[EdLUG] Locking down Ubuntu 14.04

Edinburgh Linux Users Group edlug at lists.edlug.org.uk
Wed Sep 30 18:29:00 UTC 2015


Hi Tai,

Thanks again for the thought, but we are primarily interested in making
sure that a user cannot download improper files to the hard drive. Tracking
is interesting, but probably not helpful enough. :-)

On Wed, Sep 30, 2015 at 11:19 AM, Edinburgh Linux Users Group <
edlug at lists.edlug.org.uk> wrote:

> Just found a tool called inotify which can monitor directories for
> immediate changes. Using this it might be possible to create something that
> notifies users immediately when they attempt to save to home/desktop.
>
> Just need to make sure it only notifies for relevant items...
>
> --Tai
>
> // Sent from a mobile device; rogue typos may be lurking
> On 30 Sep 2015 18:59, "Edinburgh Linux Users Group" <
> edlug at lists.edlug.org.uk> wrote:
>
>> Hi,
>>
>> Thanks for the suggestions, Tai.  Someone else here locally in SF also
>> cautioned that making the home dir not writeable would cause app errors.
>> So I think that is out.  Thanks for the thought, though!
>>
>> On Wed, Sep 30, 2015 at 10:49 AM, Edinburgh Linux Users Group <
>> edlug at lists.edlug.org.uk> wrote:
>>
>>> Admittedly I hadn't tested that suggestion yet, it was more of a rush.
>>>
>>> I did think of the guest account, but it allows users to save to the
>>> home dir and desktop (even though that's purged later)
>>>
>>> Probably marking the home folder as read-only would prevent apps from
>>> creating/modifying config files, but I'd be a little surprised if anything
>>> actually crashed in this setup..... I'll give it a test later on the way
>>> home myself in a VM. Bus commutes are boring like that....
>>>
>>>
>>>
>>> ===
>>> Tai Kedzierski
>>>
>>> Affordable Office IT for Freelance and Startup Businesses
>>> http://helpuse.com/
>>>
>>>   I use www.libreoffice.org
>>>
>>> *"Open Source Free Software is a matter of liberty, not price."*
>>> http://bit.ly/foss-why-care
>>>
>>>
>>> On 30 September 2015 at 18:33, Edinburgh Linux Users Group <
>>> edlug at lists.edlug.org.uk> wrote:
>>>
>>>>
>>>> On Wed, 30 Sep 2015, at 06:06 PM, Edinburgh Linux Users Group wrote:
>>>>
>>>> Here's how I understand the reasoning:
>>>> The shelter does not want residents saving files to the hard drive;
>>>> specifically, they want to make sure the residents are actively pushed by
>>>> the system towards their pen drives
>>>>
>>>> I assume the computers are going to be available in the shelter as
>>>> stationary workstations - not for roaming around with.
>>>>
>>>> *Id est*: The requirement of not being able to write to disk is not so
>>>> much a security requirement, but rather to ensure residents are saving
>>>> their personal documents to the right place - is this correct?
>>>>
>>>>
>>>> Given these goals, perhaps the easiest solution would be to create a
>>>> non-admin user for residents to log in as.
>>>> Then, using super user, remove the write permissions on the home
>>>> directory (make it non-writable), and change its owner and group to root
>>>> (make it so the user can't turn write-ability back on)
>>>>
>>>> adduser user
>>>> chmod -R 555 /home/user
>>>> chown -R root:root /home/user
>>>>
>>>> Thus they won't be able to write into the downloads or documents
>>>> folders etc, but a mounted flash drive would work fine.
>>>>
>>>>
>>>> Doesn't Ubuntu have a guest login where the homedir is tmpfs?
>>>>
>>>> Doing as suggested above will make most DEs barf and crash!
>>>>
>>>> Graeme
>>>>
>>>>
>>>> _______________________________________________
>>>> EdLUG mailing list
>>>> EdLUG at lists.edlug.org.uk
>>>> https://lists.edlug.org.uk/mailman/listinfo/edlug
>>>>
>>
>> --
>> Christian Einfeldt


-- 
Christian Einfeldt
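
One way to verify the chmod/chown lockdown of /home/user proposed in the quoted thread, given here as an added example that is not part of any poster's message: the script walks a home tree and lists every path the resident account could still write to. It assumes classic owner/group/other mode bits only (no ACLs, no root, no read-only mounts); the function names and the temporary tree standing in for /home/user are constructed for illustration.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Classic owner/group/other check on mode bits (ACLs and root are ignored)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_home(root, uid, gids):
    """Return paths at or below root that the given uid/gids may still write to."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not enforced
        if writable_by(st, uid, gids):
            findings.append(os.path.relpath(path, root))
    return sorted(findings)

def demo():
    """Constructed tree standing in for /home/user, with one directory missed."""
    uid, gids = os.getuid(), {os.getgid()}
    with tempfile.TemporaryDirectory() as home:
        for d in ("Desktop", "Downloads", ".config"):
            os.mkdir(os.path.join(home, d))
        note = os.path.join(home, "Desktop", "note.txt")
        open(note, "w").close()
        locked = [home, note] + [os.path.join(home, d) for d in ("Desktop", ".config")]
        for p in locked:
            os.chmod(p, 0o555)
        downloads = os.path.join(home, "Downloads")
        os.chmod(downloads, 0o755)  # the directory the lockdown missed
        before = audit_home(home, uid, gids)
        os.chmod(downloads, 0o555)
        after = audit_home(home, uid, gids)
        for p in locked + [downloads]:
            os.chmod(p, 0o755)  # restore so the temporary tree can be deleted
        return before, after

if __name__ == "__main__":
    print(demo())
```

An empty result only covers the home tree itself; world-writable locations outside it, such as /tmp, need the same check with a different root.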