目前，我经常在硬盘与磁盘映像之间互相复制。这些硬盘通常通过 USB 连接。
通常，普通用户无法写入块设备，因此我以 root 身份执行所有操作。我担心有一天我本想写入 /dev/sds，却错误地写入了 /dev/sda。
有没有办法让 GNU/Linux 对 /dev/sda 进行“写保护”？或者，是否有办法允许 usbwriters 组中的用户写入所有 USB 块设备？
我可以轻松列出我想要写保护的块设备。但是，我无法列出我想要写入的设备，因为它们通常是通过 USB 临时连接的。
以下是其中一台设备的 udev 输出:
# /sbin/udevadm info -a -p $(/sbin/udevadm info -q path -n /dev/sdn)
Udevadm info starts with the device specified by the devpath and then
walks up the chain of parent devices. It prints for every device
found, all possible attributes in the udev rules key format.
A rule to match, can be composed by the attributes of the device
and the attributes from one single parent device.
looking at device '/devices/pci0000:00/0000:00:14.0/usb3/3-1/3-1:1.0/host16/target16:0:0/16:0:0:1/block/sdn':
KERNEL=="sdn"
SUBSYSTEM=="block"
DRIVER==""
ATTR{alignment_offset}=="0"
ATTR{capability}=="d1"
ATTR{discard_alignment}=="0"
ATTR{events}=="media_change"
ATTR{events_async}==""
ATTR{events_poll_msecs}=="-1"
ATTR{ext_range}=="256"
ATTR{hidden}=="0"
ATTR{inflight}==" 0 0"
ATTR{range}=="16"
ATTR{removable}=="1"
ATTR{ro}=="0"
ATTR{size}=="13563904"
ATTR{stat}==" 77 0 4168 224 0 0 0 0 0 140 224"
looking at parent device '/devices/pci0000:00/0000:00:14.0/usb3/3-1/3-1:1.0/host16/target16:0:0/16:0:0:1':
KERNELS=="16:0:0:1"
SUBSYSTEMS=="scsi"
DRIVERS=="sd"
ATTRS{blacklist}=="FORCELUN"
ATTRS{device_blocked}=="0"
ATTRS{device_busy}=="0"
ATTRS{dh_state}=="detached"
ATTRS{eh_timeout}=="10"
ATTRS{evt_capacity_change_reported}=="0"
ATTRS{evt_inquiry_change_reported}=="0"
ATTRS{evt_lun_change_reported}=="0"
ATTRS{evt_media_change}=="0"
ATTRS{evt_mode_parameter_change_reported}=="0"
ATTRS{evt_soft_threshold_reached}=="0"
ATTRS{inquiry}==""
ATTRS{iocounterbits}=="32"
ATTRS{iodone_cnt}=="0x81"
ATTRS{ioerr_cnt}=="0x1"
ATTRS{iorequest_cnt}=="0x81"
ATTRS{max_sectors}=="240"
ATTRS{model}=="USB Flash Disk "
ATTRS{queue_depth}=="1"
ATTRS{queue_type}=="none"
ATTRS{rev}=="1100"
ATTRS{scsi_level}=="5"
ATTRS{state}=="running"
ATTRS{timeout}=="30"
ATTRS{type}=="0"
ATTRS{vendor}=="General "
looking at parent device '/devices/pci0000:00/0000:00:14.0/usb3/3-1/3-1:1.0/host16/target16:0:0':
KERNELS=="target16:0:0"
SUBSYSTEMS=="scsi"
DRIVERS==""
looking at parent device '/devices/pci0000:00/0000:00:14.0/usb3/3-1/3-1:1.0/host16':
KERNELS=="host16"
SUBSYSTEMS=="scsi"
DRIVERS==""
looking at parent device '/devices/pci0000:00/0000:00:14.0/usb3/3-1/3-1:1.0':
KERNELS=="3-1:1.0"
SUBSYSTEMS=="usb"
DRIVERS=="usb-storage"
ATTRS{authorized}=="1"
ATTRS{bAlternateSetting}==" 0"
ATTRS{bInterfaceClass}=="08"
ATTRS{bInterfaceNumber}=="00"
ATTRS{bInterfaceProtocol}=="50"
ATTRS{bInterfaceSubClass}=="06"
ATTRS{bNumEndpoints}=="02"
ATTRS{supports_autosuspend}=="1"
looking at parent device '/devices/pci0000:00/0000:00:14.0/usb3/3-1':
KERNELS=="3-1"
SUBSYSTEMS=="usb"
DRIVERS=="usb"
ATTRS{authorized}=="1"
ATTRS{avoid_reset_quirk}=="0"
ATTRS{bConfigurationValue}=="1"
ATTRS{bDeviceClass}=="00"
ATTRS{bDeviceProtocol}=="00"
ATTRS{bDeviceSubClass}=="00"
ATTRS{bMaxPacketSize0}=="64"
ATTRS{bMaxPower}=="300mA"
ATTRS{bNumConfigurations}=="1"
ATTRS{bNumInterfaces}==" 1"
ATTRS{bcdDevice}=="1100"
ATTRS{bmAttributes}=="80"
ATTRS{busnum}=="3"
ATTRS{configuration}==""
ATTRS{devnum}=="29"
ATTRS{devpath}=="1"
ATTRS{idProduct}=="1000"
ATTRS{idVendor}=="090c"
ATTRS{ltm_capable}=="no"
ATTRS{manufacturer}=="General"
ATTRS{maxchild}=="0"
ATTRS{product}=="USB Flash Disk"
ATTRS{quirks}=="0x0"
ATTRS{removable}=="removable"
ATTRS{serial}=="FBK1611110100145"
ATTRS{speed}=="480"
ATTRS{urbnum}=="981"
ATTRS{version}==" 2.00"
looking at parent device '/devices/pci0000:00/0000:00:14.0/usb3':
KERNELS=="usb3"
SUBSYSTEMS=="usb"
DRIVERS=="usb"
ATTRS{authorized}=="1"
ATTRS{authorized_default}=="1"
ATTRS{avoid_reset_quirk}=="0"
ATTRS{bConfigurationValue}=="1"
ATTRS{bDeviceClass}=="09"
ATTRS{bDeviceProtocol}=="01"
ATTRS{bDeviceSubClass}=="00"
ATTRS{bMaxPacketSize0}=="64"
ATTRS{bMaxPower}=="0mA"
ATTRS{bNumConfigurations}=="1"
ATTRS{bNumInterfaces}==" 1"
ATTRS{bcdDevice}=="0415"
ATTRS{bmAttributes}=="e0"
ATTRS{busnum}=="3"
ATTRS{configuration}==""
ATTRS{devnum}=="1"
ATTRS{devpath}=="0"
ATTRS{idProduct}=="0002"
ATTRS{idVendor}=="1d6b"
ATTRS{interface_authorized_default}=="1"
ATTRS{ltm_capable}=="no"
ATTRS{manufacturer}=="Linux 4.15.0-96-generic xhci-hcd"
ATTRS{maxchild}=="4"
ATTRS{product}=="xHCI Host Controller"
ATTRS{quirks}=="0x0"
ATTRS{removable}=="unknown"
ATTRS{serial}=="0000:00:14.0"
ATTRS{speed}=="480"
ATTRS{urbnum}=="918"
ATTRS{version}==" 2.00"
looking at parent device '/devices/pci0000:00/0000:00:14.0':
KERNELS=="0000:00:14.0"
SUBSYSTEMS=="pci"
DRIVERS=="xhci_hcd"
ATTRS{broken_parity_status}=="0"
ATTRS{class}=="0x0c0330"
ATTRS{consistent_dma_mask_bits}=="64"
ATTRS{d3cold_allowed}=="1"
ATTRS{device}=="0x1e31"
ATTRS{dma_mask_bits}=="64"
ATTRS{driver_override}=="(null)"
ATTRS{enable}=="1"
ATTRS{irq}=="24"
ATTRS{local_cpulist}=="0-7"
ATTRS{local_cpus}=="ff"
ATTRS{msi_bus}=="1"
ATTRS{numa_node}=="-1"
ATTRS{revision}=="0x04"
ATTRS{subsystem_device}=="0x0686"
ATTRS{subsystem_vendor}=="0x1025"
ATTRS{vendor}=="0x8086"
looking at parent device '/devices/pci0000:00':
KERNELS=="pci0000:00"
SUBSYSTEMS==""
DRIVERS==""
答案1
我不会尝试阻止 root 写入设备，而是使用下面的 udev 规则，确保可移动 USB 设备的节点可由 usbwriters 组写入：
# Matches sd* block nodes whose disk reports removable=1 (see ATTR{removable} in
# the udevadm output above) and whose parent chain contains a USB device.
# MODE="660" grants read/write to the owner (root) and the group only, nothing to
# others; GROUP="usbwriters" therefore hands raw block-level write access to every
# member of that group. NOTE(review): this rule only widens access to matching USB
# devices; it does not restrict what root can do to internal disks such as /dev/sda.
KERNEL=="sd[a-z]*", ATTR{removable}=="1", SUBSYSTEMS=="usb", MODE="660", GROUP="usbwriters"
将其添加到 /etc/udev/rules.d 下的某个文件中（我用的是一个名为 01-local.rules 的本地规则文件），然后把你自己加入该组。
答案2
解决方案是将下面这一行添加到 /etc/udev/rules.d/99-local.rules：
# Same shape as the usbwriters rule but without ATTR{removable}=="1": the only
# remaining conditions are the sd* name and a USB device in the parent chain, so
# partition nodes (e.g. /dev/sdn1) match as well — the intended effect — and so
# does any USB-attached sd* device regardless of its removable flag.
# MODE="660" gives root and the plugdev group read/write, others nothing; every
# plugdev member can thus write raw blocks to any matching USB device.
# Named 99-local so it runs after the distribution's 50-* rules, which would
# otherwise override the GROUP= setting (verify with udevadm test, as noted below).
KERNEL=="sd[a-z]*", SUBSYSTEMS=="usb", MODE="660", GROUP="plugdev"
与 @StephenKitt 的答案相比，变化有两点：
- 删除了 ATTR{removable}=="1"。如果保留 ATTR{removable}=="1"，分区节点（如 /dev/sdn1）不会被该规则匹配到，因而不受影响。
- 文件名使用 99-local... 而不是 01-local...，否则 GROUP 设置会被 50-... 规则覆盖。
（`udevadm test $(udevadm info -q path -n /dev/sdn)` 对于排查这个问题绝对至关重要。感谢 @StephenKitt。）