for your requirements:

  1. Whitelist the allowed devices
  2. Apply restrictive rights/ownership to all others
  3. Configure a script to be triggered by insertion in the rules file, too.

Here is a related thread: https://askubuntu.com/questions/15570/configure-udev-to-change-permissions-on-usb-hid-device

It should help explain, and provide further pointers. If you get stuck, add the next roadblock to your question.
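The three steps of this answer and the udev keys from the earlier answer, combined into one runnable script. This is an added example, not code from either answer or from the udev project. Everything it writes goes under a sysfs root and a rules directory passed as parameters, and the demo at the bottom runs against a constructed temporary tree, so it touches nothing on the real system as written; the file name 70-usb-policy.rules, the whitelist ids 0000:0000 and the usb-alert logger tag are placeholders to adapt. For the read-only requirement it calls blockdev --setro from a RUN key rather than writing the block device's ro attribute, which the block layer exposes read-only in sysfs.

```shell
#!/bin/sh
# Added example: not code from either answer above. It turns the mechanisms
# they describe into shell functions that take the sysfs root and the rules
# directory as parameters, so they can be tried on a constructed directory
# tree before being pointed at the real /sys and /etc/udev/rules.d.
set -eu

# The loop the first answer puts in /etc/rc.local: write 0 to
# authorized_default on every USB host controller below $1/bus/usb/devices,
# so newly plugged devices stay unauthorized. Prints how many were switched.
deauthorize_usb_hosts() {
    sysroot=$1
    n=0
    for x in "$sysroot"/bus/usb/devices/usb*; do
        [ -e "$x/authorized_default" ] || continue
        echo 0 >"$x/authorized_default"
        n=$((n + 1))
    done
    echo "$n"
}

# Manual re-enable of one device by its sysfs id (e.g. 1-1.4), the
# counterpart of a udev rule that sets ATTR{authorized}="1".
authorize_device() {
    echo 1 >"$1/bus/usb/devices/$2/authorized"
}

# Write a rules file implementing the second answer's three steps with the
# keys from the first answer. The file name, the 0000:0000 whitelist ids and
# the logger tag are placeholders (assumptions of this example).
write_usb_policy_rules() {
    rulesdir=$1
    mkdir -p "$rulesdir"
    cat >"$rulesdir/70-usb-policy.rules" <<'EOF'
# Step 1/2, default deny: anything not behind the usb-storage driver stays
# unauthorized (rule from the first answer).
ACTION=="add", SUBSYSTEMS=="usb", DRIVERS!="usb-storage", ATTR{authorized}="0"
# Step 1, whitelist: one known device by vendor:product id (placeholder ids).
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}=="0000", ATTR{idProduct}=="0000", ATTR{authorized}="1"
# Read-only USB disks: blockdev(8) is run when the whole-disk block device
# appears; ID_BUS is filled in by the earlier persistent-storage rules.
ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="usb", RUN+="/sbin/blockdev --setro /dev/%k"
# Step 3, alert: every USB device insertion is logged via a full path to logger(1).
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/bin/logger -t usb-alert USB device $attr{idVendor}:$attr{idProduct} plugged in"
EOF
    printf '%s\n' "$rulesdir/70-usb-policy.rules"
}

# Constructed demo tree standing in for /sys and /etc/udev/rules.d, so the
# script changes nothing on the real system when run as-is.
demo=$(mktemp -d)
for h in usb1 usb2; do
    mkdir -p "$demo/sys/bus/usb/devices/$h"
    echo 1 >"$demo/sys/bus/usb/devices/$h/authorized_default"
done
mkdir -p "$demo/sys/bus/usb/devices/1-1"
echo 0 >"$demo/sys/bus/usb/devices/1-1/authorized"

deauthorize_usb_hosts "$demo/sys"                  # prints 2
authorize_device "$demo/sys" 1-1
cat "$demo/sys/bus/usb/devices/1-1/authorized"     # prints 1
rules=$(write_usb_policy_rules "$demo/etc/udev/rules.d")
grep -c '^ACTION' "$rules"                         # prints 4
rm -rf "$demo"
```

To apply it for real, call deauthorize_usb_hosts /sys from /etc/rc.local and write_usb_policy_rules /etc/udev/rules.d once, then reload with udevadm control --reload; rule order matters, since the whitelist rule must come after the default-deny rule so its ATTR{authorized}="1" wins.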