Restricting MTP devices from being mounted by a user/group
Solution 1
I had the same requirement in my end .
Best way to Block MTP,PTP for android is to disable the service in ubuntu .
Enter this location as root /usr/lib/gvfs
"sudo nautilus" will be easy if you tend to use GUI
"sudo nautilus" and the n navigate to computer/usr/lib/gvfs
There will be list of services Remove the execute permission by right clicking the appropriate service-->properties-->permission-->unckeck "execute" and change the read only access from "read only" to "none"
Blocking MTP and PTP
Remove the execute permission for
gvfsd-mtp
gvfs-mtp-volume-monitor(for safer side)
gvfsd-gphoto2
gvfs-gphoto2-volume-monitor(for safer side)
Apple I phone can mount through afp
so kindly Remove the execute permission for gvfsd-afp
gvfs-afc-volume-monitor(for safer side)
some android mobiles can use mass-storage mode to mount there SD card change the folder permission in /media/user to 400
user- the created user in ubuntu.
chmod 400
or remove the mount permission for user..
Solution 2
I couldn't get it to work using user/group permissions neither I know how libmtp mount phones volumes.
This is a solution to check the user group from udev side.
-
Switch to root
sudo -i -
Create a generic script to check GUI user and if it's in specified group
nano /lib/udev/check_gui_user_group.shAdd these line to it:
#!/bin/bash export GUI_$(grep -z USER /proc/$(pgrep -nx $1)/environ) groups $GUI_USER | grep -qFw "$2"Add executing permission
chmod +x /lib/udev/check_gui_user_group.sh -
MTP devices: Let override libmtp rules in
/lib/udev/rules.d/.cp /lib/udev/rules.d/69-libmtp.rules /etc/udev/rules.d/69-libmtp.rulesThen open it for editing:
nano /etc/udev/rules.d/69-libmtp.rulesAdd this line just after
LABEL="libmtp_usb_rules":PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", GOTO="libmtp_rules_end"For Ubuntu 14.04 Unity & Gnome, you may use
gnome-session. For other desktops, check usingpstree -uorps aux | grep -i sessionThe meaning of the rule: Whenever the user of
gnome-sessionis NOT in themyusbaccessgroupgroup skip all libmtp rules. -
PTP devices: Add another rules file
nano /etc/udev/rules.d/99-usb-storage-remove.rulesAdd rule
ACTION=="add", ENV{GPHOTO2_DRIVER}=="PTP", ENV{DRIVER}!="", PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", RUN+="/bin/sh -c 'echo -n %k >/sys%p/subsystem/drivers/%E{DRIVER}/unbind'" -
Other USB storage devices: Add this rule to the rules file of the previous step.
ACTION=="add", DRIVER=="usb-storage|uas|ums-*", PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", RUN+="/bin/sh -c 'echo -n %k >/sys%p/driver/unbind'"To know from where I get the list of drivers, try this:
ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/ -
Reload the rules
udevadm control -R Replug your phone.
Testing & Troubleshooting:
-
Setup the group, if it's not already done
addgroup myusbaccessgroup -
Remove user from the group.
deluser user myusbaccessgroup -
Run udev monitor
udevadm monitor -u Replug that device
-
Check what was run
udevadm test /sys/device/... -
Add user to the group
adduser user myusbaccessgroup Redo starting from step 3.
Notes:
I used Kubuntu 15.04 (real machine) and Ubuntu 14.04 (fresh install in VirtualBox) for testing.
- I used Wiko Bloom (Android 4.4.2) to test MTP mode which works well in both systems.
- I couldn't test PTP mode because it wasn't auto-mounted, May be I'm missing something here.
- Other external storages: a flash disk & an external hard drive. Test passes for both systems.
References:
-
man udevlook forPROGRAMuses. - How to pause VLC playback when the headphones are disconnected? , nice trick by Stunts to import current environment variables.
Related videos on Youtube
05 : 43
31 : 00
03 : 46
07 : 51
02 : 24
04 : 04
Akshay Rao
Updated on September 18, 2022Comments
-
Akshay Rao over 1 year
I am working on converting an Ubuntu (14.04 LTS) installation into a kiosk-like system with disabled USB storage. However, this does not prevent a user from mounting an MTP device such as an android phone.
This problem is not the same as preventing auto-mounting of MTP devices, which has been solved in other questions on AskUbuntu.
- I want to permanently disallow MTP and other storage devices from being mounted by a particular user or group. (Maybe by disabling mtpfs/gvfs?)
- What some other means of connecting writeable storage devices that I should take care of (like UMTS)?
--
edit: I should add that I disabed USB storage by revoking access rights for the group in question by chown'ing /media to admin:myusbaccessgroup. Obviously, the users/groups I want to prevent from using the USB are not in myusbaccessgroup.
--
Update:
A bounty was put for this answer but no successful solution was found. Please see the answers before followed by the chat room discussion.
Giving up, I installed Ubuntu 12.04 instead, since it doesn't have support for MTP out of the box. However, PTP devices still get mounted.
-
Pilot6 over 8 yearsI wanted to add a bounty too. I could not find a solution myself. I will give an additional bounty, if we get an answer. -
Daniel over 8 yearsHave you tried changing ownership of the device (like
/dev/mtp1or whatever) to root:root? -
Daniel over 8 yearsThen they would need sudo access, and you can disable sudo access for that user/group
-
Akshay Rao over 8 years@Daniel, root:rooting /dev/ but to no avail. The users/groups I need to disable this for are not in the sudo group.
-
Akshay Rao over 8 years@Pilot6, hope this works out!
-
Pilot6 over 8 yearsI even removed
usb-storage.ko. But on next reboot it got mounted usingusbfsdriver. -
Akshay Rao over 8 yearsPerhaps the script you ran to remove usb-storage.ko can be put inside rc.local or some such startup script file? However, did removing usb-storage.ko disable your MTP device from mounting?
-
Daniel over 8 yearsDid you root:root /dev/ recursively?
-
Daniel over 8 yearsIf that works I'll put it as an answer
-
Akshay Rao over 8 yearsI already that and it did not work. I don't believe these devices are mounted onto /dev/. I could be wrong.
-
Akshay Rao over 8 years@Pilot6, I want to add more bounty now, but can't seem to do it. Do you still wanna put some bounty from your side?
-
Pilot6 over 8 yearsWe can't add any bounty until you award this one or it expires. Please ping me if the solution is found. I will add my bounty.
-
muru over 8 yearsIs thatexport GUI_$(...supposed to beexport GUI_USER=$(? Also, instead of looping over groups, you could just grep:groups $GUI_USER | grep -qFw "$2" -
user.dz over 8 years@muru,USER=is already ingrep -zcommand, yes that's simpler. thank you -
Pilot6 over 8 yearsI thought abut this. But there MUST be some better solution. And I notice that some phones get mounted when there is nothing in 69-libmtp.rules
-
user.dz over 8 years@Pilot6, could you confirm if they are in MTP mode and how they get mounted without
dev/libmtp..link? I know that old device like android 2.x get mounted as usb storage. -
Pilot6 over 8 yearsThe brand new android 5.0 device gets mounted without a line in libmtp.rules. Also it does with usb-devices. When I removed
usb-devices.koit still got mounted withusbfs. -
user.dz over 8 years@Pilot6, I couldn't find
usb-devices.ko&usbfs,koin my system neither through packages.ubuntu.com . The only one i could find isusb-storage.ko, I have add another rule for other storage types. Could you please try it. -
Pilot6 over 8 yearsSry, it is
usb-storage.ko. I could not findusbfseither. But it is shown inusb-devicesas a driver if any other driver is disabled. I do not use your script, just try to kill it for everyone just to start with. -
Akshay Rao over 8 years@Sneetsher, I will try your solution out tomorrow (can't today) and get back to you. If it works well for the few MTP devices I have, I'll mark this as the answer. Please let me know if you have a better answer using Pilot6's comments about using usb-storage. In the mean time, can you guys think of other ways a device can connect to ubuntu? Like PTP/UMTS etc? It doesn't even have to be a phone per say. I'm trying to disable any external input and outputs using the USB here.
-
Pilot6 over 8 yearsit is really weird that such a simple user restriction is so hard to achieve in linux.
-
user.dz over 8 years@Pilot6, I agree it shouldn't be hard, I thought about
polkitbut I have no experience with it. -
Pilot6 over 8 yearsI thought same and I have the same problem. I never dealt with it. I was hoping someone knows how to do it.
-
Akshay Rao over 8 years@Sneetsher, unfortunately this didn't work for me :( :( :( I was so hopeful. I was able to open all android phones I connected. Is there anything (any logs etc) you'd want to check to troubleshoot?
-
user.dz over 8 years@AkshayRao , updated the answer. You may post output of
udevadm test ..to paste.Ubuntu.com -
Akshay Rao over 8 years@Sneetsher, here you go! paste.ubuntu.com/12435931
-
user.dz over 8 years@AkshayRao, I have added neew rule for PTP devices. Would you please try it.
-
Akshay Rao over 8 years@Sneetsher, still no luck. Both (MTP and PTP) connections are readable and writeable. However the troubleshooting did show a few non-zero return values from the tests. Maybe they would help. paste.ubuntu.com/12446584
-
user.dz over 8 years@AkshayRao , could you make another test output for mtp mode.
-
Akshay Rao over 8 years@Sneetsher, I was under the impression that this was for MTP mode as well. I'll get back to you in a few.
-
Akshay Rao over 8 years@Sneetsher, here you go. By the way, the one I pasted before was MTP (sorry about that). This one contains PTP first and then MTP. Samsung Galaxy S3 paste.ubuntu.com/12448398
-
user.dz over 8 yearsLet us continue this discussion in chat.
-
Pilot6 over 8 yearsThis did not work. The phone still gets mounted with
usbfs. -
user.dz over 8 years:( out of ideas, It hit the wall. BTW, @Pilot6 are using Ubuntu 14.04/Unity?
-
Pilot6 over 8 yearsI use default 14.04 LTS with unity. But it does not matter much I guess.
-
Jake over 6 yearsThank you! Works like a charm on Ubuntu 16.04. Just note that you need to reboot to see the change. -
mxmlnkn over 6 yearshardcore approach which only works when having root access, but it works, thank you.
