dumpsterdivingdave
asked on
Lockdown
I currently have around 28 public use computers that are on windows XP with steady state to keep people from destroying the computers. I was toying around with switching over to linux, but have not been able to come up with a solution. I have read about Sabayon and Pessulus, but cannot seem to get them to work the way I want them. I want to have two accounts, an Admin, and a User. I want these restrictions to apply ONLY to the user account. Pessulus seems to force the restrictions on to ALL accounts which I do not want. I want to disable the following things:
Add/Remove Programs
Change Password
Make System Changes
Terminal
Any other items that would allow them to alter the system
I also want to limit the users session time to 30 minutes so that after using it for 30 minutes, they automatically get booted off the computer.
Currently, I have Ubuntu 8.04 installed on the desktop that will serve as the testbed/master image.
Add/Remove Programs
Change Password
Make System Changes
Terminal
Any other items that would allow them to alter the system
I also want to limit the users session time to 30 minutes so that after using it for 30 minutes, they automatically get booted off the computer.
Currently, I have Ubuntu 8.04 installed on the desktop that will serve as the testbed/master image.
ASKER
Actually, even with a standard user in ubuntu, they have WAY too many privelages. They can still open and run terminal, still use devices such as a flash drive, and still perform many functions such as changing the users password. In windows XP, you have to re-verify the password when you want to change it, but in Ubuntu, it seems that it does not ask you to verify the old password. If someone changes the password, then I get a call and have to travel out to that location to change it back. Not very productive in terms of travel costs and time. I'm pretty sure that the time thing can be accomplished with a script, but as far as the limits on the user account goes, I have no Idea.
Also, I believe I forgot to mention, but BASH is set as the default shell for all users.
As far as your link, it only provides very basic info about creating account, which I already knew. I need more detailed info that I can apply to a single user, or a group. That way, I can add that user to the locked down group, or just lockdown that user. Like I said, there will only be one limited user per computer. Setting up a server to handle these tasks is not possible as well.
Also, I believe I forgot to mention, but BASH is set as the default shell for all users.
As far as your link, it only provides very basic info about creating account, which I already knew. I need more detailed info that I can apply to a single user, or a group. That way, I can add that user to the locked down group, or just lockdown that user. Like I said, there will only be one limited user per computer. Setting up a server to handle these tasks is not possible as well.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Yeah, I was thinking of setting up a group and then assinging the user to the group. The thought of a saved home directory to have a sort of solid state is another thing to do as well... I guess I could write a bash script to remove the old directory and then cp the saved directory over...
One problem I see with that however is how to protect it so that it does not get erased/overwritten by the user? Am I correct to assume the following:
Create the directory as root or my privelaged user, change permissions on the directory and all contents to 755. Setup a script in the users home directory something like the following:
cd /
rmdir /home/user/* -r
cp /home/user_save/* /home/user -r
That would take care of changes being made... I'll look into the group permissions tomorrow hopefully and see if I can find anything in there.
One problem I see with that however is how to protect it so that it does not get erased/overwritten by the user? Am I correct to assume the following:
Create the directory as root or my privelaged user, change permissions on the directory and all contents to 755. Setup a script in the users home directory something like the following:
cd /
rmdir /home/user/* -r
cp /home/user_save/* /home/user -r
That would take care of changes being made... I'll look into the group permissions tomorrow hopefully and see if I can find anything in there.
Ubuntu don't not run commands as root unless user either switch to root using
$sudo su - [and then run the commands he/she wants]
Or
$sudo the_command
Either one will give the asker most of what he wants to accomplish, what left is how to control users sessions to end in 30 min and NOT allowing users to change their passwords.
$sudo su - [and then run the commands he/she wants]
Or
$sudo the_command
Either one will give the asker most of what he wants to accomplish, what left is how to control users sessions to end in 30 min and NOT allowing users to change their passwords.
ASKER
I know that linux does not run commands without su or sudo. And I know how to add a user to the sudoers file to grant them the ability to execute the su/sudo command. However, there are things that can be done without super user privelages that I do not want the user to be able to do such as change the users password, powerdown the computer, etc. etc.
Since I can't seem to find anyone or any sites that detail how to do it I will just go back to using Windows XP with steady state on the account that I want to restrict. Steady state does all of those things PERFECTLY, however I wanted to take advantage of the additional software packages found in ubuntu, specifically edubuntu as these computers are placed in areas that are used by grade and middle school children.
Since I can't seem to find anyone or any sites that detail how to do it I will just go back to using Windows XP with steady state on the account that I want to restrict. Steady state does all of those things PERFECTLY, however I wanted to take advantage of the additional software packages found in ubuntu, specifically edubuntu as these computers are placed in areas that are used by grade and middle school children.
ASKER
the chmod allowed me to block them from changing the password, but there were still WAY too many doors open, so I am switching back to XP.
ASKER
I found a way to log a user out after X ammount of time... I do two things. First, I create a script from the admin account somewhere on the hard drive. In this case, ymember is the name of the account that I have to have logged out automatically. I then add a line to the end of the users .profile (/home/ymember/.profile) which launches the script I just made in the background. With the following in place, After 29 minutes the user sees the message box. One minute after that, the session is killed and they are logged out of the machine.
#logout script (/usr/bin/timedlogout)
sleep 1740
xmessage -center "The system will log you out in 1 minute. Please save all work to avoid loosing data." &
sleep 60
skill -KILL -u ymember
#.profile changes (/home/ymember/.profile)
/usr/bin/timedlogout &
This link can help you more on that:
http://www.freesoftwaremagazine.com/articles/users_in_ubuntu
I don't know of an application that can do the time limit on Linux.