Restricting HDD Mounting

[DoomUs]

I'm looking for a mechanism to restrict users from mounting HDDs. The purpose is to give users peace of mind that the live-cd won't mount their HDDs.

This being the case, I'm not concerned if the prevention is not bullet-proof. If they are somehow able to circumvent my restriction measures, I'm not concerned. However, I would prefer that the circumvention is not completely trivial. I don't want a user to be able to say "I didn't realize I was mounting the HDD."

Any suggestions are appreciated. Thanks.

[Hamza]

You can make a new account with specific permission, and make it as "Default User". After, you will need to use nohd cheatcode, and edit /etc/rc.d/rc.locale to unload the Network driver.

You're welcome to our community.

But , Please post more information about your question.
Version?
Machine?

4. Include logs and tell us commands executed. Most wanted are: /var/log/dmesg and /var/log/messages. Use pastebin.com for long and multiple files. Jayflood's 'Porteus System Info' tool can be also very helpful - you can launch it from Kmenu/Lxde menu and receive a lot of useful info about your system straight on the desktop.
Remember: nobody can help you if they don't know what's wrong, or what you did to get the error you received. Providing this information will greatly aid others in assisting you, and will allow us to diagnose your problem easier and sooner.

Regards,

[DoomUs]

Thanks for your response.
What's involved in editing the "/etc/rc.d/rc.locale to unload the Network driver." What exactly am I doing in "rc.locale"?

[Hamza]

Hello,

/etc/rc.d/rc.locale is script when some task is written in it, and executed at start of system.

You can write an action in it for unload network drivers.

Please , post more information about your problem..

4. Include logs and tell us commands executed. Most wanted are: /var/log/dmesg and /var/log/messages. Use pastebin.com for long and multiple files. Jayflood's 'Porteus System Info' tool can be also very helpful - you can launch it from Kmenu/Lxde menu and receive a lot of useful info about your system straight on the desktop.
Remember: nobody can help you if they don't know what's wrong, or what you did to get the error you received. Providing this information will greatly aid others in assisting you, and will allow us to diagnose your problem easier and sooner.

You must give me more information.

Regards,

[roadie]

DoomUs,

I think Hamza is referring to /etc/rc.d/rc.local.............you can add commands in there which will be activated after the booting process is finished.

As an example, I added a command to change my USB mouse's settings..........it can be done in Kde, but the setting doesn't survive a reboot.

In your case, you can add something like this......../bin/umount -a.........that will umount the HD..........if you want to stop a user from mounting, best, I think, is to edit the file that automounts the HD and replace it in the Porteus module within the .iso..........I would look at /etc/rc.d/rc.S first..........possibly /usr/lib/liblinuxlive.

Edit:....I just tried modifying /etc/rc.d/rc.S to stop automounting and it works fine here.

The appropriate line is this.....mount -a -v -t nonfs,nosmbfs,nocifs,noproc,nosysfs,nodevpts

roadie

[brokenman]

This was a much asked question over at slax. I think the best answer was to restrict normal users priveleges to mount which is so in Porteus anyway.. Booting with nohd will mean nothing gets mounted and user has restrictions so they can't mount.

As someone mentioned in mchat ... this is also another option to be triply safe.

Delete the symlink /sbin/mount ... move /bin/mount to /sbin/mount ... make a symlink /bin/mount pointing to /sbin/mount. Now normal users should get a "Only root can do that!" message ... but will still be able to mount there USB drive when plugging it in.

Or just open the machine and remove the hard drive if it is an option!

[DoomUs]

Delete the symlink /sbin/mount ... move /bin/mount to /sbin/mount ... make a symlink /bin/mount pointing to /sbin/mount. Now normal users should get a "Only root can do that!" message ... Or just open the machine and remove the hard drive if it is an option!

I used the nohd cheatcode, and I've made the changes to /bin/mount, /sbin/mount, as described. But my "guest" account is still allowed to call mount. Granted, drives aren't mounting properly, the command is still accessible. Any ideas? Could my guest account have too high of privelages?

[roadie]

What exactly is your goal in this?

Do you want it setup so no external drives can be mounted by a user, including USB, HD and crdrom?

By "Granted, drives aren't mounting properly, the command is still accessible." I assume the drive doesn't get mounted and you get the "Only root can do that" message............that's about the best you'll get in Linux.........any user can call any command, doesn't mean they'll be able to do anything other than what their privileges allow...........the commands still have to be available.

I would stop the automounting on boot, make the changes that Brokenman suggested and be happy.

You may find something here:http://www.cromwell-intl.com/security/l ... ening.html

roadie

[fanthom]

anyone tried "chmod 500 /bin/mount"?
also
"chmod -x /etc/rc.d/rc.hald"
not sure how to disable udisk in LXDE/KDE4 ....

if that wont help then i would recompile kernel and remove support for all filesystems except iso9660

[DoomUs]

What exactly is your goal in this?

Do you want it setup so no external drives can be mounted by a user, including USB, HD and crdrom?

By "Granted, drives aren't mounting properly, the command is still accessible." I assume the drive doesn't get mounted and you get the "Only root can do that" message............that's about the best you'll get in Linux.........any user can call any command, doesn't mean they'll be able to do anything other than what their privileges allow...........the commands still have to be available.

I would stop the automounting on boot, make the changes that Brokenman suggested and be happy.

You may find something here:http://www.cromwell-intl.com/security/l ... ening.html

roadie

It looks like you're right. I ran into some other funny errors that appeared to me to allow mounting, however, with deeper investigation, I believe the /sbin/mount /bin/mount solution provided by Brokenman works. Thanks all.

Posted after 21 hour 28 minutes 32 seconds:

anyone tried "chmod 500 /bin/mount"?
also
"chmod -x /etc/rc.d/rc.hald"
not sure how to disable udisk in LXDE/KDE4 ....

if that wont help then i would recompile kernel and remove support for all filesystems except iso9660

Fanthom, how would I go about doing this. If I download the kernel from kernel.org, where is the filesystem's supported information?

Do I need to compile inside Porteus for this to work? and how do I use my new kernel with Porteus?

Thanks.

[Hamza]

You need to compile your own kernel with your config.

You can read this before.
Compilation and usage of custom Porteus kernel

Thanks fanthom for this article!

[DoomUs]

Is there any way to modify any part of the kernel.lzm to reflect similar changes without having to compile a whole new kernel?

By the way, that re-compile tutorial is nice, and I'll definitely look into it, but where is the stuff I need to change to remove support for certain filesystems, and which ones do I NEED and which ones should I remove to keep local HDDs from being mounted?

[Hamza]

You can remove the 'net' folder and remove all lines with 'net' drivers in manifest file ??

What do you think fanthom ?

[DoomUs]

You can remove the 'net' folder and remove all lines with 'net' drivers in manifest file ??

What do you think fanthom ?

The "net" folder contains HDD drivers?? And what is the manifest file?

[Hamza]

Do you want to disable the internet connection from your custom LIVE-CD ?

And what is the manifest file?
It is a file when there is all kernel modules. It is a list of all kernel modules (not built in).