Re: [Hampshire] Locking down a gnome machine

Author: Peter McGowan
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Locking down a gnome machine

On 13 Apr 2007, at 17:47, Peter Brooks wrote:

> Hello all,
> Over the past few days I've done a fresh install of Gentoo 2006.1 with
> gnome-light installed and the main purpose of providing a locked down
> machine for users.
> The machine in question is in use at a Student Radio Station, it's
> their studio pc that they read messages on and have access to music
> utilities.
>
> So far I've locked down a lot of things such as access to tty's,
> restarting X and used pessulus to help me along with gconf.
>
> I've also (thanks to dg) removed access to the terminal by the user by
> the use of the lines:
> if [ "/bin/rbash" = "$SHELL" ]; then export PATH=""; fi
> if [ "${TTY/vc}" != "${TTY}" ]; then exit; fi
> if [ ! "${pts}" ]; then exit; fi
>
> in .bashrc and
> if [ "${TTY/vc}" != "${TTY}" ]; then exit; fi
>
> .bash_profile
>
>
> This has allowed the user to still log into gnome and any attempt to
> launch a terminal instantly closes it. I have also removed xterm &
> gnome-terminal and hard masked them (this might be removed now that
> terminals close themselves)
>
> Firstly I'd like to ask if anyone can see any holes in my security
> config and then I'm asking for any more recommendations to lock down
> the machine.
>
> One loophole I can see is that a user can create launchers still,
> hence they can create launchers and launch programs. One thought of
> mine around this is to change ownership of Desktop to root and stop
> them modifying the desktop.
> Though it's a bit rough.
>
> Another thing I'd like to disable is the ability to edit the
> applications menu, but a user can still right click on the main menu
> and select edit menu.
>
> Cheers for reading my paranoia.


Shame you picked Gnome - isn't this exactly what KDE Kiosk is
intended for?

http://enterprise.kde.org/articles/kiosk-lp.php

Peter