Restricting MTP devices from being mounted by a user/group
Solution 1
I had the same requirement on my end.
The best way to block MTP/PTP for Android is to disable the service in Ubuntu.
Enter this location as root: /usr/lib/gvfs
"sudo nautilus" will be easy if you tend to use the GUI: run "sudo nautilus" and then navigate to Computer/usr/lib/gvfs
There will be a list of services. Remove the execute permission by right-clicking the appropriate service --> Properties --> Permissions --> uncheck "Execute", and change the read-only access from "read only" to "none".
Blocking MTP and PTP
Remove the execute permission for:
- gvfsd-mtp
- gvfs-mtp-volume-monitor (for the safer side)
- gvfsd-gphoto2
- gvfs-gphoto2-volume-monitor (for the safer side)
Apple iPhone can mount through afp, so kindly remove the execute permission for:
- gvfsd-afp
- gvfs-afc-volume-monitor (for the safer side)
Some Android mobiles can use mass-storage mode to mount their SD card. Change the folder permission in /media/user to 400 (user = the created user in Ubuntu):
chmod 400 /media/user
or remove the mount permission for the user.
Solution 2
I couldn't get it to work using user/group permissions, nor do I know how libmtp mounts phone volumes.
This is a solution to check the user group from the udev side.
- Switch to root
sudo -i
- Create a generic script to check the GUI user and whether it's in the specified group
nano /lib/udev/check_gui_user_group.sh
Add these lines to it:
#!/bin/bash
# $1: name of the session process (e.g. gnome-session), $2: group to check
# Import the USER=... entry of the session process environment as GUI_USER
# (anchored on '^USER=' so USERNAME, XDG_SESSION_USER etc. are not picked up)
export GUI_$(grep -z '^USER=' /proc/$(pgrep -nx "$1")/environ)
# Exit 0 if that user is a member of the group, non-zero otherwise
groups "$GUI_USER" | grep -qFw "$2"
Add executing permission
chmod +x /lib/udev/check_gui_user_group.sh
- MTP devices: Let's override the libmtp rules in /lib/udev/rules.d/
cp /lib/udev/rules.d/69-libmtp.rules /etc/udev/rules.d/69-libmtp.rules
Then open it for editing:
nano /etc/udev/rules.d/69-libmtp.rules
Add this line just after LABEL="libmtp_usb_rules":
PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", GOTO="libmtp_rules_end"
For Ubuntu 14.04 Unity & Gnome, you may use gnome-session. For other desktops, check using pstree -u or ps aux | grep -i session.
The meaning of the rule: whenever the user of gnome-session is NOT in the myusbaccessgroup group, skip all libmtp rules.
- PTP devices: Add another rules file
nano /etc/udev/rules.d/99-usb-storage-remove.rules
Add this rule:
ACTION=="add", ENV{GPHOTO2_DRIVER}=="PTP", ENV{DRIVER}!="", PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", RUN+="/bin/sh -c 'echo -n %k >/sys%p/subsystem/drivers/%E{DRIVER}/unbind'"
- Other USB storage devices: Add this rule to the rules file of the previous step.
ACTION=="add", DRIVER=="usb-storage|uas|ums-*", PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", RUN+="/bin/sh -c 'echo -n %k >/sys%p/driver/unbind'"
To see where I got the list of drivers from, try this:
ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/
- Reload the rules
udevadm control -R
Replug your phone.
Testing & Troubleshooting:
- Set up the group, if it's not already done
addgroup myusbaccessgroup
- Remove the user from the group.
deluser user myusbaccessgroup
- Run the udev monitor
udevadm monitor -u
Replug that device
- Check what was run
udevadm test /sys/device/...
- Add the user to the group
adduser user myusbaccessgroup
Redo starting from step 3.
Notes:
- I used Kubuntu 15.04 (real machine) and Ubuntu 14.04 (fresh install in VirtualBox) for testing.
- I used a Wiko Bloom (Android 4.4.2) to test MTP mode, which works well in both systems.
- I couldn't test PTP mode because it wasn't auto-mounted; maybe I'm missing something here.
- Other external storages: a flash disk & an external hard drive. The test passes on both systems.
References:
- man udev, look for PROGRAM uses.
- How to pause VLC playback when the headphones are disconnected?, nice trick by Stunts to import current environment variables.
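The helper script in Solution 2 is the piece that decides whether a device stays bound or not, so it is worth getting right. As an added example (not the answer's own script), here is a POSIX sh version of the same check, written so that each step can be tested offline: it reads the NUL-separated /proc/<pid>/environ format and anchors on the exact USER= entry (so USERNAME or XDG_SESSION_USER cannot pollute the result), and it tests group membership with id -nG instead of parsing the output of groups. The function names and the sample environ content in the test are my own; the pgrep -nx lookup is the one the answer uses.

```shell
#!/bin/sh
# Hardened variant of check_gui_user_group.sh (added example, not the
# answer's own script). Exit status 0 = the owner of the GUI session process
# is in the given group, non-zero = not (or no such process/user), so it can
# be used from a udev PROGRAM!= match exactly like the original.

# Print the value of USER from a NUL-separated environ blob, i.e. the format
# of /proc/<pid>/environ. '^USER=' matches only the exact variable.
gui_user_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^USER=//p' | head -n 1
}

# Find the newest process named $1 (pgrep -nx, as in the answer) and report
# its USER. Fails silently if there is no such process.
gui_user_of_process() {
    pid=$(pgrep -nx "$1") || return 1
    gui_user_from_environ "/proc/$pid/environ"
}

# Succeed only if $1 is a member of group $2 (primary or supplementary).
# grep -x avoids partial matches such as "usb" inside "myusbaccessgroup".
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qFx "$2"
}

# Top-level check: $1 = session process name, $2 = group name.
check_gui_user_group() {
    user=$(gui_user_of_process "$1") || return 1
    [ -n "$user" ] || return 1
    user_in_group "$user" "$2"
}

# When invoked by udev with two arguments, run the check; when sourced, only
# the functions are defined.
if [ "$#" -eq 2 ]; then
    check_gui_user_group "$1" "$2"
fi
```

Install it at /lib/udev/check_gui_user_group.sh with the same chmod +x as in the answer; udev resolves a PROGRAM name without a slash against /lib/udev, which is why the rules refer to it by bare name. Note that udev runs the program with a minimal environment, so everything it needs (tr, sed, id, pgrep) must be reachable on the default PATH.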
Akshay Rao
Updated on September 18, 2022
Comments
- Akshay Rao over 1 year:
I am working on converting an Ubuntu (14.04 LTS) installation into a kiosk-like system with disabled USB storage. However, this does not prevent a user from mounting an MTP device such as an Android phone.
This problem is not the same as preventing auto-mounting of MTP devices, which has been solved in other questions on AskUbuntu.
- I want to permanently disallow MTP and other storage devices from being mounted by a particular user or group. (Maybe by disabling mtpfs/gvfs?)
- What are some other means of connecting writeable storage devices that I should take care of (like UMTS)?
--
Edit: I should add that I disabled USB storage by revoking access rights for the group in question by chown'ing /media to admin:myusbaccessgroup. Obviously, the users/groups I want to prevent from using the USB are not in myusbaccessgroup.
--
Update:
A bounty was put on this question but no successful solution was found. Please see the answers before, followed by the chat room discussion.
Giving up, I installed Ubuntu 12.04 instead, since it doesn't have support for MTP out of the box. However, PTP devices still get mounted.
-
- Pilot6 over 8 years: I wanted to add a bounty too. I could not find a solution myself. I will give an additional bounty, if we get an answer.
- Daniel over 8 years: Have you tried changing ownership of the device (like /dev/mtp1 or whatever) to root:root?
- Daniel over 8 years: Then they would need sudo access, and you can disable sudo access for that user/group
- Akshay Rao over 8 years: @Daniel, root:rooting /dev/ but to no avail. The users/groups I need to disable this for are not in the sudo group.
- Akshay Rao over 8 years: @Pilot6, hope this works out!
- Pilot6 over 8 years: I even removed usb-storage.ko. But on next reboot it got mounted using the usbfs driver.
- Akshay Rao over 8 years: Perhaps the script you ran to remove usb-storage.ko can be put inside rc.local or some such startup script file? However, did removing usb-storage.ko disable your MTP device from mounting?
- Daniel over 8 years: Did you root:root /dev/ recursively?
- Daniel over 8 years: If that works I'll put it as an answer
- Akshay Rao over 8 years: I already did that and it did not work. I don't believe these devices are mounted onto /dev/. I could be wrong.
- Akshay Rao over 8 years: @Pilot6, I want to add more bounty now, but can't seem to do it. Do you still wanna put some bounty from your side?
- Pilot6 over 8 years: We can't add any bounty until you award this one or it expires. Please ping me if the solution is found. I will add my bounty.
- muru over 8 years: Is that export GUI_$(... supposed to be export GUI_USER=$( ? Also, instead of looping over groups, you could just grep: groups $GUI_USER | grep -qFw "$2"
- user.dz over 8 years: @muru, USER= is already in the grep -z command. Yes, that's simpler, thank you
- Pilot6 over 8 years: I thought about this. But there MUST be some better solution. And I notice that some phones get mounted when there is nothing in 69-libmtp.rules
- user.dz over 8 years: @Pilot6, could you confirm if they are in MTP mode and how they get mounted without the dev/libmtp.. link? I know that old devices like Android 2.x get mounted as USB storage.
- Pilot6 over 8 years: The brand new Android 5.0 device gets mounted without a line in libmtp.rules. Also it does with usb-devices. When I removed usb-devices.ko it still got mounted with usbfs.
- user.dz over 8 years: @Pilot6, I couldn't find usb-devices.ko & usbfs.ko in my system, nor through packages.ubuntu.com. The only one I could find is usb-storage.ko. I have added another rule for other storage types. Could you please try it.
- Pilot6 over 8 years: Sorry, it is usb-storage.ko. I could not find usbfs either. But it is shown in usb-devices as a driver if any other driver is disabled. I do not use your script, just try to kill it for everyone just to start with.
- Akshay Rao over 8 years: @Sneetsher, I will try your solution out tomorrow (can't today) and get back to you. If it works well for the few MTP devices I have, I'll mark this as the answer. Please let me know if you have a better answer using Pilot6's comments about using usb-storage. In the meantime, can you guys think of other ways a device can connect to Ubuntu? Like PTP/UMTS etc? It doesn't even have to be a phone per se. I'm trying to disable any external input and outputs using the USB here.
- Pilot6 over 8 years: It is really weird that such a simple user restriction is so hard to achieve in Linux.
- user.dz over 8 years: @Pilot6, I agree it shouldn't be hard, I thought about polkit but I have no experience with it.
- Pilot6 over 8 years: I thought the same and I have the same problem. I never dealt with it. I was hoping someone knows how to do it.
- Akshay Rao over 8 years: @Sneetsher, unfortunately this didn't work for me :( :( :( I was so hopeful. I was able to open all Android phones I connected. Is there anything (any logs etc) you'd want to check to troubleshoot?
- user.dz over 8 years: @AkshayRao, updated the answer. You may post the output of udevadm test .. to paste.ubuntu.com
- Akshay Rao over 8 years: @Sneetsher, here you go! paste.ubuntu.com/12435931
- user.dz over 8 years: @AkshayRao, I have added a new rule for PTP devices. Would you please try it.
- Akshay Rao over 8 years: @Sneetsher, still no luck. Both (MTP and PTP) connections are readable and writeable. However the troubleshooting did show a few non-zero return values from the tests. Maybe they would help. paste.ubuntu.com/12446584
- user.dz over 8 years: @AkshayRao, could you make another test output for MTP mode.
- Akshay Rao over 8 years: @Sneetsher, I was under the impression that this was for MTP mode as well. I'll get back to you in a few.
- Akshay Rao over 8 years: @Sneetsher, here you go. By the way, the one I pasted before was MTP (sorry about that). This one contains PTP first and then MTP. Samsung Galaxy S3 paste.ubuntu.com/12448398
- user.dz over 8 years: Let us continue this discussion in chat.
- Pilot6 over 8 years: This did not work. The phone still gets mounted with usbfs.
- user.dz over 8 years: :( out of ideas, it hit the wall. BTW, @Pilot6 are you using Ubuntu 14.04/Unity?
- Pilot6 over 8 years: I use default 14.04 LTS with Unity. But it does not matter much I guess.
- Jake over 6 years: Thank you! Works like a charm on Ubuntu 16.04. Just note that you need to reboot to see the change.
- mxmlnkn over 6 years: Hardcore approach which only works when having root access, but it works, thank you.