2

I am using Ubuntu 16.04 LTS. Some of the users are taking important files onto their personal devices (pen drive or portable HDD). How can I prevent users from sending or copying files to USB?

Users are using a USB headset; it should work.

Thanks in advance.

2 Answers

3

The solution is to blacklist the USB storage driver. Users will not be able to read or write files through USB sticks. This not only protects your corporate information from theft but also reduces the chances of viruses entering your system.

There isn't a single parameter for blacklisting USB storage because it can vary between kernel versions.

A good write-up is on AskUbuntu: how-do-i-disable-usb-storage. This Q&A covers Ubuntu 12.04 through 16.04. It covers different blacklisting methods and different USB storage driver names.

  • 1
    Hi, thanks for your advice, but the thing here is that users are using a USB headset with microphone. If I blacklist the USB storage driver, will the headset work or not? – Mohammad Aug 29 '16 at 10:45
  • You might have to block USB PTP/MTP (used by many phones & cameras) too, but that's implemented in userspace (libgphoto, libmtp, etc.), so you might want to remove those libraries. – JanC Aug 29 '16 at 10:49
  • 1
    @Mohammad USB headsets should not need the USB storage driver. – JanC Aug 29 '16 at 10:51
  • @JanC I believe you are right. – WinEunuuchs2Unix Aug 29 '16 at 11:45
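
A check for the driver blacklist described in the answer above, as an added example that is not part of the original post: it reads modprobe.d-style files and reports, per storage driver, whether loading is only blacklisted or fully disabled. The module names usb_storage and uas and the function names are assumptions of this example; the page names no specific drivers.

```shell
#!/usr/bin/env bash
# Added example: audit modprobe rules for USB mass-storage drivers.
# Assumption: the drivers to cover are usb_storage and uas (USB Attached SCSI).
# USB audio (snd_usb_audio) is a separate driver and is not checked here.

# modprobe treats '-' and '_' in module names as the same character.
norm() { printf '%s' "$1" | tr '-' '_'; }

# module_policy DIR MODULE  -> prints disabled | blacklisted | allowed
#   disabled    "install MODULE /bin/false" (or /bin/true): modprobe fails too
#   blacklisted "blacklist MODULE": no hotplug auto-load, manual modprobe works
#   allowed     no rule found
module_policy() {
    local dir="$1" want result=allowed file kw mod cmd rest
    want=$(norm "$2")
    for file in "$dir"/*.conf; do
        [ -f "$file" ] || continue
        # "|| [ -n "$kw" ]" keeps a final line that lacks a trailing newline.
        while read -r kw mod cmd rest || [ -n "$kw" ]; do
            case $kw in ''|'#'*) continue ;; esac
            [ "$(norm "$mod")" = "$want" ] || continue
            case "$kw $cmd" in
                "install /bin/false"|"install /bin/true") result=disabled ;;
                "blacklist "*) [ "$result" = disabled ] || result=blacklisted ;;
            esac
        done < "$file"
    done
    printf '%s\n' "$result"
}

# audit_usb_storage [DIR] -> returns 0 only if every storage driver has a rule.
audit_usb_storage() {
    local dir="${1:-/etc/modprobe.d}" m p rc=0
    for m in usb_storage uas; do
        p=$(module_policy "$dir" "$m")
        echo "$m: $p"
        if [ "$p" = allowed ]; then rc=1; fi
        # A module that is already loaded stays loaded until rmmod or reboot.
        if grep -q "^$m " /proc/modules 2>/dev/null; then echo "$m: currently loaded"; fi
    done
    return $rc
}

# Demo on a constructed config directory (not a real system's /etc/modprobe.d).
demo=$(mktemp -d)
printf 'blacklist usb-storage\ninstall uas /bin/false\n' > "$demo/usb.conf"
audit_usb_storage "$demo"
rm -rf "$demo"
```

Run `audit_usb_storage` with no argument to check the live /etc/modprobe.d; a result of `blacklisted` means hotplug will not load the driver but root can still load it by hand.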
1

Though blacklisting the USB driver will work, there is another good solution. You can prevent users from mounting or unmounting partitions without giving the root password. This way, administrators can use USB devices without having to un-blacklist the drivers first.

First create a file named disable-mount-without-password.pkla. The content of the file will be

[Disable mount without password]
Identity=unix-user:*
Action=org.freedesktop.udisks2.filesystem-*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

After saving it, move it to /var/lib/polkit-1/localauthority/10-vendor.d/ using this command (assuming you're in the same directory as the file)

sudo mv disable-mount-without-password.pkla /var/lib/polkit-1/localauthority/10-vendor.d/

Then restart the service using

sudo systemctl restart polkitd.service

Now, every time a user wants to mount a partition, they'll be asked for the password, even for USB devices.

Anwar
  • 76,649