[EdLUG] Locking down Ubuntu 14.04

Edinburgh Linux Users Group edlug at lists.edlug.org.uk
Wed Sep 30 19:30:57 UTC 2015


Hi,

thanks, I am downloading a couple of these kiosk distros now.  I will let
you know what I find after testing.  Thanks!

On Wed, Sep 30, 2015 at 11:45 AM, Edinburgh Linux Users Group <
edlug at lists.edlug.org.uk> wrote:

> some of these might be of help
> http://tuxdiary.com/2014/11/05/linux-distros-for-kiosks/
>
>
> --
> http://gplus.to/azmodie
> "Since light travels faster than sound, people appear bright until you
> hear them speak."  -- some bright spark
>
> On 30 September 2015 at 19:35, Edinburgh Linux Users Group <
> edlug at lists.edlug.org.uk> wrote:
>
>> Hi Christian
>>
>> It may be useful to clarify what specifically you want to prevent and why
>> -- stopping users from saving to the local computer and losing files for
>> their own sake is one consideration (the angle I was taking); stopping them
>> from leaving personal files behind is another (which would be solvable
>> simply with the guest account); preventing download of "improper" files is
>> yet a different consideration...
>>
>> What's the specific goal / situation you are trying to guard against?
>>
>>
>>
>> ===
>> Tai Kedzierski
>>
>> Affordable Office IT for Freelance and Startup Businesses
>> http://helpuse.com/
>>
>>   I use www.libreoffice.org
>>
>> *"Open Source Free Software is a matter of liberty, not price."*
>> http://bit.ly/foss-why-care
>>
>>
>> On 30 September 2015 at 19:28, Edinburgh Linux Users Group <
>> edlug at lists.edlug.org.uk> wrote:
>>
>>> Hi Tai,
>>>
>>> Thanks again for the thought, but we are primarily interested in making
>>> sure that a user cannot download improper files to the hard drive.  Tracking
>>> is interesting, but probably not helpful enough.  :-)
>>>
>>> On Wed, Sep 30, 2015 at 11:19 AM, Edinburgh Linux Users Group <
>>> edlug at lists.edlug.org.uk> wrote:
>>>
>>>> Just found a tool called inotify which can monitor directories for
>>>> immediate changes. Using this it might be possible to create something that
>>>> notifies users immediately when they attempt to save to home/desktop
>>>>
>>>> Just need to make sure it only notifies for relevant items...
>>>>
>>>> --Tai
>>>>
>>>> // Sent from a mobile device; rogue typos may be lurking
>>>> On 30 Sep 2015 18:59, "Edinburgh Linux Users Group" <
>>>> edlug at lists.edlug.org.uk> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks for the suggestions, Tai.  Someone else here locally in SF also
>>>>> cautioned that making the home dir not writeable would cause app errors.
>>>>> So I think that is out.  Thanks for the thought, though!
>>>>>
>>>>> On Wed, Sep 30, 2015 at 10:49 AM, Edinburgh Linux Users Group <
>>>>> edlug at lists.edlug.org.uk> wrote:
>>>>>
>>>>>> Admittedly I hadn't tested that suggestion yet, it was more of a rush.
>>>>>>
>>>>>> I did think of the guest account, but it allows users to save to the
>>>>>> home dir and desktop (even though that's purged later)
>>>>>>
>>>>>> Probably marking the home folder as read-only would prevent apps from
>>>>>> creating/modifying config files, but I'd be a little surprised if anything
>>>>>> actually crashed in this setup..... I'll give it a test later on the way
>>>>>> home myself in a VM. Bus commutes are boring like that....
>>>>>>
>>>>>>
>>>>>>
>>>>>> ===
>>>>>> Tai Kedzierski
>>>>>>
>>>>>> Affordable Office IT for Freelance and Startup Businesses
>>>>>> http://helpuse.com/
>>>>>>
>>>>>>   I use www.libreoffice.org
>>>>>>
>>>>>> *"Open Source Free Software is a matter of liberty, not price."*
>>>>>> http://bit.ly/foss-why-care
>>>>>>
>>>>>>
>>>>>> On 30 September 2015 at 18:33, Edinburgh Linux Users Group <
>>>>>> edlug at lists.edlug.org.uk> wrote:
>>>>>>
>>>>>>>
>>>>>>> On Wed, 30 Sep 2015, at 06:06 PM, Edinburgh Linux Users Group wrote:
>>>>>>>
>>>>>>> Here's how I understand the reasoning:
>>>>>>> The shelter does not want residents saving files to the hard drive;
>>>>>>> specifically, they want to make sure the residents are actively pushed by
>>>>>>> the system towards their pen drives
>>>>>>>
>>>>>>> I assume the computers are going to be available in the shelter as
>>>>>>> stationary workstations - not for roaming around with.
>>>>>>>
>>>>>>> *Id est*: The requirement of not being able to write to disk is not
>>>>>>> so much a security requirement, but rather to ensure residents are saving
>>>>>>> their personal documents to the right place - is this correct?
>>>>>>>
>>>>>>>
>>>>>>> Given these goals, perhaps the easiest solution would be to create a
>>>>>>> non-admin user for residents to log in as.
>>>>>>> Then, using super user, remove the write permissions on the home
>>>>>>> directory (make it non-writable), and change its owner and group to root
>>>>>>> (make it so the user can't turn write-ability back on)
>>>>>>>
>>>>>>> adduser user
>>>>>>> chmod -R 555 /home/user
>>>>>>> chown -R root:root /home/user
>>>>>>>
>>>>>>> Thus they won't be able to write into the downloads or documents
>>>>>>> folders etc, but a mounted flash drive would work fine.
>>>>>>>
>>>>>>>
>>>>>>> Doesn't Ubuntu have a guest login where the homedir is tmpfs?
>>>>>>>
>>>>>>> Doing as suggested above will make most DEs barf and crash!
>>>>>>>
>>>>>>> Graeme
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> EdLUG mailing list
>>>>>>> EdLUG at lists.edlug.org.uk
>>>>>>> https://lists.edlug.org.uk/mailman/listinfo/edlug
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Christian Einfeldt
>>>>>
>>>
>>>
>>> --
>>> Christian Einfeldt
>>>
>>
>


-- 
Christian Einfeldt
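
The inotify idea from Tai's message above, as an added example that is not part of the original thread: it watches the home directory with inotifywait and warns on each save, skipping hidden config paths and temporary files so that only relevant items notify. It assumes inotify-tools and libnotify-bin are installed and that the script runs inside the user's desktop session; WATCH_DIR, is_relevant and watch_home are names chosen for this example.

```shell
#!/bin/sh
# Added example: warn a kiosk user when a file is saved under their home dir.
# Assumptions (not from the thread): inotifywait (inotify-tools) and
# notify-send (libnotify-bin) are installed; the filter rules are illustrative.

WATCH_DIR="${WATCH_DIR:-$HOME}"

# Return 0 if a saved path is a user document worth a warning, 1 otherwise.
# Hidden files and directories (application config, caches, lock files) and
# common temporary or in-progress download names are ignored, so that
# desktop housekeeping does not trigger notifications.
is_relevant() {
    _rel=${1#"$WATCH_DIR"/}      # path relative to the watched directory
    _name=${1##*/}               # final path component
    case "/$_rel" in
        */.*) return 1 ;;        # any dot-component: ~/.config, ~/.cache, ...
    esac
    case "$_name" in
        *~|*.tmp|*.part|*.crdownload|*.swp) return 1 ;;
    esac
    return 0
}

# Watch recursively for completed writes and for files renamed into place
# (browsers and editors often write a temp file, then rename it).
watch_home() {
    inotifywait -m -r -q -e close_write -e moved_to \
        --format '%w%f' "$WATCH_DIR" |
    while IFS= read -r path; do
        if is_relevant "$path"; then
            notify-send "Saved to this computer" \
                "${path##*/} will not be kept here. Please save it to your USB drive."
        fi
    done
}

# Only start watching when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--watch" ]; then
    watch_home
fi
```

This only notifies; it does not block the write, so it addresses the "push users towards their pen drives" goal rather than preventing downloads to disk.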