blocking usb device on redhat 9
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: blocking usb device on redhat 9

  1. #1
    Senior Member
    Join Date
    May 2004
    Posts
    274

    blocking usb device on redhat 9

    Hi guys,
    i am into a problem these days and required some feedback on it. I am using linux redhat 9 on the network machines and i want to forbid users to use usb storage device for data copy. The users on the system does not have root access but they can mount the usb device using 'sudo'. I stripped of the SUID bit from the mount command and blocked the 'mount' in 'visudo' but now they are unable to mount cdrom. Is there a way they can mount the cdrom but cannot mount the usb devices. I want to do it using open source tools and tehniques.


    Thanks
    Excuse me, is there an airport nearby large enough for a private jet to land?

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    hmm....

    Why not disable USB in BIOS?
    // too far away outside of limit

  3. #3
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    CD drive should be mounted auto on start up, USB would pop up only when plugged in. Why not just take away the USB drive? And for Sudo, don't they need root for that? Like when I run it it asks me for the root password. If they have that to run sudo you have bigger problems. And not just the one that you're running an OS no longer supported or updated with security fixes either.
    Kill the lights, let the candles burn behind the pumpkinsí mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Not sure how to do this on Linux but on FreeBSD I would give users access to /dev/cd0 and disallow /dev/umass* via /etc/devfs.rules. I'm sure something like this is possible on Linux.

    http://www.freebsd.org/cgi/man.cgi?q...ts&format=html

    Originally posted here by MrBabis
    hmm....

    Why not disable USB in BIOS?
    USB keyboard/mouse?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    May 2004
    Posts
    274
    Originally posted here by gore
    And for Sudo, don't they need root for that? Like when I run it it asks me for the root password. If they have that to run sudo you have bigger problems. And not just the one that you're running an OS no longer supported or updated with security fixes either.
    'sudo' asks for the user password not for the 'root' password. 'Sudo' gives the user ability to run the application/executable as they are the owners of it but inreality they are not the owners of the file and it only work for the executables that have SUID bit set.


    Regards
    Excuse me, is there an airport nearby large enough for a private jet to land?

  6. #6
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    What about trying something like this. In your /etc/fstab change entry for USB flash to
    noauto,uid=0,umask=022 for anybody can read only root can mount.
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

  7. #7
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    OK, just did sudo and it asked for the root password. And you need to be root to mount so the fact it's letting them go, worries me.
    Kill the lights, let the candles burn behind the pumpkinsí mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  8. #8
    Senior Member
    Join Date
    Sep 2003
    Posts
    101
    you should just change permissions to something like 640 (rw-r----) or 740 (rwer---) on the usb device.this would allow things like usb keys and mice and the drive bout would not allow them to execute or to write to those drives.

    as for the sudo command:

    http://www.google.com/search?q=cache...ient=firefox-a
    <sorry for the long url google cache>

    sounds to me like your sudo file is messed up. i would follow this site to find out whats wrong

    this one is also a good one if the above doesnt want to work.
    http://www.linuxhelp.ca/guides/sudo/

    i would also ask on the fourms at
    http://www.linuxquestions.org
    if these things dont work
    chown -r us ./bases

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    I stripped of the SUID bit from the mount command
    Huh? Why was mount SUID anyway? None of the mount commands on my FreeBSD system are SUID..

    OK, just did sudo and it asked for the root password.
    Don't confuse sudo with su.. su will ask for the root password.. sudo will ask for the user's password. On BSD you need to be a member of the wheel group to su (don't need it on linux)..

    And you need to be root to mount so the fact it's letting them go, worries me.
    On bsd the sysctl vfs.usermount can be set to 1 to allow users to mount filesystems (they need to own the mountpoint and the filesystem). IIRC on linux you can add user to the fstab options to allow users to mount that filesystem. I.e. /dev/cdrom /cdrom iso9660 noauto,ro,user 0 0
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Sudo, without alot of work (there is stuff you can do but I dont think sudo is really thwe answer you need), is not by any means a security feature in my opinion. Its good for accounting purposes so you can see who did what, but any user you dont trust shouldnt be given sudo rights. There are a million ways to spawn a root shell with sudo and no one knows them all. The mount command is SUID root by default in linux. This is so non-root users can mount stuff, based on the entries in /etc/fstab like (user,exec,owner) etc. Removing the SUID bit will prevent any non-root users from running mount, and a 'sudo mount' command would cause the filesystem to be mounted as root and inherit roots perms (unless specified otherwise), basically making it a ro system to the user. The reason Gore thinks the CD will mount automagically is because he is a Suse whore , Suse is the only distro that includes subfs/submount by default, if you build a vanilla kernel on suse you'll see it bitch about not having its subfs support. You probably want to: A. Just add the appropriate entries in /etc/fstab, put the suid back on mount, and ditch sudo, B. Use something like subfs or autofs which are little kernel modules that will do the mounting for you from root land, and ditch sudo.

    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides