On Tue, Jan 03, 2006 at 03:24:22AM -0800, J.C. Roberts wrote:
> My dad (68 years old) has finally succeeded in destroying/infecting
> his MS-Windows NT4 box, in spite of my best efforts to secure the darn
> thing (e.g. No MSIE, No "Microsoft Networking", stripped of just about
> everything MS-ish and with tons of hand made patches, behind an openbsd
> firewall... and so on and so forth). It lasted a good four years in the
> hands of a typical user that hates computers, clicks on everything and
> still expects everything to "just work" and work properly.

Not half bad!

> Dad thought the idea of needing to enter a password and remember an
> esoteric sudo command to shut down the system was just insane, so he
> wanted the KDE "Log Out" menu item to just shut the system down for him.
>
> This is where things get interesting... I know you can have a "shutdown"
> option in KDM but I don't want to run kdm mainly because the graphics on
> the OpenBSD XDM are much cooler. ;) -Actually, my reasoning is that xdm
> has been audited and has been wired into OpenBSD properly while kdm is
> an unknown, a port and I simply don't want to mess with it.
>
> # echo "xdm_flags=\"\"" >>/etc/rc.conf.local
>
> The first thing I did was add a "flag file" to my dad's home directory
> and made sure he can't modify or delete it.
>
> # touch /home/dad/.xshutdown
> # chown root:wheel /home/dad/.xshutdown
> # chmod 400 /home/dad/.xshutdown
>
> Since /etc/X11/xdm/TakeConsole runs with root permission on every user
> logout to prevent /dev/console sniffing I modified it to perform the
> shutdown if the flag file is found in the users home directory.
>
> # cat /etc/X11/xdm/TakeConsole
> #!/bin/sh
> # Reassign ownership of the console to root, this should disallow
> # assignment of console output to any random users's xterm
> # $Xorg: TakeConsole,v 1.3 2000/08/17 19:54:17 cpqbld Exp $
> # $OpenBSD: TakeConsole,v 1.3 2004/11/03 00:22:21 matthieu Exp $
> #
> chmod 622 /dev/console
> chown root /dev/console
> /usr/X11R6/bin/sessreg -d -l $DISPLAY -u /var/run/utmp \
>         -x /usr/X11R6/lib/X11/xdm/Xservers $USER
>
> if [ -f "$HOME/.xshutdown" ]; then
>         shutdown -hp now
> fi
> #
>
> This approach works perfectly but my questions are:
> Is there anything wrong with this approach?
> Is there a better way to deal with the problem?

This is a hack. It will work, until you upgrade X11 without being very
careful. Why not just configure sudo to allow access to /sbin/halt
without a password from user dad? Of course, you then alter the KDE menu
to do it your way.
And/or place a two-line shell script in ~dad/bin/halt:

	#!/bin/sh
	sudo /sbin/halt

> I know it's a "holy war" topic, but do you have a recommendation for an
> email client he could use?

Hannah's point on KMail is good. I don't know what he used previously,
but if that one is available for *nix, use it. If not, something
similar.

Basically, all mail clients suck. And the one that sucks less is not
very newbie-friendly.

		Joachim
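
The sudo rule suggested in the reply, written out as an added example that is not part of the original message. It assumes the login name is dad (taken from the quoted /home/dad path) and that -p is wanted so the machine powers off as the quoted "shutdown -hp now" does; the file is edited with visudo so a syntax error is caught before it is saved.

```sudoers
# Added example, not from the thread.
# Assumptions: user "dad", OpenBSD's /sbin/halt, power-off via -p.

# Too broad: passwordless root for every command. Shown only for contrast.
# dad ALL = (ALL) NOPASSWD: ALL

# Scoped: one binary, one exact argument list, run as root, no password.
# Because arguments are listed, sudo matches them exactly and refuses
# any other invocation of halt (for example "halt -n").
dad ALL = (root) NOPASSWD: /sbin/halt -p

# Variant: allow halt only with no arguments at all.
# dad ALL = (root) NOPASSWD: /sbin/halt ""
```

With the scoped rule, the wrapper script has to call "sudo /sbin/halt -p" exactly. A rule that names only /sbin/halt, with no argument list, would accept any arguments.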