[EdLUG] Locking down Ubuntu 14.04

Edinburgh Linux Users Group edlug at lists.edlug.org.uk
Wed Sep 30 19:05:09 UTC 2015


Hi Tai,

Thanks for your reply.  We want to prevent the users from downloading child
pornography to the hard drive.

On Wed, Sep 30, 2015 at 11:35 AM, Edinburgh Linux Users Group <
edlug at lists.edlug.org.uk> wrote:

> Hi Christian
>
> It may be useful to clarify what specifically you want to prevent and why
> -- stopping users from saving to the local computer and losing files for
> their own sake is one consideration (the angle I was taking); stopping them
> from leaving personal files behind is another (which would be solvable
> simply with the guest account); preventing download of "improper" files is
> yet a different consideration...
>
> What's the specific goal / situation you are trying to guard against?
>
>
>
> ===
> Tai Kedzierski
>
> Affordable Office IT for Freelance and Startup Businesses
> http://helpuse.com/
>
>   I use www.libreoffice.org
>
> *"Open Source Free Software is a matter of liberty, not price."*
> http://bit.ly/foss-why-care
>
>
> On 30 September 2015 at 19:28, Edinburgh Linux Users Group <
> edlug at lists.edlug.org.uk> wrote:
>
>> Hi Tai,
>>
>> Thanks again for the thought, but we are primarily interested in making
>> sure that a user cannot download improper files to the hard drive.  Tracking
>> is interesting, but probably not helpful enough.    :-)
>>
>> On Wed, Sep 30, 2015 at 11:19 AM, Edinburgh Linux Users Group <
>> edlug at lists.edlug.org.uk> wrote:
>>
>>> Just found a tool called inotify which can monitor directories for
>>> immediate changes. Using this it might be possible to create something that
>>> notifies users immediately when they attempt to save to home/desktop
>>>
>>> Just need to make sure it only notifies for relevant items...
>>>
>>> --Tai
>>>
>>> // Sent from a mobile device; rogue typos may be lurking
>>> On 30 Sep 2015 18:59, "Edinburgh Linux Users Group" <
>>> edlug at lists.edlug.org.uk> wrote:
>>>
>>>> Hi,
>>>>
>>>> Thanks for the suggestions, Tai.  Someone else here locally in SF also
>>>> cautioned that making the home dir not writeable would cause app errors.
>>>> So I think that is out.  Thanks for the thought, though!
>>>>
>>>> On Wed, Sep 30, 2015 at 10:49 AM, Edinburgh Linux Users Group <
>>>> edlug at lists.edlug.org.uk> wrote:
>>>>
>>>>> Admittedly I hadn't tested that suggestion yet, it was more of a rush.
>>>>>
>>>>> I did think of the guest account, but it allows users to save to the
>>>>> home dir and desktop (even though that's purged later)
>>>>>
>>>>> Probably marking the home folder as read-only would prevent apps from
>>>>> creating/modifying config files, but I'd be a little surprised if anything
>>>>> actually crashed in this setup..... I'll give it a test later on the way
>>>>> home myself in a VM. Bus commutes are boring like that....
>>>>>
>>>>>
>>>>>
>>>>> ===
>>>>> Tai Kedzierski
>>>>>
>>>>> Affordable Office IT for Freelance and Startup Businesses
>>>>> http://helpuse.com/
>>>>>
>>>>>   I use www.libreoffice.org
>>>>>
>>>>> *"Open Source Free Software is a matter of liberty, not price."*
>>>>> http://bit.ly/foss-why-care
>>>>>
>>>>>
>>>>> On 30 September 2015 at 18:33, Edinburgh Linux Users Group <
>>>>> edlug at lists.edlug.org.uk> wrote:
>>>>>
>>>>>>
>>>>>> On Wed, 30 Sep 2015, at 06:06 PM, Edinburgh Linux Users Group wrote:
>>>>>>
>>>>>> Here's how I understand the reasoning:
>>>>>> The shelter does not want residents saving files to the hard drive;
>>>>>> specifically, they want to make sure the residents are actively pushed by
>>>>>> the system towards their pen drives
>>>>>>
>>>>>> I assume the computers are going to be available in the shelter as
>>>>>> stationary workstations - not for roaming around with.
>>>>>>
>>>>>> *Id est*: The requirement of not being able to write to disk is not
>>>>>> so much a security requirement, but rather to ensure residents are saving
>>>>>> their personal documents to the right place - is this correct?
>>>>>>
>>>>>>
>>>>>> Given these goals, perhaps the easiest solution would be to create a
>>>>>> non-admin user for residents to log in as.
>>>>>> Then, using super user, remove the write permissions on the home
>>>>>> directory (make it non-writable), and change its owner and group to root
>>>>>> (make it so the user can't turn write-ability back on)
>>>>>>
>>>>>> adduser user
>>>>>> chmod -R 555 /home/user
>>>>>> chown -R root:root /home/user
>>>>>>
>>>>>> Thus they won't be able to write into the downloads or documents
>>>>>> folders etc, but a mounted flash drive would work fine.
>>>>>>
>>>>>>
>>>>>> Doesn't Ubuntu have a guest login where the homedir is tmpfs?
>>>>>>
>>>>>> Doing as suggested above will make most DEs barf and crash!
>>>>>>
>>>>>> Graeme
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> EdLUG mailing list
>>>>>> EdLUG at lists.edlug.org.uk
>>>>>> https://lists.edlug.org.uk/mailman/listinfo/edlug
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Christian Einfeldt
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>> --
>> Christian Einfeldt
>>
>>
>>
>
>
>


-- 
Christian Einfeldt
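
Added example, not part of the original thread or written by any of its participants: the quoted `chmod -R 555` removes write access but also sets the execute bit on every file in the tree. The sketch below removes only the write bits and then audits the result. The function names and the temporary demo tree are constructed for illustration; on a real workstation the target would be the resident account's home directory, followed by the root-only `chown -R root:root` step from the thread.

```shell
#!/bin/sh
# Constructed demo: lock down a home-style tree and audit the result.

# Remove write permission; directories become r-x, files keep their
# existing execute bits instead of all being marked executable.
lock_tree() {
    find "$1" -type d -exec chmod 555 {} +
    find "$1" -type f -exec chmod a-w {} +
}

# Number of files/directories that still carry any write bit (0 = locked).
count_writable() {
    find "$1" \( -type d -o -type f \) -perm /222 | wc -l | tr -d ' '
}

# Number of regular files with any execute bit set.
count_exec_files() {
    find "$1" -type f -perm /111 | wc -l | tr -d ' '
}

# Build a small constructed home directory under a temp path and print it.
make_demo_home() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Desktop" "$d/Downloads" "$d/.config"
    : > "$d/.config/app.conf"
    : > "$d/Downloads/file.pdf"
    chmod 644 "$d/.config/app.conf" "$d/Downloads/file.pdf"
    printf '%s\n' "$d"
}

# Restore owner write access so the demo tree can be deleted again.
unlock_and_remove() {
    chmod -R u+w "$1" && rm -rf "$1"
}

demo=$(make_demo_home)
echo "writable entries before: $(count_writable "$demo")"
lock_tree "$demo"
echo "writable entries after:  $(count_writable "$demo")"
echo "executable files after:  $(count_exec_files "$demo")"
unlock_and_remove "$demo"
```

`find -perm /222` is GNU find syntax, which is what Ubuntu ships.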