Date: Sat, 09 Aug 2014 11:17:47 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: BadUSB discussion

On ven., 2014-08-08 at 14:36 -0700, Greg KH wrote:
> On Fri, Aug 08, 2014 at 11:27:06PM +0200, Yves-Alexis Perez wrote:
> > On ven., 2014-08-08 at 14:20 -0700, Greg KH wrote:
> > > > Actually, since it's a module parameter, it doesn't seem possible to
> > > > toggle it without reloading the module (or rebooting if it's builtin).
> > > > So it might not be that easy to do the locking part.
> > > 
> > > echo "0" > /sys/module/usbcore/parameters/authorized_default
> > 
> > I did that, but unplugging/replugging my mouse still works after that.
> 
> Hm, not good, take it to the linux-usb@...r.kernel.org mailing list and
> we can debug it there.
> 
To follow up on this.

The correct way to do this is to do:

for bus in /sys/bus/usb/devices/usb*
do
  echo 0 > "${bus}/authorized_default"
done

to disable registration of new USB devices (kernel will still enumerate
them, but no driver will handle them).

Echo 1 (or -1) to re-enable registration. Current devices will keep
working. If you want to completely disable a bus (including power), use
'authorized' instead of 'authorized_default' sysfs entry.

Regards,
-- 
Yves-Alexis
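
The per-bus lock described in the message above, extended into a lock / review / authorize workflow. This is an added example, not part of the original message; the function names and the USB_SYSFS override (used so the functions can run against a constructed directory tree) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). Function names and the
# USB_SYSFS override are assumptions made for illustration and testing.
USB_SYSFS="${USB_SYSFS:-/sys/bus/usb/devices}"

# Write $1 (0 = block new devices, 1 = allow) to every root hub's
# authorized_default. Fails if no writable root hub was found.
usb_set_default() {
    found=0 failed=0
    for bus in "$USB_SYSFS"/usb*; do
        [ -w "$bus/authorized_default" ] || continue
        found=1
        echo "$1" > "$bus/authorized_default" || failed=1
    done
    [ "$found" -eq 1 ] && [ "$failed" -eq 0 ]
}

# Print devices currently left unauthorized (authorized == 0).
# Interface entries such as 1-1:1.0 are skipped; only devices are listed.
usb_list_blocked() {
    for dev in "$USB_SYSFS"/*; do
        name=${dev##*/}
        case "$name" in *:*) continue ;; esac
        [ -r "$dev/authorized" ] || continue
        if [ "$(cat "$dev/authorized")" = "0" ]; then
            echo "$name"
        fi
    done
    return 0
}

# Authorize one device by sysfs name (e.g. 1-2) after inspecting it.
usb_authorize() {
    case "$1" in ""|*/*|.*) return 1 ;; esac
    [ -w "$USB_SYSFS/$1/authorized" ] || return 1
    echo 1 > "$USB_SYSFS/$1/authorized"
}
```

Sourced as root, the sequence is usb_set_default 0, plug in the device, usb_list_blocked to see what the kernel enumerated but did not bind, then usb_authorize with the name of a device you trust.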
