Thorough disabling of USB auto-run on Debian

Discussion in 'all things UNIX' started by Palancar, Dec 22, 2015.

  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    I am looking for ideas/methods to be CERTAIN that USB auto-run is disabled on Debian. Some of my activities require transfer of data (small file size but critically important to me) from online computers to "offline" machines. Yes, I do what I can to inspect stuff and try to run scans galore before approaching the "offline" computer. Fortunately there is NO windows involved and only Debian systems on all the computers.

    Should I fail and malware hides on my flash media, at least having auto-run disabled removes a significant attack vector. It's interesting how many ideas are floating around out there.

    I have been using optical drives/CDR (write once) mode and then destroying the media after transfer but it's a bit wasteful. LOL!!

    I just wanted to be sure about this so I thought I would check here. Openly, some of you guys are at a point beyond me with Debian. Trust me, I am studying and learning this pretty quickly. This particular function is very important so I want to be certain. Please chime in.



    ps - these are very small usb devices (< 100 meg custom ordered) which are forensically wiped after any and all transfers.
     
    Last edited: Dec 22, 2015
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Edit /etc/fstab as root, and delete the line that starts "/dev/sr0". Now only root can mount it.
     
  3. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Mirimir, thanks

    So let me just paste the line here and continue my thoughts. Here is that line in the VM I am currently using --- sudo gedit /etc/fstab. I could easily # out the line pasted below, which would take it out of the picture.

    /dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0

    example ------#/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0


    So let me describe what I am wanting. If I then mount the USB in the future what I am wanting is that no exe/file on that USB will auto run at that instant. In other words, is there a way to mount a USB and yet REQUIRE sudo or a manual CLICK to open any file or exe on the flash? No hidden exe/malware can auto run?

    In the case of an infected flash (pretty unlikely with pure linux but possible) I could only mount/run a specific file which is clicked on or sudo commanded?

    I am just examining my possibilities here. Maybe have USBs only open in a sandbox (firejail), and I would manually move anything out to the system?

    Am I going down a "rabbit hole" that I should just ignore?
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    This mount command won't allow anything to execute:

    mount -o noexec /dev/sr0 /media/cdrom0
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Continuing on then. Say a command such as above is added keeping anything from executing. Now, could I add a switch or command line that will allow e.g. a specific file named transfer.xxx to open/mount and ONLY that file-name would ever be allowed? The file name would be very creative and unique.

    I hope you are visualizing what I am trying to do. Use a USB (only between 2 physically different Debian OS computers) and transfer data where only a specifically named file would ever be allowed to mount/execute on the usb of the offline machine. I could care less about the online machine. My file will be sha512sum'd on the offline computer verifying it matches the online computer's sha512sum. After that I can do what I want with it on the offline machine thereby knowing it's fine and no other "tag along" files have "hitch hiked" aboard the offline system. That's the goal anyway. Might be kind of aggressive but I enjoy learning stuff like this.


    If this isn't do-able I may have to pursue firejail of the usb.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Is there any need to execute anything?

    If you mount the USB with noexec, I'm pretty sure that nothing will happen with any files on it except for what you do.
     
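    The noexec mount and the "only one named, hash-checked file" workflow from the two posts above, as an added example (not code from anyone in the thread): a check that the media is really mounted with noexec,nosuid,nodev, plus a copy routine that takes exactly one expected file off the stick only if its sha512 matches. The mount point /media/usb0, the device /dev/sdb1 and the file name transfer.xxx are assumptions; the /proc/mounts sample is constructed.

```shell
#!/bin/sh
# Added example for the thread above, not from the original posters.
# Hypothetical hardened fstab line for the stick (add as root). 'user' lets a
# normal user mount it and already implies noexec,nosuid,nodev in mount(8);
# listing them anyway documents intent and survives later option edits:
#   /dev/sdb1  /media/usb0  vfat  user,noauto,noexec,nosuid,nodev  0 0

# mount_has_opts MOUNTS_TEXT MOUNTPOINT OPT1,OPT2,...
# MOUNTS_TEXT is in /proc/mounts format (dev mountpoint fstype opts ...).
# Succeeds only if the entry for MOUNTPOINT carries every listed option.
mount_has_opts() {
    opts=$(printf '%s\n' "$1" | awk -v m="$2" '$2 == m { print $4; exit }')
    [ -n "$opts" ] || return 1          # not mounted at all
    for o in $(printf '%s' "$3" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;                # option present
            *) return 1 ;;              # option missing
        esac
    done
    return 0
}

# safe_copy SRC_DIR NAME EXPECTED_SHA512 DEST_DIR
# Copies SRC_DIR/NAME to DEST_DIR only when it is a regular file whose digest
# matches the one computed on the online machine; nothing else on the media
# is read or copied. Returns 1 if missing, 2 on digest mismatch.
safe_copy() {
    src="$1/$2"
    [ -f "$src" ] || return 1
    actual=$(sha512sum -- "$src" | cut -d' ' -f1)
    [ "$actual" = "$3" ] || return 2
    cp -- "$src" "$4/$2"
}

# Constructed /proc/mounts sample: usb0 is hardened, usb1 lacks noexec.
SAMPLE_MOUNTS='/dev/sdb1 /media/usb0 vfat rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /media/usb1 vfat rw,nosuid,nodev,relatime 0 0'

# Live use on the offline machine (EXPECTED is the sha512 from the online box):
#   mount_has_opts "$(cat /proc/mounts)" /media/usb0 noexec,nosuid,nodev \
#     && safe_copy /media/usb0 transfer.xxx "$EXPECTED" "$HOME/inbox"
```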
  7. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    This leaves me feeling a little better. BUT --- > I have been thinking this process through, contrasted with doing the transfers using CDR's. I am not alone on this project, just alone here at Wilder's. The hard core, totally over the top, tin foil hat types are pretty set in their ways with CDRs. Arguably, there is no firmware resident on an optical disk and so no attack surface. There is no denying that malware at the firmware level on a usb is a possibility, while currently rare. Plus it comes down to do I trust the usb mfg's to not have designed access?

    Thanks.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Well, there could be backdoors in CDR drive firmware ;) And it could interact with hidden code on CDs.

    Maybe instead use SD cards? But then, they contain hackable ARM CPUs ;)

    So maybe CDR is really the safest option.
     