[EdLUG] Locking down Ubuntu 14.04

Edinburgh Linux Users Group edlug at lists.edlug.org.uk
Wed Sep 30 18:35:21 UTC 2015


Hi Christian

It may be useful to clarify what specifically you want to prevent and why
-- stopping users from saving to the local computer and losing files for
their own sake is one consideration (the angle I was taking); stopping them
from leaving personal files behind is another (which would be solvable
simply with the guest account); preventing download of "improper" files is
yet a different consideration...

What's the specific goal / situation you are trying to guard against?



===
Tai Kedzierski

Affordable Office IT for Freelance and Startup Businesses
http://helpuse.com/

  I use www.libreoffice.org

*"Open Source Free Software is a matter of liberty, not price."*
http://bit.ly/foss-why-care


On 30 September 2015 at 19:28, Edinburgh Linux Users Group <
edlug at lists.edlug.org.uk> wrote:

> Hi Tai,
>
> Thanks again for the thought, but we are primarily interested in making
> sure that a user cannot download improper files to the hard drive.  Tracking
> is interesting, but probably not helpful enough.  :-)
>
> On Wed, Sep 30, 2015 at 11:19 AM, Edinburgh Linux Users Group <
> edlug at lists.edlug.org.uk> wrote:
>
>> Just found a tool called inotify which can monitor directories for
>> immediate changes. Using this it might be possible to create something that
>> notifies users immediately when they attempt to save to home/desktop
>>
>> Just need to make sure it only notifies for relevant items...
>>
>> --Tai
>>
>> // Sent from a mobile device; rogue typos may be lurking
>> On 30 Sep 2015 18:59, "Edinburgh Linux Users Group" <
>> edlug at lists.edlug.org.uk> wrote:
>>
>>> Hi,
>>>
>>> Thanks for the suggestions, Tai.  Someone else here locally in SF also
>>> cautioned that making the home dir not writeable would cause app errors.
>>> So I think that is out.  Thanks for the thought, though!
>>>
>>> On Wed, Sep 30, 2015 at 10:49 AM, Edinburgh Linux Users Group <
>>> edlug at lists.edlug.org.uk> wrote:
>>>
>>>> Admittedly I hadn't tested that suggestion yet, it was more of a rush.
>>>>
>>>> I did think of the guest account, but it allows users to save to the
>>>> home dir and desktop (even though that's purged later)
>>>>
>>>> Probably marking the home folder as read-only would prevent apps from
>>>> creating/modifying config files, but I'd be a little surprised if anything
>>>> actually crashed in this setup..... I'll give it a test later on the way
>>>> home myself in a VM. Bus commutes are boring like that....
>>>>
>>>>
>>>>
>>>> ===
>>>> Tai Kedzierski
>>>>
>>>> Affordable Office IT for Freelance and Startup Businesses
>>>> http://helpuse.com/
>>>>
>>>>   I use www.libreoffice.org
>>>>
>>>> *"Open Source Free Software is a matter of liberty, not price."*
>>>> http://bit.ly/foss-why-care
>>>>
>>>>
>>>> On 30 September 2015 at 18:33, Edinburgh Linux Users Group <
>>>> edlug at lists.edlug.org.uk> wrote:
>>>>
>>>>>
>>>>> On Wed, 30 Sep 2015, at 06:06 PM, Edinburgh Linux Users Group wrote:
>>>>>
>>>>> Here's how I understand the reasoning:
>>>>> The shelter does not want residents saving files to the hard drive;
>>>>> specifically, they want to make sure the residents are actively pushed by
>>>>> the system towards their pen drives
>>>>>
>>>>> I assume the computers are going to be available in the shelter as
>>>>> stationary workstations - not for roaming around with.
>>>>>
>>>>> *Id est*: The requirement of not being able to write to disk is not
>>>>> so much a security requirement, but rather to ensure residents are saving
>>>>> their personal documents to the right place - is this correct?
>>>>>
>>>>>
>>>>> Given these goals, perhaps the easiest solution would be to create a
>>>>> non-admin user for residents to log in as.
>>>>> Then, using super user, remove the write permissions on the home
>>>>> directory (make it non-writable), and change its owner and group to root
>>>>> (make it so the user can't turn write-ability back on)
>>>>>
>>>>> adduser user
>>>>> chmod -R 555 /home/user
>>>>> chown -R root:root /home/user
>>>>>
>>>>> Thus they won't be able to write into the downloads or documents
>>>>> folders etc, but a mounted flash drive would work fine.
>>>>>
>>>>>
>>>>> Doesn't Ubuntu have a guest login where the homedir is tmpfs?
>>>>>
>>>>> Doing as suggested above will make most DEs barf and crash!
>>>>>
>>>>> Graeme
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> EdLUG mailing list
>>>>> EdLUG at lists.edlug.org.uk
>>>>> https://lists.edlug.org.uk/mailman/listinfo/edlug
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Christian Einfeldt
>>>
>>>
>>>
>>
>>
>
>
> --
> Christian Einfeldt
>
>
>
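
Added example, not part of the thread: the inotify idea quoted above (notify on saves to home/desktop, but "only for relevant items"), written as a POSIX shell filter around inotifywait. The function names, the list of skipped suffixes and the notification text are assumptions; inotifywait (inotify-tools) and notify-send must be installed for the watcher itself.

```shell
#!/bin/sh
# Added example (not from the thread). Names, suffix list and message
# text are assumptions chosen for illustration.

# Return 0 if an inotify event should trigger a reminder, 1 otherwise.
#   $1 = home directory   $2 = full path   $3 = event list, e.g. "CLOSE_WRITE,CLOSE"
is_relevant() {
    home=${1%/}; path=$2; events=$3
    # Only paths strictly inside the home directory.
    case $path in "$home"/*) rel=${path#"$home"/} ;; *) return 1 ;; esac
    # Directory events (mkdir and friends) are not document saves.
    case ",$events," in *,ISDIR,*) return 1 ;; esac
    # Only completed writes, new files and files moved in.
    case ",$events," in
        *,CLOSE_WRITE,*|*,CREATE,*|*,MOVED_TO,*) ;;
        *) return 1 ;;
    esac
    # Any hidden path component (.config, .cache, lock files) is app state,
    # which is what the desktop itself writes on every login.
    case "/$rel" in */.*) return 1 ;; esac
    # Editor backups and browser partial downloads.
    case $rel in *~|*.tmp|*.part|*.crdownload) return 1 ;; esac
    return 0
}

# Watch a home directory and remind the user on each relevant save.
watch_home() {
    # Events come first in the format so a '|' inside a file name stays in $path.
    inotifywait -m -r -q -e close_write -e create -e moved_to \
        --format '%e|%w%f' "$1" |
    while IFS='|' read -r events path; do
        if is_relevant "$1" "$path" "$events"; then
            notify-send "Save to your pen drive" \
                "$path is on this computer's disk and may be lost."
        fi
    done
}

# Start the watcher only when asked:  sh watch-saves.sh --watch /home/user
if [ "${1:-}" = "--watch" ]; then watch_home "$2"; fi
```

This only reminds the user; it does not block the write, so it addresses the "saving to the wrong place" goal rather than the "improper files" one.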