Restricting MTP devices from being mounted by a user/group
I couldn't get it to work using user/group permissions neither I know how libmtp mount phones volumes.
This is a solution to check the user group from udev side.
-
Switch to root
sudo -i -
Create a generic script to check GUI user and if it's in specified group
nano /lib/udev/check_gui_user_group.shAdd these line to it:
#!/bin/bash export GUI_$(grep -z USER /proc/$(pgrep -nx $1)/environ) groups $GUI_USER | grep -qFw "$2"Add executing permission
chmod +x /lib/udev/check_gui_user_group.sh -
MTP devices: Let override libmtp rules in
/lib/udev/rules.d/.cp /lib/udev/rules.d/69-libmtp.rules /etc/udev/rules.d/69-libmtp.rulesThen open it for editing:
nano /etc/udev/rules.d/69-libmtp.rulesAdd this line just after
LABEL="libmtp_usb_rules":PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", GOTO="libmtp_rules_end"For Ubuntu 14.04 Unity & Gnome, you may use
gnome-session. For other desktops, check usingpstree -uorps aux | grep -i sessionThe meaning of the rule: Whenever the user of
gnome-sessionis NOT in themyusbaccessgroupgroup skip all libmtp rules. -
PTP devices: Add another rules file
nano /etc/udev/rules.d/99-usb-storage-remove.rulesAdd rule
ACTION=="add", ENV{GPHOTO2_DRIVER}=="PTP", ENV{DRIVER}!="", PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", RUN+="/bin/sh -c 'echo -n %k >/sys%p/subsystem/drivers/%E{DRIVER}/unbind'" -
Other USB storage devices: Add this rule to the rules file of the previous step.
ACTION=="add", DRIVER=="usb-storage|uas|ums-*", PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", RUN+="/bin/sh -c 'echo -n %k >/sys%p/driver/unbind'"To know from where I get the list of drivers, try this:
ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/ -
Reload the rules
udevadm control -R Replug your phone.
Testing & Troubleshooting:
-
Setup the group, if it's not already done
addgroup myusbaccessgroup -
Remove user from the group.
deluser user myusbaccessgroup -
Run udev monitor
udevadm monitor -u Replug that device
-
Check what was run
udevadm test /sys/device/... -
Add user to the group
adduser user myusbaccessgroup Redo starting from step 3.
Notes:
I used Kubuntu 15.04 (real machine) and Ubuntu 14.04 (fresh install in VirtualBox) for testing.
- I used Wiko Bloom (Android 4.4.2) to test MTP mode which works well in both systems.
- I couldn't test PTP mode because it wasn't auto-mounted, May be I'm missing something here.
- Other external storages: a flash disk & an external hard drive. Test passes for both systems.
References:
-
man udevlook forPROGRAMuses. - How to pause VLC playback when the headphones are disconnected? , nice trick by Stunts to import current environment variables.
I had the same requirement in my end .
Best way to Block MTP,PTP for android is to disable the service in ubuntu .
Enter this location as root /usr/lib/gvfs
"sudo nautilus" will be easy if you tend to use GUI
"sudo nautilus" and the n navigate to computer/usr/lib/gvfs
There will be list of services Remove the execute permission by right clicking the appropriate service-->properties-->permission-->unckeck "execute" and change the read only access from "read only" to "none"
Blocking MTP and PTP
Remove the execute permission for
gvfsd-mtp
gvfs-mtp-volume-monitor(for safer side)
gvfsd-gphoto2
gvfs-gphoto2-volume-monitor(for safer side)
Apple I phone can mount through afp
so kindly Remove the execute permission for gvfsd-afp
gvfs-afc-volume-monitor(for safer side)
some android mobiles can use mass-storage mode to mount there SD card change the folder permission in /media/user to 400
user- the created user in ubuntu.
chmod 400
or remove the mount permission for user..