Enabling/disabling control over USB and optical storage and network for some users

I need to deny access in openSUSE 13.1 x64 for some users to USB memory sticks, optical disks and the network, and at the same time I need to keep the USB keyboard, mouse and USB printer enabled for the same users. I need to deny access to USB mass storage devices like USB memory sticks and USB hard drives, based on user login name.
Any help is welcome :) Thanks in advance.

On 2013-11-22 13:26, olegue wrote:
>
> I need to deny access in openSUSE 13.1 x64 for some users to USB memory
> sticks, optical disks and the network, and at the same time I need to
> keep the USB keyboard, mouse and USB printer enabled for the same users. I
> need to deny access to USB mass storage devices like USB memory sticks
> and USB hard drives, based on user login name.
> Any help is welcome :) Thanks in advance.

I don’t think it can be done.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

What do you want to do?
Users should have access via USB and the access via USB should be denied for them?

Ok this is pure speculation!

Maybe if you set the mount for USB media like devices to have a special group. Then only members of the group should be able to use it. I suppose that it might be able to be set in udev maybe??

I really don’t know how to do it but that would be the direction I’d look.

On 2013-11-23 02:46, gogalthorp wrote:
>
> Ok this is pure speculation!
>
> Maybe if you set the mount for USB media like devices to have a special
> group. Then only members of the group should be able to use it. I
> suppose that it might be able to be set in udev maybe??
>
> I really don’t know how to do it but that would be the direction I’d
> look.

You can do that if you edit the automount rules, yes; but it only works
for FAT/NTFS mounts, you can only set permissions for them in the mount
command. If the user brings from home a stick formatted as ext3, with a
directory belonging to the same UID as the one he has on the restricted
computer, then he automatically gets full permissions on that stick when
he plugs it in.

No, the only way is to remove all the automatics that automount USB
sticks, forcing users to mount manually, which is something that only
root can do. But of course, you cannot have a group of users with
permissions to do it, either.

Choose your poison.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

I need to prepare a workstation with limited access to copying or moving files for some users; that means preventing them from copying/moving files onto removable media such as flash drives or CD/DVD, or sending them over the net by sharing or e-mailing. On the other hand, I have to keep the USB keyboard, mouse and scanner/printer working on the same PC for those users. As disabling net access is easy to do with YaST, I was wondering whether there is a way to do the same for USB and CD/DVD drives as well.

On 2013-11-25 11:46, olegue wrote:
>
> AdaLovelace;2600370 Wrote:
>> What do you want to do?
>> Users should have access via USB and the access via USB should be denied
>> for them?
>
> I need to prepare a workstation with limited access to copying or
> moving files for some users; that means preventing them from copying/moving
> files onto removable media such as flash drives or CD/DVD, or sending them over
> the net by sharing or e-mailing. On the other hand, I have to keep the USB
> keyboard, mouse and scanner/printer working on the same PC for those
> users. As disabling net access is easy to do with YaST, I
> was wondering whether there is a way to do the same for USB and CD/DVD drives as
> well.

You can disable in yast the network for everybody, not for a few.

Linux is by design about sharing information, about freedom. Once you
have access to a box, you can do things. To increase ease of use,
devices are automounted, and once that is done, everybody has access.

To do what you require you need to redesign the box.

I suggest you have a look at PolicyKit and udev rules. I cannot help
there, it is above my pay level {joke}.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
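
The last reply points toward PolicyKit. The following is an added example, not part of the thread and not tested by its participants: a polkit rule that refuses udisks2 mount requests for named logins while leaving other users alone. It assumes a polkit version with JavaScript rules (0.106 or later) and a desktop that mounts removable media through udisks2; the file name, login names and group name are placeholders.

```javascript
// Added example. Intended location (assumed name):
//   /etc/polkit-1/rules.d/10-deny-removable-storage.rules
// Written in ES5 so the polkit rule engine accepts it.

// Stand-in for the polkit global so the same file can be exercised under Node.
var P = (typeof polkit !== "undefined") ? polkit : {
    Result: { NO: "no", NOT_HANDLED: null },
    addRule: function () {},
    log: function () {}
};

// Constructed login names; replace with the accounts to restrict.
var RESTRICTED_USERS = ["alice", "bob"];
// Hypothetical group, as an alternative to listing logins one by one.
var RESTRICTED_GROUP = "nostorage";

// udisks2 actions used to mount or unlock block devices (USB sticks,
// USB disks, CD/DVD). Prefix matching also covers the "-system" and
// "-other-seat" variants of each action.
var STORAGE_ACTION_PREFIXES = [
    "org.freedesktop.udisks2.filesystem-mount",
    "org.freedesktop.udisks2.encrypted-unlock",
    "org.freedesktop.udisks2.loop-setup"
];

function isRestricted(subject) {
    return RESTRICTED_USERS.indexOf(subject.user) !== -1 ||
           subject.isInGroup(RESTRICTED_GROUP);
}

function denyRemovableStorage(action, subject) {
    for (var i = 0; i < STORAGE_ACTION_PREFIXES.length; i++) {
        if (action.id.indexOf(STORAGE_ACTION_PREFIXES[i]) === 0 &&
            isRestricted(subject)) {
            P.log("denied " + action.id + " for " + subject.user);
            return P.Result.NO;
        }
    }
    // Not a storage action or not a restricted user: defer to other rules.
    return P.Result.NOT_HANDLED;
}

P.addRule(denyRemovableStorage);
```

Keyboards, mice and printers are not handled through udisks2, so this rule does not touch them. It does not restrict network access, and it only covers mounts requested through udisks2, not mounts performed by root or listed as user-mountable in /etc/fstab.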