Drive access prevention

The place to post if you need help or advice

Moderators: ChrisThornett, LXF moderators

Drive access prevention

Postby cr8rm8or » Sun Mar 23, 2014 3:53 pm

I have 12 machines with a Microsoft W7/8 drive and a linux drive in each. Ubuntu was installed without the W7/8 drive connected so grub doesn't know about the other drive. I'd like to block Ubuntu GUI access to the W7/8 drive for all users, understanding that sudo has to be available to users.
Is there a way to prevent all users from mounting the drive from the GUI?
Is causing the drive to mount read only through fstab my best option? Better ideas?

I maintain the linux side of the computers and others maintain the W8 side in our computer club. Being nice (subservient) on my part is necessary unless we get our own machines in the classroom. They already envy my 3 hours of maintenance per quarter compared to their very frequent attention to the other OS.
cr8rm8or
 
Posts: 4
Joined: Sat Sep 08, 2012 8:47 pm

Postby Dutch_Master » Sun Mar 23, 2014 4:07 pm

Haven't tried it, so some 'homework' ;) for you: using the alias command, redirect the GUI to a script that checks if the user wants to mount the Win-drive and rejects it if it does, causing it to bomb out with a "not authorised" message. Otherwise or in conjuncture, redirect the mountpoint of the Win-drive to an inaccessible part of the file tree, like /dev/junk or /proc/junk, where the user has no permissions. (and not even a remote possibility to obtain such :P )

HTH!
Dutch_Master
LXF regular
 
Posts: 2455
Joined: Tue Mar 27, 2007 1:49 am

Postby nelz » Sun Mar 23, 2014 5:18 pm

You could also try setting umask for the drives to 777 in fstab. Users will still be able to mount them, but have no read or write access.

Sudo can be used to prevent some commands being run as root, but I doubt the GUI uses sudo. If it uses udisks, you can add a rule to stop them being mountable.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
User avatar
nelz
Site admin
 
Posts: 8532
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK

Drive access prevention

Postby cr8rm8or » Fri Mar 28, 2014 2:05 pm

Thanks to the Dutch_Master !
I followed his hints and came up with a solution which works in our situation.

sudo blkid will list the UUID of the partitions
cp /etc/fstab to origs is where I backed up the existing fstab file
sudo nano /etc/fstab to edit fstab, added a line as below with UUID for the windows drive
UUID=xxxxxxxxxxxxx /dev/junk ntfs noauto,nouser,noexec,nodev,ro 0 0

This process made the Microsoft partitions invisible to Nautilus. Students can't see them so they won't try to mount them. /dev/junk is bogus and ntfs isn't going to work either. It turned out to be simple. Thanks to all for ideas.
cr8rm8or
 
Posts: 4
Joined: Sat Sep 08, 2012 8:47 pm

Postby nelz » Fri Mar 28, 2014 2:16 pm

That doesn't stop them mounting thm in a terminal. Maybe it would be simpler to restrict the sudo access you give users. Surely you aren't giving them unrestricted access to run all commands? Set up sudo to allow the commands they need, an make sure mount is not one of them.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
User avatar
nelz
Site admin
 
Posts: 8532
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK


Return to Help!

Who is online

Users browsing this forum: No registered users and 0 guests