[EdLUG] Locking down Ubuntu 14.04

Edinburgh Linux Users Group edlug at lists.edlug.org.uk
Wed Sep 30 17:58:37 UTC 2015


Hi,

Thanks for the suggestions, Tai.  Someone else here locally in SF also
cautioned that making the home dir not writeable would cause app errors.
So I think that is out.  Thanks for the thought, though!

On Wed, Sep 30, 2015 at 10:49 AM, Edinburgh Linux Users Group <
edlug at lists.edlug.org.uk> wrote:

> Admittedly I hadn't tested that suggestion yet, it was more of a rush.
>
> I did think of the guest account, but it allows users to save to the home
> dir and desktop (even though that's purged later)
>
> Probably marking the home folder as read-only would prevent apps from
> creating/modifying config files, but I'd be a little surprised if anything
> actually crashed in this setup..... I'll give it a test later on the way
> home myself in a VM. Bus commutes are boring like that....
>
>
>
> ===
> Tai Kedzierski
>
> Affordable Office IT for Freelance and Startup Businesses
> http://helpuse.com/
>
>   I use www.libreoffice.org
>
> *"Open Source Free Software is a matter of liberty, not price."*
> http://bit.ly/foss-why-care
>
>
> On 30 September 2015 at 18:33, Edinburgh Linux Users Group <
> edlug at lists.edlug.org.uk> wrote:
>
>>
>> On Wed, 30 Sep 2015, at 06:06 PM, Edinburgh Linux Users Group wrote:
>>
>> Here's how I understand the reasoning:
>> The shelter does not want residents saving files to the hard drive;
>> specifically, they want to make sure the residents are actively pushed by
>> the system towards their pen drives.
>>
>> I assume the computers are going to be available in the shelter as
>> stationary workstations - not for roaming around with.
>>
>> *Id est*: The requirement of not being able to write to disk is not so
>> much a security requirement, but rather to ensure residents are saving
>> their personal documents to the right place - is this correct?
>>
>>
>> Given these goals, perhaps the easiest solution would be to create a
>> non-admin user for residents to log in as.
>> Then, using super user, remove the write permissions on the home
>> directory (make it non-writable), and change its owner and group to root
>> (make it so the user can't turn write-ability back on)
>>
>> adduser user
>> chmod -R 555 /home/user
>> chown -R root:root /home/user
>>
>> Thus they won't be able to write into the downloads or documents folders
>> etc, but a mounted flash drive would work fine.
>>
>>
>> Doesn't Ubuntu have a guest login where the homedir is tmpfs?
>>
>> Doing as suggested above will make most DEs barf and crash!
>>
>> Graeme
>>
>>
>> _______________________________________________
>> EdLUG mailing list
>> EdLUG at lists.edlug.org.uk
>> https://lists.edlug.org.uk/mailman/listinfo/edlug
>>
>>


-- 
Christian Einfeldt
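
A check for the chmod/chown lockdown suggested in the quoted message, added here as an example and not part of the thread: it lists every path under a directory that still has a write bit set or is not owned by the expected user and group (an owner can simply chmod their own files back). The names `audit_lockdown` and `demo_lockdown_audit` are made up for this example, and the demo tree is constructed.

```shell
#!/bin/sh
# audit_lockdown DIR [OWNER] [GROUP]
# Print every path under DIR that would defeat a read-only home directory:
#   - any write bit is set (chmod -R 555 should have cleared them all), or
#   - it is not owned by OWNER:GROUP (default root:root), so its owner
#     could turn the write bit back on.
# Symlinks are skipped: on Linux their mode always reads lrwxrwxrwx and
# chmod -R does not touch them, so they would only be false positives.
audit_lockdown() {
    dir=$1
    owner=${2:-root}
    group=${3:-root}
    find "$dir" ! -type l \( \
        -perm -200 -o -perm -020 -o -perm -002 \
        -o ! -user "$owner" -o ! -group "$group" \
    \) -print
}

# Constructed demo tree (not a real home directory): apply the 555 mode from
# the thread, loosen one file, and show what the audit reports. The current
# user stands in for root so the demo runs without privileges.
demo_lockdown_audit() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/Documents"
    : > "$t/Documents/cv.odt"
    : > "$t/.bashrc"
    ln -s Documents "$t/docs-link"
    chmod -R 555 "$t"
    chmod u+w "$t/.bashrc"          # simulate a file the lockdown missed
    me=$(ls -ld "$t" | awk '{print $3}')
    grp=$(ls -ld "$t" | awk '{print $4}')
    audit_lockdown "$t" "$me" "$grp" | sed "s|^$t||"
    chmod -R u+w "$t" && rm -rf "$t"
}

demo_lockdown_audit
```

On the real machine, `audit_lockdown /home/user` run as root after the chmod and chown should print nothing.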