On 4/17/14, 12:54 PM, Trevor Vaughan wrote:
> Udev is system agnostic and works like a firewall instead of a sledgehammer. Deny all, allow as approved.
>
> nousb is a sledgehammer, you can't turn it back on without a reboot.
>
> I'm wanting to allow <Vendor> keyboards of type X, not all keyboards that may have who knows what built into them. Udev lets me do this but nousb doesn't.
>
> As far as I can tell, udev appears to be supported in almost all modern Linux distros and, if it's not, you can always sledgehammer the system.
>
> That said, I'm certainly happy for the discussion since it's what it takes to move things forward (in whatever direction).
Reviewed the link you sent over (http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-d...). Specifically:
#Script by Adrian Crenshaw
#With info from Michael Miller, Inaky Perez-Gonzalez and VMWare
#By default, disable it.
#ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'echo 0 >/sys$DEVPATH/authorized'"
#Deny-by-default: new devices on every host controller stay unauthorized until a rule below enables them.
ACTION=="add", SUBSYSTEMS=="usb", RUN+="/bin/sh -c 'for host in /sys/bus/usb/devices/usb*; do echo 0 > $host/authorized_default; done'"
#Enable hub devices. There may be a better way than this.
ACTION=="add", ATTR{bDeviceClass}=="09", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
#Other things to enable (whitelist entries matched by vendor/product id, serial number, or product string)
ACTION=="add", ATTR{idVendor}=="046d", ATTR{idProduct}=="0809", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
ACTION=="add", ATTR{serial}=="078606B90DD3", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
ACTION=="add", ATTR{product}=="802.11 n WLAN", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
#ACTION=="add", ATTR{idVendor}=="413c", ATTR{idProduct}=="2106", RUN+="/bin/sh -c 'echo 1 >/sys$DEVPATH/authorized'"
My first reaction was to say "If 'cat $host/authorized_default == 0' or
nousb, then pass || if /sys$DEVPATH/authorized != *, pass"
It's laughable... but I don't own a USB device. Not even a storage
token. Since you're starting the conversation, could you test such a
system configuration out and see if such an approach is even sane?
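An audit check along the lines of the "authorized_default == 0 or nousb, then pass" idea above, added here as an example (not part of the thread, the irongeek script, or any project's code). The sysfs root and kernel cmdline path are parameters (defaulting to /sys and /proc/cmdline) so the functions can be exercised against a constructed tree without touching a live system.

```shell
#!/bin/sh
# Audit check for the USB policy discussed in this thread: pass if the
# kernel was booted with "nousb" (sledgehammer) or if every USB host
# controller has authorized_default == 0 (udev-style deny-by-default).
# SYSROOT and CMDLINE are parameters (defaults /sys and /proc/cmdline)
# so the check can be exercised against a constructed sysfs tree.

# Pass (0) if "nousb" is among the kernel boot parameters.
usb_check_nousb() {
    cmdline=${1:-/proc/cmdline}
    [ -r "$cmdline" ] || return 1
    for word in $(cat "$cmdline"); do
        [ "$word" = "nousb" ] && return 0
    done
    return 1
}

# Pass (0) only if at least one host controller exists and every one of
# them has authorized_default set to 0, so newly plugged devices stay
# unauthorized until a udev rule explicitly writes 1 to .../authorized.
usb_check_authorized_default() {
    sysroot=${1:-/sys}
    found=0
    for host in "$sysroot"/bus/usb/devices/usb*; do
        [ -d "$host" ] || continue
        found=1
        [ -r "$host/authorized_default" ] || return 1
        [ "$(cat "$host/authorized_default")" = "0" ] || return 1
    done
    [ "$found" -eq 1 ]
}

# Print every currently authorized device as "idVendor:idProduct path",
# so the live state can be compared with the intended whitelist.
usb_list_authorized() {
    sysroot=${1:-/sys}
    for dev in "$sysroot"/bus/usb/devices/*; do
        [ -r "$dev/authorized" ] && [ -r "$dev/idVendor" ] || continue
        [ "$(cat "$dev/authorized")" = "1" ] || continue
        printf '%s:%s %s\n' "$(cat "$dev/idVendor")" \
            "$(cat "$dev/idProduct")" "$dev"
    done
}

# Overall verdict, exit status 0 = pass. Usage: usb_policy_check [SYSROOT] [CMDLINE]
usb_policy_check() {
    usb_check_nousb "${2:-/proc/cmdline}" || usb_check_authorized_default "${1:-/sys}"
}
```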