How can access to CD-ROM and USB be disabled for normal users in Linux?
As a part of security policy we need to disable CD-ROM and USB access for normal users. Only root users should have the access. We are mainly using Ubuntu Linux.
Easier is to remove users from the 'cdrom' and 'plugdev' groups in /etc/group.
Found a solution to my issue.
Disabling USB
Disabling CDROM
http://www.cyberciti.biz/faq/linux-disable-modprobe-loading-of-usb-storage-driver/
http://blog.ask4itsolutions.com/2010/05/07/disable-block-cddvd-rom-linux-rhel/
How about trying
This will prevent a normal user from seeing removable media devices. Only root will then be able to access removable media.
The easiest I've found is simply:
sudo chmod 700 /media
Ubuntu mounts removable media in /media, so changing permissions for /media is the easiest way to prevent access. This is a safe and easily reversible solution.
For simple protection against non-advanced users blacklisting the usb-storage module should be enough:
To verify:
For CD-ROM simply remove the user from the 'cdrom' group. Then the user should not be able to access it (in user management there is an advanced tab where you can uncheck this option).
My coworker and I were trying this on Ubuntu 10.04 64 bit Desktop.
We had one admin user and one desktop user. We tried removing the desktop user from cdrom and plugdev in /etc/group, but that didn't work.
We then made admin own /media. We then chmodded /media to like:
chmod 700 /media
This seems to work. Also, I'm not worried about desktop user manually mounting because he doesn't have privileges.
Does this make sense? Do you guys see any weaknesses?
It used to be that on *nix systems you would do this by changing the read-write permissions on the device nodes. I suspect you're going to need to look for something more involved in Ubuntu -- perhaps user groups that grant access to device classes, disabling hardware services such as hal, or perhaps changing the automount system so things get mounted only for privileged users. USB will be more complicated than CDROM because I assume you don't want to block the whole bus. You want USB mice to work but flash disks to be blocked, right?
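A way to check which of the controls suggested in the answers above are actually in effect, as an added example that is not part of any post in this thread. The function names and parameterised paths are this example's own; it assumes GNU stat and the standard /etc/group, /etc/modprobe.d and /proc/modules layouts.

```shell
#!/bin/sh
# Added example: audit the controls suggested in this thread.
# Every path is a parameter (defaults are the usual Ubuntu locations).

# Print "group:user" for each user still listed in cdrom or plugdev.
# Only supplementary membership in group(5) is checked, not primary GIDs.
removable_media_members() {
    awk -F: '$1 == "cdrom" || $1 == "plugdev" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print $1 ":" m[i]
    }' "${1:-/etc/group}"
}

# Succeed if a *.conf file blacklists usb-storage or replaces its load
# command with /bin/true or /bin/false (modprobe treats - and _ alike).
usb_storage_blocked() {
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+usb[-_]storage[[:space:]]*$|install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false))' \
        "${1:-/etc/modprobe.d}"/*.conf
}

# Succeed if the module is loaded right now; a blacklist does not unload it.
usb_storage_loaded() {
    grep -q '^usb_storage ' "${1:-/proc/modules}"
}

# Succeed if group and others have no permission bits on the mount root.
media_locked() {
    mode=$(stat -c '%a' "${1:-/media}") || return 1   # GNU stat, octal mode
    case "$mode" in 0|*00) return 0 ;; *) return 1 ;; esac
}

# Print one line per finding; return 0 only when nothing is found.
audit_removable_media() {
    rc=0
    members=$(removable_media_members "$1" | tr '\n' ' ')
    [ -z "$members" ] || { echo "still in cdrom/plugdev: $members"; rc=1; }
    usb_storage_blocked "$2" || { echo "usb-storage not blacklisted"; rc=1; }
    usb_storage_loaded "$4" && { echo "usb_storage currently loaded"; rc=1; }
    media_locked "$3" || { echo "mount root open to group/others"; rc=1; }
    return $rc
}
```

Source the file and call `audit_removable_media` with no arguments to check the live system, or pass a group file, modprobe directory, mount root and modules file (in that order) to check copies.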