Linux disable usb device

How to block all USB storage devices in Ubuntu [duplicate]

I need to block all USB storage devices (pendrives & mobile devices) but I need to access USB keyboard and USB mouse. I have already tried by editing /etc/modprobe.d/blacklist.conf by adding blacklist usb_storage but still the system can access USB devices.

4 Answers

I found in Ubuntu 16.04, some pendrives trigger pickup of the uas.ko kernel driver (USB Attached SCSI driver). And a kernel driver dependency of uas.ko is usb_storage.ko.

Hence, even though I had blacklist usb_storage in /etc/modprobe.d/blacklist.conf, usb_storage.ko still got loaded by virtue of dependency to uas.ko

blacklist uas
blacklist usb_storage

into /etc/modprobe.d/blacklist.conf , access to those pendrives no longer works (uas.ko & usb_storage.ko no longer loads) in a running system.

Bear in mind to enforce this during kernel boot, one would also need to make some grub/kernel line modifications of some similar sort in link.

Another, To disable USB storage, create the following file and edit it with your favourite text editor.

/etc/modprobe.d/usb-storage.conf 

Within this file, add the following line.

install usb-storage /bin/true 

After saving that line to the /etc/modprobe.d/usb-storage.conf file you will need to perform a reboot to complete the process. After rebooting if you plug in a USB storage device you should not be able to access it.
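The difference between the two directives used in the answers above, as an added example that is not part of the original posts: a blacklist line only stops alias-based autoloading, while an install MODULE /bin/true override replaces modprobe's load of that module, including when it is requested as a dependency. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classify how modprobe.d restricts a module:
#   disabled      install MODULE /bin/true (or /bin/false): modprobe runs the
#                 no-op instead of loading, also for dependency loads
#   blacklisted   blacklist MODULE: only alias-based autoloading is ignored
#   unrestricted  no matching directive
module_policy() {    # usage: module_policy CONF_DIR MODULE
    want=$(printf '%s' "$2" | tr '-' '_')   # modprobe treats - and _ alike
    result=unrestricted
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        while read -r kw name cmd rest || [ -n "$kw" ]; do
            case $kw in ''|'#'*) continue ;; esac      # blank line or comment
            [ "$(printf '%s' "$name" | tr '-' '_')" = "$want" ] || continue
            case "$kw $cmd" in
                'install /bin/true'|'install /bin/false') result=disabled ;;
                'blacklist '*) [ "$result" = disabled ] || result=blacklisted ;;
            esac
        done < "$f"
    done
    printf '%s\n' "$result"
}

# Print the storage modules that are only blacklisted, the state in which the
# first answer saw usb_storage pulled in as a dependency of uas.
weak_storage_blocks() {    # usage: weak_storage_blocks CONF_DIR
    for m in uas usb_storage; do
        [ "$(module_policy "$1" "$m")" = blacklisted ] && printf '%s\n' "$m"
    done
    return 0
}

demo() {    # constructed sample configuration, written to a temp directory
    d=$(mktemp -d)
    printf 'blacklist usb_storage\n' > "$d/blacklist.conf"
    printf '# no-op install\ninstall usb-storage /bin/true\n' > "$d/usb-storage.conf"
    printf 'blacklist uas\n' > "$d/uas.conf"
    for m in uas usb_storage; do
        printf '%s: %s\n' "$m" "$(module_policy "$d" "$m")"
    done
    rm -rf "$d"
}
demo
```

On a real system, pass /etc/modprobe.d as the directory; the kernel's own view of what is currently loaded is in /proc/modules.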

The usb-storage.ko is the USB Mass Storage driver for Linux operating system. You can see the file typing the following command:

ls -l /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko 

All you have to do is disable or remove the usb-storage.ko driver to restrict to use USB devices on Linux such as:

  1. USB keyboards
  2. USB mice
  3. USB pen drive
  4. USB hard disk
  5. Other USB block storage

BIOS option

You can also disable USB from system BIOS configuration option. Make sure BIOS is password protected. This is recommended option so that nobody can boot it from USB.

Grub option

You can get rid of all USB devices by disabling kernel support for USB via GRUB. Open grub.conf or menu.lst and append "nousb" to the kernel line as follows (taken from RHEL 5.x):

kernel /vmlinuz-2.6.18-128.1.1.el5 ro root=LABEL=/ console=tty0 console=ttyS1,19200n8 nousb 

Make sure you remove any other reference to usb-storage in the grub or grub2 config files. Save and close the file. Once done just reboot the system:


Turning off a single usb device. again

I know that this topic has been discussed many times, but none of the answers helped me. For the record, I’m running Debian. The deal is: I bought a USB-powered LED lamp, which is very simple and doesn’t even have an on/off switch (it works and is always on). I want to be able to turn it on/off via command line. Here’s what I tried:

 echo on > /sys/bus/usb/devices/usb1/power/level # turn on
 echo suspend > /sys/bus/usb/devices/usb1/power/level # turn off
 -su: echo: write error: Invalid argument 
 echo "0" > "/sys/bus/usb/devices/usbX/power/autosuspend_delay_ms" 
 echo "usb1" > /sys/bus/usb/drivers/usb/unbind 

works only for more "intelligent" devices, like the keyboard, the mouse, or the USB Wi-Fi card. What I mean is that only those devices are turned off; other usbN don’t give an error, but the lamp never goes off. The contents of /sys/bus/usb/devices/ are

 1-0:1.0 1-1:1.0 1-2:1.0 1-2:1.2 2-0:1.0 4-0:1.0 4-1:1.0 6-0:1.0 8-0:1.0 8-2:1.0 usb2 usb4 usb6 usb8 1-1 1-2 1-2:1.1 1-2:1.3 3-0:1.0 4-1 5-0:1.0 7-0:1.0 8-2 usb1 usb3 usb5 usb7 
 echo device_name > /sys/bus/usb/drivers/usb/unbind 

with every single one of them, but only the devices usbN and N-M react, the ones of the form n-m:x.y yield

 tee: /sys/bus/usb/drivers/usb/bind: No such device 

(I tried putting in, for instance, "1-0:1.0", "1-0\:1.0" and "1-0\:1.0"; all gave the same result). One last thing, what is shown after executing


How to disable USB device

Whitelist or render inoperative any USB device to secure your personal belongings.

Disable the particular USB device

I will disable the cheap Samsung tablet, so it won’t mount when connected.

Display USB devices before the mentioned device is connected.

Bus 001 Device 002: ID 8087:8001 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 093: ID 0bda:5682 Realtek Semiconductor Corp.
Bus 002 Device 003: ID 8087:0a2a Intel Corp.
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Display USB devices after the device is connected.

Bus 001 Device 002: ID 8087:8001 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 093: ID 0bda:5682 Realtek Semiconductor Corp.
Bus 002 Device 003: ID 8087:0a2a Intel Corp.
Bus 002 Device 029: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy (MTP)
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

The mentioned device can be identified by vendor id 0x04e8 Samsung Electronics Co., Ltd and product id 0x6860 Galaxy (MTP).

Identify the device path to display more useful udev information.

$ idVendor="04e8"; idProduct="6860"
$ find -L /sys/bus/usb/devices/ -maxdepth 2 -name idVendor -exec grep -l "$idVendor" {} \; | \
  while read -r line; do
    # directory of the device whose idVendor file matched
    location=$(dirname "$line")
    # print it only when the product id matches as well
    if grep -q "$idProduct" "$location/idProduct"; then
      echo "$location"
    fi
  done

Use the device path to display udev information.

$ udevadm info -a -p /sys/bus/usb/devices/2-2

Udevadm info starts with the device specified by the devpath and then
walks up the chain of parent devices. It prints for every device
found, all possible attributes in the udev rules key format.
A rule to match, can be composed by the attributes of the device
and the attributes from one single parent device.

  looking at device '/devices/pci0000:00/0000:00:14.0/usb2/2-2':
    KERNEL=="2-2"
    SUBSYSTEM=="usb"
    DRIVER=="usb"
    ATTR=="0"
    ATTR=="0"
    ATTR==""
    ATTR=="00"
    ATTR=="01"
    ATTR=="00"
    ATTR=="64"
    ATTR==""
    ATTR=="1"
    ATTR==""
    ATTR=="0400"
    ATTR==""
    ATTR=="2"
    ATTR==""
    ATTR=="29"
    ATTR=="2"
    ATTR=="6860"
    ATTR=="04e8"
    ATTR=="no"
    ATTR=="SAMSUNG"
    ATTR=="0"
    ATTR=="SAMSUNG_Android"
    ATTR=="0x0"
    ATTR=="removable"
    ATTR=="3801a4eaab8a3400"
    ATTR=="480"
    ATTR=="32"
    ATTR==" 2.00"

  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb2':
    KERNELS=="usb2"
    SUBSYSTEMS=="usb"
    DRIVERS=="usb"
    ATTRS=="1"
    ATTRS=="1"
    ATTRS=="0"
    ATTRS=="1"
    ATTRS=="09"
    ATTRS=="01"
    ATTRS=="00"
    ATTRS=="64"
    ATTRS=="0mA"
    ATTRS=="1"
    ATTRS==" 1"
    ATTRS=="0411"
    ATTRS=="e0"
    ATTRS=="2"
    ATTRS==""
    ATTRS=="1"
    ATTRS=="0"
    ATTRS=="0002"
    ATTRS=="1d6b"
    ATTRS=="1"
    ATTRS=="no"
    ATTRS=="Linux 4.11.0-13-generic xhci-hcd"
    ATTRS=="11"
    ATTRS=="xHCI Host Controller"
    ATTRS=="0x0"
    ATTRS=="unknown"
    ATTRS=="0000:00:14.0"
    ATTRS=="480"
    ATTRS=="8014"
    ATTRS==" 2.00"

  looking at parent device '/devices/pci0000:00/0000:00:14.0':
    KERNELS=="0000:00:14.0"
    SUBSYSTEMS=="pci"
    DRIVERS=="xhci_hcd"
    ATTRS=="0"
    ATTRS=="0x0c0330"
    ATTRS=="64"
    ATTRS=="1"
    ATTRS=="0x9cb1"
    ATTRS=="64"
    ATTRS=="(null)"
    ATTRS=="1"
    ATTRS=="44"
    ATTRS=="0-3"
    ATTRS=="f"
    ATTRS=="1"
    ATTRS=="-1"
    ATTRS=="0x03"
    ATTRS=="0x0665"
    ATTRS=="0x1028"
    ATTRS=="0x8086"

  looking at parent device '/devices/pci0000:00':
    KERNELS=="pci0000:00"
    SUBSYSTEMS==""
    DRIVERS==""

Create an exact udev rule to de-authorize this device early on.

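$ cat << EOF | sudo tee /etc/udev/rules.d/<rules-file>.rules
ATTR{removable}=="removable", ATTR{idVendor}=="04e8", ATTR{idProduct}=="6860", ATTR{authorized}="0"
EOF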

This device will be unusable next time it is connected to the computer.


Whitelist USB devices

$ lsusb
Bus 001 Device 002: ID 8087:8001 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 093: ID 0bda:5682 Realtek Semiconductor Corp.
Bus 002 Device 003: ID 8087:0a2a Intel Corp.
Bus 002 Device 012: ID 045e:0745 Microsoft Corp. Nano Transceiver v1.0 for Bluetooth
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Authorize these USB devices and their children, but only if the device as a parent is not a hub.

$ cat << EOF | sudo tee /etc/udev/rules.d/<rules-file>.rules
# Bus 001 Device 002: ID 8087:8001 Intel Corp.
ATTR{idVendor} == "8087", ATTR{idProduct} == "8001", GOTO = "usblist_rules_end"
ATTRS{idVendor} == "8087", ATTRS{idProduct} == "8001", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"
# Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
ATTR{idVendor} == "1d6b", ATTR{idProduct} == "0002", GOTO = "usblist_rules_end"
ATTRS{idVendor} == "1d6b", ATTRS{idProduct} == "0002", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"
# Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
ATTR{idVendor} == "1d6b", ATTR{idProduct} == "0003", GOTO = "usblist_rules_end"
ATTRS{idVendor} == "1d6b", ATTRS{idProduct} == "0003", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"
# Bus 002 Device 093: ID 0bda:5682 Realtek Semiconductor Corp.
ATTR{idVendor} == "0bda", ATTR{idProduct} == "5682", GOTO = "usblist_rules_end"
ATTRS{idVendor} == "0bda", ATTRS{idProduct} == "5682", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"
# Bus 002 Device 003: ID 8087:0a2a Intel Corp.
ATTR{idVendor} == "8087", ATTR{idProduct} == "0a2a", GOTO = "usblist_rules_end"
ATTRS{idVendor} == "8087", ATTRS{idProduct} == "0a2a", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"
# Bus 002 Device 012: ID 045e:0745 Microsoft Corp. Nano Transceiver v1.0 for Bluetooth
ATTR{idVendor} == "045e", ATTR{idProduct} == "0745", GOTO = "usblist_rules_end"
ATTRS{idVendor} == "045e", ATTRS{idProduct} == "0745", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"
# Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
ATTR{idVendor} == "1d6b", ATTR{idProduct} == "0002", GOTO = "usblist_rules_end"
ATTRS{idVendor} == "1d6b", ATTRS{idProduct} == "0002", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"
# Other USB devices - de-authorize
ATTR{authorized}="0"
LABEL="usblist_rules_end"
EOF
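One way to check that such a whitelist is actually in effect, as an added example that is not code from the original article: the function below walks the USB device directories in sysfs and reports every device whose authorized flag is 1 although its vendor:product pair is not on the allowlist. The function names and the test tree are constructed; the IDs in the demo are the ones shown in the lsusb listings above.

```shell
#!/bin/sh
# Added example. List USB devices that are authorized but not allowlisted.
# usage: unlisted_authorized SYSFS_USB_DIR "vid:pid vid:pid ..."
unlisted_authorized() {
    for dev in "$1"/*; do
        # Interface entries (names like 2-2:1.0) have no idVendor file: skip.
        [ -r "$dev/idVendor" ] && [ -r "$dev/idProduct" ] || continue
        id="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
        auth=$(cat "$dev/authorized" 2>/dev/null)
        [ "$auth" = 1 ] || continue              # already de-authorized
        case " $2 " in
            *" $id "*) ;;                        # on the allowlist
            *) printf '%s %s\n' "${dev##*/}" "$id" ;;
        esac
    done
}

# Constructed test device: mkdev ROOT NAME VID PID AUTHORIZED
mkdev() {
    mkdir -p "$1/$2"
    printf '%s\n' "$3" > "$1/$2/idVendor"
    printf '%s\n' "$4" > "$1/$2/idProduct"
    printf '%s\n' "$5" > "$1/$2/authorized"
}

demo() {    # constructed tree that mimics /sys/bus/usb/devices
    root=$(mktemp -d)
    mkdev "$root" usb2 1d6b 0002 1      # root hub, allowlisted
    mkdev "$root" 2-1  045e 0745 1      # Microsoft transceiver, allowlisted
    mkdev "$root" 2-2  04e8 6860 1      # Samsung tablet, still authorized
    mkdir -p "$root/2-2:1.0"            # interface entry, must be ignored
    unlisted_authorized "$root" "1d6b:0002 045e:0745"
    rm -rf "$root"
}
demo
```

Against a live system, call it with /sys/bus/usb/devices as the first argument; an empty result means every authorized device is on the list.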


how to disable USB devices based on vendor id in Linux environment?

I want to disable usb devices based on vendor id in Linux environment. I want to allow only specific USB devices, based on vendor id.

I have one specific vendor:device ID I want to disable cdc_acm for. I have since made this into a separate question.

3 Answers

You can make a udev rule that disables devices by default, but enables certain ones by vendor ID. Make a file /etc/udev/rules.d/01-usblockdown.rules that contains a rule to disable devices:

ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'for host in /sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done'" 

And then rules to enable the devices you want to allow (you can use ATTR to get at the vendor ID):

ACTION=="add", ATTR{idVendor}=="0000", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'" 

@subbarao Yes, you have to add both rules, the first blocks anything per default, the second allows certain devices.

This works for when you plug in, say a keyboard, once the system is booted. But if the keyboard is connected and you reboot, the keyboard works upon the OS booting back up. Unplugging the keyboard then re-plug, the keyboard doesn’t work as expected. Is there some area more lower level that this rule can be run before boot devices are activated?

(this might have been better as a comment but I lack the points so expanded it into an answer)

I came here searching for how to allow all usb devices except disabling a specific one by vendor and product id. How to disable a usb sound device with udev answers it for the 0d8c:000c example.

ACTION=="add", ATTR{idVendor}=="0d8c", ATTR{idProduct}=="000c", RUN="/bin/sh -c 'echo 0 >/sys/\$devpath/authorized'" 

There is a discrepancy between the answer and a comment below with RUN= vs. RUN+= ; I tried the former and it worked fine.

I was expecting dmesg or lsusb to report differently, but they both show the un-authorized device getting enumerated just as before, but other processes/modules that would have launched automatically appear to not be running, which was the desired effect. cat /sys/bus/usb/devices/1-2.2.1.1.4/authorized (the 1-2.2. for example which can be found in dmesg) shows that the 0 was put in the right place.
