<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Priority</th>
          <td>medium
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW --- - option to lock USB ports when no session is opened"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=82369">82369</a>
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>option to lock USB ports when no session is opened
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>systemd-bugs@lists.freedesktop.org
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>corsac@debian.org
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>general
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>systemd
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Hi,

following the various presentations on USB security (for example the “Bad USB”
one at Black Hat 2014 [1], but actually there were quite some more earlier, like
Travis Goodspeed's experiments with the facedancer [2] etc.) and a thread on
oss-security [3], came the idea to “lock” the USB ports in the kernel when the
system is locked [4,5]. This can be done by setting the
usbcore.authorized_default parameter to 0 [6].

I guess logind/systemd would be able to do things like that?

There's a caveat, since it could be possible to lock yourself out, for example
if you lock your screen, or log out from your session, and unplug your USB
keyboard. There's also the boot situation, but maybe USB could be enabled for
the first few minutes then disabled.

Grsecurity also has a feature to disable new USB devices (either after boot or
after toggling a sysctl).

[1]: <a href="https://srlabs.de/badusb/">https://srlabs.de/badusb/</a>
[2]: <a href="http://goodfet.sourceforge.net/hardware/facedancer11/">http://goodfet.sourceforge.net/hardware/facedancer11/</a>
[3]: <a href="https://marc.info/?l=oss-security&m=140749685512320&w=2">https://marc.info/?l=oss-security&m=140749685512320&w=2</a>
[4]: <a href="https://marc.info/?l=oss-security&m=140751502119399&w=2">https://marc.info/?l=oss-security&m=140751502119399&w=2</a>
[5]: <a href="https://marc.info/?l=oss-security&m=140753051926692&w=2">https://marc.info/?l=oss-security&m=140753051926692&w=2</a>
[6]: <a href="https://marc.info/?l=oss-security&m=140752686125379&w=2">https://marc.info/?l=oss-security&m=140752686125379&w=2</a></pre>
        </div>
      </p>
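<p>The policy the report sketches, as an added example that is not part of the bug report or of systemd: derive "authorize new USB devices or not" from logind session state and write it to each USB root hub's authorized_default attribute. It assumes the LockedHint session property (systemd 231 and later, not available when this bug was filed) and the per-root-hub sysfs attribute /sys/bus/usb/devices/usbN/authorized_default; the demo at the bottom uses constructed session data and a temporary directory instead of the real sysfs.</p>

```shell
#!/bin/sh
# Added example (not from the report or systemd). Assumes systemd's LockedHint
# session property and the /sys/bus/usb/devices/usbN/authorized_default attribute.

# usb_policy_for_sessions: read `loginctl show-session`-style key=value blocks
# (one session per blank-line-separated block) from stdin and print 1 when any
# session is active and unlocked, otherwise 0 (new devices stay deauthorized).
usb_policy_for_sessions() {
    awk '
        /^State=/      { sub(/^State=/, "");      state  = $0 }
        /^LockedHint=/ { sub(/^LockedHint=/, ""); locked = $0 }
        /^$/           { if (state == "active" && locked == "no") ok = 1
                         state = ""; locked = "" }
        END            { if (state == "active" && locked == "no") ok = 1
                         print (ok ? 1 : 0) }
    '
}

# usb_apply_policy MODE [SYSFS_ROOT]: write MODE (0 or 1) into authorized_default
# of every root hub (usb1, usb2, ...) and print how many hubs were updated.
# authorized_default only affects devices enumerated from now on, so a keyboard
# that is already plugged in keeps working after the lock; one unplugged while
# locked stays dead until the policy returns to 1 (the report's lock-out caveat).
usb_apply_policy() {
    mode=$1
    root=${2:-/sys/bus/usb/devices}
    case $mode in
        0|1) ;;
        *) echo "usb_apply_policy: mode must be 0 or 1" >&2; return 2 ;;
    esac
    n=0
    for attr in "$root"/usb[0-9]*/authorized_default; do
        [ -e "$attr" ] || continue
        printf '%s\n' "$mode" > "$attr" && n=$((n + 1))
    done
    echo "$n"
}

# Demo on constructed session data: one locked active session, one online
# session; the resulting policy is 0 (lock new devices). No real sysfs is touched.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usb1" "$demo_root/usb2"
policy=$(printf 'State=active\nLockedHint=yes\n\nState=online\nLockedHint=no\n' \
         | usb_policy_for_sessions)
echo "policy=$policy hubs_updated=$(usb_apply_policy "$policy" "$demo_root")"
rm -rf "$demo_root"
```

In a real deployment the functions would run as root from a lock/unlock hook (for example a unit triggered by the session lock), piping `loginctl show-session "$id" -p State -p LockedHint` for each session into the policy function.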
    </body>
</html>