Re: Restricting USB access

On Fri, Oct 8, 2010 at 16:25, Ryan Lawrie <ryan.lawrie@xxxxxxxxxxx> wrote:
> Mostly, we're concerned with portable USB drives. (We still want USB mice
> and keyboards to function properly) With openSUSE11.0 we were able to
> restrict all USB access (in the org.freedesktop.hal.storage.mount-removable
> file) and then add a list of privileged usernames into the policykit.conf
> file to override permissions for those people. This allowed our special
> users to use USB sticks while everyone else was unable to.
>
> I'm trying to figure out if PolicyKit is still working for openSUSE11.2
> (all the files seem to be there so I assumed that meant it was
> available .... but the system doesn't seem to care what I put into those
> files)
>
> Could you give me some simple instructions on how to write a udev rule to
> do this (I've never worked with udev before) .... or direct me to a good
> tutorial website perhaps. I will do some more web hunting on that.
> (I guess I will have to take care of the CD burner also. I want that to be
> readable by everyone but not writable. Would udev rules work for this
> also?)

Udev can't manage any permissions at such a level. And USB *ports* don't
have any user permissions. Raw USB devices have, but they are not
user-assigned. USB storage devices like USB sticks are never
permission managed at the block device level, but only at mount.

It seems you are looking for auto-mount permissions for removable devices,
which have nothing really to do with USB, but with the auto-mounter <->
user-session hookup.

These permissions are never applied to device nodes (which udev could
do), but only handled when an untrusted user asks to mount a device
(udisks/HAL ask if the calling user should be granted access).

It depends on the desktop. Up-to-date desktops use udisks/polkit for
that, others still use the deprecated and no longer maintained
HAL/PolicyKit.

Kay
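
Added example, not part of the reply above: on a desktop that uses udisks with polkit's local authority, the deny-by-default plus allow-list policy from the question could be written as a `.pkla` file. Assumptions: the udisks 1.x mount action ID, a hypothetical file name, and hypothetical user names `alice` and `bob`.

```ini
# /etc/polkit-1/localauthority/50-local.d/10-removable-mount.pkla
# (hypothetical file name; polkit local authority format)
#
# Entries are evaluated in order and processing continues after a
# match, so the last matching entry decides the result.

# 1. Deny mounting through udisks for every user, whether the session
#    is remote (Any), local but inactive, or local and active.
[Deny removable mount for everyone]
Identity=unix-user:*
Action=org.freedesktop.udisks.filesystem-mount
ResultAny=no
ResultInactive=no
ResultActive=no

# 2. Allow-list: these users match again here, which overrides the
#    denial above, but only for an active local session.
[Allow removable mount for privileged users]
Identity=unix-user:alice;unix-user:bob
Action=org.freedesktop.udisks.filesystem-mount
ResultAny=no
ResultInactive=no
ResultActive=yes
```

This policy is consulted only when a user asks udisks to mount a device, so USB mice and keyboards are unaffected, matching the point above that the decision is made at mount time rather than on the device node.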