How to lock down the CD/DVD player based on the user's group in Red Hat Enterprise Linux (RHEL) 7


Background

Red Hat Enterprise Linux (RHEL) 7 relies on udev and systemd to manage devices. In previous releases of RHEL, udev was used exclusively.

When a user logs in through the Graphical User Interface (e.g. gdm), the devices of interest to the user (e.g. the CD/DVD player, sound card, etc.) are set up or mounted automatically by systemd with the required permissions.

Symmetrically, when the user logs out, the permissions are removed from the devices the user had access to, or the device is unmounted altogether.

Disabling auto-mounting of the CD/DVD player in the Graphical User Interface

RHEL 7 relies on udisks and udev to manage device access and auto-mounting when logged in through the Graphical User Interface. By default, logged-in users in active log-in sessions are permitted to perform operations (for example, mounting, unlocking or modifying) on devices attached to the seat their session is on.
udisks itself relies on polkit for access management.
Please refer to the udisks(8) and polkit(8) manpages for details.

In order to deny read access to the CD/DVD player to unauthorized users, a simple polkit policy rule can be written. Policy rules are written in JavaScript.
In the example below, access to /dev/sr0 is denied to users not part of the cdrom group:

# cat /etc/polkit-1/rules.d/01-dvd.rules
/* Allow members of the cdrom group to mount /dev/sr[0] devices */
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.filesystem-mount")
    {
        var device = action.lookup("device");
        if (device === "/dev/sr0")
        {
            if (subject.isInGroup("cdrom"))
            {
                return polkit.Result.YES;
            } else {
                return polkit.Result.NO;
            }
        }
    }
});
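As an added example (not from the original article), the rule below generalizes the one above: it matches any /dev/sr[0-9]* device rather than only /dev/sr0, covers both the udisks2 filesystem-mount and filesystem-mount-system action ids, explicitly returns NOT_HANDLED for everything else so other rules still apply, and logs each denial. The polkit object, the evaluate() helper and the action/subject objects are a constructed stand-in so the rule can be run under node; on the host, only the var declarations and the polkit.addRule() call go into the .rules file, and the group name and action list are assumed values.

```javascript
// Constructed stand-in for the objects polkit provides to rule files, so the
// rule can be exercised offline with node. On the RHEL 7 host the real polkit
// supplies polkit.addRule, polkit.Result, polkit.log, action and subject.
var polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule: function (fn) { this.rules.push(fn); },
  log: function (msg) { console.log("polkit: " + msg); }
};

// --- Start of what would go into /etc/polkit-1/rules.d/01-dvd.rules ---
// Assumed values: the privileged group and the udisks2 actions to gate.
var OPTICAL_GROUP = "cdrom";
var OPTICAL_ACTIONS = [
  "org.freedesktop.udisks2.filesystem-mount",
  "org.freedesktop.udisks2.filesystem-mount-system"
];
var OPTICAL_DEVICE = /^\/dev\/sr[0-9]+$/;   // any optical drive, not only sr0

polkit.addRule(function (action, subject) {
  if (OPTICAL_ACTIONS.indexOf(action.id) < 0) {
    return polkit.Result.NOT_HANDLED;         // unrelated action: defer
  }
  var device = action.lookup("device");
  if (!OPTICAL_DEVICE.test(device)) {
    return polkit.Result.NOT_HANDLED;         // not an optical drive: defer
  }
  if (subject.isInGroup(OPTICAL_GROUP)) {
    return polkit.Result.YES;
  }
  polkit.log("denied " + action.id + " on " + device + " for " + subject.user);
  return polkit.Result.NO;
});
// --- End of rule file ---

// Evaluate the registered rules the way polkit does: rules run in order and
// the first result other than NOT_HANDLED (or undefined) wins.
function evaluate(actionId, device, user, groups) {
  var action = { id: actionId, lookup: function (k) { return k === "device" ? device : undefined; } };
  var subject = { user: user, isInGroup: function (g) { return groups.indexOf(g) >= 0; } };
  for (var i = 0; i < polkit.rules.length; i++) {
    var r = polkit.rules[i](action, subject);
    if (r !== undefined && r !== polkit.Result.NOT_HANDLED) { return r; }
  }
  return polkit.Result.NOT_HANDLED;
}
```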

Testing that it works

  1. create the file
  2. restart the Polkit service: systemctl restart polkit.service
  3. log off from the user interface
  4. login as a user not part of the cdrom group
  5. check that the DVD cannot be mounted: the user should get an Unable to access ... error when clicking on the DVD

Disabling write access to the CD/DVD player for unauthorized users

Not having the DVD mounted in the user interface doesn't mean the user cannot write to it using a CD recording tool such as Brasero.
To prevent unauthorized users from writing to the device, the standard udev rules must be modified.
Technically, the udev rules in /usr/lib/udev/rules.d/70-uaccess.rules tag the devices which should be available to logged-in users with the uaccess tag.
Because of that, upon login to the graphical interface, the systemd-logind service sets up an ACL letting the user write to the device, as shown below:

# getfacl /dev/sr0
getfacl: Removing leading '/' from absolute path names
# file: dev/sr0
# owner: root
# group: cdrom
user::rw-
user:test:rw-
group::rw-
mask::rw-
other::---

In the example above, we can see that even though /dev/sr0 is owned by root:cdrom and only root and the cdrom group have read-write permissions, an ACL entry user:test:rw- has been created automatically to allow the test user to read and write to the device. This is what we want to avoid.
Unfortunately, for now the only solution is to copy /usr/lib/udev/rules.d/70-uaccess.rules to /etc/udev/rules.d/70-uaccess.rules and modify the copy so that cdrom devices are no longer tagged with the uaccess tag, as shown below (unified diff):

# diff -u /usr/lib/udev/rules.d/70-uaccess.rules /etc/udev/rules.d/70-uaccess.rules
--- /usr/lib/udev/rules.d/70-uaccess.rules  2017-04-21 09:03:53.000000000 +0200
+++ /etc/udev/rules.d/70-uaccess.rules  2017-08-01 15:27:34.291000000 +0200
@@ -21,8 +21,9 @@
 ENV{ID_HPLIP}=="1", TAG+="uaccess"

 # optical drives
-SUBSYSTEM=="block", ENV{ID_CDROM}=="1", TAG+="uaccess"
-SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", TAG+="uaccess"
+# Prevent automatic rw access for users
+#SUBSYSTEM=="block", ENV{ID_CDROM}=="1", TAG+="uaccess"
+#SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", TAG+="uaccess"

 # Sound devices
 SUBSYSTEM=="sound", TAG+="uaccess" \
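Review bot: both rules must stay commented out, not only the block one: the second line tags the scsi_generic node of the same drive (ATTRS{type}=="4|5"), so dropping only the ENV{ID_CDROM} rule would leave that node tagged uaccess and still receiving a per-user ACL. Also, since the copy in /etc/udev/rules.d shadows the whole packaged file rather than the two rules, any other change to 70-uaccess.rules shipped by a later systemd update is masked until the copy is refreshed; a header comment naming the packaged original and the date it was copied would make that easier to spot during updates.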

By doing so, after a reboot of the machine, the optical drives will no longer be tagged with the uaccess tag, so systemd-logind will not create the ACL when the user logs in.

Testing that it works

  1. create the file
  2. reboot
  3. login as a regular user
  4. from a terminal as root, verify that no ACL has been created: getfacl /dev/sr0

Enabling write access to the CD/DVD player for users part of a dedicated group

Now that "Disabling write access to the CD/DVD player for unauthorized users" is implemented, regular users not in the cdrom group will not be able to write to or read the DVD.
Note however that if "Disabling auto-mounting of the CD/DVD player in the Graphical User Interface" is not implemented as well, the user will still have read access to the DVD, because udisks, which runs as root, will mount the device anyway.
If you would like to use a group other than cdrom for the privileged users allowed to write to the DVD, the solution is to modify the default udev rule responsible for that group assignment.
The default udev rules are part of /usr/lib/udev/rules.d/50-udev-default.rules. A few lines in that file assign the cdrom group to the corresponding devices.
Instead of modifying /usr/lib/udev/rules.d/50-udev-default.rules directly (which is not recommended because it will be overwritten upon package update), override these lines by creating a new file in /etc/udev/rules.d, as shown below (in the example, a new cdwriter group is used):

# cat /etc/udev/rules.d/99-dvd-writing.rules 
SUBSYSTEM=="block", KERNEL=="sr[0-9]*", GROUP="cdwriter"
SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", GROUP="cdwriter"
KERNEL=="sch[0-9]*", GROUP="cdwriter"
KERNEL=="pktcdvd[0-9]*", GROUP="cdwriter"
KERNEL=="pktcdvd", GROUP="cdwriter"

Assuming you created a local cdwriter group for that purpose and assigned some users to it, these users will be able to write to the DVD.
If the cdwriter group is not local to the system, the numeric GID of the group should be used in /etc/udev/rules.d/99-dvd-writing.rules instead.

Testing that it works

  1. create the file
  2. reboot
  3. login as a regular user
  4. open Brasero and go to Tools->Blank: no disc should be available
  5. logout
  6. login as a user part of the cdwriter group
  7. open Brasero and go to Tools->Blank: a disc should be available
