Re: How to secure access to SD cards a la USBGuard?
- To: debian-user@lists.debian.org
- Subject: Re: How to secure access to SD cards a la USBGuard?
- From: David Wright <deblis@lionunicorn.co.uk>
- Date: Sun, 2 Jan 2022 20:52:25 -0600
- Message-id: <20220103025225.GC25662@axis.corp>
- Reply-to: debian-user@lists.debian.org
- In-reply-to: <20211210162052.tv3lfqzhmt6v2rgo@acr13.nuvreauspam>
- References: <b642c779-e4ed-7de1-a28c-6d0ef8a20c5a@gmail.com> <jwvwnld8iuj.fsf-monnier+gmane.linux.debian.user@gnu.org> <32bfedbe-c0a3-dbcf-0afd-935d40d41081@gmail.com> <jwvr1bl8fj9.fsf-monnier+gmane.linux.debian.user@gnu.org> <20211205123341.zq7hkx6pz6ccazai@acr13.nuvreauspam> <20211206161849.GD5554@axis.corp> <20211210162052.tv3lfqzhmt6v2rgo@acr13.nuvreauspam>
On Fri 10 Dec 2021 at 17:20:52 (+0100), Andrei POPESCU wrote:
> On Lu, 06 dec 21, 10:18:49, David Wright wrote:
> > On Sun 05 Dec 2021 at 13:33:41 (+0100), Andrei POPESCU wrote:
> > > On Vi, 12 nov 21, 12:27:59, Stefan Monnier wrote:
> > > >
> > > > As mentioned, the way to control it will depend on the specific tool
> > > > used to mount. E.g. if it's mounted by hand via a rule in /etc/fstab,
> > > > then you can use rules that specify the device via /etc/disk/by-uuid.
> > > >
> > > > Do note that partition UUIDs are not designed to be reliable w.r.t
> > > > malicious uses (it's easy to create a partition with the same UUID as
> > > > some other).
> > >
> > > /dev/disk/by-id/ should be device specific.
> >
> > It certainly is, but specific to the card reader reading it,
> > not the card. And that's whether the card is plugged into a
> > slot on the computer, or into a discrete SD/USB adapter.
>
> At least with the built-in reader on an Acer Chromebook R13 the ID
> changes with every card I tested, but you are indeed right about USB
> adapters (at least for the two I could test).

I did some comparisons between machines, and it would appear that
when the link starts with /dev/disk/by-id/mmc- then the ID is
that of the card, whereas when it starts with /dev/disk/by-id/usb-
then the ID is that of the card reader. Note that I did all the
comparisons using fullsize SD cards pushed into slots in the PCs,
so there were no separate adapters involved, neither SD→USB, nor µSD→SD.

As one might expect, googling mmc and usb is swamped with stuff about
MMC and SD /cards/, so I haven't read anything about the differences
between these slots on different computers. But I guess that if you
want to distinguish SD cards by their identification/serial number,
rather than strings that you write onto them (UUID/LABEL), you need
to use a PC with an mmc-style slot.

Cheers,
David.
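
The shell functions below are an added example, not part of the message above or of any Debian tool. They apply the mmc-/usb- observation to gate a mount on an allowlist of by-id names, refusing usb- names because those identify the reader rather than the card. The function names, the allowlist path and its one-name-per-line format are assumptions.

```shell
#!/bin/sh
# Added illustration. classify_by_id and card_allowed are hypothetical
# helpers; the allowlist format (one by-id link name per line) is assumed.

# Print "card", "reader" or "other" for one /dev/disk/by-id link name:
# mmc-* names carry the card's ID, usb-* names carry the reader's ID.
classify_by_id() {
    case "$1" in
        mmc-*) echo card ;;
        usb-*) echo reader ;;
        *)     echo other ;;
    esac
}

# card_allowed DIR ALLOWLIST DEVICE
# Returns 0 only if DEVICE is the target of an mmc-* link in DIR whose
# name (with any -partN suffix removed) appears as a whole line in
# ALLOWLIST. A usb-* link never qualifies, even when it is listed,
# because it would match any card pushed into that reader.
card_allowed() {
    ca_dir=$1
    ca_list=$2
    ca_dev=$(readlink -f "$3") || return 2
    for ca_link in "$ca_dir"/*; do
        [ -L "$ca_link" ] || continue
        [ "$(readlink -f "$ca_link")" = "$ca_dev" ] || continue
        ca_name=${ca_link##*/}
        ca_name=${ca_name%-part[0-9]*}   # partition link -> whole-card name
        if [ "$(classify_by_id "$ca_name")" = card ] &&
           grep -qxF -- "$ca_name" "$ca_list"; then
            return 0
        fi
    done
    return 1
}

# Typical use (the allowlist path is a hypothetical choice):
#   card_allowed /dev/disk/by-id /etc/sd-allowlist /dev/mmcblk0p1 &&
#       mount /dev/mmcblk0p1 /mnt
```

The mmc- name is built from the name and serial the card itself reports, so a match identifies a card but does not authenticate it.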