4

I am working on converting an Ubuntu (14.04 LTS) installation into a kiosk-like system with disabled USB storage. However, this does not prevent a user from mounting an MTP device such as an android phone.

This problem is not the same as preventing auto-mounting of MTP devices, which has been solved in other questions on AskUbuntu.

  1. I want to permanently disallow MTP and other storage devices from being mounted by a particular user or group. (Maybe by disabling mtpfs/gvfs?)
  2. What are some other means of connecting writeable storage devices that I should take care of (like UMTS)?

--

edit: I should add that I disabled USB storage by revoking access rights for the group in question by chown'ing /media to admin:myusbaccessgroup. Obviously, the users/groups I want to prevent from using USB are not in myusbaccessgroup.

--

Update:

A bounty was put up for this question, but no successful solution was found. Please see the answers below, followed by the chat room discussion.

Giving up, I installed Ubuntu 12.04 instead, since it doesn't have support for MTP out of the box. However, PTP devices still get mounted.

Akshay Rao

3 Answers

3

I couldn't get it to work using user/group permissions, nor do I know how libmtp mounts phone volumes.

This is a solution that checks the user's group from the udev side.

  1. Switch to root

    sudo -i
    
  2. Create a generic script that finds the GUI user and checks whether they are in the specified group

    nano /lib/udev/check_gui_user_group.sh
    

    Add these lines to it:

    #!/bin/bash
    # $1: session process name (e.g. gnome-session), $2: group to check; exit 0 only if the GUI user is in $2
    # Anchor on ^USER= so look-alike variables such as XDG_SESSION_USER are not picked up
    export GUI_$(grep -z '^USER=' "/proc/$(pgrep -nx "$1")/environ" | tr -d '\0')
    [ -n "$GUI_USER" ] || exit 1
    groups "$GUI_USER" | grep -qFw "$2"
    

    Add executing permission

    chmod +x /lib/udev/check_gui_user_group.sh
    
  3. MTP devices: Override the libmtp rules from /lib/udev/rules.d/.

    cp /lib/udev/rules.d/69-libmtp.rules /etc/udev/rules.d/69-libmtp.rules
    

    Then open it for editing:

    nano /etc/udev/rules.d/69-libmtp.rules
    

    Add this line just after LABEL="libmtp_usb_rules":

    PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", GOTO="libmtp_rules_end"
    

    For Ubuntu 14.04 Unity & Gnome, you may use gnome-session. For other desktops, check using pstree -u or ps aux | grep -i session.

    The meaning of the rule: whenever the user running gnome-session is NOT in the myusbaccessgroup group, skip all libmtp rules.

  4. PTP devices: Add another rules file

    nano /etc/udev/rules.d/99-usb-storage-remove.rules
    

    Add rule

    ACTION=="add", ENV{GPHOTO2_DRIVER}=="PTP", ENV{DRIVER}!="", PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", RUN+="/bin/sh -c 'echo -n %k >/sys%p/subsystem/drivers/%E{DRIVER}/unbind'"
    
  5. Other USB storage devices: Add this rule to the rules file of the previous step.

    ACTION=="add", DRIVER=="usb-storage|uas|ums-*", PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", RUN+="/bin/sh -c 'echo -n %k >/sys%p/driver/unbind'"
    

    To see where I got the list of drivers from, try this:

    ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/
    
  6. Reload the rules

    udevadm control -R
    
  7. Replug your phone.


Testing & Troubleshooting:

  1. Set up the group, if it's not already done

    addgroup myusbaccessgroup
    
  2. Remove user from the group.

    deluser user myusbaccessgroup
    
  3. Run udev monitor

    udevadm monitor -u
    
  4. Replug that device

  5. Check what was run

    udevadm test /sys/device/...
    
  6. Add user to the group

    adduser user myusbaccessgroup
    
  7. Redo starting from step 3.

Notes:

I used Kubuntu 15.04 (real machine) and Ubuntu 14.04 (fresh install in VirtualBox) for testing.

  • I used a Wiko Bloom (Android 4.4.2) to test MTP mode, which works well on both systems.
  • I couldn't test PTP mode because it wasn't auto-mounted; maybe I'm missing something here.
  • Other external storage: a flash disk & an external hard drive. The test passes on both systems.

user.dz
  • Is that export GUI_$(... supposed to be export GUI_USER=$(? Also, instead of looping over groups, you could just grep: groups $GUI_USER | grep -qFw "$2" – muru Sep 16 '15 at 15:19
  • @muru, USER= is already in the grep -z command; yes, that's simpler. Thank you. – user.dz Sep 16 '15 at 15:53
  • I thought about this. But there MUST be some better solution. And I notice that some phones get mounted when there is nothing in 69-libmtp.rules – Pilot6 Sep 16 '15 at 16:28
  • @Pilot6, could you confirm if they are in MTP mode and how they get mounted without the dev/libmtp.. link? I know that old devices like Android 2.x get mounted as USB storage. – user.dz Sep 16 '15 at 16:33
  • The brand new Android 5.0 device gets mounted without a line in libmtp.rules. Also it does with usb-devices. When I removed usb-devices.ko it still got mounted with usbfs. – Pilot6 Sep 16 '15 at 16:41
  • @Pilot6, I couldn't find usb-devices.ko & usbfs.ko in my system, nor through http://packages.ubuntu.com. The only one I could find is usb-storage.ko; I have added another rule for other storage types. Could you please try it. – user.dz Sep 16 '15 at 17:33
  • Sorry, it is usb-storage.ko. I could not find usbfs either. But it is shown in usb-devices as a driver if any other driver is disabled. I do not use your script, just try to kill it for everyone just to start with. – Pilot6 Sep 16 '15 at 17:37
  • @Sneetsher, I will try your solution out tomorrow (can't today) and get back to you. If it works well for the few MTP devices I have, I'll mark this as the answer. Please let me know if you have a better answer using Pilot6's comments about using usb-storage.

    In the meantime, can you guys think of other ways a device can connect to Ubuntu? Like PTP/UMTS etc.? It doesn't even have to be a phone per se. I'm trying to disable any external input and output using the USB here.

    – Akshay Rao Sep 16 '15 at 17:57
  • It is really weird that such a simple user restriction is so hard to achieve in Linux. – Pilot6 Sep 16 '15 at 20:23
  • @Pilot6, I agree it shouldn't be hard. I thought about polkit but I have no experience with it. – user.dz Sep 16 '15 at 20:46
  • I thought the same and I have the same problem. I never dealt with it. I was hoping someone knows how to do it. – Pilot6 Sep 16 '15 at 20:46
  • @Sneetsher, unfortunately this didn't work for me :( :( :( I was so hopeful. I was able to open all Android phones I connected.

    Is there anything (any logs etc.) you'd want to check to troubleshoot?

    – Akshay Rao Sep 17 '15 at 06:19
  • @AkshayRao, updated the answer. You may post the output of udevadm test .. to http://paste.Ubuntu.com – user.dz Sep 17 '15 at 07:24
  • @Sneetsher, here you go! http://paste.ubuntu.com/12435931/ – Akshay Rao Sep 17 '15 at 08:05
  • @AkshayRao, I have added a new rule for PTP devices. Would you please try it. – user.dz Sep 17 '15 at 11:17
  • @Sneetsher, still no luck. Both (MTP and PTP) connections are readable and writeable. However, the troubleshooting did show a few non-zero return values from the tests. Maybe they would help.

    http://paste.ubuntu.com/12446584/

    – Akshay Rao Sep 18 '15 at 06:17
  • @AkshayRao, could you make another test output for MTP mode? – user.dz Sep 18 '15 at 09:42
  • @Sneetsher, I was under the impression that this was for MTP mode as well. I'll get back to you in a few. – Akshay Rao Sep 18 '15 at 11:50
  • @Sneetsher, here you go. By the way, the one I pasted before was MTP (sorry about that). This one contains PTP first and then MTP. Samsung Galaxy S3

    http://paste.ubuntu.com/12448398/

    – Akshay Rao Sep 18 '15 at 12:53
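The check that the answer's udev PROGRAM= key runs, split into functions that can be exercised without a phone, as an added example (not the answer's own script). It also shows the environ-parsing pitfall raised in the comments: a bare `grep USER` on /proc/<pid>/environ also matches look-alikes such as XDG_SESSION_USER. The session process name (e.g. gnome-session) and the group name are assumed to be passed as arguments; the sample environ blob is constructed.

```bash
#!/bin/bash
# Added example: testable pieces of the udev-side "is the GUI user in the group" check.

# environ_user: read a NUL-separated environ blob (the format of /proc/<pid>/environ)
# on stdin and print the value of USER only, ignoring names that merely contain "USER".
environ_user() {
  tr '\0' '\n' | sed -n 's/^USER=//p' | head -n 1
}

# naive_environ_user: what an unanchored `grep USER` does to the same blob. It can
# return XDG_SESSION_USER=... instead of USER=..., so the exported name and value
# would both be wrong. Kept only to make the difference visible.
naive_environ_user() {
  tr '\0' '\n' | grep USER | head -n 1
}

# in_group LIST GROUP: succeed if GROUP is one of the whitespace-separated names in
# LIST (the format `id -nG USER` prints). Exact match, so "usb" does not match "usbaccess".
in_group() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -qFx -- "$2"
}

# check_gui_user_group PROCNAME GROUP: the live check for udev. Exit 0 (so the rule
# continues) only when the owner of the newest PROCNAME process is a member of GROUP.
check_gui_user_group() {
  local pid user
  pid=$(pgrep -nx "$1") || return 1
  user=$(environ_user < "/proc/$pid/environ") || return 1
  [ -n "$user" ] || return 1
  in_group "$(id -nG "$user")" "$2"
}

# Constructed sample environ blob, laid out so the look-alike variable comes first.
sample_environ() {
  printf 'HOME=/home/kiosk\0XDG_SESSION_USER=admin\0USER=kiosk\0SHELL=/bin/bash\0'
}
```

On a live system the udev rule would call `check_gui_user_group gnome-session myusbaccessgroup`; the two parsing helpers can be compared offline with `sample_environ | environ_user` and `sample_environ | naive_environ_user`.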
3

I had the same requirement on my end.

The best way to block MTP/PTP for Android is to disable the service in Ubuntu.

Enter this location as root: /usr/lib/gvfs

"sudo nautilus" will be easy if you tend to use the GUI.

"sudo nautilus" and then navigate to computer/usr/lib/gvfs

There will be a list of services. Remove the execute permission by right-clicking the appropriate service --> Properties --> Permissions --> uncheck "Execute", and change the access from "Read only" to "None".

Blocking MTP and PTP

Remove the execute permission for:

gvfsd-mtp

gvfs-mtp-volume-monitor (to be on the safer side)

gvfsd-gphoto2

gvfs-gphoto2-volume-monitor (to be on the safer side)


Apple iPhone can mount through afp,

so kindly remove the execute permission for gvfsd-afp

gvfs-afc-volume-monitor (to be on the safer side)

Some Android phones can use mass-storage mode to mount their SD card; change the folder permission of /media/user to 400

user: the created user in Ubuntu.

chmod 400 /media/user

Or remove the mount permission for the user.

0

This should work for both Unity & Gnome, tested in Ubuntu 14.04.

  1. Add the new group

    addgroup myusbaccessgroup
    
  2. Change the owner group of gvfs monitors

    chown root:myusbaccessgroup /usr/lib/gvfs/gvfs-*-monitor
    
  3. Remove permission to read & execute for public/others

    chmod 750 /usr/lib/gvfs/gvfs-*-monitor
    
  4. Put user1 in the group & leave user2 out or remove it from the group

    adduser user1 myusbaccessgroup
    deluser user2 myusbaccessgroup
    
  5. Logout

user.dz
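The two gvfs-based answers above both come down to taking execute permission away from the gvfs helpers; the following added example (not from either answer) does that with chmod/chgrp instead of the Nautilus GUI and adds an audit function that reports how many of those helpers "others" can still execute. The helper names are the ones the answers list; the directory and group are passed in as arguments, and `ls -l` output is used to read the mode so it works with any POSIX ls.

```bash
#!/bin/sh
# Added example: lock down and audit the gvfs helpers named in the answers above.

# Helpers singled out by the answers (MTP, PTP/gphoto2, Apple devices) plus their monitors.
GVFS_HELPERS="gvfsd-mtp gvfs-mtp-volume-monitor gvfsd-gphoto2 gvfs-gphoto2-volume-monitor gvfsd-afp gvfs-afc-volume-monitor"

# others_can_exec FILE: succeed if the "others" execute bit is set on FILE.
# Column 10 of `ls -l` is the others-execute flag: 'x' (or 't' with the sticky bit).
others_can_exec() {
  flag=$(ls -ld "$1" | cut -c10)
  case $flag in
    x|t) return 0 ;;
    *)   return 1 ;;
  esac
}

# lock_helper FILE GROUP: owner and GROUP keep read/execute, everyone else loses
# access (mode 750), which is the setting the last answer applies to gvfs-*-monitor.
lock_helper() {
  chgrp "$2" "$1" && chmod 750 "$1"
}

# lock_dir DIR GROUP: apply lock_helper to every listed helper that exists in DIR.
lock_dir() {
  for h in $GVFS_HELPERS; do
    if [ -e "$1/$h" ]; then
      lock_helper "$1/$h" "$2" || return 1
    fi
  done
  return 0
}

# count_world_exec DIR: print how many listed helpers in DIR are still executable by others.
# A non-zero result means the lockdown is incomplete (or a package update restored the bits).
count_world_exec() {
  n=0
  for h in $GVFS_HELPERS; do
    if [ -e "$1/$h" ] && others_can_exec "$1/$h"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# On a real system, as root: lock_dir /usr/lib/gvfs myusbaccessgroup; count_world_exec /usr/lib/gvfs
```

Re-running `count_world_exec /usr/lib/gvfs` after package upgrades is a cheap way to notice when a gvfs update has reinstalled the helpers with their default world-executable mode.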