On Tue, Jan 03, 2006 at 03:24:22AM -0800, J.C. Roberts wrote:
> My dad (68 years old) has finally succeeded in destroying/infecting
> his MS-Windows NT4 box, in spite of my best efforts to secure the darn
> thing (e.g. No MSIE, No "Microsoft Networking", stripped of just about
> everything MS-ish and with tons of hand made patches, behind an openbsd
> firewall... and so on and so forth). It lasted a good four years in the
> hands of a typical user that hates computers, clicks on everything and
> still expects everything to "just work" and work properly.

Not half bad!

> Dad thought the idea of needing to enter a password and remember an
> esoteric sudo command to shut down the system was just insane, so he
> wanted the KDE "Log Out" menu item to just shut the system down for him.
> 
> This is where things get interesting... I know you can have a "shutdown"
> option in KDM but I don't want to run kdm mainly because the graphics on
> the OpenBSD XDM are much cooler. ;) -Actually, my reasoning is that xdm
> has been audited and has been wired into OpenBSD properly while kdm is
> an unknown, a port and I simply don't want to mess with it.
> 
>   # echo "xdm_flags=\"\"" >>/etc/rc.conf.local
> 
> The first thing I did was add a "flag file" to my dad's home directory
> and made sure he can't modify or delete it.
> 
>   # touch /home/dad/.xshutdown
>   # chown root:wheel /home/dad/.xshutdown
>   # chmod 400 /home/dad/.xshutdown
> 
> Since /etc/X11/xdm/TakeConsole runs with root permission on every user
> logout to prevent /dev/console sniffing I modified it to perform the
> shutdown if the flag file is found in the user's home directory.
> 
>   # cat /etc/X11/xdm/TakeConsole
>   #!/bin/sh
>   # Reassign ownership of the console to root, this should disallow
>   # assignment of console output to any random users's xterm
>   # $Xorg: TakeConsole,v 1.3 2000/08/17 19:54:17 cpqbld Exp $
>   # $OpenBSD: TakeConsole,v 1.3 2004/11/03 00:22:21 matthieu Exp $
>   #
>   chmod 622 /dev/console
>   chown root /dev/console
>   /usr/X11R6/bin/sessreg -d -l $DISPLAY -u /var/run/utmp \
>     -x /usr/X11R6/lib/X11/xdm/Xservers $USER
>   
>   if [ -f "$HOME/.xshutdown" ]; then
>           shutdown -hp now
>   fi
>   #
>   
> This approach works perfectly but my questions are:
>   Is there anything wrong with this approach?
>   Is there a better way to deal with the problem?

This is a hack. It will work, until you upgrade X11 without being very
careful.

Why not just configure sudo to allow access to /sbin/halt without a
password from user dad? Of course, you then alter the KDE menu to do it
your way. And/or place a two-line shell script in ~dad/bin/halt:

#!/bin/sh
sudo /sbin/halt

> I know it's a "holy war" topic, but do you have a recommendation for an
> email client he could use?

Hannah's point on KMail is good. I don't know what he used previously,
but if that one is available for *nix, use it. If not, something
similar.

Basically, all mail clients suck. And the one that sucks less is not
very newbie-friendly.

                Joachim
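
An added example, not part of the original messages: the [ -f "$HOME/.xshutdown" ] test in the quoted TakeConsole only checks that the file exists, while the stated intent was a flag that root alone controls. The function below (the name flag_trusted is hypothetical) also checks the file's type, owner and write bits before a root-run logout script acts on it.

```shell
#!/bin/sh
# Added example: stricter test for the logout "flag file".
# flag_trusted FILE [OWNER] succeeds only if FILE is a regular file
# (not a symlink), owned by OWNER (default: root), and not writable
# by group or others.
flag_trusted() {
    file=$1
    owner=${2:-root}
    # find does not follow a symlink named on the command line by default,
    # so a link pointing at some other root-owned file fails -type f.
    # A missing file makes find print nothing, which also fails the test.
    match=$(find "$file" -prune -type f -user "$owner" \
        ! -perm -020 ! -perm -002 2>/dev/null)
    [ -n "$match" ]
}

# How the TakeConsole test could call it (left commented out so that
# running this file never halts the machine):
#   if flag_trusted "$HOME/.xshutdown" root; then
#           shutdown -hp now
#   fi
```

The check does not stop the owner of the home directory from removing the flag file, since deletion is governed by the directory's permissions; keeping the flag in a root-owned directory avoids that.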