Seusb2


Authorizing USB input devices

About

Security Enhanced USB 2 is the second approach to securing USB devices. (The first approach is based on usbmon and tries to detect changes in the firmware. It is not yet on this wiki.)

This shell script package uses udev to authorize USB input devices. Newly connected devices are disabled until a user (a member of the group seusb2) authorizes their use in a pop-up dialogue. To avoid lockouts, authorization can also be done by pressing the power button. This feature requires acpid.

WARNING: Most USB input devices, such as keyboards or mice, come without a distinguishing serial number. Authorization is therefore based on vendor and product ID, which lets an attacker spoof these values to match an already authorized device.
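To see which attached devices are affected by this limitation, the following added example (not part of seusb2, and not a description of how seusb2 stores its authorizations) builds an identity key from the Linux sysfs attributes idVendor, idProduct and serial and flags devices that lack a serial or share a key with another device. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not seusb2 code. Attribute names follow Linux sysfs
# (idVendor, idProduct, serial under /sys/bus/usb/devices/<port>).

# usb_identity DIR: print "vid:pid:serial", or "vid:pid" if no serial exists.
usb_identity() {
    d=$1
    [ -r "$d/idVendor" ] && [ -r "$d/idProduct" ] || return 1
    key="$(cat "$d/idVendor"):$(cat "$d/idProduct")"
    s=
    if [ -r "$d/serial" ]; then
        # Strip whitespace so the key stays a single word.
        s=$(tr -d '[:space:]' < "$d/serial")
    fi
    printf '%s\n' "$key${s:+:$s}"
}

# audit_usb_tree ROOT: print "<strength> <identity> <port>" per device.
audit_usb_tree() {
    seen=
    for dev in "$1"/*; do
        # Interface directories have no idVendor and are skipped.
        key=$(usb_identity "$dev") || continue
        case $key in
            *:*:*) strength=vid-pid-serial ;;
            *)     strength=vid-pid-only ;;
        esac
        # A repeated key means an allowlist cannot tell the two devices apart.
        case " $seen " in
            *" $key "*) strength=collision ;;
        esac
        seen="$seen $key"
        printf '%s %s %s\n' "$strength" "$key" "${dev##*/}"
    done
}

# Constructed sample tree (made-up IDs) so the example runs offline.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/1-1" "$t/1-2" "$t/1-3"
    for p in 1-1 1-2; do
        echo 1111 > "$t/$p/idVendor"; echo 2222 > "$t/$p/idProduct"
    done
    echo 3333 > "$t/1-3/idVendor"; echo 4444 > "$t/1-3/idProduct"
    echo CONSTRUCTED0001 > "$t/1-3/serial"
    printf '%s\n' "$t"
}

# No argument: audit the sample. On a real host pass /sys/bus/usb/devices.
audit_usb_tree "${1:-$(make_sample_tree)}"
```

Devices reported as vid-pid-only or collision are the ones for which a vendor/product match says nothing about which physical device is attached.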

The source code is under LGPL3 and available on Github: https://github.com/codecivil/seusb2

The tarball and the binary Debian package are available here: File:Seusb2 1.0.orig.tar.xz File:Seusb2 1.0-1 all.deb

Dependencies

   udev
   inotify-tools
   zenity
   bash (>= 3.2)
   adduser
   acpid

Installation

1. Download the Debian package above.

2. Install the dependencies

   sudo apt-get install udev inotify-tools zenity bash adduser acpid

3. Install the package

   sudo dpkg -i seusb2_1.0-1_all.deb

(alternatively, download the tarball and build the package for yourself)

4. Add seusb2 users. For every USERNAME you want to allow to authorize new USB input devices, run

   sudo usermod -aG seusb2 USERNAME

5. Log in as a seusb2 user. If you are already logged in, log out first. *This will display the dialogues for existing USB input devices. If you do not authorize them now, they will be unavailable after the next boot.*