The locked-down desktop

Robert Brockway rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
Sun May 15 17:45:25 UTC 2005


On Sat, 14 May 2005, Mike Newman wrote:

> So, I'm thinking that if you were to create a custom distro install

Hi Mike.  Locking down the desktop is a function of the window 
manager/desktop environment, not the distro.

When the account is setup a bunch of rc files can be dropped in, possibly 
via a script on a USB device, so no need to go to the trouble of 
developing yet another distro.  You can have locked-down users and non 
locked-down users using the same box as I have in one case (using Debian 
Woody).

> for this purpose, you could boot to a friendly splash screen and
> auto-login as a user who can only run these programs.

Avoid auto-login.  Logging in is not an arduous process.  I've 
desmonstrated that the completely computer illiterate understand the idea 
immediately.  Automatically logging in does not make life easier and does 
reduce security and functionality.

Linux is multi-user after all.  By forcing login as one user you 
prevent the others using the GUI from a seperate account (without starting 
multiple X servers).  This reduces much of the usefulness of the design of 
the system (eg, protection against deletes by other users, privacy, etc).

> I guess my first question is: has anyone done something like this before?

As user config - sure.

> Othewise:
> * How would you restrict which executables they could run? grsecurity?

I did it by allowing access to and thus execution only of what was in the 
window manager menu.  This kept the menu simple which is great for people 
not confortable with computers.  No shell was available.  Other options 
for doing this would include good old permissions.

If you use grsecurity I'd suggest doing it because you wanted the greater 
security it offers, not because you wanted to use RBAC to manage users.  
The setup will take longer.

> * Any ideas as to how *you* could push out updates to this setup?

Ssh into the box and pull updates?  You could automate this although I 
don't recommend it.

> My personal opinion is that the "average user" is certainly capable of
> learning to effectively use the Unix CLI, let alone GNOME or KDE.

I agree with this.  Before GUIs became common we know that many 
non-technical office workers used CLIs.  I've witnessed it myself many 
times.

> However, I don't think that plunking a newbie down in front of Windows
> XP Home and leaving them to it is very productive, either.

Agreed.

Cheers,
	Rob

-- 
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Phone: +1-416-669-3073 Email: rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest (http://www.spi-inc.org)
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml





More information about the Legacy mailing list