Re: [Hampshire] Locking down a gnome machine

Author: Peter Brooks
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Locking down a gnome machine
On 24/04/07, Peter McGowan <peter.mcgowan@???> wrote:
>
>
> On 13 Apr 2007, at 17:47, Peter Brooks wrote:
>
> > Hello all,
> > Over the past few days I've done a fresh install of Gentoo 2006.1 with
> > gnome-light installed and the main purpose of providing a locked down
> > machine for users.
> > The machine in question is in use at a Student Radio Station, it's
> > their studio pc that they read messages on and have access to music
> > utilities.
> >
> > So far I've locked down a lot of things such as access to tty's,
> > restarting X and used pessulus to help me along with gconf.
> >
> > I've also (thanks to dg) removed access to the terminal by the user by
> > the use of the lines:
> > if [ "/bin/rbash" = "$SHELL" ]; then export PATH=""; fi
> > if [ "${TTY/vc}" != "${TTY}" ]; then exit; fi
> > if [ ! "${pts}" ]; then exit; fi
> >
> > in .bashrc and
> > if [ "${TTY/vc}" != "${TTY}" ]; then exit; fi
> >
> > .bash_profile
> >
> >
> > This has allowed the user to still log into gnome and any attempt to
> > launch a terminal instantly closes it. I have also removed xterm &
> > gnome-terminal and hard masked them (this might be removed now that
> > terminals close themselves)
> >
> > Firstly I'd like to ask if anyone can see any holes in my security
> > config and then I'm asking for any more recommendations to lock down
> > the machine.
> >
> > One loophole I can see is that a user can create launchers still,
> > hence they can create launchers and launch programs. One thought of
> > mine around this is to change ownership of Desktop to root and stop
> > them modifying the desktop.
> > Though it's a bit rough.
> >
> > Another thing I'd like to disable is the ability to edit the
> > applications menu, but a user can still right click on the main menu
> > and select edit menu.
> >
> > Cheers for reading my paranoia.
>
> Shame you picked Gnome - isn't this exactly what KDE Kiosk is
> intended for?




Certainly yes, but I'm a gnome man and there doesn't exist a kde-light, unlike
gnome. My view is that if an application exists then a user can find a way
to it and hence limiting damage.
A tool for gnome exists called pessulus; it's quite good but has stonewalled
for now and just needs more development.

http://enterprise.kde.org/articles/kiosk-lp.php
>
> Peter
>
>
> --
> Please post to: Hampshire@???
> Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
> LUG URL: http://www.hantslug.org.uk
> --------------------------------------------------------------
>
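
An audit script for the setup described in the quoted message, added here and not part of the original thread: the `.bashrc`/`.bash_profile` lines and the root-owned `Desktop` idea only hold while the kiosk account does not own those paths and they carry no group or world write bit. The item list, function names and the use of GNU `stat`/`find` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit the paths a GNOME kiosk
# lockdown like the one described above depends on.
# KIOSK_ITEMS is an assumed list taken from the files named in the message.
KIOSK_ITEMS=".bashrc .bash_profile Desktop"

# item_status HOME USER ITEM
# Prints one of: ok, missing, user-owned, writable
item_status() {
    path="$1/$3"
    # A missing file cannot carry the lockdown lines.
    [ -e "$path" ] || { echo missing; return; }
    # Owned by the kiosk account: the account can edit or chmod it.
    owner=$(stat -c %U "$path")
    if [ "$owner" = "$2" ]; then echo user-owned; return; fi
    # Group or world write bit set (GNU find: -perm /022 matches either).
    if [ -n "$(find "$path" -maxdepth 0 -perm /022)" ]; then
        echo writable; return
    fi
    echo ok
}

# audit_home HOME USER
# Prints a status line per item; returns 0 only if every item is "ok".
audit_home() {
    bad=0
    for item in $KIOSK_ITEMS; do
        st=$(item_status "$1" "$2" "$item")
        printf '%-14s %s\n' "$item" "$st"
        [ "$st" = ok ] || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Stand-alone use: ./audit.sh /home/studio studio  (path and name are placeholders)
if [ $# -eq 2 ]; then
    audit_home "$1" "$2"
fi
```

Run it as root after each change to the account so that a chown or chmod that has drifted back shows up as a non-zero exit.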