
Re: how to automatically execute things?



On Sun, Jul 16, 2000 at 02:02:27PM -0700, Joseph de los Santos wrote:

#disclaimer: i have never actually tried this.

> Hoping someone can help me out with this..for example I want an ordinary
> user that when he or she logs in a terminal this is what will happen:
> 1.automatically starts x-window

xdm or wdm sound like a safer option here.

> 2.all hot keys will be disabled..ie cntrl+alt+del etc.

touch /etc/shutdown.allow

> 3.run netscape automatically and it will remain opened and it cannot be
> closed without giving the correct password.

the password part i have no idea, but i *think* you should be able to
make it so quitting netscape will logout the user, which should be
close to what you want no?

i would use xdm for the login, this prevents the user from going back
to console 1 (control-alt-F1 which cannot be disabled) and suspending
X, which may or may not yield a shell depending on how you started X.  

create an .xsession file like so:

#!/bin/sh
exec /usr/lib/netscape/473/communicator/communicator-smotif.real

that `should' cause netscape to be launched as the window manager,
when netscape dies, the session ends and the user is logged out.

set the user's shell to /bin/true or better /usr/local/sbin/nologin
(ported from OpenBSD, simply spits out contents of /etc/nologin.txt or
`This account is currently not available.'  yes i know about
falselogin, but falselogin is about 10 times more code than nologin
;-))

add whatever fake shell to /etc/shells if xdm/wdm require a valid
shell for logins. (probably depends on pam config in wdm's case)

this way they should not be able to login with a shell and should not
be able to break out of netscape.

beware however that they may still be able to get a shell through
netscape by possibly tinkering with the helper application settings,
to say launch /usr/bin/X11/rxvt -e /bin/bash.

just be aware that whatever you come up with is unlikely to be 100%
foolproof, an expert user will likely be able to break out of the
restricted environment and get a full shell.  unless you perhaps
chroot the entire environment which would be a royal pain...  

it also sounds like the users in question will have physical access
which opens up an entire bag of worms on its own, in this case you must
secure the machine itself inside a secure case of some sort, password
lilo and the bios, remove the floppy and CDROM, forbid access to the
power cable and reset/power buttons etc etc. 

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
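
The lockdown steps from the message above, written as an audit check (an added example, not part of the original post). The function names, the fixture layout and the user name kiosk are assumptions made for illustration; all paths are parameters so the check runs against a constructed fixture.

```shell
#!/bin/sh
# audit_kiosk USER PASSWD_FILE SHUTDOWN_ALLOW
# Prints one line per finding; returns the number of findings (0 = pass).
audit_kiosk() {
    user=$1; passwd=$2; allow=$3; n=0
    entry=$(grep "^$user:" "$passwd") || { echo "no passwd entry for $user"; return 1; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)

    # Login shell must not be interactive (/bin/true or a nologin program).
    case $shell in
        /bin/true|*/nologin) ;;
        *) echo "login shell is $shell"; n=$((n+1)) ;;
    esac

    # .xsession must end in 'exec <program>' so the session dies with it.
    last=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
        "$home/.xsession" 2>/dev/null | tail -n 1)
    case $last in
        exec\ *) ;;
        *) echo ".xsession does not end in exec"; n=$((n+1)) ;;
    esac

    # shutdown.allow must exist and must not list the kiosk user.
    if [ ! -f "$allow" ]; then
        echo "$allow missing"; n=$((n+1))
    elif grep -qx "$user" "$allow"; then
        echo "$user listed in $allow"; n=$((n+1))
    fi
    return "$n"
}

# Constructed fixture: user 'kiosk' in a throwaway directory.
# $1 = login shell, $2 = last line of .xsession
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/home"
    printf 'kiosk:x:1001:1001::%s/home:%s\n' "$d" "$1" > "$d/passwd"
    printf '#!/bin/sh\n%s\n' "$2" > "$d/home/.xsession"
    : > "$d/shutdown.allow"
    echo "$d"
}

d=$(make_fixture /usr/local/sbin/nologin \
    'exec /usr/lib/netscape/473/communicator/communicator-smotif.real')
audit_kiosk kiosk "$d/passwd" "$d/shutdown.allow" && echo "kiosk: locked down"
rm -rf "$d"
```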
