On Tuesday 12 Nov 2002 11:49 pm, Derek Jennings wrote:
> On Tuesday 12 Nov 2002 11:24 pm, Schwenk, Jeanie wrote:
> > I'm not sure if a kiosk is what will solve my problem.  Advice would be
> > very appreciated.
> >
> > Here's the problem:  I am putting a linux pc in our fab (semiconductor)
> > as a test to prove to management that linux is a viable, inexpensive
> > option to utilize in our manufacturing plant.  (versus new xterms at $6K
> > or more a pop, new servers, or new windows pizza boxes).  I need to
> > prevent the technicians from hacking the box, from surfing, from
> > installing ... you name it.  They need to be able to run ONLY the
> > guis/programs that allow manufacturing to continue smoothly.
> >
> > What is the best way to have the machine automatically boot into a window
> > manager that has only a background menu pick that I can program?  It does
> > not have to start any software upon restart but that would be a plus.
> >
> > Thanks.
> >
> > Jeanie
>
> Something like this ?
> http://www.oeone.com/products/desktop.html
>
> It uses Mozilla as a sort of centralised interface to apps. Works on RedHat
> and now also Mandrake.
>
>
> Alternatively you could just define user accounts which have a limited set
> of menu items, and no shell available.  If you modify the user's 'PATH' to
> remove /usr/bin for example, then they will be unable to run any
> application other than ones you specifically put in their path by creating
> a symlink from the application to some directory in their PATH.
>
>  Look at /etc/profile to see the PATH available to all users, and
> ~/.bash_profile to see how the PATH is modified for individual users.
>
> derek


If I can rubbish my own suggestion - Changing the Path on its own does not 
improve security since anyone who knows the 'long path' to an application can 
still run it.  But here are two more suggestions for 'locking it down.'

Change the permissions on /usr/bin  (and other directories containing apps) to 
750 root,admin   where admin is a group containing trusted users. This will 
prevent any untrusted user from executing any of those apps.  Then for any 
app you want available to all, make the permissions 755.

The next step in complexity is to use PAM (Pluggable Authentication Modules). 
The best way to describe PAM is by example. halt is the name of the 
application to stop a computer. If you want to run it you execute
/usr/bin/halt,  but /usr/bin/halt is not actually the halt application. It is 
a symlink to another application called consolehelper.  When you want to run 
halt you first go to consolehelper which compares the name of the application 
it was called by (halt) with a list of files in /etc/pam.d  If there is a 
file in there of the same name, then the contents of that file are used to 
determine if the user making the request has sufficient rights. Looking at 
the contents of /etc/pam.d/halt shows us the tests performed.

These lines mean that it is OK for root to use halt, but other users have to 
pass a security test first. If the test is passed execution passes over to 
the halt command which is actually held in /sbin/halt

For a description of the PAM commands see
http://www.kernel.org/pub/linux/libs/pam/

As for Window Managers, you can use anything you like. With KDE for example
you could modify all the Hot Keys to disable features like Alt+F2 (execute
command). Using menudrake you can customise the menus, and apply them across
all Window Managers, and stopping services like mgetty will disable console
access (Ctrl+Alt+F1 etc.)

With browsers, you can configure konqueror for example to not show its menu 
bar, so depriving users of the chance to alter settings, and squid-guard can 
be used to block access to all internet sites other than work related ones to 
stop them surfing porn on the late shift.  

You could have endless fun with this project :)

derek
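
Added example, not part of the original message: a small audit that lists which programs in a directory an untrusted account can actually execute, checking the execute bit on the file and the search bit on every parent directory, and following symlinks to the real program. It assumes the account is neither the owner nor in the group and ignores ACLs; the `apps`/`menu` tree and the function names are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

def other_can_reach(directory, base="/"):
    """True if each directory below `base` down to `directory` has o+x."""
    directory, base = os.path.realpath(directory), os.path.realpath(base)
    while directory != base and directory != os.path.dirname(directory):
        if not os.stat(directory).st_mode & stat.S_IXOTH:
            return False
        directory = os.path.dirname(directory)
    return True

def runnable_by_other(bin_dir, base="/"):
    """Names in bin_dir that a user outside owner/group can execute."""
    if not other_can_reach(bin_dir, base):
        return []
    allowed = []
    for name in sorted(os.listdir(bin_dir)):
        # Resolve symlinks: access is decided by the real file and its path.
        target = os.path.realpath(os.path.join(bin_dir, name))
        if not os.path.isfile(target):
            continue
        executable = os.stat(target).st_mode & stat.S_IXOTH
        if executable and other_can_reach(os.path.dirname(target), base):
            allowed.append(name)
    return allowed

def demo():
    """Constructed tree: apps/ stands in for /usr/bin, menu/ for a PATH dir."""
    root = tempfile.mkdtemp()
    apps, menu = os.path.join(root, "apps"), os.path.join(root, "menu")
    for d in (apps, menu):
        os.mkdir(d)
        os.chmod(d, 0o755)
    for name, mode in (("gui", 0o755), ("shell", 0o750)):
        path = os.path.join(apps, name)
        open(path, "w").close()
        os.chmod(path, mode)
    os.symlink(os.path.join(apps, "gui"), os.path.join(menu, "gui"))
    results = {}
    for label, dir_mode in (("755", 0o755), ("750", 0o750)):
        os.chmod(apps, dir_mode)  # mode of the application directory
        results[label] = (runnable_by_other(apps, root), runnable_by_other(menu, root))
    shutil.rmtree(root)
    return results

if __name__ == "__main__":
    print(demo())
```

On a real system, `runnable_by_other("/usr/bin")` with the default `base` shows what untrusted accounts can still run after a permission change.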



