In enterprise environments, controlling removable media access is critical for data security and compliance. Ubuntu Linux provides several mechanisms to restrict CD-ROM and USB storage devices. They fall into two classes: mechanisms that stop the device from being initialised at all (USB device authorization, kernel module blacklisting), which lock out root as well, and mechanisms that only control who may open the device node or mount it (permissions, groups, fstab, polkit), which never restrict root because root bypasses discretionary access control. Pick the class that matches the requirement before choosing a command.
One robust approach uses a udev rule to deauthorize the device so the kernel never binds a driver to it. The authorized attribute exists only for USB devices (/sys/bus/usb/devices/*/authorized and, since Linux 4.4, per interface), so this covers USB storage but not a SATA optical drive; for CD-ROM drives use the module blacklist or the permission rules below.
# Create a new udev rule file
sudo nano /etc/udev/rules.d/85-no-usb-storage.rules
# Deauthorize only the USB mass-storage interface (bInterfaceClass 08). This
# covers devices handled by both the usb-storage and the uas driver and leaves
# keyboards, mice and other USB devices working. Do NOT deauthorize every
# usb_device (ENV{DEVTYPE}=="usb_device"): that disables USB input devices too.
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", ATTR{bInterfaceClass}=="08", ATTR{authorized}="0"
# Block devices (SUBSYSTEM=="block") have no authorized attribute; a rule that
# writes /sys$env{DEVPATH}/authorized for ID_CDROM devices silently does nothing.
# Root can re-enable one interface by hand: echo 1 | sudo tee /sys/bus/usb/devices/<bus-port>:<config>.<interface>/authorized
Alternatively, restrict the permissions of the device nodes. Note that chmod on /dev is not persistent: udev (re)creates the nodes on every add event, so a USB stick plugged in after the change gets the default mode again (0660 root:disk for disks, 0660 root:cdrom for optical drives), and on a desktop systemd-logind may additionally grant the console user an ACL. Use chmod only as an immediate measure on nodes that already exist, and make it persistent with a udev MODE= rule (see the 99-restrict-removable.rules file below) rather than /etc/rc.local, which Ubuntu runs only once at boot and only if the file exists and is executable.
# For CD-ROM devices
sudo chmod 600 /dev/sr*
# For USB storage (typically appears as /dev/sd* after insertion). /dev/sd* also
# matches the internal SATA system disk; that is harmless for chmod 600 (root
# keeps access) but matters once you hand access to a group.
sudo chmod 600 /dev/sd*
For stricter control, refuse to load the drivers in modprobe.d. A plain blacklist line only stops automatic loading by alias: root can still run modprobe, and the module is still loaded when another module depends on it (uas, the USB Attached SCSI driver used by many modern drives, depends on usb-storage, so blacklisting usb-storage alone does not stop a UAS drive). An install line makes modprobe run /bin/false instead of loading the module, which covers both cases.
# Block USB storage (both drivers)
printf 'install usb-storage /bin/false\nblacklist usb-storage\ninstall uas /bin/false\nblacklist uas\n' | sudo tee /etc/modprobe.d/disable-usb-storage.conf
# Block CD-ROM
printf 'install sr_mod /bin/false\nblacklist sr_mod\n' | sudo tee /etc/modprobe.d/disable-cdrom.conf
# Update initramfs so the policy also applies to modules loaded early in boot
sudo update-initramfs -u
# Modules that are already loaded stay loaded: unload them or reboot
sudo modprobe -r uas usb-storage sr_mod
After implementing any method:
# Reload udev rules and re-run them for devices that are already present
sudo udevadm control --reload-rules
sudo udevadm trigger
# Verify module blacklisting. lsmod prints module names with underscores
# (usb_storage), so a grep for usb-storage never matches; check uas as well.
lsmod | grep -E 'usb_storage|uas|sr_mod'
# Dry-run modprobe: with the install line in place it prints "install /bin/false"
# instead of an insmod line
sudo modprobe -n -v usb-storage
# Check device permissions and any ACLs that logind added for the console user
ls -l /dev/sd* /dev/sr*
getfacl /dev/sr0
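The verification step above is easy to get wrong because lsmod, modprobe and modprobe.d spell the same module two ways. The following is an added example, not from the original page: two small checks that normalise the names and distinguish a module that is merely blacklisted from one that modprobe refuses to load. The lsmod output and the modprobe.d file are constructed samples, not captured from a machine.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: decide whether the removable-media
# drivers are loaded and whether modprobe.d really refuses them. lsmod prints
# module names with underscores (usb_storage) while modprobe.d files usually use
# the hyphenated name (usb-storage); modprobe treats the two as equal, so a
# checker has to normalise. Sample inputs below are constructed, not captured.
set -u

# modprobe treats '-' and '_' in module names as the same character.
norm_mod() { printf '%s' "$1" | tr '-' '_'; }

# module_loaded LSMOD_TEXT NAME -> exit 0 if NAME is in the lsmod output.
module_loaded() {
  local want; want=$(norm_mod "$2")
  printf '%s\n' "$1" | awk -v want="$want" '
    NR > 1 { n = $1; gsub(/-/, "_", n); if (n == want) found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# modprobe_policy CONF_FILE NAME -> prints one of:
#   hard      "install NAME /bin/false|/bin/true" present: modprobe never loads
#             it, not even as a dependency of another module
#   blacklist only "blacklist NAME": alias autoload is suppressed, but
#             "modprobe NAME" and dependency loading (uas -> usb_storage) still work
#   none      no line for NAME
modprobe_policy() {
  local want; want=$(norm_mod "$2")
  awk -v want="$want" '
    /^[[:space:]]*#/ || NF == 0 { next }
    { n = $2; gsub(/-/, "_", n) }
    $1 == "install" && n == want && ($3 == "/bin/false" || $3 == "/bin/true") { hard = 1 }
    $1 == "blacklist" && n == want { bl = 1 }
    END { if (hard) print "hard"; else if (bl) print "blacklist"; else print "none" }' "$1"
}

# Constructed lsmod output: usb_storage was pulled in as a dependency of uas.
SAMPLE_LSMOD='Module                  Size  Used by
uas                    28672  0
usb_storage            81920  1 uas
sr_mod                 28672  0
cdrom                  65536  1 sr_mod'

# Constructed modprobe.d file: usb-storage is only blacklisted (weak), uas and
# sr_mod are hard-disabled with install lines.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# removable media policy (constructed sample)
blacklist usb-storage
install uas /bin/false
install sr_mod /bin/false
EOF

# report LSMOD_TEXT CONF_FILE -> one status line per driver of interest.
report() {
  local m
  for m in usb-storage uas sr_mod; do
    printf '%-12s loaded=%-3s policy=%s\n' "$m" \
      "$(module_loaded "$1" "$m" && echo yes || echo no)" \
      "$(modprobe_policy "$2" "$m")"
  done
}

report "$SAMPLE_LSMOD" "$SAMPLE_CONF"
# On a real host: report "$(lsmod)" /etc/modprobe.d/disable-usb-storage.conf
```

The sample deliberately shows the trap: usb_storage is loaded although it is blacklisted, because uas pulled it in as a dependency. Only the install line reports as hard.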
To allow specific users while blocking others, use a group and let udev set the ownership so the setting survives hotplug and reboot. Do not chown /dev/sd* wholesale: that also hands the internal system disk to the group, and anyone with read access to a raw disk can read every file on it regardless of filesystem permissions.
# Create storage access group
sudo groupadd storageaccess
# Add authorized users (takes effect at their next login)
sudo usermod -aG storageaccess username
# Set ownership and mode persistently. ID_BUS=usb is set by udev for
# USB-attached disks and their partitions, so the internal disk is not touched.
printf '%s\n' 'SUBSYSTEM=="block", ENV{ID_BUS}=="usb", GROUP="storageaccess", MODE="0660"' 'KERNEL=="sr[0-9]*", GROUP="storageaccess", MODE="0660"' | sudo tee /etc/udev/rules.d/99-storage-group.rules
sudo udevadm control --reload-rules && sudo udevadm trigger
# For nodes that already exist, the same change applied immediately:
sudo chown root:storageaccess /dev/sr*
sudo chmod 660 /dev/sr*
Implement logging for access attempts:
# Kernel messages (USB enumeration, usb-storage/uas binding, sd/sr attach) go to
# a dedicated file. Add to /etc/rsyslog.d/50-storage.conf and restart rsyslog:
kern.* /var/log/storage_access.log
sudo systemctl restart rsyslog
# Create an audit rule for mount() calls by real users. Filter on auid (the
# login uid, preserved across sudo) rather than uid. Mounts performed by udisks2
# on behalf of desktop users run as root without a login uid, so they do not
# match this rule; look for them in the udisksd journal instead. Add
# -F dir=/media if only that mount point matters.
sudo nano /etc/audit/rules.d/storage.rules
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k storage_access
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k storage_access
sudo augenrules --load
# Query the events later with
sudo ausearch -k storage_access
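The kern.* file fills with noise; what a responder wants from it is a timeline of which USB storage device was attached where, and which block device it became. The following is an added example, not from the original page: an awk-based parser that reduces the kernel messages to attach, bind and remove events. The log lines are constructed in journalctl -k format and are not captured from a real host; the vendor and product IDs are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: turn the kernel messages that the
# kern.* rsyslog line collects into a short device-attach timeline. The log
# lines below are constructed in journalctl -k format (timestamp, host,
# "kernel:", message), not captured from a real machine; IDs are placeholders.
# The patterns do not anchor on "kernel:", so rsyslog's "[sec.usec]" prefix
# in /var/log/storage_access.log is handled as well.
set -u

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Mar 01 10:00:01 ws01 kernel: usb 1-1: new high-speed USB device number 5 using xhci_hcd
Mar 01 10:00:01 ws01 kernel: usb 1-1: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
Mar 01 10:00:01 ws01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Mar 01 10:00:02 ws01 kernel: scsi 6:0:0:0: Direct-Access     Generic  Flash Disk       1.00 PQ: 0 ANSI: 6
Mar 01 10:00:02 ws01 kernel: sd 6:0:0:0: [sdb] 60088320 512-byte logical blocks: (30.8 GB/28.7 GiB)
Mar 01 10:00:02 ws01 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Mar 01 10:03:10 ws01 kernel: usb 1-1: USB disconnect, device number 5
Mar 01 10:05:00 ws01 kernel: sr 1:0:0:0: [sr0] scsi3-mmc drive: 24x/24x writer cd/rw xa/form2 cdda tray
Mar 01 10:07:30 ws01 kernel: usb 2-3: New USB device found, idVendor=1234, idProduct=0002, bcdDevice= 1.00
Mar 01 10:07:30 ws01 kernel: scsi host7: uas
Mar 01 10:07:31 ws01 kernel: sd 7:0:0:0: [sdc] Attached SCSI disk
EOF

# storage_events LOGFILE -> one line per event:
#   <ts> STORAGE <usb-port> <vid>:<pid>     usb-storage bound to that port
#   <ts> UAS <hostN>                        uas (USB Attached SCSI) bound
#   <ts> BLOCK <dev> removable|fixed|optical
#   <ts> REMOVE <usb-port>
storage_events() {
  awk '
    # value of "key=HEX" anywhere on the line, or "?"
    function field(key) {
      if (match($0, key "=[0-9a-fA-F]+"))
        return substr($0, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
      return "?"
    }
    # text between "<prefix> " and the next ":"   ("usb 1-1:" -> "1-1")
    function after(prefix) {
      if (match($0, prefix " [^:]+:"))
        return substr($0, RSTART + length(prefix) + 1, RLENGTH - length(prefix) - 2)
      return "?"
    }
    # "[sdb]" or "[sr0]" -> "sdb" / "sr0"
    function blockdev() { match($0, /\[s[dr][a-z0-9]+\]/); return substr($0, RSTART + 1, RLENGTH - 2) }
    { ts = $1 " " $2 " " $3 }
    /usb [^ ]+ New USB device found/ { ids[after("usb")] = field("idVendor") ":" field("idProduct"); next }
    /USB Mass Storage device detected/ { p = after("usb-storage"); print ts, "STORAGE", p, ((p in ids) ? ids[p] : "?"); next }
    /scsi host[0-9]+: uas$/ { print ts, "UAS", after("scsi"); next }
    /\] Attached SCSI/ { print ts, "BLOCK", blockdev(), (/removable/ ? "removable" : "fixed"); next }
    /\] scsi3-mmc drive/ { print ts, "BLOCK", blockdev(), "optical"; next }
    /usb [^ ]+ USB disconnect/ { print ts, "REMOVE", after("usb"); next }
  ' "$1"
}

# count_events LOGFILE -> number of event lines
count_events() { storage_events "$1" | awk 'END { print NR }'; }

storage_events "$SAMPLE_LOG"
# On a real host: storage_events /var/log/storage_access.log
```

The sample contains a UAS enclosure on purpose: it produces no "USB Mass Storage device detected" line, only "scsi hostN: uas", which is why a monitor that greps for the usb-storage message alone misses such devices.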
In Linux systems, block devices such as CD-ROM drives and USB storage appear as device nodes under /dev, with names like /dev/sr0 (CD-ROM) or /dev/sdb1 (first partition of a USB disk). On Ubuntu these nodes are not world-readable by default (0660 root:cdrom for optical drives, 0660 root:disk for disks), but membership of the cdrom group, the ACL that systemd-logind grants the console user on a desktop (via the udev uaccess tag) and udisks2, which mounts removable media for desktop users through polkit, all give ordinary users access. In controlled environments that is a data exfiltration and malware introduction risk.
The most robust permission-based approach is a custom udev rule file, because udev re-applies it every time a node is created:
# Create a new udev rule file
sudo nano /etc/udev/rules.d/99-restrict-removable.rules
# Add these rules:
# For CD-ROM devices
KERNEL=="sr[0-9]*", MODE="0600", OWNER="root", GROUP="root"
# For USB storage devices, including their partitions. Match on ID_BUS (set by
# udev's 60-persistent-storage rules for USB-attached disks and inherited by
# their partitions) rather than on sd[b-z]*: a USB stick is not guaranteed to
# be sdb (on an NVMe system it can be sda) and sd[b-z]* would also catch a
# second internal disk.
SUBSYSTEM=="block", ENV{ID_BUS}=="usb", MODE="0600", OWNER="root", GROUP="root"
# On a desktop, the active console user additionally gets an ACL on optical
# drives through the uaccess tag, which the mode above does not remove. Cancel
# the tag in a file sorted before 73-seat-late.rules, for example
# /etc/udev/rules.d/71-no-cdrom-uaccess.rules:
SUBSYSTEM=="block", ENV{ID_CDROM}=="1", TAG-="uaccess"
After saving, reload udev rules:
sudo udevadm control --reload-rules
sudo udevadm trigger
/etc/fstab controls who may mount a device, not devices that are already mounted. An entry without the user option (nouser is the default) means only root can mount it; user=none is not a valid mount option.
# Example entry for CD-ROM
/dev/sr0 /media/cdrom iso9660 ro,noauto,nouser 0 0
The nouser option prevents non-root users from mounting with mount(8). Desktop users normally mount removable media through udisks2, which runs as root and is governed by polkit rather than by fstab, so deny the org.freedesktop.udisks2.filesystem-mount action in a polkit rule to close that path as well.
To completely disable USB storage at the kernel level, refuse to load both USB storage drivers (usb-storage and uas; uas depends on usb-storage, so a blacklist line alone is not enough):
printf 'install usb-storage /bin/false\nblacklist usb-storage\ninstall uas /bin/false\nblacklist uas\n' | sudo tee /etc/modprobe.d/disable-usb-storage.conf
sudo update-initramfs -u
This takes effect once the modules are unloaded (sudo modprobe -r uas usb-storage, or a reboot). Remember that it blocks root as well.
Create a special group for authorized users:
sudo groupadd mediadev
sudo usermod -aG mediadev alloweduser
# Then change the node that exists now. chmod 0640 gives the group read-only
# access; use 0660 if members must also write or burn. This does not survive
# the next udev add event; for a persistent setting put GROUP="mediadev",
# MODE="0640" in the udev rule above.
sudo chgrp mediadev /dev/sr0
sudo chmod 0640 /dev/sr0
Test the restrictions by attempting to access the device as an unprivileged user. Repeat the test with the account that actually sits at the console, not only nobody, since that account may hold a logind ACL or cdrom group membership that nobody does not:
sudo -u nobody dd if=/dev/sr0 of=/dev/null bs=1 count=1
# Should fail with "dd: failed to open '/dev/sr0': Permission denied"
getfacl /dev/sr0
# Should list no user:<name>: entry for the console user
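Whether that dd fails depends on the mode bits, the group entries and, on a desktop, the ACL and its mask, and people routinely misread the combination. The following is an added example, not from the original page: a small evaluator that applies the POSIX ACL algorithm to getfacl output so you can predict the result for any account before relying on it. The three ACL texts are constructed; the user:alice:rw- entry stands in for what systemd-logind adds for the console user. It models discretionary access only, so root (CAP_DAC_OVERRIDE) is not covered.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: evaluate a POSIX ACL the way the
# kernel does, so getfacl output tells you whether a given account can open
# /dev/sr0. ACL texts below are constructed; user:alice:rw- models the ACL that
# systemd-logind adds for the console user (uaccess tag). DAC only: root and
# CAP_DAC_OVERRIDE ignore all of this.
set -u

# acl_perm ACL_TEXT USER "group1 group2 ..." BIT   (BIT is r, w or x)
# exit 0 if USER, holding those groups, has BIT. Algorithm (POSIX.1e):
#   owner -> user:: entry; named user -> user:NAME & mask; any matching group
#   (owning group or group:NAME) granting BIT & mask -> allow; a group matched
#   but none grants -> deny without falling through; otherwise -> other.
acl_perm() {
  printf '%s\n' "$1" | awk -v user="$2" -v groups="$3" -v bit="$4" '
    function has(p) { return index(p, bit) > 0 }
    /^# owner:/ { owner = $3; next }
    /^# group:/ { ogroup = $3; next }
    /^#/ || NF == 0 { next }
    { sub(/[ \t]*#.*$/, ""); split($0, f, ":"); t = f[1]; q = f[2]; p = f[3] }
    t == "user"  && q == "" { uobj = p }
    t == "user"  && q != "" { unamed[q] = p }
    t == "group" && q == "" { gobj = p }
    t == "group" && q != "" { gnamed[q] = p }
    t == "mask"             { mask = p }
    t == "other"            { other = p }
    END {
      if (mask == "") mask = "rwx"                 # minimal ACL: nothing masked
      if (user == owner) { if (has(uobj)) exit 0; exit 1 }
      if (user in unamed) { if (has(unamed[user]) && has(mask)) exit 0; exit 1 }
      n = split(groups, g, " "); matched = 0
      for (i = 1; i <= n; i++) {
        if (g[i] == ogroup) { matched = 1; if (has(gobj) && has(mask)) exit 0 }
        if (g[i] in gnamed) { matched = 1; if (has(gnamed[g[i]]) && has(mask)) exit 0 }
      }
      if (matched) exit 1
      if (has(other)) exit 0
      exit 1
    }'
}

# Constructed getfacl output for /dev/sr0 on a stock desktop: default
# 0660 root:cdrom plus the logind ACL for console user alice.
ACL_DESKTOP='# file: dev/sr0
# owner: root
# group: cdrom
user::rw-
user:alice:rw-
group::rw-
mask::rw-
other::---'

# The same drive after the 0600 root:root udev rule with the uaccess tag removed.
ACL_HARDENED='# file: dev/sr0
# owner: root
# group: root
user::rw-
group::---
other::---'

# A named-user entry that the mask cuts down to read-only; getfacl marks this
# with "#effective:r--", which the parser strips.
ACL_MASKED='# file: dev/sr0
# owner: root
# group: root
user::rw-
user:alice:rw-    #effective:r--
group::---
mask::r--
other::---'

# who_can_read ACL_TEXT -> verdict for three constructed accounts
who_can_read() {
  local acl=$1 spec u g
  for spec in "alice:alice users" "bob:bob users" "carol:carol cdrom"; do
    u=${spec%%:*}; g=${spec#*:}
    printf '%-6s groups=[%s] read=%s\n' "$u" "$g" "$(acl_perm "$acl" "$u" "$g" r && echo yes || echo no)"
  done
}
echo "desktop:";  who_can_read "$ACL_DESKTOP"
echo "hardened:"; who_can_read "$ACL_HARDENED"
# On a real host: acl_perm "$(getfacl -p /dev/sr0)" alice "$(id -Gn alice)" r
```

On the desktop ACL both alice (named-user entry) and carol (cdrom group) can read the drive although nobody cannot, which is exactly the case the dd test with nobody fails to catch; on the hardened ACL only root remains.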
- Implement USBGuard for more granular USB device control (allow lists by vendor/product ID, serial number and interface class)
- Consider using AppArmor or SELinux for mandatory access control
- Regularly audit device access with auditd
If devices become inaccessible even to root, the cause is not the node's mode bits (root bypasses them) but a deauthorized USB device or a driver that modprobe refuses to load:
# Check current permissions and ownership
ls -l /dev/sd* /dev/sr*
# Check whether the driver is refused or simply not loaded
sudo modprobe -n -v usb-storage
lsmod | grep -E 'usb_storage|uas|sr_mod'
# Check whether a USB device or interface was deauthorized (0 = deauthorized)
grep -H . /sys/bus/usb/devices/*/authorized
# Temporarily restore the Ubuntu default for the optical drive (0660 root:cdrom);
# do not use 644, which makes the drive world-readable
sudo chown root:cdrom /dev/sr0
sudo chmod 660 /dev/sr0