Howto lockdown USB access for root user only

I just want that if someone puts a USB device in the server, the device will only be mounted after entering the root password.
On Google I found all kinds of tricks, from disabling USB completely to using some scripts to enable / disable it, but could not find a solution where a window appears directly to type in the root password to get the USB device mounted.

Some time ago I did this on OpenSUSE 13.2, but I forgot it…

Can anyone help me please?

Add this to /etc/polkit-default-privs.local and run “sudo /sbin/set_polkit_default_privs” afterwards:

org.freedesktop.udisks2.filesystem-mount auth_admin

Or set the system security level to “secure” or “paranoid”, either in YaST->System->Security Center and System Hardening or /etc/sysconfig/security (in the latter case, you also need to run set_polkit_default_privs to apply the changes).
But this will have other impacts too of course.
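
One way to apply and check the setting from the reply above, as an added example that is not part of the thread. The function names are hypothetical, and the three-field form (any:inactive:active) is assumed from the polkit-default-privs file format:

```shell
#!/bin/sh
# Added example: pin the udisks2 mount action to auth_admin in a
# polkit-default-privs override file and check what the file requests.
ACTION="org.freedesktop.udisks2.filesystem-mount"

# get_priv FILE -> print the value of the last uncommented entry for $ACTION.
get_priv() {
    awk -v a="$ACTION" '$1 == a { v = $2 } END { if (v != "") print v }' "$1" 2>/dev/null
}

# needs_admin FILE -> exit 0 if mounting from an active session asks for the
# admin password. One value covers all sessions; three are any:inactive:active.
needs_admin() {
    case "$(get_priv "$1")" in
        auth_admin|auth_admin_keep|*:*:auth_admin*) return 0 ;;
        *) return 1 ;;
    esac
}

# set_auth_admin FILE -> leave exactly one entry "$ACTION auth_admin" in FILE,
# replacing weaker entries and keeping every other line untouched.
set_auth_admin() {
    file=$1
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v a="$ACTION" '$1 != a' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s auth_admin\n' "$ACTION" >> "$tmp"
    cat "$tmp" > "$file"    # write in place so owner and mode are preserved
    rm -f "$tmp"
}

# Real use, as root, with the path and command named in the reply:
#   set_auth_admin /etc/polkit-default-privs.local && /sbin/set_polkit_default_privs
#   pkaction --verbose --action-id "$ACTION"    # look at "implicit active:"
```

Running `set_auth_admin` twice leaves a single entry, so it is safe to call from configuration management.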

Thank you, perfect!

The above is btw only for mounting mass-storage devices that are detected as being connected during the lifetime of the running system (which in practice means through a USB connector). It does not block (or “lockdown”) USB usage in general as your thread title asks for.

You are right, I did not define a proper title, my mistake. I was thinking of mass storage but wrote USB access in general.