- 06-20-2005 #1 Linux Guru
- Join Date
- Nov 2004
- Posts
- 6,110
User Desktop Policies
I will be setting up a system for administration in a few days, with the primary goal being able to keep normal users away from the information on it. Now a Windows machine (all the users are Windows users) would be grand for the job, but I'm obviously glad someone has asked to set up a Linux machine, always glad to spread the word. There are two things I'd like to be able to do - kinda security, this forum was the nearest I had, relating to policies and such.
- How can I prevent any OS reaction from pressing ctrl-alt-del? Remember these are Windows users who are used to locking their stations 30-40 times a day.
- How can I prevent users switching to VTs using ctrl+alt+F$ ? I would like the system to stay strictly GUI once configured, not so much for security but I don't want anyone tweaking or any power users getting any ideas.
Any help would be appreciated!
This is only gonna lead to 101 other questions.....
- 06-24-2005 #2 Linux Guru
- Join Date
- Nov 2004
- Posts
- 6,110
Not a blip!!!
Poor show lads!
Answer to the first one for anyone else who's looking -
Edit the system's response to ctrl-alt-del by modifying /etc/inittab. Either comment out the following line, or add the switch -a to restrict its access to users in the file /etc/shutdown.allow.
Code:
ca::ctrlaltdel:/sbin/shutdown -r -t 4 now
Will return if I get the other answer.
- 06-24-2005 #3 Linux Guru
- Join Date
- Nov 2004
- Posts
- 6,110
Sniff....Posting again to my own thread

Nah, just feel it would be wrong not to pass on this stuff, particularly because I haven't seen it covered before here.
To disable virtual terminals, there are also entries in /etc/inittab:
Code:
# getty-programs for the normal runlevels
# <id>:<runlevels>:<action>:<process>
# The "id" field MUST be the same as the last
# characters of the device (after "tty").
1:2345:respawn:/sbin/mingetty --noclear tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
Just never really understood these parts before.
Change the lines to look like this:
Code:
1:2345:respawn:/sbin/mingetty --noclear tty1
2:234:respawn:/sbin/mingetty tty2
3:234:respawn:/sbin/mingetty tty3
4:234:respawn:/sbin/mingetty tty4
5:234:respawn:/sbin/mingetty tty5
6:234:respawn:/sbin/mingetty tty6
I was reading that you should leave one VT active, which doesn't suit my needs 100% but at least I've made progress here.
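An added example, not part of the original posts: a small Python audit that parses the `<id>:<runlevels>:<action>:<process>` format and reports whether a ctrl-alt-del handler is active, whether it uses `-a`, and which ttys still get a login prompt in a given runlevel. The sample file is constructed from the lines quoted in the thread (its `id:5:initdefault:` line and the `-a` switch are sample choices), and treating an empty runlevels field as "every runlevel" and falling back to runlevel 5 are assumptions.

```python
# Added example: audit a SysV-style inittab for the two settings in this thread.
# SAMPLE_INITTAB is constructed for illustration, modelled on the quoted lines.
SAMPLE_INITTAB = """\
# <id>:<runlevels>:<action>:<process>
id:5:initdefault:
ca::ctrlaltdel:/sbin/shutdown -a -r -t 4 now
1:2345:respawn:/sbin/mingetty --noclear tty1
2:234:respawn:/sbin/mingetty tty2
3:234:respawn:/sbin/mingetty tty3
#4:234:respawn:/sbin/mingetty tty4
"""


def parse_inittab(text):
    """Return (id, runlevels, action, process) for each uncommented entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)  # the process field may itself contain ':'
        if len(fields) == 4:  # skip malformed lines
            entries.append(tuple(fields))
    return entries


def audit(text, runlevel=None):
    """Report the ctrl-alt-del handling and which ttys get a login prompt."""
    entries = parse_inittab(text)
    if runlevel is None:  # use the initdefault entry; "5" is an assumed fallback
        runlevel = next((lv for _, lv, act, _ in entries if act == "initdefault"), "5")
    cad = [proc.split() for _, _, act, proc in entries if act == "ctrlaltdel"]
    ttys = sorted(
        proc.split()[-1]
        for _, levels, act, proc in entries
        # Assumption: an empty runlevels field applies to every runlevel.
        if act == "respawn" and "getty" in proc and (not levels or runlevel in levels)
    )
    return {
        "runlevel": runlevel,
        "ctrlaltdel_active": bool(cad),
        # True only if every handler passes -a (checks /etc/shutdown.allow).
        "ctrlaltdel_restricted": bool(cad) and all("-a" in argv for argv in cad),
        "login_ttys": ttys,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_INITTAB))
```

Run it against a copy of the real file by passing its contents to `audit()`; a non-empty `login_ttys` list for the GUI runlevel means those consoles still present a login prompt.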
- 06-25-2005 #4 Linux Newbie
- Join Date
- Jun 2005
- Location
- Whitstable, Kent, England
- Posts
- 136
You've done well getting that information, I'm finding it useful for a start as I have been wondering how it could be done. The main reason being that at my school, the sysadmin and I are both wanting to get Linux more into the network but some software means that it is still nearly all Windows.
I was keen to know how you could get similar user restrictions as Microsoft's "Active Directory" provides. I think something like this is required as being a normal user on a Linux box it seems that you are given so many opportunities to enter the root password whereas on an AD domain client you can even get anywhere whereby you could enter a password.
The biggest security threat is the user.
- 06-28-2005 #5
Originally Posted by Xenon
OpenLDAP will solve your centralized authentication needs.
http://www.openldap.org for a start.
"Time is an illusion. Lunchtime, doubly so."
~Douglas Adams, The Hitchhiker's Guide to the Galaxy
- 06-28-2005 #6 Linux Newbie
- Join Date
- Jun 2005
- Location
- Whitstable, Kent, England
- Posts
- 136
It would be nice to convert but there is a huge amount of work to be done at the minute and OpenLDAP has been seen as a possible way forward. The main problem is due to some of the software required, which is also the reason why two web servers are required, one running IIS *shudder*, just to support the software.
I'm sure plenty of people can think of ways to solve this situation, I would be glad to hear them, they just won't be likely to happen until possibly August when the network is to be rearranged but by then all the XP and Server 2003 and licences will have been purchased. This is going to be a definite upgrade as there are currently two networks, one running on NT servers and the other running on 2000 servers, they are rather overloaded.
I am, however, interested in playing with LDAP myself, that is after I have finished playing with the other stuff I want to :P
The biggest security threat is the user.


