
Re: Lock down user account in Debian/Gnome



On Tue, 2007-03-06 at 09:20 +1000, Greg Vickers wrote:
> Hi all,
> 
> I am building a couple of PCs which will be used for public Internet 
> access in a small library. These PCs will also be on the same physical 
> network as the 'office' PCs. Obviously I'd like these PCs to have 
> seriously restricted access to the local network, what I'd like to know 
> is can anyone recommend a resource to me on locking down public access 
> Debian-based Linux computers?
> 
> Thanks,
> -- 
> Greg Vickers
> IT Security Engineer & Project Manager
> IT Security, Network Services,
> Information Technology Services
> Queensland University of Technology
> L12, 126 Margaret St, Brisbane
> 
> Phone: +61 7 3138 9536
> Mobile: 0410 434 734
> Fax: +61 7 3138 2921
> Email: g.vickers@qut.edu.au
> IT Security web site: http://www.its.qut.edu.au/itsecurity/
> 
> CRICOS No. 00213J
> 
I don't know exactly how to do all of the following, I'm just
brainstorming:
1. disable ttys other than 1 and 7 (main and X), or can you disable 1 as
well?
2. Don't bring up gnome-panel or gnome-desktop or anything that could
give the user a menu or xterm, or ability to launch a program. Maybe
just run 'metacity' instead of 'gnome-session,' but perhaps
'gnome-session' would help with kiosking a browser or something?
3. automatically bring up a web browser, maximized, when the user is
logged in.
3.1 (I hate to recommend proprietary software, but) Opera has some sort
of Kiosk mode, I'm not sure about Firefox or Epiphany.
3.2 Epiphany would be great if you could keep it from being able to
launch commands, or having its settings altered.
3.3 restrict the browser to only use http:// or https:// (no SFTP or
FTP)
3.4 Don't install java plugins or Flash.
4. On the network switch/router whatever, deny the IP of the kiosk
computers from the web-based router config.
5. Put yourself in the locked-down environment you've created, and try
to get out.
6. Keep logs in case you notice someone else has gotten out, so maybe
you can track what they've done.

That's all I've got for now.
-- 
Matthew K Poer
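
Added example, not part of the original message: one way to express items 4 and 6 of the list above as router rules, with the network side of 3.3 (web ports only) alongside. It assumes a Linux-based router using iptables, kiosks on their own routed subnet with static addresses (traffic between hosts on the same switch segment never reaches the router), and a DNS resolver that is not the router itself. The function name and all addresses are constructed placeholders; the script prints the rules for review and does not apply them.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original thread).
# Usage: kiosk_router_rules KIOSK_IP OFFICE_CIDR DNS_IP
# Prints iptables commands; review them, then run them as root on the router.
kiosk_router_rules() {
    kiosk=$1 office=$2 dns=$3

    # Refuse anything that is not a plain dotted address, so the printed
    # commands cannot carry shell metacharacters.
    for addr in "$kiosk" "$dns"; do
        case $addr in
            ''|*[!0-9.]*) echo "bad address: $addr" >&2; return 1 ;;
        esac
    done
    case $office in
        *[!0-9./]*) echo "bad CIDR: $office" >&2; return 1 ;;
        */*) ;;
        *) echo "bad CIDR: $office" >&2; return 1 ;;
    esac

    cat <<EOF
# Item 4: the kiosk may not talk to the router itself (web config included).
iptables -A INPUT -s $kiosk -j LOG --log-prefix "kiosk-to-router: "
iptables -A INPUT -s $kiosk -j DROP
# DNS to one resolver only; placed first in case the resolver is in the office range.
iptables -A FORWARD -s $kiosk -d $dns -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s $kiosk -d $dns -p tcp --dport 53 -j ACCEPT
# No access to the office network; item 6: log each attempt.
iptables -A FORWARD -s $kiosk -d $office -j LOG --log-prefix "kiosk-to-office: "
iptables -A FORWARD -s $kiosk -d $office -j DROP
# Web traffic only (HTTP and HTTPS), to anywhere that is not the office network.
iptables -A FORWARD -s $kiosk -p tcp -m multiport --dports 80,443 -j ACCEPT
# Everything else from the kiosk is logged and dropped.
iptables -A FORWARD -s $kiosk -j LOG --log-prefix "kiosk-other: "
iptables -A FORWARD -s $kiosk -j DROP
EOF
}

# Example call with constructed addresses:
#   kiosk_router_rules 192.0.2.10 10.0.0.0/24 198.51.100.53
```

The LOG lines write to the kernel log on the router, which gives the record item 6 asks for; item 5 can be checked by trying the blocked destinations from the kiosk and confirming the prefixes appear there.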