6

On my Ubuntu system, I noticed that some file managers, when open, can mount any drive that was connected via one of my USB ports (as non-root). In an attempt to prevent this from happening, I configured my /etc/fstab like so:

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/mapper/vgubuntu-root /               ext4    errors=remount-ro 0       1
# /boot was on /dev/nvme0n1p3 during installation
UUID=485794d0-6773-4136-9df9-c8f97fc3c3bc /boot           ext4    defaults        0       2
# /boot/efi was on /dev/nvme0n1p2 during installation
UUID=5E62-20EC  /boot/efi       vfat    umask=0077      0       1
/dev/mapper/vgubuntu-swap_1 none            swap    sw              0       0
#/media/j/sandisk-32GB is my primary USB drive for backups
PARTUUID=d199a40a-b5cc-724b-b70b-1b90e4274ea9 /media/user_xyz/sandisk-32GB ext4 defaults,nofail 0 3

1. How do I prevent automounting, or mounting by users other than root, of the drives/partitions that are not specified in my /etc/fstab?

2. Is it possible to go even further and restrict root from mounting drives other than those whitelisted? E.g., root tries to do mount PARTUUID=this-partition-is-not-whitelisted /media/user_xyz/not-whitelisted and fails, unless they change the configuration that I am trying to set up.

P.S. The particular PARTUUID is just used to convey the idea of what I am getting at - I am aware that it is not of a proper format and that root would fail in mounting it because of it. I am on Ubuntu 22.04 LTS.

1
  • 1
    re 2: to what end? Whatever you do, by definition, root can circumvent that. Worst case, they can literally modify RAM contents to achieve what they want. There's no more "game over, the computer belongs fully to this particular person" than "this person has root privileges" Commented Jan 8 at 10:11

3 Answers 3

7

Mounting/automounting by file managers is indeed done via udisks; however, it all goes through an authorization mechanism called polkit, which defines actions and rules (who can do what...). One can override the default settings via configuration files called rules.
In this particular case the action is called

org.freedesktop.udisks2.filesystem-mount

and you can inspect the default settings for this action via

pkaction --verbose --action-id org.freedesktop.udisks2.filesystem-mount

which returns something like this:

org.freedesktop.udisks2.filesystem-mount:
  description:       Mount a filesystem
  message:           Authentication is required to mount the filesystem
  vendor:            The Udisks Project
  vendor_url:        https://github.com/storaged-project/udisks
  icon:              drive-removable-media
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes

As you can see on the last line, the implicit permission for the active user to mount a filesystem is set to yes. You can override that by writing a new rule. This will not have any effect on the stuff listed in your /etc/fstab. Create a file

/etc/polkit-1/rules.d/90-disable-automount.rules

with the following content:

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.filesystem-mount") {
        return polkit.Result.AUTH_ADMIN;
    }
});

When you restart the system no user should be able to mount/automount drives unless they have admin rights: they will be prompted for the admin password. If you want to disable that prompt too, replace AUTH_ADMIN with NO.
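
A variation on the rule above, as an added example that is not part of the original answer: it also covers udisks2's filesystem-mount-system and filesystem-mount-other-seat actions and combines the NO and AUTH_ADMIN outcomes by group. The group name storage-operators and the Node.js shim are assumptions, and it presumes a polkit version that reads JavaScript .rules files (0.106 or later).

```javascript
// Added example. Under polkitd the global `polkit` object already exists; the
// shim below is an assumption used only for a dry run of this file with Node.js.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: "not_handled" },
    addRule: function () {},
    log: function () {}
};

// udisks2 actions that end in a filesystem being mounted.
var MOUNT_ACTIONS = [
    "org.freedesktop.udisks2.filesystem-mount",
    "org.freedesktop.udisks2.filesystem-mount-system",
    "org.freedesktop.udisks2.filesystem-mount-other-seat"
];

// Hypothetical group whose members may still mount after authenticating.
var OPERATOR_GROUP = "storage-operators";

function udisksMountRule(action, subject) {
    if (MOUNT_ACTIONS.indexOf(action.id) === -1) {
        return pk.Result.NOT_HANDLED;   // leave every other action to the defaults
    }
    if (subject.isInGroup(OPERATOR_GROUP)) {
        return pk.Result.AUTH_ADMIN;    // operators: allowed after an admin password prompt
    }
    pk.log("denied " + action.id + " for user " + subject.user);
    return pk.Result.NO;                // everyone else: refused without a prompt
}

pk.addRule(udisksMountRule);
```

Entries in /etc/fstab are not affected, as the answer notes for its own rule; the log line goes to polkitd's log, so refused attempts can be reviewed later.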

5
  • Sorry for a naïve question, but "freedesktop" hints that the Polkit authorisation system is for desktop only. If I Ctrl-alt-F2 and login to a terminal, or SSH, will these rules still be checked when I try to mount? Commented Jan 8 at 19:36
  • @AndrewSavinykh - the rules are checked regardless but how would you "try to mount" in those cases? Commented Jan 8 at 21:36
  • with the mount command presumably? Commented Jan 9 at 0:07
  • @AndrewSavinykh - I'm having a hard time understanding what you're asking... you do know that you can not mount drives/filesystems with mount unless you're superuser? So that's a non-issue to begin with. The question here is about mount helpers used primarily by file manager and how to inhibit/disable them - in this particular case it's udisks. Commented Jan 9 at 9:18
  • "can not mount drives/filesystems with mount unless you're superuser?" No I did not know that. Commented Jan 9 at 10:03
3

The solution to question 1) is found here: https://askubuntu.com/questions/1062719/how-do-i-disable-the-auto-mounting-of-internal-drives-in-ubuntu-or-kubuntu-18-04

Basically, turn off udisks2.

systemctl stop udisks2.service

and then test, and do it permanently:

systemctl mask udisks2

This will prevent "normal" users from mounting drives automatically... You should also make sure they are not in the adm or sudo group, as then they could still mount drives.

As Marcus Müller noted in the comments, the solution to 2) would be non-trivial, I think. I can not think of a good answer right off (e.g. if I am root, how do I prevent myself from mounting any drive?). root has to be able to mount drives, it is how the kernel boots, and loads ram disks and such.

Further, as Guntram Blohm noted in the comments, adding:

systemctl mask udisks2

will prevent it from being pulled back into the system in the future, which is a "good thing".

2
  • Thanks, stopping udisks2 solved the problem of automounting. I do not use Gnome as my desktop environment, I use icewm instead, and the dependencies of udisks2 all seem to be gnome-related: gvfs* gvfs-backends* gvfs-daemons* gvfs-fuse*. Thus I am tempted to purge udisks2 with apt, what do you opine of such a solution? Is there any possibility of Ubuntu reinstalling this package during routine apt full-upgrade?
    – John Smith
    Commented Jan 8 at 16:17
  • 2
    You can remove udisks2, but you can't be sure you'll never install something that pulls it back in. That's why you should do systemctl mask udisks2, which makes sure that even if the package gets installed later somehow, systemctl won't start it. On my system, udisks2 got reinstalled when I installed a commercial package named bcompare - no idea why that should need udisks2, but I'm mentioning this here to show udisks2 could get installed whenever you don't expect it. Commented Jan 8 at 17:12
1

connected via one of my USB ports...

So have the mount entry in your /etc/fstab if you desire, but to deal with disks hotplugged via USB you can use usbguard.

I do not know if it is available for Ubuntu like it is for Red Hat, but it is a simple matter of installing it and configuring /etc/usbguard/usbguard-daemon.conf to your liking, though the defaults will probably suffice. Then, before starting the usbguard service, you must create the /etc/usbguard/rules.conf file; otherwise you won't have anything whitelisted to work on the USB ports, including your keyboard and mouse, and you will be yanking the power cord to reboot and then booting to single-user mode to correct it.

When you do usbguard generate-policy > /etc/usbguard/rules.conf before doing service usbguard start, that will automatically capture the existing USB devices, and you can recognize those in the rules.conf file, one of which will be your USB-connected disk devices, which will be identified specifically and explicitly via id, serial, etc. This will manage which external USB disks will or will not work on the system; you'll be managing it at the USB connection level, before udisks sees and mounts them.

For some detailed usbguard info, see: usbguard rules allow any keyboard and mouse
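
A pre-flight check for the lock-out this answer warns about, as an added example that is not part of the original answer: it reads the text of a rules.conf and reports whether any allowed device has an HID interface (keyboard/mouse) and which mass-storage devices are allowed. The sample rules are constructed, and the parser assumes the rule form that usbguard generate-policy writes (no set operators such as one-of).

```javascript
// Added example: check usbguard rules text before the daemon is started.
// SAMPLE_RULES is constructed for illustration; ids, serials and names are made up.
const SAMPLE_RULES = [
  'allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" with-interface 09:00:00',
  'allow id 046d:c31c serial "" name "USB Keyboard" with-interface { 03:01:01 03:00:00 }',
  'allow id 0781:5581 serial "CONSTRUCTED0001" name "Backup Stick" with-interface 08:06:50',
  'block id 0951:1666 serial "CONSTRUCTED0002" name "Other Stick" with-interface 08:06:50'
].join("\n");

// Parse one rule line into { target, id, serial, name, classes }; null for blanks/comments.
function parseRule(line) {
  const text = line.trim();
  if (text === "" || text.startsWith("#")) return null;
  const target = text.split(/\s+/)[0];
  const attr = (key) => {
    const m = text.match(new RegExp("\\b" + key + '\\s+"([^"]*)"'));
    return m ? m[1] : null;
  };
  const idMatch = text.match(/\bid\s+([0-9a-fA-F*]{1,4}:[0-9a-fA-F*]{1,4})/);
  // with-interface takes one value or a { ... } set; keep the class byte of each entry.
  const ifMatch = text.match(/with-interface\s+(?:\{([^}]*)\}|(\S+))/);
  const ifaces = ifMatch ? (ifMatch[1] || ifMatch[2]).trim().split(/\s+/) : [];
  return {
    target,
    id: idMatch ? idMatch[1] : null,
    serial: attr("serial"),
    name: attr("name"),
    classes: ifaces.map((i) => i.slice(0, 2).toLowerCase())
  };
}

function preflight(rulesText) {
  const rules = rulesText.split("\n").map(parseRule).filter(Boolean);
  const allowed = rules.filter((r) => r.target === "allow");
  return {
    // Class 03 = HID: with no allowed HID device, keyboard and mouse stop working.
    hidAllowed: allowed.some((r) => r.classes.includes("03")),
    // Class 08 = mass storage: these are the disks that remain usable.
    storageAllowed: allowed
      .filter((r) => r.classes.includes("08"))
      .map((r) => ({ id: r.id, serial: r.serial, name: r.name }))
  };
}

console.log(JSON.stringify(preflight(SAMPLE_RULES), null, 2));
```

An empty or missing rules.conf yields hidAllowed: false, which is the state the answer says ends in a forced reboot.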
