
Re: How to secure access to SD cards a la USBGuard?



On Sun, 02 Jan 22, 20:52:25, David Wright wrote:
> On Fri 10 Dec 2021 at 17:20:52 (+0100), Andrei POPESCU wrote:
> > On Mon, 06 Dec 21, 10:18:49, David Wright wrote:
> > > On Sun 05 Dec 2021 at 13:33:41 (+0100), Andrei POPESCU wrote:
> > > > On Fri, 12 Nov 21, 12:27:59, Stefan Monnier wrote:
> > > > > 
> > > > > As mentioned, the way to control it will depend on the specific tool
> > > > > used to mount.  E.g. if it's mounted by hand via a rule in /etc/fstab,
> > > > > then you can use rules that specify the device via /etc/disk/by-uuid.
> > > > > 
> > > > > Do note that partition UUIDs are not designed to be reliable w.r.t
> > > > > malicious uses (it's easy to create a partition with the same UUID as
> > > > > some other).
> > > > 
> > > > /dev/disk/by-id/ should be device specific.
> > > 
> > > It certainly is, but specific to the card reader reading it,
> > > not the card. And that's whether the card is plugged into a
> > > slot on the computer, or into a discrete SD/USB adapter.
> > 
> > At least with the built-in reader on an Acer Chromebook R13 the ID 
> > changes with every card I tested, but you are indeed right about USB 
> > adapters (at least for the two I could test).
> 
> I did some comparisons between machines, and it would appear that
> when the link starts with /dev/disk/by-id/mmc- then the ID is
> that of the card, whereas when it starts with /dev/disk/by-id/usb-
> then the ID is that of the card reader. Note that I did all the
> comparisons using fullsize SD cards pushed into slots in the PCs,
> so there were no separate adapters involved, neither SD→USB, nor µSD→SD.

My guess is micro-SD to SD adapters are passive only (i.e. just 
connecting pin-to-pin as needed), so it shouldn't matter.

For the OP's issue, it seems a possible solution would be to disallow 
any USB-to-SD adapters, and for the (hopefully few) users that really 
need to use SD cards to use MMC-style slots only.

A less secure option would be to allow USB adapters only for a few 
select *trusted* users, with the understanding that they use "safe" SD 
cards only.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser
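
An added example, not part of the original message or of any tool named in the thread: a small audit that applies the "MMC-style slots only" idea to the entries of /dev/disk/by-id, relying on the mmc-/usb- prefix behaviour reported above. The per-card allowlist, the function names and every link name in the sample are assumptions constructed for illustration.

```python
import os
import re
import tempfile

PART_SUFFIX = re.compile(r"-part\d+$")  # by-id partition links end in -partN


def classify(name):
    """Say whose identity a by-id link name carries, per the thread."""
    if name.startswith("mmc-"):
        return "card"    # ID changes with the card
    if name.startswith("usb-"):
        return "reader"  # ID stays with the reader, whatever card is in it
    return "other"


def audit(by_id_dir, allowed_cards):
    """Return {block_device: (verdict, link_name)} for mmc-/usb- links."""
    verdicts = {}
    for name in sorted(os.listdir(by_id_dir)):
        path = os.path.join(by_id_dir, name)
        if not os.path.islink(path):
            continue
        kind = classify(name)
        if kind == "other":
            continue  # fixed disks etc. are outside this policy
        dev = os.path.basename(os.readlink(path))
        card_id = PART_SUFFIX.sub("", name)
        # Only a card-specific ID can be matched against an allowlist;
        # behind a USB reader the card is anonymous, so deny.
        ok = kind == "card" and card_id in allowed_cards
        verdicts[dev] = ("allow" if ok else "deny", name)
    return verdicts


def demo():
    # Constructed sample links (not taken from a real system).
    links = {
        "mmc-SD16G_0x0000aaaa": "../../mmcblk0",
        "mmc-SD16G_0x0000aaaa-part1": "../../mmcblk0p1",
        "mmc-SD32G_0x0000bbbb": "../../mmcblk1",
        "usb-Generic_SD_Reader_000000000001-0:0": "../../sdb",
        "usb-Generic_SD_Reader_000000000001-0:0-part1": "../../sdb1",
        "ata-EXAMPLE_DISK_0001": "../../sda",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, target in links.items():
            os.symlink(target, os.path.join(d, name))
        return audit(d, {"mmc-SD16G_0x0000aaaa"})


if __name__ == "__main__":
    for dev, (verdict, name) in demo().items():
        print(f"{verdict:5} {dev:10} {name}")
```

On a real machine, `audit("/dev/disk/by-id", {...})` gives the same report for whatever is currently plugged in.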
