USB Devices – Libgphoto2 – PTP – Hplip
Hi All,
I’m trying to disable USB storage devices in CentOS7.1.1503.
I’ve setup udev rules to block all usb devices and then additional rules to allow specific vendors / products to be used (mainly keyboards and mice). This is all working perfectly.
cat /etc/udev/rules.d/01-usblockdown.rules
# Block all USB devices ACTION==”add”, SUBSYSTEMS==”usb”, RUN+=”/bin/sh -c ‘for host in
/sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done'”
# Allow devices
# Keyboards ACTION==”add”, ATTR{idVendor}==”04f3″, ATTR{idProduct}==”0103″
RUN+=”/bin/sh -c ‘echo 1 >/sys$DEVPATH/authorized'”
……
Now I’m testing against mobile devices and when I connect an Asus mobile telephone it’s mounting the camera using PTP even though the device is not allowed in my udev rules.
I removed libgphoto2 which has now stopped the PTP from automounting.
My issue is that I require hplip on my systems for certain printer drivers and this package was removed along with libgphoto2. I added an
‘exclude=libgphoto2*’ to my /etc/yum.repos.d/CentOS-Base.repo and installing hplip now fails on dependencies.
Is there a method of disable libgphoto2 PTP without having to remove the package? or can I create further udev rules to stop PTP mounts?
thanks in advance,
Michael
9 thoughts on - USB Devices – Libgphoto2 – PTP – Hplip
Hi, Posting this again as it has been drowned. can anybody assist?
—————————————————————-
Am 10.12.2015 um 09:37 schrieb Michael H:
on EL6 we use:
# cat /etc/modprobe.d/usb-disabled.conf install usb-storage /bin/true
# depmod -a
I’ve achieved disabling USB devices and then allowing specific vendors /
products using UDEV rules.
How can I disable PTP automounting without removing the libgphoto2 package?
We are allowing a specific set of usb devices to be used in the company, one of the things we want to block is any kind of file transfer between mobile devices and our systems. Unfortunately it’s not just a complete block on devices.
I did a google search on “disable usb storage CentOS 7” and came up with this. Don’t know if it helps:
https://unixserveradmin.wordpress.com/2012/12/08/how-to-stop-usb-mass-storage-device-in-rhelCentOS/ <https://unixserveradmin.wordpress.com/2012/12/08/how-to-stop-usb-mass-storage-device-in-rhelCentOS/>
-wes
Am 10.12.2015 um 11:11 schrieb Michael H:
A legitimately approach but from a security point of view its not the best one. No authentication, no authorization mechanism and USB IDs can be forgeable.
Please read my entire post! I need to allow specific devices, I am trying to combat PTP mounting. not completely disable all USB devices.
We are simply trying to block people who are unaware their phone may be compromised. We understand that if someone puts their mind to it they will still be able to get past the udev rules but it’s a good starting point.
any clues on disabling PTP (photo transfer protocol) without removing the libgphoto2 package?
thanks
Am 10.12.2015 um 17:02 schrieb Michael H:
I have not handled such scenario but I would take a closer look at that functionality; like these files of libgphoto2 (EL6)
/usr/lib64/libgphoto2/2.4.7/ptp2.so
/usr/lib64/libgphoto2_port/0.8.0/ptpip.so
/usr/lib64/udev/check-ptp-camera
/usr/lib64/udev/check-mtp-device
/usr/lib64/udev/check-ptp-camera
/lib/udev/rules.d/40-libgphoto2.rules
the former ones looks like “plugins” for libgphoto2
the latter ones seems to control such functionality
your solution should be repackaged or enforced on every libgphoto2 update …
It sounds like you’re reinventing the wheel:
https://github.com/dkopecek/usbguard
Search for “Linux USB whitelist” for additional existing solutions to the problem, if you don’t like USBGuard for some reason.