How to lock down user desktop?

[Mordocai]

Hello, i have been googling and doing other independent research for some time, but have not been able to find a good solution for my problem. Here is the situation:

I work for a local community college, and we currently have web kiosks set up around the college. They have fairly old hardware and are currently running windows XP. However, with all the group policies and scripts required to lock them down, it can take 10+ minutes for the students to log in(we want authentication for someone to be able to use them).

Now, I have managed to get a few test computers to run fedora with openLDAP authentication and LTSP giving them a desktop with firefox. Now, the problem is that we don't want the user to be able to do anything but run firefox and, on some of them, print. I have been using gnome, gconf, and sabayon(not the distribution, the user profile tool) to attempt to lock down the desktop. However, anyone can just right click the gnome menu and add back in everything i disabled. While they wouldn't be able to do much harm, the point is that if they want to do work, we want them to go to our computer labs, instead of the kiosks. The kiosks are just for looking things up or getting on their e-mail.

So, with this situation, any ideas on how to get it to work the way we want? I am willing to change desktop environments/windows managers, but I would like it to look nice, as this will be many student's first time using Linux, and I'd like to make as good of an impression as possible.

Thanks in advance,
Chris Carpenter

[SA.com]

Hello, i have been googling and doing other independent research for some time, but have not been able to find a good solution for my problem. Here is the situation:

I work for a local community college, and we currently have web kiosks set up around the college. They have fairly old hardware and are currently running windows XP. However, with all the group policies and scripts required to lock them down, it can take 10+ minutes for the students to log in(we want authentication for someone to be able to use them).

Now, I have managed to get a few test computers to run fedora with openLDAP authentication and LTSP giving them a desktop with firefox. Now, the problem is that we don't want the user to be able to do anything but run firefox and, on some of them, print. I have been using gnome, gconf, and sabayon(not the distribution, the user profile tool) to attempt to lock down the desktop. However, anyone can just right click the gnome menu and add back in everything i disabled. While they wouldn't be able to do much harm, the point is that if they want to do work, we want them to go to our computer labs, instead of the kiosks. The kiosks are just for looking things up or getting on their e-mail.

So, with this situation, any ideas on how to get it to work the way we want? I am willing to change desktop environments/windows managers, but I would like it to look nice, as this will be many student's first time using Linux, and I'd like to make as good of an impression as possible.

Thanks in advance,
Chris Carpenter

I am a bit unfamiliar with the apps you mentioned, but something seemed to click for me here.

When setting up the install in qParted, can you just add a "New User" and limit the Users permissions in a few files so they only have internet access ?

Each student would be made aware that the log in name would be say, "Student"and the pw perhaps name of college or similar. This just seems an easier way to go, anyone care to correct me on this ?

Also, if you really want to extend the Users experience, you might consider offering a different browser on each Kiosk, say Opera 10, SeaMonkey, Flock, Concorer, Firefox 3.6, Netscape 9 [now independently supported], perhaps a few others.

If you are up to it, you might even put different distros on each kiosk.

Hope This Helps !

steve

[reed9]

Permission wise, it shouldn't be too difficult.

By default, all your installed programs are executable by everyone. So for example, chromium browser on my system has the following permissions.

Code:

-rwxr-xr-x 1 root root 133 Feb  8 08:50 /usr/bin/chromium*

So it's owned by root and in the root group. Root has read, write, and execute permissions, the group has read and execute permissions, and everyone else also has read and execute permissions.

I could do

Code:

sudo chmod o-rw

and now

Code:

-rwxr-x--- 1 root root 133 Feb  8 08:50 /usr/bin/chromium*

Only root user and those in the root group can execute the program.

So you can remove execute permissions for all your programs, and then just add execute permissions for those programs you want the user to be able to run. Or create a group that gives specific access to certain programs.

chmod(1): change file access permissions - Linux man page