[EdLUG] Locking down Ubuntu 14.04

Edinburgh Linux Users Group edlug at lists.edlug.org.uk
Wed Sep 30 18:20:13 UTC 2015


Just found a tool called inotify which can monitor directories for
immediate changes. Using this it might be possible to create something that
notifies users immediately when they attempt to save to home/desktop.

Just need to make sure it only notifies for relevant items...

--Tai

// Sent from a mobile device; rogue typos may be lurking
On 30 Sep 2015 18:59, "Edinburgh Linux Users Group" <
edlug at lists.edlug.org.uk> wrote:

> Hi,
>
> Thanks for the suggestions, Tai.  Someone else here locally in SF also
> cautioned that making the home dir not writeable would cause app errors.
> So I think that is out.  Thanks for the thought, though!
>
> On Wed, Sep 30, 2015 at 10:49 AM, Edinburgh Linux Users Group <
> edlug at lists.edlug.org.uk> wrote:
>
>> Admittedly I hadn't tested that suggestion yet, it was more of a rush.
>>
>> I did think of the guest account, but it allows users to save to the home
>> dir and desktop (even though that's purged later)
>>
>> Probably marking the home folder as read-only would prevent apps from
>> creating/modifying config files, but I'd be a little surprised if anything
>> actually crashed in this setup..... I'll give it a test later on the way
>> home myself in a VM. Bus commutes are boring like that....
>>
>>
>>
>> ===
>> Tai Kedzierski
>>
>> Affordable Office IT for Freelance and Startup Businesses
>> http://helpuse.com/
>>
>>   I use www.libreoffice.org
>>
>> *"Open Source Free Software is a matter of liberty, not price."*
>> http://bit.ly/foss-why-care
>>
>>
>> On 30 September 2015 at 18:33, Edinburgh Linux Users Group <
>> edlug at lists.edlug.org.uk> wrote:
>>
>>>
>>> On Wed, 30 Sep 2015, at 06:06 PM, Edinburgh Linux Users Group wrote:
>>>
>>> Here's how I understand the reasoning:
>>> The shelter does not want residents saving files to the hard drive;
>>> specifically, they want to make sure the residents are actively pushed by
>>> the system towards their pen drives.
>>>
>>> I assume the computers are going to be available in the shelter as
>>> stationary workstations - not for roaming around with.
>>>
>>> *Id est*: The requirement of not being able to write to disk is not so
>>> much a security requirement, but rather to ensure residents are saving
>>> their personal documents to the right place - is this correct?
>>>
>>>
>>> Given these goals, perhaps the easiest solution would be to create a
>>> non-admin user for residents to log in as.
>>> Then, using super user, remove the write permissions on the home
>>> directory (make it non-writable), and change its owner and group to root
>>> (make it so the user can't turn write-ability back on)
>>>
>>> adduser user
>>> chmod -R 555 /home/user
>>> chown -R root:root /home/user
>>>
>>> Thus they won't be able to write into the downloads or documents folders
>>> etc, but a mounted flash drive would work fine.
>>>
>>>
>>> Doesn't Ubuntu have a guest login where the homedir is tmpfs?
>>>
>>> Doing as suggested above will make most DEs barf and crash!
>>>
>>> Graeme
>>>
>>>
>>> _______________________________________________
>>> EdLUG mailing list
>>> EdLUG at lists.edlug.org.uk
>>> https://lists.edlug.org.uk/mailman/listinfo/edlug
>>>
>>>
>>
>>
>>
>
>
> --
> Christian Einfeldt
>
>
>
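The inotify idea at the top of this message, as an added sketch that is not code from anyone in the thread: it reads raw inotify events through libc and filters them so that only a finished save of a user-visible file triggers a notice. The function names, the ignored-suffix list and the `notify` callback (here `print`, standing in for a desktop notification) are assumptions.

```python
import ctypes, os, struct

# Kernel inotify mask bits, from <sys/inotify.h>
IN_CLOSE_WRITE = 0x00000008   # a file opened for writing was closed
IN_MOVED_TO    = 0x00000080   # a file was renamed into the watched directory
IN_ISDIR       = 0x40000000   # the event concerns a directory
HEADER = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len
# Assumed policy: suffixes used for temporary or partial files
IGNORED_SUFFIXES = ("~", ".tmp", ".swp", ".part", ".crdownload")

def parse_events(buf):
    """Decode a raw inotify read() buffer into (wd, mask, name) tuples."""
    events, offset = [], 0
    while offset + HEADER.size <= len(buf):
        wd, mask, _cookie, length = HEADER.unpack_from(buf, offset)
        offset += HEADER.size
        # The name field is NUL-padded up to `length` bytes.
        name = buf[offset:offset + length].split(b"\0", 1)[0].decode("utf-8", "replace")
        offset += length
        events.append((wd, mask, name))
    return events

def is_relevant(mask, name):
    """True only for a completed save of a visible, non-temporary file."""
    if mask & IN_ISDIR or not mask & (IN_CLOSE_WRITE | IN_MOVED_TO):
        return False
    if not name or name.startswith(".") or name.endswith(IGNORED_SUFFIXES):
        return False   # dotfiles are application config, not user documents
    return True

def watch(directories, notify=print):
    """Block forever, calling notify(path) for each relevant save."""
    libc = ctypes.CDLL(None, use_errno=True)
    fd = libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    watches = {}
    for d in directories:
        wd = libc.inotify_add_watch(fd, os.fsencode(d), IN_CLOSE_WRITE | IN_MOVED_TO)
        if wd < 0:
            raise OSError(ctypes.get_errno(), "cannot watch " + d)
        watches[wd] = d
    while True:
        for wd, mask, name in parse_events(os.read(fd, 4096)):
            if wd in watches and is_relevant(mask, name):
                notify(os.path.join(watches[wd], name))

if __name__ == "__main__":
    watch([os.path.expanduser("~"), os.path.expanduser("~/Desktop")])
```

Watching `IN_MOVED_TO` as well as `IN_CLOSE_WRITE` matters because many applications save by writing a temporary file and renaming it over the target; inotify watches are not recursive, so each directory of interest is listed explicitly.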