[systemd-bugs] [Bug 82369] New: option to lock USB ports when no session is opened
bugzilla-daemon at freedesktop.org
Fri Aug 8 13:57:11 PDT 2014
https://bugs.freedesktop.org/show_bug.cgi?id=82369
Priority: medium
Bug ID: 82369
Assignee: systemd-bugs at lists.freedesktop.org
Summary: option to lock USB ports when no session is opened
QA Contact: systemd-bugs at lists.freedesktop.org
Severity: enhancement
Classification: Unclassified
OS: All
Reporter: corsac at debian.org
Hardware: Other
Status: NEW
Version: unspecified
Component: general
Product: systemd
Hi,
following the various presentations on USB security (for example the “Bad USB”
one at Black Hat 2014 [1], but actually there were quite some more earlier, like
Travis Goodspeed's experiments with the facedancer [2], etc.) and a thread on
oss-security [3], came the idea to “lock” the USB ports in the kernel when the
system is locked [4,5]. This can be done by setting the
usbcore.authorized_default parameter to 0 [6].
I guess logind/systemd would be able to do things like that?
There's a caveat, since it could be possible to lock yourself out, for example
if you lock your screen, or log out from your session, and unplug your USB
keyboard. There's also the boot situation, but maybe USB could be enabled for
the first few minutes then disabled.
Grsecurity also has a feature to disable new USB devices (either after boot or
after toggling a sysctl).
[1]: https://srlabs.de/badusb/
[2]: http://goodfet.sourceforge.net/hardware/facedancer11/
[3]: https://marc.info/?l=oss-security&m=140749685512320&w=2
[4]: https://marc.info/?l=oss-security&m=140751502119399&w=2
[5]: https://marc.info/?l=oss-security&m=140753051926692&w=2
[6]: https://marc.info/?l=oss-security&m=140752686125379&w=2
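
The runtime side of the switch mentioned in the report, as an added example (not code from the reporter or from systemd): the kernel exposes `authorized_default` per host controller and `authorized` per device under `/sys/bus/usb/devices`. The function names and the `USB_SYSFS` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: toggle the default USB authorization per host controller.
# USB_SYSFS is an assumed override so the functions can be pointed at a
# constructed directory tree instead of the live sysfs.
USB_SYSFS="${USB_SYSFS:-/sys/bus/usb/devices}"

# usb_set_default 0|1 : write the policy to every root hub (usb1, usb2, ...).
# Devices that are already connected keep their current "authorized" value,
# so a keyboard plugged in before locking stays usable until it is unplugged.
usb_set_default() {
    case "$1" in
        0|1) ;;
        *) echo "usage: usb_set_default 0|1" >&2; return 2 ;;
    esac
    rc=0
    for f in "$USB_SYSFS"/usb*/authorized_default; do
        [ -e "$f" ] || continue
        printf '%s\n' "$1" > "$f" || rc=1
    done
    return "$rc"
}

# usb_pending : print devices that were connected while the default was 0
# and are therefore still unauthorized (authorized == 0).
usb_pending() {
    for f in "$USB_SYSFS"/*/authorized; do
        [ -e "$f" ] || continue
        name=$(basename "$(dirname "$f")")
        case "$name" in *:*) continue ;; esac   # skip interface entries (1-2:1.0)
        [ "$(cat "$f")" = "0" ] && echo "$name"
    done
    return 0
}

# usb_authorize DEVICE : explicitly allow one pending device, e.g. "1-2".
usb_authorize() {
    dev="$USB_SYSFS/$1/authorized"
    [ -e "$dev" ] || { echo "no such device: $1" >&2; return 1; }
    printf '1\n' > "$dev"
}
```

Against the live sysfs these writes need root; a session manager would call `usb_set_default 0` when the last session locks or closes and `usb_set_default 1` on unlock, then review `usb_pending` before authorizing anything that appeared in between.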