"Mount Blocker" for online safety?[solved]

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#1 Post by greengeek »

Does anyone know if it is possible to make some sort of "Mount Blocker" that would prevent any attempt to mount storage devices?

I'm thinking of a situation where I would be using a live CD for banking purposes - with no intention of creating a savefile - and I wanted to prevent any hacker from mounting hard disks and usb sticks that might be plugged into my system.

So I would load the CD using pfix=ram and somehow have the puppy code modified so that the storage devices would be totally locked out.

Could it be as simple as remastering a puppy so that it had certain items removed permanently from the /dev directory?
Last edited by greengeek on Thu 29 May 2014, 10:18, edited 1 time in total.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#2 Post by mikeb »

hmm there was a huge thread on this subject a while ago.

When you say 'hacker' are you talking about a user in say a cyber cafe or via the internet? As the latter is not really a linux issue.

If someone wanted to mount and is computer savvy I think this is unfeasible.

For less teccy users then you could remove the drive icons/pmount and perhaps say write the mount script to not work in X.
Some fiddling with udev might do the trick too.

mike

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#3 Post by Flash »

If the mount command is removed, is there any other way to access the contents of a drive? Can't dd do it without the mount command? Maybe the only way to guarantee it can't be done is to disconnect anything you don't want read.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#4 Post by mikeb »

Hmm well geek proof becomes pretty impossible... there is busybox mount for example and busybox is used extensively.

If you are dealing with users that find the mount command meaningless then life is easier.

mike

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#5 Post by greengeek »

What generated this question was a request from a Windows user friend of mine who no longer feels secure doing his banking through XP so he wanted to use puppy. He plans to use XP only for his Photoshop stuff and other specific programmes that are unlikely to work on Puppy.

The banking side of things works fine of course, but I started to worry that he could accidentally delete critical files from the XP hard drive - hence the desire to prevent mounting of the storage drives and just use puppy as a live CD - more or less just a browser interface really.

I could remove desktop icons but then I thought maybe there is a better way to do it - which would also prevent a more experienced hacker or Trojan from mounting the drives at all. (Who knows when a Linux trojan might start doing the rounds...).

I will see if I can find that other thread.

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#6 Post by Flash »

I guess the real question is, how many ways are there for malware to go about accessing a storage device?
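
An added example, not part of any post in this thread: the question raised in posts #3 and #6 can be answered from the defender's side by listing which disks the kernel still exposes as device nodes, mounted or not. The function names and the two path arguments are assumptions made for this example; `ro` and `removable` are the standard sysfs attributes under `/sys/block`.

```sh
#!/bin/sh
# Added example: list the disks a live session can still reach through /dev,
# whether or not anything is mounted. Paths default to the real sysfs and
# /proc/mounts; both can be overridden to run against a constructed tree.

audit_block_devices() {
    sysfs=${1:-/sys/block}
    mounts=${2:-/proc/mounts}
    for dev in "$sysfs"/*; do
        [ -d "$dev" ] || continue
        name=${dev##*/}
        # Skip RAM-backed and loop devices (the live system's own layers).
        case $name in
            loop*|ram*|zram*) continue ;;
        esac
        ro=$(cat "$dev/ro" 2>/dev/null || echo '?')
        removable=$(cat "$dev/removable" 2>/dev/null || echo '?')
        if grep -q "^/dev/$name" "$mounts" 2>/dev/null; then
            state=mounted
        else
            state=unmounted
        fi
        # ro=1 is the kernel's read-only flag for the device. Anything else
        # (0, or unreadable) is reported as writable: hiding icons or
        # renaming pmount does not change this flag.
        if [ "$ro" = 1 ]; then
            risk=read-only
        else
            risk=WRITABLE
        fi
        printf '%s %s %s removable=%s\n' "$name" "$risk" "$state" "$removable"
    done
}

# Number of disks that are still writable at the block layer.
count_writable() {
    audit_block_devices "$@" | grep -c ' WRITABLE ' || true
}

# Usage on a live system: audit_block_devices
```

A disk reported as `WRITABLE unmounted` is the case Flash describes: no icon and no mount, yet the device node is still there, which is why physically disconnecting the drive is the only measure in this thread that takes it off the list.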

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#7 Post by mikeb »

Just tell him to stop using IE and outlook express...

mike

actually if he wants tinfoil why not set up vbox for him.... it's what most paranoid windows users do...

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#8 Post by bark_bark_bark »

mikeb wrote:
> Just tell him to stop using IE and outlook express...
>
> mike
>
> actually if he wants tinfoil why not set up vbox for him.... it's what most paranoid windows users do...

If he has a P4, vbox will not work as well as on a newer computer because the P4 doesn't have hardware virtualisation support. vmware player/workstation won't run at all on a P4.

Your best option is to burn puppy to a disc then open the case and disconnect the drives (except for the cd drive) and run it that way. boot from the CD. Do your banking stuff. When it asks if you want to save the session to a savefile, just press no. Reconnect the drives and boot XP.

Don't forget to remove the disc before shutting down.
....

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#9 Post by mikeb »

qemu then with kqemu ...works ok on a pentium 3.....

disconnect the hard drives eh...

mike

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#10 Post by rufwoof »

> I'm thinking of a situation where I would be using a live CD for banking purposes - with no intention of creating a savefile - and I wanted to prevent any hacker from mounting hard disks and usb sticks that might be plugged into my system

If the puppy LiveCD is a pristine new image of the op-sys/gui, and you power off the PC before booting the LiveCD (clear memory) using puppy pfix=ram pmedia=cd, and use a pristine/new version of a browser to go nowhere else other than to the bank's web site, and you've a router firewall and puppy firewall both running, and you power off/reboot afterwards (not saving) - then any hacker has EXTREMELY limited means to potentially 'break-in'.

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#11 Post by slavvo67 »

It sounds to me that all you're really looking to do is have the drives mount as read only. Wouldn't that prevent your friend from writing or downloading something bad to a drive?

Couldn't a read-only mount script get loaded at startup? I have a script that mounts all drives as read-only but I manually execute it. Probably something that unmounts all drives and remounts all as read-only ...

Oh, and better make sure the puppy he's using has an updated openssl version to protect from the Heartbleed.

To check, go to terminal and type: openssl version

I believe 1.0.1 and 1.0.1f are the ones with issues.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#12 Post by greengeek »

slavvo67 wrote:
> It sounds to me that all you're really looking to do is have the drives mount as read only. Wouldn't that prevent your friend from writing or downloading something bad to a drive? Couldn't a read-only mount script get loaded at startup? I have a script that mounts all drives as read-only but I manually execute it. Probably something that unmounts all drives and remounts all as read-only

Thanks - yes, that is a good possibility, although I would really like to ensure all gui icons are removed so no mounting takes place at all. I'm almost there but not quite...

I've decided it is beyond the scope of my expertise to totally lock out 'mounting by hacker' so I will settle for making it hard (or preferably impossible) for a novice user to accidentally mount their Windows or any other partition while using this live pup for banking etc.

I can't expect to remove all dangers posed by access to the cli, but I have renamed pmount to pmounter (so it can't be activated from currently configured gui icons etc) and I want to remove any other gui based access point I can find that such a user might click on and jeopardise their pre-existing data.

I have got rid of the desktop icons for drives/partitions by modifying the following settings in the /etc/eventmanager file:

HOTPLUGON=false
ICONDESK=false
ICONPARTITIONS=false
HOTPLUGNOISY=false
FD0ICON=false

I also changed this setting to true:
AUTOUNMOUNT=true

This is ok so far, but it seems that when the desktop icons are removed, Puppy reverts to a behaviour that apparently existed "pre Puppy 4" where it places an icon labelled "Drives" on the desktop as a replacement for the individual drive icons. Clicking this "Drives" icon starts pmount. Obviously with pmount disabled clicking this icon does nothing (which is good) but I want to go one step further by removing the icon.

The icon is defined in the file /root/Choices/ROX-Filer/PuppyPin as follows:

```xml
 <icon x="160" y="32" label="drives" args="any 0">/root/.pup_event/drive_drives</icon>
```

Does anyone know where I can find the actual code that writes the 'drives' icon definition into this PuppyPin file?

I have found some code that refers to it in /sbin/clean_desk_icons but I don't think that does the writing of the icon definition. Lines 30-36 are as follows:

```sh
#remove all invalid drive icons off desktop...
echo -n "" > /tmp/pup_event_ok_pin
if [ "$ICONDESK" = "false" ];then
 #leave single 'drives' icon on desktop...
 grep '/root/.pup_event/drive_drives' /root/Choices/ROX-Filer/PuppyPin >> /tmp/pup_event_ok_pin
 rm -rf /root/.pup_event/drive_[^d]* 2>/dev/null #delete all except drive_drives.
else
```

English words I can read, but asterisks and carets slow me down a lot :-)

RSH
Posts: 2397
Joined: Mon 05 Sep 2011, 14:21
Location: Germany

#13 Post by RSH »

All I do know is that the drive icons are created by /sbin/pup_event_frontend_d.

This is sometimes a full script (like in Lucid) and sometimes a short script just to execute /usr/local/pup_event/pup_event_frontend_d, which then is (as far as I know) a binary, that calls/uses /usr/local/pup_event/frontend_funcs - this contains the code then.

In this case the script /usr/local/pup_event/frontend_startup seems to have the needed code section:

```sh
if [ "$ICONDESK" = "false" ];then
 #only show a single 'drives' icon on desktop...
 DRV_NAME='drives'
 DRV_CATEGORY='any' #see pmount.
 DRV_DESCRIPTION="all drives"
 create_icon_func #needs DRV_NAME, DRV_CATEGORY, DRV_DESCRIPTION.
else
 #show all drives on desktop... w476 add ext4... 130216 add f2fs...
 PROBEPART="`probepart -k | grep -E '\|f2fs\||\|ext4\||\|ntfs\||\|msdos\||\|vfat\||\|ext2\||\|ext3\||\|iso9660\||\|udf\||\|audiocd\||\|xfs\||\|reiser'`"
 if [ "$FD0ICON" = "true" ];then #see /etc/eventmanager
  if [ -e /sys/block/fd0 ];then
   PROBEDISK="/dev/fd0|floppy|Legacy floppy drive
$PROBEDISK"
   PROBEPART="/dev/fd0|vfat|1440
$PROBEPART"
  fi
 fi
 for ONEDRV in `echo "$PROBEDISK" | cut -f 1,2,3 -d '|' | tr ' ' '_' | tr '\n' ' '`
 do
  DRV_NAME="`echo -n "$ONEDRV" | cut -f 1 -d '|' | cut -f 3 -d '/'`"
  DRV_CATEGORY="`echo -n "$ONEDRV" | cut -f 2 -d '|'`"
  DRV_DESCRIPTION="`echo -n "$ONEDRV" | cut -f 3 -d '|' | tr '_' ' '`"
  [ "`echo "$PROBEPART" | grep "$DRV_NAME"`" = "" ] && continue #precaution (such as CD not inserted).
  create_icon_func startup #needs DRV_NAME, DRV_CATEGORY, DRV_DESCRIPTION, PROBEPART.
 done
fi
```

Function create_icon_func seems to do the job, and this function exists in /usr/local/pup_event/frontend_funcs.

Hope that will help somehow...

RSH
Posts: 2397
Joined: Mon 05 Sep 2011, 14:21
Location: Germany

#14 Post by RSH »

Ok.

Made a quick mod and test.

Commented out these lines (from section shown in post above):

```sh
DRV_NAME='drives'
DRV_CATEGORY='any' #see pmount.
DRV_DESCRIPTION="all drives"
create_icon_func #needs DRV_NAME, DRV_CATEGORY, DRV_DESCRIPTION.
```

Added to these lines the following command (just to have a command before else):

```sh
echo "disabled drive icons"
```

So it looks like this:

```sh
#DRV_NAME='drives'
#DRV_CATEGORY='any' #see pmount.
#DRV_DESCRIPTION="all drives"
#create_icon_func #needs DRV_NAME, DRV_CATEGORY, DRV_DESCRIPTION.
echo "disabled drive icons"
```

Made the needed settings to the event manager and restarted X.

No drive icons at all!
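
An added example, not code from any poster or from Puppy itself: one way to confirm that the GUI lockdown assembled in posts #12 to #14 is actually in place on a remastered tree. The function name `check_lockdown` and its three arguments are assumptions made for this example; the setting names, the PuppyPin path and the `.pup_event/drive_` icon target are taken from the posts above.

```sh
#!/bin/sh
# Added example: verify the GUI lockdown described in posts #12-#14.
# Arguments override the live paths so a remaster tree can be checked.

# Values as listed in post #12.
EXPECTED='HOTPLUGON=false ICONDESK=false ICONPARTITIONS=false
HOTPLUGNOISY=false FD0ICON=false AUTOUNMOUNT=true'

check_lockdown() {
    evm=${1:-/etc/eventmanager}
    pin=${2:-/root/Choices/ROX-Filer/PuppyPin}
    dirs=${3:-$PATH}    # colon-separated directories searched for pmount
    fails=0
    for want in $EXPECTED; do
        key=${want%%=*}
        # Take the last assignment, as a shell sourcing the file would.
        got=$(sed -n "s/^$key=//p" "$evm" 2>/dev/null | tail -n 1 | tr -d "\"'")
        if [ "$key=$got" != "$want" ]; then
            echo "FAIL $key is '${got:-unset}', want ${want#*=}"
            fails=$((fails + 1))
        fi
    done
    # Any pinned .pup_event/drive_* entry is a clickable route to pmount.
    if grep -q '\.pup_event/drive_' "$pin" 2>/dev/null; then
        echo "FAIL drive icon still pinned in $pin"
        fails=$((fails + 1))
    fi
    # pmount was renamed in post #12; an executable under the old name
    # anywhere on the search path undoes that.
    old_ifs=$IFS; IFS=:
    for d in $dirs; do
        if [ -x "$d/pmount" ]; then
            echo "FAIL $d/pmount is still executable"
            fails=$((fails + 1))
        fi
    done
    IFS=$old_ifs
    echo "$fails problem(s)"
    [ "$fails" -eq 0 ]
}
```

A clean result only covers the clickable routes a novice user would find; as posts #3 and #4 point out, `mount`, busybox `mount` and direct reads of the device node are untouched by these settings.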

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#15 Post by greengeek »

Many thanks RSH - that seems to work perfectly!
cheers.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#16 Post by greengeek »

Thanks for the help with these ideas guys - this thread led on to my "BanksyPup" for banking and for ex Windows users as a puppy sampler...
http://murga-linux.com/puppy/viewtopic.php?t=93968
