Restricting MTP devices from being mounted by a user/group

I couldn't get it to work using user/group permissions, nor do I know how libmtp mounts phone volumes.

This is a solution to check the user group from udev side.

  1. Switch to root

    sudo -i
    
  2. Create a generic script to check the GUI user and whether it's in the specified group

    nano /lib/udev/check_gui_user_group.sh
    

    Add these lines to it:

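    #!/bin/bash
    # $1 = session process name, $2 = group that is allowed to use the device

    # Read USER (anchored, so USERNAME is not matched) from the newest process named $1
    export GUI_$(grep -z '^USER=' "/proc/$(pgrep -nx "$1")/environ" | tr -d '\0')
    # Exit 0 only if that user is in group $2
    groups "$GUI_USER" | grep -qFw "$2"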
    

    Add execute permission:

    chmod +x /lib/udev/check_gui_user_group.sh
    
  3. MTP devices: Let's override the libmtp rules in /lib/udev/rules.d/.

    cp /lib/udev/rules.d/69-libmtp.rules /etc/udev/rules.d/69-libmtp.rules
    

    Then open it for editing:

    nano /etc/udev/rules.d/69-libmtp.rules
    

    Add this line just after LABEL="libmtp_usb_rules":

    PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", GOTO="libmtp_rules_end"
    

    For Ubuntu 14.04 Unity & Gnome, you may use gnome-session. For other desktops, check using pstree -u or ps aux | grep -i session.

    The meaning of the rule: Whenever the user of gnome-session is NOT in the myusbaccessgroup group, skip all libmtp rules.

  4. PTP devices: Add another rules file

    nano /etc/udev/rules.d/99-usb-storage-remove.rules
    

    Add this rule:

    ACTION=="add", ENV{GPHOTO2_DRIVER}=="PTP", ENV{DRIVER}!="", PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", RUN+="/bin/sh -c 'echo -n %k >/sys%p/subsystem/drivers/%E{DRIVER}/unbind'"
    
  5. Other USB storage devices: Add this rule to the rules file of the previous step.

    ACTION=="add", DRIVER=="usb-storage|uas|ums-*", PROGRAM!="check_gui_user_group.sh gnome-session myusbaccessgroup", RUN+="/bin/sh -c 'echo -n %k >/sys%p/driver/unbind'"
    

    To see where I got the list of drivers, try this:

    ls /lib/modules/$(uname -r)/kernel/drivers/usb/storage/
    
  6. Reload the rules

    udevadm control -R
    
  7. Replug your phone.


Testing & Troubleshooting:

  1. Setup the group, if it's not already done

    addgroup myusbaccessgroup
    
  2. Remove user from the group.

    deluser user myusbaccessgroup
    
  3. Run udev monitor

    udevadm monitor -u
    
  4. Replug that device

  5. Check what was run

    udevadm test /sys/device/...
    
  6. Add user to the group

    adduser user myusbaccessgroup
    
  7. Redo starting from step 3.

Notes:

I used Kubuntu 15.04 (real machine) and Ubuntu 14.04 (fresh install in VirtualBox) for testing.

  • I used Wiko Bloom (Android 4.4.2) to test MTP mode which works well in both systems.
  • I couldn't test PTP mode because it wasn't auto-mounted. Maybe I'm missing something here.
  • Other external storage: a flash disk & an external hard drive. Test passes for both systems.

References:

  • man udev: look for uses of PROGRAM.
  • How to pause VLC playback when the headphones are disconnected? , nice trick by Stunts to import current environment variables.
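
A stricter form of the group check from step 2 of the answer above, as an added example that is not part of the original answer: it matches the USER variable by exact name and the group as a whole entry of the `id -nG` output, and fails closed when no session process is found. The function names are hypothetical; `gnome-session` and `myusbaccessgroup` would be passed as the two arguments, as in the rules above.

```bash
#!/bin/bash
# Added example (not from the answer): exact-match lookups for the udev helper.

# Print the value of variable $2 from the NUL-delimited environ file $1.
# The name is compared exactly, so asking for USER never returns USERNAME.
environ_get() (
    tr '\000' '\n' < "$1" |
        awk -v n="$2" '
            index($0, n "=") == 1 { print substr($0, length(n) + 2); found = 1; exit }
            END { exit !found }'
)

# Succeed only if group $2 is a whole entry of the space-separated list $1.
in_group_list() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# Exit 0 = session user is in the group; anything else makes PROGRAM!= match.
# pgrep -n picks the newest process with that name, whoever owns it.
check_session_user_group() (
    pid=$(pgrep -nx "$1") || exit 1              # no session found: fail closed
    user=$(environ_get "/proc/$pid/environ" USER) || exit 1
    groups_of_user=$(id -nG "$user" 2>/dev/null) || exit 1
    in_group_list "$groups_of_user" "$2"
)

# Run as the helper only when called with <session-process> <group>.
if [ "$#" -eq 2 ]; then
    check_session_user_group "$1" "$2"
    exit $?
fi
```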

I had the same requirement on my end.

The best way to block MTP and PTP for Android is to disable the service in Ubuntu.

Enter this location as root: /usr/lib/gvfs

"sudo nautilus" will be easy if you tend to use the GUI.

Run "sudo nautilus" and then navigate to computer/usr/lib/gvfs

There will be a list of services. Remove the execute permission by right-clicking the appropriate service --> properties --> permission --> uncheck "execute", and change the access from "read only" to "none".

Blocking MTP and PTP

Remove the execute permission for

gvfsd-mtp

gvfs-mtp-volume-monitor (to be on the safe side)

gvfsd-gphoto2

gvfs-gphoto2-volume-monitor (to be on the safe side)


The Apple iPhone can mount through afp,

so kindly remove the execute permission for gvfsd-afp

gvfs-afc-volume-monitor (to be on the safe side)

Some Android mobiles can use mass-storage mode to mount their SD card. Change the folder permission in /media/user to 400.

user: the created user in Ubuntu.

chmod 400

or remove the mount permission for the user.