"Mount Blocker" for online safety?[solved]
Does anyone know if it is possible to make some sort of "Mount Blocker" that would prevent any attempt to mount storage devices?
I'm thinking of a situation where I would be using a live CD for banking purposes - with no intention of creating a savefile - and I wanted to prevent any hacker from mounting hard disks and usb sticks that might be plugged into my system.
So I would load the CD using pfix=ram and somehow have the puppy code modified so that the storage devices would be totally locked out.
Could it be as simple as remastering a puppy so that it had certain items removed permanently from the /dev directory?
Last edited by greengeek on Thu 29 May 2014, 10:18, edited 1 time in total.
hmm there was a huge thread on this subject a while ago.
When you say 'hacker' are you talking about a user in say a cyber cafe or via the internet as the latter is not really a linux issue.
If someone wanted to mount and is computer savvy I think this is unfeasible.
For less teccy users then you could remove the drive icons/pmount and perhaps say write the mount script to not work in X.
Some fiddling with udev might do the trick too.
mike
What generated this question was a request from a Windows user friend of mine who no longer feels secure doing his banking through XP so he wanted to use puppy. He plans to use XP only for his Photoshop stuff and other specific programmes that are unlikely to work on Puppy.
The banking side of things works fine of course, but I started to worry that he could accidentally delete critical files from the XP hard drive - hence the desire to prevent mounting of the storage drives and just use puppy as a live CD - more or less just a browser interface really.
I could remove desktop icons but then I thought maybe there is a better way to do it - which would also prevent a more experienced hacker or Trojan from mounting the drives at all. (Who knows when a Linux trojan might start doing the rounds...).
I will see if I can find that other thread.
mikeb wrote: Just tell him to stop using IE and outlook express...
mike
actually if he wants tinfoil why not set up vbox for him.... its what most paranoid windows users do...

if he has a P4, vbox will not work as well as on a newer computer because the P4 doesn't have hardware virtualisation support. vmware player/workstation won't run at all on a P4.
Your best option is to burn puppy to a disc then open the case and disconnect the drives (except for the cd drive) and run it that way. boot from the CD. Do your banking stuff. When it asks if you want to save the session to a savefile, just press no. Reconnect the drives and boot XP.
Don't forget to remove the disc before shutting down.
....
Quote: I'm thinking of a situation where I would be using a live CD for banking purposes - with no intention of creating a savefile - and I wanted to prevent any hacker from mounting hard disks and usb sticks that might be plugged into my system

If the puppy LiveCD is a pristine new image of the op-sys/gui, and you power off the PC before booting the LiveCD (clear memory) using puppy pfix=ram pmedia=cd, and use a pristine/new version of a browser to go nowhere else other than to the bank's web site, and you've a router firewall and puppy firewall both running, and you power off/reboot afterwards (not saving) - then any hacker has EXTREMELY limited means to potentially 'break-in'.
It sounds to me that all you're really looking to do is have the drives mount as read only. Wouldn't that prevent your friend from writing or downloading something bad to a drive?
Couldn't a read-only mount script get loaded at startup? I have a script that mounts all drives as read-only but I manually execute it. Probably something that unmounts all drives and remounts all as read-only ...
Oh, and better make sure the puppy he's using has an updated openssl version to protect from the Heartbleed.
To check, go to terminal and type: openssl version
I believe 1.0.1 and 1.0.1f are the ones with issues.
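
The read-only idea from the post above, sketched as a startup script (an added example, not slavvo67's script and not Puppy code). It assumes the script runs as root, that `blockdev` (util-linux or busybox) is present, and that the disks to protect are named sd*, hd*, mmcblk* or nvme*; the sample mount table is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes root and an available blockdev.

DISK_RE='^(sd|hd|mmcblk|nvme)'   # internal/USB disks; sr0 (the live CD) is left alone

# Disk and partition nodes listed in a /proc/partitions-format file.
disk_nodes() {
    awk -v re="$DISK_RE" '$4 ~ re { print "/dev/" $4 }' "${1:-/proc/partitions}"
}

# Mount points (still \040-escaped) of disks mounted read-write,
# read from a /proc/mounts-format file ("-" means stdin).
rw_disk_mounts() {
    awk -v re="$DISK_RE" '{
        dev = $1; if (sub(/^\/dev\//, "", dev) == 0 || dev !~ re) next
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) if (opt[i] == "rw") { print $2; next }
    }' "${1:-/proc/mounts}"
}

# Remount anything already mounted rw, then mark every disk node read-only
# in the kernel so a later mount cannot write to it, then verify.
lock_disks() {
    rw_disk_mounts | while IFS= read -r mp; do
        mount -o remount,ro "$(printf '%b' "$mp")"
    done
    for dev in $(disk_nodes); do
        blockdev --setro "$dev" || echo "could not lock $dev" >&2
    done
    left=$(rw_disk_mounts)
    [ -z "$left" ] || { echo "still writable: $left" >&2; return 1; }
}

# Constructed sample data for trying the parser without touching real disks:
#   sample_mounts | rw_disk_mounts -
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/sr0 /mnt/sr0 iso9660 ro 0 0
/dev/sda1 /mnt/sda1 ntfs rw,relatime 0 0
/dev/sdb1 /mnt/sdb1 vfat ro,relatime 0 0
/dev/sda2 /mnt/my\040data ext4 rw,noatime 0 0
EOF
}

if [ "${1:-}" = "--apply" ]; then lock_disks; fi
```

Run with `--apply` from a startup script; a non-zero exit means some mount could not be switched to read-only and should be unmounted instead.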
slavvo67 wrote: It sounds to me that all you're really looking to do is have the drives mount as read only. Wouldn't that prevent your friend from writing or downloading something bad to a drive? Couldn't a read-only mount script get loaded at startup? I have a script that mounts all drives as read-only but I manually execute it. Probably something that unmounts all drives and remounts all as read-only

Thanks - yes, that is a good possibility, although I would really like to ensure all gui icons are removed so no mounting takes place at all. I'm almost there but not quite...
I've decided it is beyond the scope of my expertise to totally lock out 'mounting by hacker' so I will settle for making it hard (or preferably impossible) for a novice user to accidentally mount their Windows or any other partition while using this live pup for banking etc.
I can't expect to remove all dangers posed by access to the cli, but I have renamed pmount to pmounter (so it can't be activated from currently configured gui icons etc) and I want to remove any other gui based access point I can find that such a user might click on and jeopardise their pre-existing data.
I have got rid of the desktop icons for drives/partitions by modifying the following settings in the /etc/eventmanager file:
HOTPLUGON=false
ICONDESK=false
ICONPARTITIONS=false
HOTPLUGNOISY=false
FD0ICON=false
I also changed this setting to true:
AUTOUNMOUNT=true
This is ok so far, but it seems that when the desktop icons are removed, Puppy reverts to a behaviour that apparently existed "pre Puppy 4" where it places an icon labelled "Drives" on the desktop as a replacement for the individual drive icons. Clicking this "Drives" icon starts pmount. Obviously with pmount disabled clicking this icon does nothing (which is good) but I want to go one step further by removing the icon.
The icon is defined in the file /root/Choices/Rox_Filer/PuppyPin as follows:
Code:
<icon x="160" y="32" label="drives" args="any 0">/root/.pup_event/drive_drives</icon>

I have found some code that refers to it in /sbin/clean_desk_icons but I don't think that does the writing of the icon definition. Lines 30-36 are as follows:
Code:
#remove all invalid drive icons off desktop...
echo -n "" > /tmp/pup_event_ok_pin
if [ "$ICONDESK" = "false" ];then
 #leave single 'drives' icon on desktop...
 grep '/root/.pup_event/drive_drives' /root/Choices/ROX-Filer/PuppyPin >> /tmp/pup_event_ok_pin
 rm -rf /root/.pup_event/drive_[^d]* 2>/dev/null #delete all except drive_drives.
else
All I do know is that the drive icons are created by /sbin/pup_event_frontend_d.
This is sometimes a full script (like in Lucid) and sometimes a short script just to execute /usr/local/pup_event/pup_event_frontend_d, which then is (as far as I know) a binary, that calls/uses /usr/local/pup_event/frontend_funcs - this contains the code then.
In this case the script /usr/local/pup_event/frontend_startup seems to have the needed code section:
Code:
if [ "$ICONDESK" = "false" ];then
 #only show a single 'drives' icon on desktop...
 DRV_NAME='drives'
 DRV_CATEGORY='any' #see pmount.
 DRV_DESCRIPTION="all drives"
 create_icon_func #needs DRV_NAME, DRV_CATEGORY, DRV_DESCRIPTION.
else
 #show all drives on desktop... w476 add ext4... 130216 add f2fs...
 PROBEPART="`probepart -k | grep -E '\|f2fs\||\|ext4\||\|ntfs\||\|msdos\||\|vfat\||\|ext2\||\|ext3\||\|iso9660\||\|udf\||\|audiocd\||\|xfs\||\|reiser'`"
 if [ "$FD0ICON" = "true" ];then #see /etc/eventmanager
  if [ -e /sys/block/fd0 ];then
   PROBEDISK="/dev/fd0|floppy|Legacy floppy drive
$PROBEDISK"
   PROBEPART="/dev/fd0|vfat|1440
$PROBEPART"
  fi
 fi
 for ONEDRV in `echo "$PROBEDISK" | cut -f 1,2,3 -d '|' | tr ' ' '_' | tr '\n' ' '`
 do
  DRV_NAME="`echo -n "$ONEDRV" | cut -f 1 -d '|' | cut -f 3 -d '/'`"
  DRV_CATEGORY="`echo -n "$ONEDRV" | cut -f 2 -d '|'`"
  DRV_DESCRIPTION="`echo -n "$ONEDRV" | cut -f 3 -d '|' | tr '_' ' '`"
  [ "`echo "$PROBEPART" | grep "$DRV_NAME"`" = "" ] && continue #precaution (such as CD not inserted).
  create_icon_func startup #needs DRV_NAME, DRV_CATEGORY, DRV_DESCRIPTION, PROBEPART.
 done
fi

Function create_icon_func seems to do the job and this function exists in /usr/local/pup_event/frontend_funcs.
Hope that will help somehow...
[b][url=http://lazy-puppy.weebly.com]LazY Puppy[/url][/b]
[b][url=http://rshs-dna.weebly.com]RSH's DNA[/url][/b]
[url=http://murga-linux.com/puppy/viewtopic.php?t=91422][b]SARA B.[/b][/url]
Ok.
Made a quick mod and test.
Commented out these lines (from section shown in post above):
Code:
DRV_NAME='drives'
DRV_CATEGORY='any' #see pmount.
DRV_DESCRIPTION="all drives"
create_icon_func #needs DRV_NAME, DRV_CATEGORY, DRV_DESCRIPTION.

Added to these lines the following command (just to have a command before else):
Code:
echo "disabled drive icons"

So it looks like this:
Code:
#DRV_NAME='drives'
#DRV_CATEGORY='any' #see pmount.
#DRV_DESCRIPTION="all drives"
#create_icon_func #needs DRV_NAME, DRV_CATEGORY, DRV_DESCRIPTION.
echo "disabled drive icons"

Made the needed settings to the event manager and restarted X.
No drive icons at all!
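
A check that the GUI lockdown described in the posts above is actually in place, for a remaster directory or for / on the running live system (an added example, not code from the thread or from Puppy). The setting values are the ones posted above and the PuppyPin path is the one in the clean_desk_icons excerpt; the `/usr/sbin` location in the sample tree is an assumption, and the sample tree itself is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Puppy root tree for the
# eventmanager settings, the pmount rename and the removed "drives" icon.

# Settings and values as posted in the thread.
WANTED='HOTPLUGON=false ICONDESK=false ICONPARTITIONS=false
HOTPLUGNOISY=false FD0ICON=false AUTOUNMOUNT=true'

# Last value assigned to KEY ($2) in shell-style config file $1, quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Print one line per finding for the tree at $1; return 1 if there is any.
audit_gui_lockdown() {
    root=${1%/}; bad=0
    for kv in $WANTED; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(conf_value "$root/etc/eventmanager" "$key" 2>/dev/null)
        [ "$got" = "$want" ] || { echo "eventmanager: $key='$got', want $want"; bad=1; }
    done
    # pmount must no longer exist under its original name.
    found=$(find "$root/" -xdev -type f -name pmount 2>/dev/null)
    [ -z "$found" ] || { echo "pmount still present: $found"; bad=1; }
    # The fallback "drives" icon must not be pinned to the desktop.
    if grep -q 'drive_drives' "$root/root/Choices/ROX-Filer/PuppyPin" 2>/dev/null; then
        echo "PuppyPin still has the drives icon"; bad=1
    fi
    return $bad
}

# Build a constructed sample tree in directory $1 that passes the audit.
make_sample_tree() {
    mkdir -p "$1/etc" "$1/usr/sbin" "$1/root/Choices/ROX-Filer"
    printf '%s\n' $WANTED > "$1/etc/eventmanager"
    : > "$1/usr/sbin/pmounter"    # assumed location of the renamed script
    echo '<pinboard></pinboard>' > "$1/root/Choices/ROX-Filer/PuppyPin"
}
```

Call `audit_gui_lockdown /path/to/remaster/tree` before building the ISO; it stays silent and returns 0 when all three changes are present.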
Thanks for the help with these ideas guys - this thread led on to my "BanksyPup" for banking and for ex Windows users as a puppy sampler...
http://murga-linux.com/puppy/viewtopic.php?t=93968