Find the answer to your Linux question:
Page 1 of 2 1 2 LastLast
Results 1 to 10 of 16
Hi there! My name is Oscar and Im running a project on my school, investigating the possibilities of using Linux instead of Windows. The major concern right now is the ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Feb 2003
    Posts
    10

    Security issues on a school


    Hi there!
    My name is Oscar and Im running a project on my school, investigating the possibilities of using Linux instead of Windows.
    The major concern right now is the security - the techniicians is afraid that the students are going to try to hack the server, although Im pretty sure this won't happen since the students havent that kind of knowledge..
    Anyways - my plan is to restrict normal users to only be able to run selected software already installed on the system - can you make sure that downloaded software cant be installed or executed? Im thinking of different hacking tools.
    I do know a little about rights, and i reckon that you place students in a specific group with no executing rights (if its possibly)
    If the users cant login as root - then it shouldn't be any problem - is it?

    Please give me your thought's and ideas..

    By the way - we are using slackware and we are using a windows 2000 server as file server via samba.

    Regards Oscar

  2. #2
    Just Joined!
    Join Date
    Feb 2003
    Posts
    41
    i dont know 100% to your answer, but i wouldnt under estimate the kids, unless its elementary kids. in high school that was what we geeks took computer class for, was to try and hack the 'puters.

    good luck though

  3. #3
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    I truly wouldn't underestimate kids anyway. Not that they know their way around computers, and especially not UNIX, but they do know their way around the internet, and I recently read that there was a twelve year old boy in the UK that hacked Tony Blair's mail account thanks to a tool that he had downloaded.
    Anyway, security is a small issue as long as you keep a properly updated system. Bugs that allow cracking are fixed almost the same day that they are discovered. I wouldn't place the students in a group where they can't execute everything, though. Actually, it isn't even possible, since the heart of UNIX is that everyone should be allowed to run any program. But in a well configured system, it's not even necessary.
    When everythings comes around, a Linux based system is always more secure than a Windows based one, simply since there are less bugs (you will still need to keep your system updated, but that goes with Windows, too) and the bugs that are are fixed much quicker than on Windows.
    Linux in a school yields many other interesting possibilities, too, such as using X terminals and stuff. http://www.solucorp.qc.ca/xterminals/ is an interesting site on that, that tells you a little about the cons and pros. It's also easier to adapt exactly to your needs than Windows has ever been and will ever be, if only you know how it works. But don't worry, you'll always have us, right here! =)
    You others out there, Kerberos and NFS will suffice for a school, don't you think?

  4. #4
    Linux Engineer
    Join Date
    Jan 2003
    Location
    Lebanon, pa
    Posts
    994
    Kerebos and AFS would be more secure, you get some redunancy, and better performance. If you want to limit what software can be ran, create a chrooted shell and only put in what you want them to access. It will kinda give them a fake enviroment to work in where they can't touch your actual system. Yes a chroot can be broken out of but I doubt most students even know what chroot even is.

  5. #5
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    I don't think that a chroot would do much difference here, and it would probably be a lot more trouble than it's worth. After all, they can still put anything they want in their home dirs.
    I haven't tried AFS. I'll have to check that out.

  6. #6
    Linux Engineer
    Join Date
    Jan 2003
    Location
    Lebanon, pa
    Posts
    994
    What do you mean they can put anything they want in it? If you set a quota they can't. Even use chattr +i to prevent some dirs from being written to.

  7. #7
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Yeah, quotas are one thing, but the thing was that they could run any programs that they download (unless they download a very large one, but that wasn't the issue).

    Of course it's possible to make them unable to write to their home dirs, but then there wouldn't be much meaning of having a home dir, would there? People usually do need to store things somewhere, after all.

  8. #8
    Linux Engineer
    Join Date
    Jan 2003
    Location
    Lebanon, pa
    Posts
    994
    Well you can restrict them from being able to d/l anything. Remove wget, ftp, scp, ect and only give them a few commands to use like I said.

  9. #9
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Of course you _could_ restrict them to any given degree, but then what would be the point of having computers at all? I'm not worried about that there is anything that you cannot do, but in a school, everyone must be allowed fair use of a computer to be able to learn anything, as I see it. (And, technically, you could create a wget replacement in bash, but that wasn't my point)

  10. #10
    Linux Engineer
    Join Date
    Jan 2003
    Location
    Lebanon, pa
    Posts
    994
    Anyways - my plan is to restrict normal users to only be able to run selected software already installed on the system - can you make sure that downloaded software cant be installed or executed?
    Running a chrooted shell with only certain software available was my answer to his question. Most shell servers at schools are very restricted. My college had various shell servers which only you could use to code/test on different architectures. Also in a chrooted enviroment, it wouldn't matter what they would downlaod/execute because it wouldn't be in the actual system enviroment. It would be impossible for them to break anything besides their enviroment unless they could break out of the chroot jail and then gain root access. As I said, using chattr +i you could make it very hard to even break their own enviroment. I don't mean using that on their entire home dir, just like /bin, /lib, ect.

Page 1 of 2 1 2 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •