Rather than using antivirus/encryption etc to protect from viruses from a USB device, is there a way to enable a PC or Laptop Hard Disk to read/write to a USB device but disable the USB device to read/write to the hard disk without user permission?

One can read data from the USB device, use/process the data and write the data back to the USB device. But there should not be any automatic data read/written by the USB device to the hard disk.

The user is controlling the OS and the programs running on the hard disk. An external static USB device should not be able to read/write any data to the hard disk without user permission so as to prevent any infection.

key word permission. got a have to to read/write/execute, that is not actually a device controlled item, but a user controlled situation. Because a device itself cannot automatically write to something even itself without outside intervention.

This means that a user be it root or someone else has to be logged into the system before anything can be written to a device or read from it. The device is just the medium that holds the data to be read from or written to.

I think you need to rethink your line of logic on how data is being written to and read from a device. your last statement tells how this is taking place already.

root can do anything, to anyone's system, if you get yourself to root user you can do anything to that system and whatever is attached to it. Encryption helps prevent this. It is just one more hurdle one has to jump over to gain access to the data that is encrypted.

Hi BW-userx,
I have used Windows OS previously and have now moved towards Linux (Debian OS at the moment having a root account)

While running Windows I have experienced several autorun and other viruses from USB devices.

Now, I am trying to visualise the basic steps of how a virus in a USB device can actually infect a hard disk regardless of the operating system.
1. The USB device has to be mounted to the hard disk running the OS.
2. USB device needs to have read and/or write permission for enabling data transfer.
3. An executable file which is a virus has to run either automatically from the USB (through autorun enabled or something else) or manually run by the user.

Lets say, I mount all USB devices manually (no autorun/automount). Do Linux systems execute any code from a USB device when connected?

I got an answer saying: Linux systems usually (Not 100% sure) do not execute code from a USB stick when just connecting it. From the link: https://askubuntu.com/questions/4508...rive-in-ubuntu

One more suggestion I got was disabling the automatic thumbnailing of files on removable media. From the link: https://lwn.net/Articles/427135/

windows = viruses
Linux != viruses

you basically have to run it yourself Linux uses scripts, and binary, but I've never seen an autorun until it is setup by user, say when they login to there desktop, they have setup a autostart script to start whatever they want stared.

viruses . Linux is not prone to viruses, whereas Windows is. This is why I do not even bother with antiviruses software for linux that some people do put out. As far as I see it to con unknowing people to feed off there fears.

That is not to say one cannot write a script or something into a binary that seeks and destroys someones data, or send back information to an outside source. But autorun upon mounting a drive. I've never seen anything like that.

Autorun exploits only work on badly configured Windows devices and, to my recollection, none of the Linux distributions I have used have even suggested I run a file from a connected device upon mount. Granted, some desktop environments will have options such as "always play media from this device" and autothumbnailing does mean that a process will read data on the device but that's step removed from running any code.
If you're truly worried (or paranoid, or both) you could even look into allowing only certain USB HID devices to control the mouse pointer and input keystrokes under Linux. something I keep meaning to test using my "mouse jigglers".

I was thinking of USBKill, by the way, which disables all but whitelisted USB devices.

Mount the USB device with the "noexec" option to disable running any executables on it. Note that isn't foolproof, though.

1 members found this post helpful.

this helps also.
Please, ce309 learn the difference between a device and a user: a USB device does not execute commands, the user plugging it in does.
If you're still here please actually read about things like autorun and permissions.

Thank you all.

I tried changing permissions of a usb drive.

I used the following commands to create a simple executable file:-
echo 'echo Hello World'>hello
chmod ugo+x hello

And to run the file I used the command:-
./hello

While executable permission was disabled, I got output: Permission denied
While executable permission was enabled, I got output: Hello World

Both times while executable permission was disabled and enabled, I was successfully able to execute and get output from a ".jar" file (a simple application giving output "Hi there"). Note: the ".jar" file was created outside of the usb drive and then copied to the usb drive.

I am going slightly off topic (I hope this is ok) towards files or file extensions that can be a virus on which I have done some research. I'll share the information I got so that one can confirm or reject any part of the information.

Linux Extensions: https://askubuntu.com/a/174356

Permission/file property set by a command to make an executable file:
chmod +x filename
(Discussion Link: https://askubuntu.com/a/831134)

So, my question is why did the ".jar" file execute but not the hello file while executable permission was disabled?
Is it because Linux had an interpreter for it or some other reason?

Please actually read some information about this.
I have, in my pocket, a device which, should you plug it into your PC, could open a terminal and start a server process without being mounted in any way.
Yes, the files you can run which are set to non-execute are interpreted by an executable file which you, the user, chose to run.
Code does not execute itself, ever.

1 members found this post helpful.

I would like to discuss further on this. (respectfully)

I don't see the point in having something like an executable permission for a usb if the user can run executables anyway from a usb.
This is just like saying that one can write to a removable media even if only read permission is given to that removable media.

I think one has to mount before accessing a file on Linux (https://en.wikipedia.org/wiki/Mount_(Unix)

Please correct me if any of the above is wrong.

1 members found this post helpful.

You are not executing something from the USB drive you are telling an executable to interpret and run that code. There are ways around it if you look into that rather than assuming it will work as you expect.
Simply put I referred to a "mouse jiggler" and that any USB device can expose any functinality the creator of it wishes. The key is to learn about that and plan.

I am actually executing from a USB drive. I created an executable jar file and it runs from the USB drive (through the terminal) even if executable permission is disabled.

While the hello file gave error "Permission denied" while running from the terminal and via graphical interface (renamed hello to hello.sh, single-clicked it and pressed on enter key).

I am just executing the .jar file not telling the executable to interpret and run.
I had installed JRE which has the interpreter. Linux uses the interpreter to run/execute that code.

This is why I had given a link for Linux file extensions earlier https://askubuntu.com/a/174356
which says that "Linux is capable of running any file that it has an interpreter for"


If I am mounting a usb with only read permission then I myself (as the root user having control over the operating system) cannot write to that usb unless I remount and give permission (or some other way to give permission) to write on that usb.

In the same way, if I am disabling executable permission on a usb then I myself should not be able to execute any file on that usb unless I enable executable permission for that usb.

I am looking from the point of view of a person or group of people developing an operating system (not just an OS but even a simple application can be taken as an example).

I am defining very well the functionality, permissions, terms etc of an OS/application. After that if someone tries to do something illegal/unethical/bad like using a USB device for stealing/corrupting data then I or (group of people associated with that OS/application) have the right to act against that person or at least do something about it taking in consideration the damage/loss caused.

You are not executing from a USB drive you are running a program which envokes an interpreter which runs code from the USB drive. To learn how to prevent that, learn what that means and how it works. It's pretty-much the same on Windows or was from my recollection.

The secondary subject of just what a device can do when plugged in is best addressed by looking at things like "Bad USB". I would, actually, tend to rate the threat from a rogue HID as fairly low but circumstance could make it more of a threat.

Of course, I am executing from a USB drive as the code is located on the usb drive. Running a code from a usb drive means executing code from a usb drive.

Execute = run = perform a set of instructions.

This is why it is called as an executable .jar file. Compiling java program(s) gives you .class files containing byte code. Class files can be packed into an executable .jar file. The .jar file needs an interpreter to run/execute the byte code. Installing JRE (which has the interpreter) in Linux means that Linux is now capable of executing .jar files.

Rather than trying to explain or dive into the terms "interpreter", "interpreted language", "compiled language" etc, I will simply say that there may be some default options for a user to execute files (such as .sh file or .deb file or using chmod command) after installing an OS. After that the user would need to do some additional work: install (or manually write etc) some other softwares/applications/tools/codes etc for other file types which have requirements not satisfied by the OS, so that those file types are capable of being executed by the user.

In both cases (default options and for other file types) when the user wants to execute some file, he/she would give some input like double-clicking on a file or write a command on a terminal. After that the OS would execute the file. The only difference is that additional work would be needed for other file types to be executed.

Again it is the user who controls the OS, who is actually giving some input resulting in execution of code.
In my case, I am a root user having full control over the OS giving some input resulting in execution of code from the usb drive.

If the executable permission is only for default options then in my opinion it is not useful at all. In fact, I am able to install .deb files even if I have disabled executable permission. (I checked file permissions via "ls -l /path/to/file" command).

I did read somewhat about things such as Bad USB and I am again looking from the point of view of a person or group of people developing an operating system/application rather than the attacker knowing what my rights are...... The reply I gave to "any USB device can expose any functinality the creator of it wishes".