How to enforce read-only mode on every connected USB storage device

Today, I will show you how to put every connected USB storage device in read-only mode using udev dynamic device management, the blockdev utility and, additionally, a systemd service unit.

udev

The simplest solution is to create a udev rule that directly executes the blockdev command, which enforces read-only mode on every connected USB storage device. It works on both Debian Wheezy and Debian Jessie.

Create the udev rule.

$ cat << EOF | sudo tee /etc/udev/rules.d/10-usb-ro.rules
SUBSYSTEMS=="usb",ACTION=="add",KERNEL=="sd*",RUN+="/sbin/blockdev --setro /dev/%k"
EOF

Reload udev configuration files afterwards.

$ sudo udevadm control --reload

udev and systemd

This solution uses a systemd service unit to execute the above-mentioned blockdev command. It works on Debian Jessie.

Create the udev rule.

$ cat << EOF | sudo tee /etc/udev/rules.d/10-usb-ro.rules
SUBSYSTEMS=="usb",ACTION=="add",KERNEL=="sd*",ENV{SYSTEMD_WANTS}="enforce-usb-ro@%k"
EOF

Create the systemd template unit.

$ cat << EOF | sudo tee /etc/systemd/system/enforce-usb-ro\@.service
[Unit]
Description=Enforce read-only mode on USB storage device
BindsTo=dev-%i.device

[Service]
Type=simple
ExecStart=/sbin/blockdev --setro /dev/%I
EOF

Reload udev configuration files afterwards.

$ sudo udevadm control --reload

Reload systemd configuration files too.

$ sudo systemctl daemon-reload

Additional notes

Note that the created rules are applied only to newly connected devices.

Use the following command to verify read-only mode on connected devices.

$ sudo blockdev --report
RO    RA   SSZ   BSZ   StartSec            Size   Device
rw   256   512   512          0      1073741312   /dev/sr0
rw   256   512  4096          0      8589934592   /dev/sda
rw   256   512  4096       2048      8185184256   /dev/sda1
rw   256   512  1024   15990782            1024   /dev/sda2
rw   256   512  4096   15990784       401604608   /dev/sda5
ro   256   512  4096          0     15518924800   /dev/sdb
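
The report above still has to be read by eye. The following added example (not part of the original post) cross-checks it against sysfs and lists any USB-backed sd* node that is still writable. The function names and the sample report are constructed for illustration, and detecting USB devices by their resolved sysfs path is this example's assumption.

```shell
#!/bin/sh
# Added example (not from the original post): audit USB read-only enforcement.

# Constructed sample in `blockdev --report` format; sdc is a hypothetical
# USB stick that the rule missed.
SAMPLE_REPORT='RO    RA   SSZ   BSZ   StartSec            Size   Device
rw   256   512  4096          0      8589934592   /dev/sda
ro   256   512  4096          0     15518924800   /dev/sdb
rw   256   512  4096          0     15518924800   /dev/sdc'

# Print kernel names (sdb, sdb1, ...) of sd* block devices whose resolved
# sysfs path runs through a USB bus. $1 = sysfs root (default: /sys).
list_usb_blockdevs() {
    sysroot=${1:-/sys}
    for link in "$sysroot"/class/block/sd*; do
        [ -e "$link" ] || continue
        case $(readlink -f "$link") in
            */usb[0-9]*/*) basename "$link" ;;
        esac
    done
}

# Read a blockdev report on stdin; arguments are the kernel names to check.
# Print every listed device whose RO column is not "ro".
writable_among() {
    names=" $* "
    while read -r ro _ra _ssz _bsz _start _size dev; do
        case $dev in /dev/*) ;; *) continue ;; esac   # skips the header row
        case $names in
            *" ${dev#/dev/} "*) [ "$ro" = ro ] || echo "$dev" ;;
        esac
    done
}

# Live check (run as root): list writable USB nodes, return 1 if any exist.
audit_usb_ro() {
    usb=$(list_usb_blockdevs)
    [ -n "$usb" ] || return 0
    bad=$(blockdev --report | writable_among $usb)
    [ -z "$bad" ] || { echo "$bad"; return 1; }
}
```

Source the file and run audit_usb_ro as root after plugging in a device; a non-zero exit status means at least one USB node was not switched to read-only.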

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long time supporter of Free Software Foundation and Debian operating system.

Gdansk, Poland https://sleeplessbeastie.eu