  1. #1
    Linux Guru bigtomrodney
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133

    User Desktop Policies


    I will be setting up a system for administration in a few days, with the primary goal being able to keep normal users away from the information on it. Now a Windows machine (all the users are Windows users) would be grand for the job, but I'm obviously glad someone has asked to set up a Linux machine, always glad to spread the word. There are two things I'd like to be able to do - kinda security, this forum was the nearest I had, relating to policies and such.

    • How can I prevent any OS reaction from pressing ctrl-alt-del? Remember these are Windows users who are used to locking their stations 30-40 times a day.
    • How can I prevent users switching to VTs using ctrl+alt+F$ ? I would like the system to stay strictly GUI once configured, not so much for security but I don't want anyone tweaking or any power users getting any ideas.


    Any help would be appreciated!

    This is only gonna lead to 101 other questions.....

  2. #2
    Linux Guru bigtomrodney
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133
    Not a blip!!!
    Poor show lads!

    Answer to the first one for anyone else who's looking -

    Edit the system's response to ctrl-alt-del by modifying /etc/inittab. Either comment out the following line, or add the switch -a to restrict its access to users in the file /etc/shutdown.allow.

    ca::ctrlaltdel:/sbin/shutdown -r -t 4 now
    Will return if I get the other answer.

  3. #3
    Linux Guru bigtomrodney
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133
    Sniff....Posting again to my own thread

    Nah, just feel it would be wrong not to pass on this stuff, particularly because I haven't seen it covered before here.

    To disable virtual terminals, there are also entries in /etc/inittab

    Just never really understood these parts before.

    Code:
    # getty-programs for the normal runlevels
    # <id>:<runlevels>:<action>:<process>
    # The "id" field  MUST be the same as the last
    # characters of the device (after "tty").
    1:2345:respawn:/sbin/mingetty --noclear tty1
    2:2345:respawn:/sbin/mingetty tty2
    3:2345:respawn:/sbin/mingetty tty3
    4:2345:respawn:/sbin/mingetty tty4
    5:2345:respawn:/sbin/mingetty tty5
    6:2345:respawn:/sbin/mingetty tty6
    Change the lines to look like this:
    Code:
    1:2345:respawn:/sbin/mingetty --noclear tty1
    2:234:respawn:/sbin/mingetty tty2
    3:234:respawn:/sbin/mingetty tty3
    4:234:respawn:/sbin/mingetty tty4
    5:234:respawn:/sbin/mingetty tty5
    6:234:respawn:/sbin/mingetty tty6
    I was reading that you should leave one VT active, which doesn't suit my needs 100% but at least I've made progress here.
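
The two inittab edits from posts #2 and #3 can be checked after the fact with a small audit script. This is an added example, not part of the original posts; the function names `audit_inittab` and `sample_inittab` are hypothetical, the sample file is constructed, and it assumes mingetty-style lines where the tty name is the last word.

```shell
#!/bin/sh
# Added example: audit a SysV-style inittab for the two settings in this thread.
# Usage: audit_inittab FILE RUNLEVEL
# Output: "GETTY <tty>" for each getty that respawns in RUNLEVEL, then
#         "CAD disabled|restricted|open" for the ctrlaltdel entry.
audit_inittab() {
    awk -F: -v rl="$2" '
        /^[ \t]*#/ || NF < 4 { next }        # comments, blank or malformed lines
        {
            proc = $4                        # process field may itself contain ":"
            for (i = 5; i <= NF; i++) proc = proc ":" $i
            n = split(proc, w, " ")          # split the command line into words
        }
        $3 == "ctrlaltdel" {
            cad = "open"                     # anyone at the console can trigger it
            for (i = 1; i <= n; i++) if (w[i] == "-a") cad = "restricted"
            next
        }
        $3 == "respawn" && w[1] ~ /getty$/ && index($2, rl) > 0 {
            print "GETTY " w[n]              # assumption: tty name is the last word
        }
        END { print "CAD " (cad == "" ? "disabled" : cad) }
    ' "$1"
}

# Constructed sample: edited getty lines as in post #3, plus the
# ctrlaltdel line from post #2 with the -a switch added.
sample_inittab() {
    cat <<'EOF'
# getty-programs for the normal runlevels
ca::ctrlaltdel:/sbin/shutdown -a -r -t 4 now
1:2345:respawn:/sbin/mingetty --noclear tty1
2:234:respawn:/sbin/mingetty tty2
3:234:respawn:/sbin/mingetty tty3
EOF
}

tmp=$(mktemp) && sample_inittab > "$tmp"
audit_inittab "$tmp" 5      # report what is still active in the GUI runlevel
rm -f "$tmp"
```

"CAD disabled" means no uncommented ctrlaltdel entry was found; "restricted" means the -a switch is present, so /etc/shutdown.allow applies.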

  4. #4
    Linux Newbie
    Join Date
    Jun 2005
    Location
    Whitstable, Kent, England
    Posts
    136
    You've done well getting that information, I'm finding it useful for a start as I have been wondering how it could be done. The main reason being that at my school, the sysadmin and I are both wanting to get Linux more into the network but some software means that it is still nearly all Windows.
    I was keen to know how you could get similar user restrictions as Microsoft's "Active Directory" provides. I think something like this is required as being a normal user on a Linux box it seems that you are given so many opportunities to enter the root password whereas on an AD domain client you can even get anywhere whereby you could enter a password.
    The biggest security threat is the user.

  5. #5
    Linux Guru sarumont
    Join Date
    Apr 2003
    Location
    /dev/urandom
    Posts
    3,682
    Quote Originally Posted by Xenon
    You've done well getting that information, I'm finding it useful for a start as I have been wondering how it could be done. The main reason being that at my school, the sysadmin and I are both wanting to get Linux more into the network but some software means that it is still nearly all Windows.
    I was keen to know how you could get similar user restrictions as Microsoft's "Active Directory" provides. I think something like this is required as being a normal user on a Linux box it seems that you are given so many opportunities to enter the root password whereas on an AD domain client you can even get anywhere whereby you could enter a password.
    OpenLDAP will solve your centralized authentication needs.

    http://www.openldap.org for a start.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

  6. #6
    Linux Newbie
    Join Date
    Jun 2005
    Location
    Whitstable, Kent, England
    Posts
    136
    It would be nice to convert but there is a huge amount of work to be done at the minute and OpenLDAP has been seen as a possible way forward. The main problem is due to some of the software required, which is also the reason why two web servers are required, one running IIS *shudder*, just to support the software.
    I'm sure plenty of people can think of ways to solve this situation, I would be glad to hear them, they just won't be likely to happen until possibly August when the network is to be rearranged but by then all the XP and Server 2003 and licences will have been purchased. This is going to be a definite upgrade as there are currently two networks, one running on NT servers and the other running on 2000 servers, they are rather overloaded.

    I am, however, interested in playing with LDAP myself, that is after I have finished playing with the other stuff I want to :P
    The biggest security threat is the user.
