Completely disable CD/DVD Rom access to all users on Ubuntu 12.04 LTS?

Question

We are using Ubuntu 12.04 LTS. Following is output fromuname -a command: Linux trainingmac1 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:33:09 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

We are training institute and we are trying our best to disable CD/DVD drive for all users on the laptops.

None of the options listed here seem to work on Ubuntu 12.04 LTS, How to disable CD-ROM and USB for normal users in Linux?

We tried all the following approaches,

Using System BIOS

Unfortunately the laptop BIOS does not have option disable DVD drive. It only has option to disable boot from DVD, which we did
Using /etc/group

According to this document http://ubuntuguide.org/wiki/Ubuntu:Precise , following is note,

"To use the cdrom, you must belong to cdrom. To use hot-pluggable devices, you must belong to plugdev. "

The Unix user we are using (user tngusr1) does not belong to any of the these groups in /etc/group file.

Result: User is able to access CD/DVD ROM, and if user put's in blank disc (CD/DVD), then it will load the disc and if brasero is installed, user is able to write new disc
Using chmod on /media and /cdrom

Changed permissions for /cdrom and /media
- chmod 000 /cdrom
- chmod 000 /media
Result: Yet no differece. Impact is if user put's in disc (CD/DVD) with content on it, then it will not load. But if user put's in blank disc (CD/DVD), then it will load the disc and if brasero is installed, user is able to write new disc
Disable Hal's CD-ROM Polling

Based on steps listed in following document "disable Hal's CD-ROM Polling" href: www.ehow.com/how_7509420_disable-hals-cdrom-polling.html

shell> hal-disable-polling --device /dev/scd0

Result: No difference. Blank disc loads as usual and user is able to write new DVD rom
Disable AutoMount for CDROM

Based on document here disable AutoMount for CDROM

Result: May be helpful for beginner. But anyone with 1 month experience on Unbuntu knows how to enable it back and load the CDR blank disc (CD/DVD) and write disc. Also if user opens file explorer from menu, blank cdrom is available on left tree, giving indication that cdrom loaded successfully.
Define a custom Mount Point

Defined a custom Mount Point based on details here,

Added following line in /etc/fstab, hoping that new CD will mount at /media, and since we did chmod 000 /media hoping that it will not load the disc

/dev/cdrom /media auto user,noauto,exec,utf8 0

Result: No difference. Blank disc loads as usual and user is able to write new DVD rom
Manage via UDEV rules

Created a UDEV rule in folder "/etc/udev/rules.d/81-cddrive.rules" as follows,

ENV{ID_CDROM}=="?*", RUN+="/opt/devscripts/checkcd.sh"

Plan was when we determine that "/opt/devscripts/checkcd.sh" was called, then from this automatically restart system.

Result: No difference. So far even though we inserted blank disc multiple times, everytime disc gets loaded, but the script never gets called. Not sure if we using the approach here with trying to use UDV rules to monitor CDROM usage.

EDIT (New): 8. More tries with via UDEV Initialization rules

8.1) Modified following files and commented all lines that were creating /dev mappings for CD/DVD Rom drives,

/lib/udev/rules.d/75-cd-aliases-generator.rules and
/etc/udev/rules.d/70-persistent-cd.rules

8.2) Created a new file here /etc/udev/rules.d/10-custom-cd.rules and added following rules ,

SUBSYSTEMS=="scsi", DRIVERS=="sr", OPTIONS+="ignore_device",OPTIONS+="last_rule" 

SUBSYSTEM=="block", ENV{ID_CDROM}=="?*", ENV{ID_PATH}=="pci-0000:00:1f.2-scsi-5:0:0:0", OPTIONS+="ignore_device", OPTIONS+="last_rule"

Tried with this one also, removing SUBSYSTEMS=="scsi"

DRIVERS=="sr", OPTIONS+="ignore_device", OPTIONS+="last_rule"

8.3) Removed all the following /dev entries,

sudo rm /dev/cdrom /dev/cdrw /dev/dvdrw /dev/dvd /dev/sr0

Note: "/dev/sr0" keeps getting created automatically, and other folders got created again after recent updates. But still if these were working can keep removing them /etc/rc.local

Result: With CDROM related UDEV rules commented, and after restarting machine, again manually deleting /dev/sr0, and with no CDROM related UDEV rules active, excepted for the newly created OPTIONS+="ignore_device" ones, and no entries in /dev, Blank disc loads as usual and user is able to write new DVD Rom

Tried all approaches listed on internet. Please provide a option to disable cdrom mounting on laptop. Goal is if user inserts any kind of disc (blank, audio, with files), ubuntu should not mount cdrom at all. It's ok if cdrom is disable for all users also.

Edit: adding UDEV info for device information. Following the output from "udevadm"

(other parent level info)
- looking at parent device '/devices/pci0000:00/0000:00:1f.2/host5/target5:0:0/5:0:0:0':
- KERNELS=="5:0:0:0"
- SUBSYSTEMS=="scsi"
- DRIVERS=="sr"
- ATTRS{device_blocked}=="0"
- ATTRS{type}=="5"
- ATTRS{scsi_level}=="6"
- ATTRS{vendor}=="hp "
- ATTRS{model}=="DVDWBD TS-LB23P "
- ATTRS{rev}=="0100"
- ATTRS{state}=="running"
- ATTRS{timeout}=="30"
- ATTRS{iocounterbits}=="32"
- ATTRS{iorequest_cnt}=="0x11d"
- ATTRS{iodone_cnt}=="0x114"
- ATTRS{ioerr_cnt}=="0x2"
- ATTRS{evt_media_change}=="0"
- ATTRS{dh_state}=="detached"
- ATTRS{queue_depth}=="1"
- ATTRS{queue_ramp_up_period}=="120000"
- ATTRS{queue_type}=="none
(other child level info)

. . . any reason you can't just unplug the CD-ROM drive? Seems like the only way to be sure. — voretaq7, Nov 14 '12 at 17:19
I'm wondering if anyone ever got an answer for this question? I am a CentOS user, but thought I might be able to gleam some results. Is there a way to comment in an access restriction at user level to the CD/DVD device on a machine running Linux? — jadire, Oct 18 '13 at 17:14

Dmitry · Answer 1 · 2012-11-14T18:14:17.287

3

You can put a kernel module called sr_mod to a modprobe blacklist. It will prevent it from autoloading on system startup:

echo "blacklist sr_mod" >> /etc/modprobe.d/blacklist-sr_mod.conf

Without SCSI cdrom driver loaded the system won't discover the device at all. But this solution will not work against some experienced users which can load the module by hands by calling sudo modprobe sr_mod from a terminal.

If you wait for a more radical solution, you can simply remove the module file from the file system:

rm /lib/modules/$(uname -r)/kernel/drivers/scsi/sr_mod.ko

But don't forget to make some backups because you will not able to use cd-rom drive at all since next reboot after this operation

edited Nov 14 '12 at 18:14

answered Nov 14 '12 at 18:09

Dmitry

461
3
5

Thanks for the reply. Still not working though. On "Ubuntu 12.04 LTS", looks like "sr" driver is now inbuilt as part of Kernel. In following folder, **/lib/modules/$(uname -r)/kernel/drivers/scsi/** which maps to **/lib/modules/3.2.0-32-generic/kernel/drivers/scsi** there is no file called, **sr_mod.ko**. There are no mod's matching with scsi, sr or cd in "lsmod" output either. – markgearn Nov 15 '12 at 14:42
There are no results from any of the following. **lsmod | grep -i sr**, **lsmod | grep -i cd**, **lsmod | grep -i dvd**, **lsmod | grep -i scsi** Please let me know if there is any other way to disable CD/DVD Rom drive. Eagerly trying out all possible options. For Desktops i could pull out the power cord for CD/DVD ROM Drive. Looks like it's not so trivial for Laptop. So trying to disable using OS approach. – markgearn Nov 15 '12 at 14:44
Try the dirty trick: simply remove the device file: `rm /dev/scd0` (or `sr0` or wherever cdrom device file is located). If it will be enough then you can just add this line to `/etc/rc.local` and the file will be removed every time system boots or you can find a more elegant way by writing an udev rule like this: `DRIVERS=="sr", OPTIONS="ignore_device"` – Dmitry Nov 15 '12 at 16:48
Tried with UDEV initialization rules also. Updated the original question with more content in new section **EDIT (New): 8. More tries with via UDEV Initialization rules**. Even this did not work either. Please let me know if you know of any other options. Thanks again for your help. – markgearn Nov 15 '12 at 18:53
Well, that is embarrassing. Restricting acces to a device was always as harder as revoking permissions from a user to the device file. I suppose there is another file in `/dev` which we have not considered (`brasero` have to read/write to the file to read/write to a disk) or `sr0` or `scd0` is still available for read/write to the user (check it out by `ls -l /dev/`). – Dmitry Nov 15 '12 at 19:50

score 0 · Answer 2 · answered Aug 20 '13 at 13:56

0

Why not just unplug the cdrom drive cable?

answered Aug 20 '13 at 13:56

user186319

11

1

Because it's a laptop and so there isn't one. – Michael Hampton Aug 20 '13 at 13:58
`laptop there isn't one` even laptop didn't have visible one but you can unplug it after removing it covers , I'm thinking doing it to save power and maybe and find away to completely remove DVD from my laptop and cover it remained hole somehow to save weigh . – Salem F Jul 19 '18 at 14:58

score 0 · Answer 3 · edited Apr 13 '17 at 12:37

0

Rather than disable the device, perhaps you disable access to the device? The eject command has an -i option, so you might try:

eject -i on /dev/sr0

First you'll need to change one of the udev rules as outlined here:

https://unix.stackexchange.com/questions/104791/how-can-i-disable-the-button-of-my-cd-dvd-drive

edited Apr 13 '17 at 12:37

Community

1

answered Feb 26 '14 at 22:53

moosamus

1
1

this did the trick. – Dec 28 '15 at 02:51

Completely disable CD/DVD Rom access to all users on Ubuntu 12.04 LTS?

3 Answers3