Restricting HDD Mounting

DoomUs
White ninja
Posts: 21
Joined: 06 Jun 2011, 17:04
Location: New Mexico

Restricting HDD Mounting

Post#1 by DoomUs » 07 Jun 2011, 14:46

I'm looking for a mechanism to restrict users from mounting HDDs. The purpose is to give users peace of mind that the live-cd won't mount their HDDs.

This being the case, I'm not concerned if the prevention is not bullet-proof. If they are somehow able to circumvent my restriction measures, I'm not concerned. However, I would prefer that the circumvention is not completely trivial. I don't want a user to be able to say "I didn't realize I was mounting the HDD."

Any suggestions are appreciated. Thanks.

Hamza
Warlord
Posts: 1847
Joined: 28 Dec 2010, 07:41
Distribution: Porteus
Location: France

Re: Restricting HDD Mounting

Post#2 by Hamza » 07 Jun 2011, 15:06

You can make a new account with specific permissions, and make it the "Default User". After that, you will need to use the nohd cheatcode, and edit /etc/rc.d/rc.locale to unload the Network driver.

You're welcome to our community.

But please post more information about your question.
Version?
Machine?
4. Include logs and tell us commands executed. Most wanted are: /var/log/dmesg and /var/log/messages. Use pastebin.com for long and multiple files. Jayflood's 'Porteus System Info' tool can be also very helpful - you can launch it from Kmenu/Lxde menu and receive a lot of useful info about your system straight on the desktop.
Remember: nobody can help you if they don't know what's wrong, or what you did to get the error you received. Providing this information will greatly aid others in assisting you, and will allow us to diagnose your problem easier and sooner.
Regards,
NjVFQzY2Rg==

Re: Restricting HDD Mounting

Post#3 by DoomUs » 07 Jun 2011, 15:38

Thanks for your response.
What's involved in editing the "/etc/rc.d/rc.locale to unload the Network driver"? What exactly am I doing in "rc.locale"?

Re: Restricting HDD Mounting

Post#4 by Hamza » 07 Jun 2011, 15:42

Hello,

/etc/rc.d/rc.locale is a script in which tasks are written, and it is executed at system start.

You can write an action in it to unload network drivers.

Please post more information about your problem.
4. Include logs and tell us commands executed. Most wanted are: /var/log/dmesg and /var/log/messages. Use pastebin.com for long and multiple files. Jayflood's 'Porteus System Info' tool can be also very helpful - you can launch it from Kmenu/Lxde menu and receive a lot of useful info about your system straight on the desktop.
Remember: nobody can help you if they don't know what's wrong, or what you did to get the error you received. Providing this information will greatly aid others in assisting you, and will allow us to diagnose your problem easier and sooner.
You must give me more information.

Regards,
NjVFQzY2Rg==

roadie
Full of knowledge
Posts: 205
Joined: 02 Jan 2011, 18:41
Distribution: Porteus 3.5...with a twist
Location: In a hayfield

Re: Restricting HDD Mounting

Post#5 by roadie » 07 Jun 2011, 16:16

DoomUs,

I think Hamza is referring to /etc/rc.d/rc.local... you can add commands in there which will be activated after the booting process is finished.

As an example, I added a command to change my USB mouse's settings... it can be done in KDE, but the setting doesn't survive a reboot.

In your case, you can add something like this... /bin/umount -a ... that will umount the HD... if you want to stop a user from mounting, best, I think, is to edit the file that automounts the HD and replace it in the Porteus module within the .iso... I would look at /etc/rc.d/rc.S first... possibly /usr/lib/liblinuxlive.

Edit: I just tried modifying /etc/rc.d/rc.S to stop automounting and it works fine here.

The appropriate line is this: mount -a -v -t nonfs,nosmbfs,nocifs,noproc,nosysfs,nodevpts

roadie

brokenman
Site Admin
Posts: 5456
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v3.2rcX all desktops
Location: Brazil

Re: Restricting HDD Mounting

Post#6 by brokenman » 07 Jun 2011, 16:43

This was a much asked question over at Slax. I think the best answer was to restrict normal users' privileges to mount, which is so in Porteus anyway. Booting with nohd will mean nothing gets mounted and the user has restrictions so they can't mount.

As someone mentioned in mchat ... this is also another option to be triply safe.

Delete the symlink /sbin/mount ... move /bin/mount to /sbin/mount ... make a symlink /bin/mount pointing to /sbin/mount. Now normal users should get a "Only root can do that!" message ... but will still be able to mount their USB drive when plugging it in.

Or just open the machine and remove the hard drive if it is an option!
How do i become super user?
Wear your underpants on the outside and put on a cape.

Re: Restricting HDD Mounting

Post#7 by DoomUs » 08 Jun 2011, 15:56

brokenman wrote: Delete the symlink /sbin/mount ... move /bin/mount to /sbin/mount ... make a symlink /bin/mount pointing to /sbin/mount. Now normal users should get a "Only root can do that!" message ... Or just open the machine and remove the hard drive if it is an option!
I used the nohd cheatcode, and I've made the changes to /bin/mount, /sbin/mount, as described. But my "guest" account is still allowed to call mount. Granted, drives aren't mounting properly, the command is still accessible. Any ideas? Could my guest account have too high of privileges?

Re: Restricting HDD Mounting

Post#8 by roadie » 08 Jun 2011, 16:26

What exactly is your goal in this?

Do you want it set up so no external drives can be mounted by a user, including USB, HD and cdrom?

By "Granted, drives aren't mounting properly, the command is still accessible." I assume the drive doesn't get mounted and you get the "Only root can do that" message... that's about the best you'll get in Linux... any user can call any command, doesn't mean they'll be able to do anything other than what their privileges allow... the commands still have to be available.

I would stop the automounting on boot, make the changes that Brokenman suggested and be happy.

You may find something here: http://www.cromwell-intl.com/security/l ... ening.html

roadie

fanthom
Site Admin
Posts: 4566
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE

Re: Restricting HDD Mounting

Post#9 by fanthom » 08 Jun 2011, 16:46

anyone tried "chmod 500 /bin/mount"?
also
"chmod -x /etc/rc.d/rc.hald"
not sure how to disable udisk in LXDE/KDE4 ....

if that won't help then I would recompile kernel and remove support for all filesystems except iso9660 :D
Please add [Solved] to your thread title if the solution was found.
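
A way to check the layers suggested in this thread (the nohd cheatcode, a root-only mount binary, and no internal disk actually mounted), as an added example that is not part of the original posts. The function names, the sample mounts file and the fake sysfs tree are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.
# On a live system: has_nohd "$(cat /proc/cmdline)",
# mount_mode_locked "$(stat -Lc %a /bin/mount)",
# fixed_disk_mounts /proc/mounts /sys

# Layer 1: is the "nohd" cheatcode on the kernel command line ($1)?
has_nohd() {
    case " $1 " in *" nohd "*) return 0 ;; esac
    return 1
}

# Layer 2: is the mount binary root-only? $1 = octal mode, e.g. 500.
# Locked = no group/other execute bit and no setuid bit.
mount_mode_locked() {
    [ $(( 0$1 & 04011 )) -eq 0 ]
}

# Layer 3: print "device mountpoint" for mounted partitions of
# non-removable sd*/hd* disks. $1 = /proc/mounts-format file,
# $2 = sysfs root. A disk with no removable flag counts as fixed.
# Caveat: some USB hard disks also report removable=0.
fixed_disk_mounts() {
    while read -r dev mnt _rest; do
        case "$dev" in /dev/sd*|/dev/hd*) ;; *) continue ;; esac
        disk=$(printf '%s' "${dev#/dev/}" | sed 's/[0-9]*$//')
        flag=$(cat "$2/block/$disk/removable" 2>/dev/null) || flag=0
        if [ "$flag" = "0" ]; then echo "$dev $mnt"; fi
    done < "$1"
    return 0
}

# Constructed sample: sda is the internal disk, sdb a USB stick.
demo=$(mktemp -d)
mkdir -p "$demo/block/sda" "$demo/block/sdb"
echo 0 > "$demo/block/sda/removable"
echo 1 > "$demo/block/sdb/removable"
cat > "$demo/mounts" <<'EOF'
aufs / aufs rw 0 0
/dev/sr0 /mnt/sr0 iso9660 ro 0 0
/dev/sdb1 /mnt/sdb1 vfat rw 0 0
/dev/sda2 /mnt/sda2 ntfs rw 0 0
EOF

has_nohd "quiet nohd" && echo "nohd: present"
mount_mode_locked 4755 || echo "mode 4755: any user can run mount"
echo "fixed disks mounted: $(fixed_disk_mounts "$demo/mounts" "$demo")"
```

An empty result from fixed_disk_mounts, together with the other two checks passing, is the state the thread is aiming for.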

Re: Restricting HDD Mounting

Post#10 by DoomUs » 09 Jun 2011, 17:20

roadie wrote:What exactly is your goal in this?

Do you want it set up so no external drives can be mounted by a user, including USB, HD and cdrom?

By "Granted, drives aren't mounting properly, the command is still accessible." I assume the drive doesn't get mounted and you get the "Only root can do that" message... that's about the best you'll get in Linux... any user can call any command, doesn't mean they'll be able to do anything other than what their privileges allow... the commands still have to be available.

I would stop the automounting on boot, make the changes that Brokenman suggested and be happy.

You may find something here: http://www.cromwell-intl.com/security/l ... ening.html

roadie
It looks like you're right. I ran into some other funny errors that appeared to me to allow mounting, however, with deeper investigation, I believe the /sbin/mount /bin/mount solution provided by Brokenman works. Thanks all.

Posted after 21 hour 28 minutes 32 seconds:
fanthom wrote:anyone tried "chmod 500 /bin/mount"?
also
"chmod -x /etc/rc.d/rc.hald"
not sure how to disable udisk in LXDE/KDE4 ....

if that won't help then I would recompile kernel and remove support for all filesystems except iso9660 :D
Fanthom, how would I go about doing this? If I download the kernel from kernel.org, where is the filesystem's supported information?

Do I need to compile inside Porteus for this to work? And how do I use my new kernel with Porteus?

Thanks.

Re: Restricting HDD Mounting

Post#11 by Hamza » 09 Jun 2011, 17:28

You need to compile your own kernel with your config.

You can read this first:
Compilation and usage of custom Porteus kernel

Thanks fanthom for this article!
NjVFQzY2Rg==

Re: Restricting HDD Mounting

Post#12 by DoomUs » 09 Jun 2011, 18:48

Is there any way to modify any part of the kernel.lzm to reflect similar changes without having to compile a whole new kernel?

By the way, that re-compile tutorial is nice, and I'll definitely look into it, but where is the stuff I need to change to remove support for certain filesystems, and which ones do I NEED and which ones should I remove to keep local HDDs from being mounted?

Re: Restricting HDD Mounting

Post#13 by Hamza » 09 Jun 2011, 18:56

You can remove the 'net' folder and remove all lines with 'net' drivers in manifest file?

What do you think, fanthom?
NjVFQzY2Rg==

Re: Restricting HDD Mounting

Post#14 by DoomUs » 10 Jun 2011, 13:52

Hamza wrote: You can remove the 'net' folder and remove all lines with 'net' drivers in manifest file?

What do you think, fanthom?
The "net" folder contains HDD drivers?? And what is the manifest file?

Re: Restricting HDD Mounting

Post#15 by Hamza » 10 Jun 2011, 14:01

Do you want to disable the internet connection from your custom LIVE-CD?

And what is the manifest file?
It is a file where all the kernel modules are. It is a list of all kernel modules (not built in).
NjVFQzY2Rg==
