Re: Gnome Lock Down



Hi, I know this might be like cursing in a church, but take a look at
the KDE-KIOSK project and mailing list for people who've done this
before.

As for ease of administration, take a look at LTSP (www.ltsp.org).
just my .003 c 
TH
Adam Williams wrote:
> 
> >>That's something I have been wondering for a while, as we use win2k/NT
> >>on our Desktops at work, and trying to convince the boss to switch to
> >>Gnome (as 50% of our servers run linux, so that's half the battle),
> >>but he wants the desktops locked down like in windows for the users (as
> >>sys admins were trusted, which is a damn good policy if u ask me), so
> >>currently Linux on the desktop is a no..no, due to this
> >>>The simplest solution is to make a .gnome and .gnome-desktop somewhere
> >>>and copy them back to $HOME every time a user logs in.  Then they can
> >>>change things but everything reverts between users.
> >>But they can still edit the menus and run other programs and just open a
> >>terminal and type away (that would be the first thing to go in this
> >>case)
> >One thing you could try in this case is to create a new 'bin' directory
> >just containing gnome and only the software that users are allowed to
> >use and then changing the path env variable PATH=/path/to/new/bin
> 
> An "easier" solution to running rogue software is via file
> permissions, and a more robust solution.  As in the sense of an internet
> cafe someone can run an absolute path.
> 
> >That way they can't get a terminal because it's not in the path (or if it
> >is for some reason the only stuff they can do is execute software they're
> >allowed anyway).
> 
> so long as they don't /usr/XXXX/bin/gnome-terminal, etc...  Obviously
> this is a malicious user, not a stupid one, but every organization has a
> few.
> 
> >I wonder why you even need to run a desktop if you want a 'locked down'
> >system - why not run only a window manager (e.g. windowmaker, icewm,
> >blackbox) and only put the 'allowed' software in the menu (and then put
> >restrictive permissions on the menu file - the ability and ease to do
> >this may well determine which window manager).
> 
> Because a desktop provides a lot of functionality that "average"
> competence users expect,  and again, restricting menu items doesn't
> prevent them from running applications.  Everything from GNOME itself to
> OO has a "Run" or some way to commence execution of an external
> application.  Not to mention all the functionality of the GNOME
> applets, etc...  The point is to add control without compromising
> functionality (which is tough, I'll admit).  And window manager configs
> in a file really don't help centralized control,  one has to rely on
> rsyncs and other tie-in measures to keep N number of workstations up to
> date.
> 
> _______________________________________________
> gnome-list mailing list
> gnome-list gnome org
> http://mail.gnome.org/mailman/listinfo/gnome-list
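
The thread contrasts a restricted PATH with file permissions as ways to stop users running unapproved programs. The following audit script is an added example, not code from any of the posts: it lists the programs that a PATH-only lockdown still leaves runnable by absolute path. The directory layout (`kiosk/bin`, `usr/bin`) and the function names are hypothetical, and the demo tree is constructed.

```sh
#!/bin/sh
# Added example: audit what a PATH-only lockdown leaves runnable.
#
# unlisted_exec ALLOWED_BIN SCAN_DIR...
#   ALLOWED_BIN  the restricted 'bin' directory that PATH points at
#   SCAN_DIR     directories that hold the real binaries
# Prints every regular file under SCAN_DIR that has the execute bit set for
# "other" and whose name is not present in ALLOWED_BIN. These are the programs
# an ordinary user can still start by typing the absolute path.
# Only the "other" bit is checked; owner and group access are out of scope.
unlisted_exec() {
    allowed=$1
    shift
    find "$@" -type f -perm -0001 2>/dev/null | sort |
    while IFS= read -r path; do
        name=${path##*/}
        [ -e "$allowed/$name" ] || printf '%s\n' "$path"
    done
}

# Constructed demo tree: three stub programs, one of them approved.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/kiosk/bin"
    for prog in gedit gnome-terminal xterm; do
        printf '#!/bin/sh\necho %s\n' "$prog" > "$root/usr/bin/$prog"
    done
    # gedit is approved and linked into the restricted bin directory.
    chmod 755 "$root/usr/bin/gedit"
    ln -s "$root/usr/bin/gedit" "$root/kiosk/bin/gedit"
    # gnome-terminal is merely left out of PATH: still world-executable.
    chmod 755 "$root/usr/bin/gnome-terminal"
    # xterm is locked down with permissions: no execute bit for "other".
    chmod 750 "$root/usr/bin/xterm"
    # Report paths relative to the demo root.
    unlisted_exec "$root/kiosk/bin" "$root/usr/bin" | sed "s|^$root||"
    rm -rf "$root"
}

demo
```

In the demo only `gnome-terminal` is reported: `gedit` is approved, and `xterm` is already closed off by its mode bits rather than by its absence from PATH.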


