How to enable a Hard Disk to read/write to a USB device but disable the USB device to read/write to the hard disk without user permission?
Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How to enable a Hard Disk to read/write to a USB device but disable the USB device to read/write to the hard disk without user permission?
Rather than using antivirus/encryption etc to protect from viruses from a USB device, is there a way to enable a PC or Laptop Hard Disk to read/write to a USB device but disable the USB device to read/write to the hard disk without user permission?
One can read data from the USB device, use/process the data and write the data back to the USB device. But there should not be any automatic data read/written by the USB device to the hard disk.
The user is controlling the OS and the programs running on the hard disk. An external static USB device should not be able to read/write any data to the hard disk without user permission so as to prevent any infection.
key word permission. got a have to to read/write/execute, that is not actually a device controlled item, but a user controlled situation. Because a device itself cannot automatically write to something even itself without outside intervention.
This means that a user be it root or someone else has to be logged into the system before anything can be written to a device or read from it. The device is just the medium that holds the data to be read from or written to.
I think you need to rethink your line of logic on how data is being written to and read from a device. your last statement tells how this is taking place already.
root can do anything, to anyone's system, if you get yourself to root user you can do anything to that system and whatever is attached to it. Encryption helps prevent this. It is just one more hurdle one has to jump over to gain access to the data that is encrypted.
Hi BW-userx,
I have used Windows OS previously and have now moved towards Linux (Debian OS at the moment having a root account)
While running Windows I have experienced several autorun and other viruses from USB devices.
Now, I am trying to visualise the basic steps of how a virus in a USB device can actually infect a hard disk regardless of the operating system.
1. The USB device has to be mounted to the hard disk running the OS.
2. USB device needs to have read and/or write permission for enabling data transfer.
3. An executable file which is a virus has to run either automatically from the USB (through autorun enabled or something else) or manually run by the user.
Lets say, I mount all USB devices manually (no autorun/automount). Do Linux systems execute any code from a USB device when connected?
you basically have to run it yourself Linux uses scripts, and binary, but I've never seen an autorun until it is setup by user, say when they login to there desktop, they have setup a autostart script to start whatever they want stared.
viruses . Linux is not prone to viruses, whereas Windows is. This is why I do not even bother with antiviruses software for linux that some people do put out. As far as I see it to con unknowing people to feed off there fears.
That is not to say one cannot write a script or something into a binary that seeks and destroys someones data, or send back information to an outside source. But autorun upon mounting a drive. I've never seen anything like that.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
How to enable a Hard Disk to read/write to a USB device but disable the USB device to read/write to the hard disk without user permission?
Autorun exploits only work on badly configured Windows devices and, to my recollection, none of the Linux distributions I have used have even suggested I run a file from a connected device upon mount. Granted, some desktop environments will have options such as "always play media from this device" and autothumbnailing does mean that a process will read data on the device but that's step removed from running any code.
If you're truly worried (or paranoid, or both) you could even look into allowing only certain USB HID devices to control the mouse pointer and input keystrokes under Linux. something I keep meaning to test using my "mouse jigglers".
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
Quote:
Originally Posted by smallpond
Mount the USB device with the "noexec" option to disable running any executables on it. Note that isn't foolproof, though.
this helps also.
Please, ce309 learn the difference between a device and a user: a USB device does not execute commands, the user plugging it in does.
If you're still here please actually read about things like autorun and permissions.
I used the following commands to create a simple executable file:-
echo 'echo Hello World'>hello
chmod ugo+x hello
And to run the file I used the command:-
./hello
While executable permission was disabled, I got output: Permission denied
While executable permission was enabled, I got output: Hello World
Both times while executable permission was disabled and enabled, I was successfully able to execute and get output from a ".jar" file (a simple application giving output "Hi there"). Note: the ".jar" file was created outside of the usb drive and then copied to the usb drive.
I am going slightly off topic (I hope this is ok) towards files or file extensions that can be a virus on which I have done some research. I'll share the information I got so that one can confirm or reject any part of the information.
Permission/file property set by a command to make an executable file:
chmod +x filename
(Discussion Link: https://askubuntu.com/a/831134)
So, my question is why did the ".jar" file execute but not the hello file while executable permission was disabled?
Is it because Linux had an interpreter for it or some other reason?
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
Please actually read some information about this.
I have, in my pocket, a device which, should you plug it into your PC, could open a terminal and start a server process without being mounted in any way.
Yes, the files you can run which are set to non-execute are interpreted by an executable file which you, the user, chose to run.
Code does not execute itself, ever.
I would like to discuss further on this. (respectfully)
I don't see the point in having something like an executable permission for a usb if the user can run executables anyway from a usb.
This is just like saying that one can write to a removable media even if only read permission is given to that removable media.
Quote:
Originally Posted by 273
I have, in my pocket, a device which, should you plug it into your PC, could open a terminal and start a server process without being mounted in any way.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
Quote:
Originally Posted by ce309
I would like to discuss further on this. (respectfully)
I don't see the point in having something like an executable permission for a usb if the user can run executables anyway from a usb.
This is just like saying that one can write to a removable media even if only read permission is given to that removable media.
You are not executing something from the USB drive you are telling an executable to interpret and run that code. There are ways around it if you look into that rather than assuming it will work as you expect.
Simply put I referred to a "mouse jiggler" and that any USB device can expose any functinality the creator of it wishes. The key is to learn about that and plan.
You are not executing something from the USB drive
I am actually executing from a USB drive. I created an executable jar file and it runs from the USB drive (through the terminal) even if executable permission is disabled.
While the hello file gave error "Permission denied" while running from the terminal and via graphical interface (renamed hello to hello.sh, single-clicked it and pressed on enter key).
Quote:
Originally Posted by 273
you are telling an executable to interpret and run that code.
I am just executing the .jar file not telling the executable to interpret and run.
I had installed JRE which has the interpreter. Linux uses the interpreter to run/execute that code.
This is why I had given a link for Linux file extensions earlier https://askubuntu.com/a/174356
which says that "Linux is capable of running any file that it has an interpreter for"
If I am mounting a usb with only read permission then I myself (as the root user having control over the operating system) cannotwrite to that usb unless I remount and give permission (or some other way to give permission) to write on that usb.
In the same way, if I am disabling executable permission on a usb then I myself should not be able to execute any file on that usb unless I enable executable permission for that usb.
Quote:
Originally Posted by 273
any USB device can expose any functinality the creator of it wishes
I am looking from the point of view of a person or group of people developing an operating system (not just an OS but even a simple application can be taken as an example).
I am defining very well the functionality, permissions, terms etc of an OS/application. After that if someone tries to do something illegal/unethical/bad like using a USB device for stealing/corrupting data then I or (group of people associated with that OS/application) have the right to act against that person or at least do something about it taking in consideration the damage/loss caused.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
You are not executing from a USB drive you are running a program which envokes an interpreter which runs code from the USB drive. To learn how to prevent that, learn what that means and how it works. It's pretty-much the same on Windows or was from my recollection.
The secondary subject of just what a device can do when plugged in is best addressed by looking at things like "Bad USB". I would, actually, tend to rate the threat from a rogue HID as fairly low but circumstance could make it more of a threat.
Last edited by 273; 05-14-2019 at 01:33 PM.
Reason: typo's
You are not executing from a USB drive you are running a program which envokes an interpreter which runs code from the USB drive. To learn how to prevent that, learn what that means and how it works.
Of course, I am executing from a USB drive as the code is located on the usb drive. Running a code from a usb drive means executing code from a usb drive.
Execute = run = perform a set of instructions.
This is why it is called as an executable .jar file. Compiling java program(s) gives you .class files containing byte code. Class files can be packed into an executable .jar file. The .jar file needs an interpreter to run/execute the byte code. Installing JRE (which has the interpreter) in Linux means that Linux is now capable of executing .jar files.
Rather than trying to explain or dive into the terms "interpreter", "interpreted language", "compiled language" etc, I will simply say that there may be some default options for a user to execute files (such as .sh file or .deb file or using chmod command) after installing an OS. After that the user would need to do some additional work: install (or manually write etc) some other softwares/applications/tools/codes etc for other file types which have requirements not satisfied by the OS, so that those file types are capable of being executed by the user.
In both cases (default options and for other file types) when the user wants to execute some file, he/she would give some input like double-clicking on a file or write a command on a terminal. After that the OS would execute the file. The only difference is that additional work would be needed for other file types to be executed.
Again it is the user who controls the OS, who is actually giving some input resulting in execution of code.
In my case, I am a root user having full control over the OS giving some input resulting in execution of code from the usb drive.
If the executable permission is only for default options then in my opinion it is not useful at all. In fact, I am able to install .deb files even if I have disabled executable permission. (I checked file permissions via "ls -l /path/to/file" command).
Quote:
Originally Posted by 273
The secondary subject of just what a device can do when plugged in is best addressed by looking at things like "Bad USB". I would, actually, tend to rate the threat from a rogue HID as fairly low but circumstance could make it more of a threat.
I did read somewhat about things such as Bad USB and I am again looking from the point of view of a person or group of people developing an operating system/application rather than the attacker knowing what my rights are...... The reply I gave to "any USB device can expose any functinality the creator of it wishes".
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.