<div dir="ltr"><div><div>Admittedly I hadn't tested that suggestion yet, it was more of a rush.<br><br></div>I did think of the guest account, but it allows users to save to the home dir and desktop (even though that's purged later)<br><br></div>Probably marking the home folder as read-only would prevent apps from creating/modifying config files, but I'd be a little surprised if anything actually crashed in this setup..... I'll give it a test later on the way home myself in a VM. Bus commutes are boring like that....<br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><br><br>===<br>Tai Kedzierski<br><br></div><div>Affordable Office IT for Freelance and Startup Businesses<br></div><div dir="ltr"><a href="http://helpuse.com/" target="_blank">http://helpuse.com/</a><br></div><br><div dir="ltr"><span></span><font size="1"><img src="http://www.free-mac-programs.com/images/applications/libreoffice.png" height="19" width="19"> I use <a href="http://www.libreoffice.org" target="_blank">www.libreoffice.org</a><br><br><i>"Open Source Free Software is a matter of liberty, not price."</i><br>
<a href="http://bit.ly/foss-why-care" target="_blank">http://bit.ly/foss-why-care </a><br></font><font size="2"><br></font></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On 30 September 2015 at 18:33, Edinburgh Linux Users Group <span dir="ltr"><<a href="mailto:edlug@lists.edlug.org.uk" target="_blank">edlug@lists.edlug.org.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div><span class=""><div> </div>
<div>On Wed, 30 Sep 2015, at 06:06 PM, Edinburgh Linux Users Group wrote:<br></div>
<blockquote type="cite"><div dir="ltr"><div><div><div><div><div><div>Here's how I understand the reasoning:<br></div>
</div>
<div>The shelter does not want residents saving files to the hard drive ; specifically, they want to make sure the residents are actively pushed by the system towards their pen drives<br></div>
<div> </div>
</div>
<div>I assume the computers are going to be available in the shelter as stationary workstations - not for roaming around with.<br></div>
<div> </div>
</div>
<div><i>Id est</i>: The requirement of not being able to write to disk is not so much a security requirement, but rather to ensure residents are saving their personal documents to the right place - is this correct?<br></div>
<div><div> </div>
<div> </div>
</div>
<div>Given these goals, perhaps the easiest solution would be to create a non-admin user for residents to log in as.<br></div>
<div>Then, using super user, remove the write permissions on the home directory (make it non-writable), and change its owner and group to root (make it so the user can't turn write-ability back on)<br></div>
<div> </div>
</div>
<div>adduser user<br></div>
<div>chmod -R 555 /home/user<br></div>
<div>chmod -R root:rrot /home/user<br></div>
<div> </div>
<div>Thus they won't be able to write into the downloads or documents folders etc, but a mounted flash drive would work fine.<br></div>
<div> </div>
</div>
</div>
</blockquote></span><div>Doesn't ubuntu have a guest login where the homedir is tmpfs?<br></div>
<div> </div>
<div>Doing as suggested above will make most DEs barf and crash!<br></div>
<div> </div>
<div>Graeme<br></div>
<div> </div>
</div>
<br>_______________________________________________<br>
EdLUG mailing list<br>
<a href="mailto:EdLUG@lists.edlug.org.uk">EdLUG@lists.edlug.org.uk</a><br>
<a href="https://lists.edlug.org.uk/mailman/listinfo/edlug" rel="noreferrer" target="_blank">https://lists.edlug.org.uk/mailman/listinfo/edlug</a><br>
<br></blockquote></div><br></div>