A Facebook user asked how to forbid write access to an external USB drive, allowing only read-only access:

https://www.facebook.com/groups/2038459406441806/permalink/2247941888826889/

My very first idea was to use udev rules:

Create a file /etc/udev/rules.d/90-ro-usb.rules (udev only reads files whose names end in .rules):

SUBSYSTEMS=="usb",ACTION=="add",KERNEL=="sd*",RUN+="/sbin/blockdev --setro /dev/%k"

and reload udev:

udevadm trigger
# or
udevadm control --reload

To enforce read-only mounting of all removable drives (taken from the Red Hat Security Guide):

SUBSYSTEM=="block",ATTRS{removable}=="1",RUN{program}="/sbin/blockdev --setro %N"

Other solutions (I have not tested them myself):

SUBSYSTEMS=="usb",ENV{ID_FS_USAGE}=="filesystem",RUN+="/sbin/blockdev --setro /dev/%k"
ACTION=="add",KERNEL=="sd*",DRIVERS=="usb",RUN+="/sbin/blockdev --setro /dev/%k"

Instead of blockdev, you can use hdparm: RUN+="/sbin/hdparm -r1 /dev/%k"
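
To check that a rule actually took effect, the kernel's read-only flag can be read back from sysfs. The function below is an added example, not part of the original post: audit_usb_ro is a hypothetical name, and it assumes the usual sysfs layout (/sys/block/<disk>/ro, /sys/block/<disk>/removable, /sys/block/<disk>/<partition>/ro).

```shell
# Added example: report whether USB/removable sd* disks and their partitions
# carry the read-only flag that "blockdev --setro" (or "hdparm -r1") sets.
# Assumption: standard sysfs layout; the sysfs root can be overridden with $1
# so the function can be exercised against a constructed directory tree.
audit_usb_ro() {
    local sysroot="${1:-/sys}" rc=0 disk name node
    for disk in "$sysroot"/block/sd*; do
        [ -e "$disk/ro" ] || continue
        name=${disk##*/}
        # A disk counts as USB if its resolved device path passes through a
        # usb bus. Many USB hard disks report removable=0, so the removable
        # flag alone is only used as a fallback.
        case "$(readlink -f "$disk")" in
            */usb[0-9]*/*) ;;
            *) [ "$(cat "$disk/removable" 2>/dev/null)" = 1 ] || continue ;;
        esac
        # Check the whole disk and each partition directory below it.
        for node in "$disk" "$disk"/"$name"*; do
            [ -e "$node/ro" ] || continue
            if [ "$(cat "$node/ro")" = 1 ]; then
                echo "${node##*/} read-only"
            else
                echo "${node##*/} WRITABLE"
                rc=1
            fi
        done
    done
    # Non-zero if any USB/removable node is still writable.
    return "$rc"
}
```

Run audit_usb_ro with no argument after plugging the drive in; a WRITABLE line for a partition means the rule matched the disk but not its partitions (or did not match at all).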

How to Enforce Read-Only Mounting of USB Drives