HPE Community
Operating System - HP-UX
1823959 Members
4241 Online
109667 Solutions
New Discussion юеВ

CD/DVD WRITE DISABLE

 
SOLVED
Go to solution
john guardian
Super Advisor

тАО12-08-2010 10:08 AM

тАО12-08-2010 10:08 AM

CD/DVD WRITE DISABLE

If a system has a writable CD/DVD, is there an EASY method for root to permanently disable that facility, IE: via specific device file changes and/or any other mods?

Please be specific.

Thx.
0 Kudos
10 REPLIES 10
Matti_Kurkela
Honored Contributor

тАО12-08-2010 11:55 AM

тАО12-08-2010 11:55 AM

Solution

Re: CD/DVD WRITE DISABLE

To disallow CD/DVD writing, simply don't create a /dev/rscsi/c#t#d# device for the CD/DVD burner. You cannot burn CDs without that device, and HP-UX won't create it automatically for you: root must always create that device manually, or using a script that comes with the CD burning software.

If someone has already created that device node, remove it, or set its permissions to root access only.

You seem to be trying to prepare a HP-UX system for processing some sort of sensitive information. Would you like some friendly advice?

(Whoa, I think I was channeling Clippy there. Anyway...)

You should keep in mind that physical access (the ability to poke the server with fingers and tools) to the server will trump most software security mechanisms. If you are planning to handle sensitive information, putting the server behind locked doors should be your *first* step.

Once your server is physically accessible by trusted personnel only, the problem of a writable CD/DVD should also be mostly solved: a writable CD/DVD drive is not useful to an unauthorized person if he/she cannot insert a blank CD/DVD.

When thinking about software-level security mechanisms, you should remember this: *anything* root can do, root can also undo. The OS cannot protect the system against a malicious person who has real root access, because with root access the malicious person can disable or override the protection mechanisms of the OS.

MK
MK
0 Kudos
Steven Schweda
Honored Contributor

тАО12-08-2010 12:10 PM

тАО12-08-2010 12:10 PM

Re: CD/DVD WRITE DISABLE

Define "permanently".

> Please be specific.

You first. What is your actual requirement?
The best actual solution may be to lock the
door, not to try to hobble the software, and
keep it hobbled "permanently". (Or did you
intend to run a cron job to check on this
stuff every few minutes to make sure that no
one has removed the hobbles?)

http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1459606

Spreading the same problem across multiple
threads may not be the best path to the best
solution. (My first thought on reading this
post was, "What about the USB ports?".)
0 Kudos
KathyL1
Valued Contributor

тАО12-08-2010 04:19 PM

тАО12-08-2010 04:19 PM

Re: CD/DVD WRITE DISABLE

We have a similar requirement and our solution it to only ever install read-only CD/DVD drives in our servers.
0 Kudos
Steven Schweda
Honored Contributor

тАО12-08-2010 07:59 PM

тАО12-08-2010 07:59 PM

Re: CD/DVD WRITE DISABLE

> [...] our solution [...]

Some years ago, I had occasion to visit a
certain government-operated facility which
employed armed guards and labyrinthine
hallways. It was a "medium motel": The
media check in, but they don't check out.

Physical security has its limitations, too
(like, say, a trusted senior employee with a
9-track tape under his coat), but it's
probably wiser to be aware of those
limitations than it is to believe that
there's some simple technical fix to a very
complex problem, and then relax.
0 Kudos
Tim Nelson
Honored Contributor

тАО12-09-2010 02:23 PM

тАО12-09-2010 02:23 PM

Re: CD/DVD WRITE DISABLE

but there is a simple way........


physically remove the CD/DVD RW hardware from the server
0 Kudos
Steven Schweda
Honored Contributor

тАО12-09-2010 03:24 PM

тАО12-09-2010 03:24 PM

Re: CD/DVD WRITE DISABLE

> but there is a simple way........
>
>
> physically remove the CD/DVD RW hardware
> from the server

Simple, but not particularly effective, if a
user can plug in his own USB-interface drive.
(Or SCSI, or ...)

Everything's complicated. (If you don't
think so, then think more. Or better. But,
"If you don't think too good, don't think too
much.")
0 Kudos
Autocross.US
Trusted Contributor

тАО02-03-2011 12:05 PM

тАО02-03-2011 12:05 PM

Re: CD/DVD WRITE DISABLE

Kinda late to this post, but i've just run across a similar requirement on some Linux systems to disable CD/DVD write access.

This was accomplished by removing read/execute permissions on the following executables that perform these write operations:

chmod 770 /usr/bin/cdrecord
chmod 770 /usr/bin/growisofs

You may want to start with these and then check for other programs that do this and restrict read/execute to them as well.
I drive way too fast to worry about calories.
0 Kudos
Torsten.
Acclaimed Contributor

тАО02-03-2011 12:14 PM

тАО02-03-2011 12:14 PM

Re: CD/DVD WRITE DISABLE

I'm not sure where the issue is.

If you want to write to a CD, you must have physical access to the CD drive to insert a media.

Restrict the physical access like everyone is doing.

Since you usually need to be root to have write access, don't allow root access to others.

Any action done by root to prevent write access can be reverted by "another" root user.


However, IMHO to allow any kind of network access is much more dangerous ... ;-)

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
0 Kudos
john guardian
Super Advisor

тАО02-03-2011 12:31 PM

тАО02-03-2011 12:31 PM

Re: CD/DVD WRITE DISABLE

All input was appreciated. Ultimately, the physical devices were removed as I had originally advised my mgmt to do.

Thx to all who responded.
0 Kudos
Torsten.
Acclaimed Contributor

тАО02-03-2011 12:45 PM

тАО02-03-2011 12:45 PM

Re: CD/DVD WRITE DISABLE

Please allow this question:

Is this requirement made by non-technical management alerted by some articles in newspapers about swiss bank account data sold to several european governments on CD-Rs?

LOL!

If anyone would like to get some data from the server with bad intentions, I think the very last choice would be to burn them on the server itself ...


just my 2 cents ...

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!   
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.