Отключить cd rom linux

Как отключить CD-ROM и USB для обычных пользователей в Linux?

Как можно отключить доступ к CD-ROM и USB для обычных пользователей в Linux?

В рамках политики безопасности нам необходимо отключить доступ к CD-ROM и USB для обычных пользователей. Доступ должен быть только у пользователя root. Мы в основном используем Ubuntu Linux.

Этот вопрос имеет 1 ответ на английском, чтобы прочитать их войдите в свой аккаунт.

Нашел решение своей проблемы.

# mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root

# mv /lib/modules/$(uname -r)/kernel/drivers/cdrom/cdrom.ko /root

Для простой защиты от непродвинутых пользователей достаточно внести модуль usb-storage в черный список:

modprobe -r usb-storage echo blacklist usb-storage >> /etc/modprobe.d/blacklist

modprobe usb-storage if ! lsmod | grep -q usb-storage; then echo Module is blacklisted; fi

Для CD-ROM просто удалите пользователя из группы ‘cdrom’. Тогда пользователь не сможет получить к нему доступ (в управлении пользователями есть вкладка Advanced, где можно снять галочку с такой опции).

Раньше в *nix-системах это можно было сделать, изменив разрешения на чтение и запись на узлах устройств. Я подозреваю, что в Ubuntu вам придется искать что-то более сложное — возможно, группы пользователей, предоставляющие доступ к классам устройств, отключение аппаратных служб, таких как hal, или, возможно, изменение системы automount, чтобы вещи монтировались только для привилегированных пользователей. USB будет сложнее, чем CDROM, потому что я предполагаю, что вы не хотите блокировать всю шину. Вы хотите, чтобы мыши usb работали, но флэш-диски были заблокированы, верно?

Источник

How to disable CD-ROM and USB for normal users in Linux?

How can access to CD-ROM and USB be disabled for normal users in Linux? As a part of security policy we need to disable CD-ROM and USB access for normal users. Only root users should have the access. We are mainly using Ubuntu Linux.

7 Answers 7

Easier is to remove users from the ‘cdrom’ and ‘plugdev’ groups in /etc/group.

Found a solution to my issue.

# mv /lib/modules/$(uname -r)/kernel/drivers/usb/storage/usb-storage.ko /root 

# mv /lib/modules/$(uname -r)/kernel/drivers/cdrom/cdrom.ko /root 

Yes root also, but root can easily enable it by moving back.This may not be an ideal solution, but it is okay in my case.

This is an worst possible solution(above solution).I think people need to look into their /etc/fstab file for that kind of manipulation.If they take out «nouser» option from the cdrom/dvd line in /etc/fstab file then the desired result can be achieved .Moving out and in modules like that is a bad very bad option.

The easiest I’ve found is simply:

Ubuntu mounts removable media in /media, so changing permissions for /media is the easiest way to prevent access.This is a safe and easily reversible solution.

This will prevent a normal user from seeing removable media devices. Only root will then be able to access removable media.

For simple protection against non-advanced users blacklisting the usb-storage module should be enough:

modprobe -r usb-storage echo blacklist usb-storage >> /etc/modprobe.d/blacklist 

modprobe usb-storage if ! lsmod | grep -q usb-storage; then echo Module is blacklisted; fi 

For CD-ROM simply remove the user from the ‘cdrom’ group. Then the user should not be able to access it (in user management there is an advanced tab where you can uncheck such option).

My coworker and I were trying this on Ubuntu 10.04 64 bit Desktop.

We had one admin user and one desktop user. We tried removing the desktop user from cdrom and plugdev in /etc/group, but that didn’t work.

We then made admin own /media. We then chmodded /media to like:

This seems to work. Also, I’m not worried about desktop user manually mounting because he doesn’t have privileges.

Does this make sense? Do you guys see any weaknesses?

It used to be that on *nix systems you would do this by changing the read-write permissions on the devices nodes. I suspect you’re going to need to look for something more involved in Ubuntu — perhaps user groups that grant access to devices classes, disabling hardware services such as hal, or perhaps changing the automount system so things get mounted only for privileged users. USB will be more complicated than CDROM because I assume you don’t want to block the whole bus. You want usb mice to work but flash disks to be blocked right?

You must log in to answer this question.

Linked

Related

Hot Network Questions

Subscribe to RSS

To subscribe to this RSS feed, copy and paste this URL into your RSS reader.

Site design / logo © 2023 Stack Exchange Inc; user contributions licensed under CC BY-SA . rev 2023.7.12.43529

By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy.

Источник

Disable & Enable CD-ROM

For security reasons (so no-one can copy data from computer to CD-ROM, or from CD-ROM to computer), I have to disable the CD-ROM drives on all of the Ubuntu systems I have. I estimate I have near 400-500 Ubuntu machines. How can I disable CD-ROM drives, and then enable them again. If possible, I would like commands to both enable, and disable a CD-ROM drive.

Does any of the people you want to disabled the cd/dvd for have admin permissions in those machines? Or are all normal users? And how would this prevent them from using a USB, a floppy disk, ssh, command line mail, storing it on a cloud and a dozen other methods I probably forgot about.

I already disabled USB mass storage on all the systems, it worked successfully. I just want to disable cdrom so that no one can access it, I want enable & disable command for cdrom. In future if i need to enable cdrom then i want those enabling commands. All are normal users

@VikramJadhav stop this! The people here are all volunteers. If they can help, they will but do not insist like this. Be patient and wait. Even better, edit your question and show that you tried the commands Rinzwind already gave you and what happened when you tried. But, whatever you do, stop leaving repetitive comments like this.

2 Answers 2

 -i on|1|off|0 This option controls locking of the hardware eject button. When enabled, the drive will not be ejected when the button is pressed. This is useful when you are carrying a laptop in a bag or case and don't want it to eject if the button is inadvertently pressed. 

Mind that this command is available for users on the system so you might also want to create an alias to override the normal eject. And not all versions of eject support locking (the version in Ubuntu 15.04+ does; below that I am not sure).

What the command does is a .

echo 1 | sudo tee /proc/sys/dev/cdrom/lock echo 0 | sudo tee /proc/sys/dev/cdrom/lock 

And these is also a 3rd party script you could use called cdctl.

15:04 (oldest Ubuntu I have):

$ eject --version eject version 2.1.5 by Jeff Tranter (tranter@pobox.com) $ eject -i 1 CD-Drive may NOT be ejected with device button $ eject -i 0 CD-Drive may be ejected with device button 

I am using 14.04 LTS given above all these commands are not working.. I tried all of them but no any one command is not working. Please provide me the working commands.

superuser.com/a/78855/276585 seems to show that those commands even working in 2009. Maybe your hardware does not support it.

care to add the results you get from the commands I edited into the answer? (version of eject and results of the command). Again: it could be your hardware not supporting locking the cd drive. More drastic measure: cp /dev/cdrom to somewhere else and remove it when disabled and copy it back when you need it enabled?

I tried this command but still the CD Drive is ejecting . not working for me.. please provide another command

First: I’m using Debian 10, but this might also work in Ubuntu.

The only way I was able to disable CD/DVD reading/writing was to create — as root — the following cron job:

@reboot mv /dev/sr0 /dev/sr0_block 

Remember to check the device file name for your CD-ROM. You could use the lsblk command for that. In my case, it is sr0 .

To re-enable functioning just comment or delete the cron job line and restart the computer.

Note that if you just rename the sr0 file, without adding a cron job, you’ll find the change unmade after reboot.

I’m sorry this is an ugly trick, but I have tried: removing users from cdrom group, changing permissions of /media , blacklisting cdrom and sr_mod modules and even the eject -i 1 command. That is the only thing that worked for me.

Источник

Completely disable CD/DVD Rom access to all users on Ubuntu 12.04 LTS?

Result: Yet no differece. Impact is if user put’s in disc (CD/DVD) with content on it, then it will not load. But if user put’s in blank disc (CD/DVD), then it will load the disc and if brasero is installed, user is able to write new disc

EDIT (New): 8. More tries with via UDEV Initialization rules

8.1) Modified following files and commented all lines that were creating /dev mappings for CD/DVD Rom drives,

8.2) Created a new file here /etc/udev/rules.d/10-custom-cd.rules and added following rules ,

SUBSYSTEMS=="scsi", DRIVERS=="sr", OPTIONS+="ignore_device",OPTIONS+="last_rule" SUBSYSTEM=="block", ENV=="?*", ENV=="pci-0000:00:1f.2-scsi-5:0:0:0", OPTIONS+="ignore_device", OPTIONS+="last_rule" 

Tried with this one also, removing SUBSYSTEMS==»scsi»

DRIVERS=="sr", OPTIONS+="ignore_device", OPTIONS+="last_rule" 

8.3) Removed all the following /dev entries,

sudo rm /dev/cdrom /dev/cdrw /dev/dvdrw /dev/dvd /dev/sr0 

Note: «/dev/sr0» keeps getting created automatically, and other folders got created again after recent updates. But still if these were working can keep removing them /etc/rc.local

Result: With CDROM related UDEV rules commented, and after restarting machine, again manually deleting /dev/sr0, and with no CDROM related UDEV rules active, excepted for the newly created OPTIONS+=»ignore_device» ones, and no entries in /dev, Blank disc loads as usual and user is able to write new DVD Rom

Tried all approaches listed on internet. Please provide a option to disable cdrom mounting on laptop. Goal is if user inserts any kind of disc (blank, audio, with files), ubuntu should not mount cdrom at all. It’s ok if cdrom is disable for all users also.

Edit: adding UDEV info for device information. Following the output from «udevadm»

• (other parent level info)
  • looking at parent device ‘/devices/pci0000:00/0000:00:1f.2/host5/target5:0:0/5:0:0:0’:
  • KERNELS==»5:0:0:0″
  • SUBSYSTEMS==»scsi»
  • DRIVERS==»sr»
  • ATTRS==»0″
  • ATTRS==»5″
  • ATTRS==»6″
  • ATTRS==»hp «
  • ATTRS==»DVDWBD TS-LB23P «
  • ATTRS==»0100″
  • ATTRS==»running»
  • ATTRS==»30″
  • ATTRS==»32″
  • ATTRS==»0x11d»
  • ATTRS==»0x114″
  • ATTRS==»0x2″
  • ATTRS==»0″
  • ATTRS==»detached»
  • ATTRS==»1″
  • ATTRS==»120000″
  • ATTRS= mt24 mb12″>

  Источник

  disable the cdrom in Ubuntu 11.10 OS

  Can anyone help me how to disable the cdrom in Ubuntu 11.10 OS level. I tried searching google but I could not find any solution.

  2 Answers 2

  To remove a user [eg. john] from membership of a group [eg. accounts] use:

  sudo deluser john accounts 

  sudo adduser john accounts 

  So to match example (in other answer):

  sudo deluser tachyons cdrom sudo adduser tachyons cdrom [to undo] 

  Do it in your risk

  Take a backup of /etc/group

  press ctrl + alt + t and type gksudo gedit /etc/group

  Remove the users from cdrom(in this screenshot tachyons is the user name)

  

  save the file and restart your pc

  You must log in to answer this question.

  Linked

  Related

  Hot Network Questions

  Subscribe to RSS

  To subscribe to this RSS feed, copy and paste this URL into your RSS reader.

  Site design / logo © 2023 Stack Exchange Inc; user contributions licensed under CC BY-SA . rev 2023.7.12.43529

  Ubuntu and the circle of friends logo are trade marks of Canonical Limited and are used under licence.

  By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy.

  Источник