on Fri, Jul 23, 2004 at 08:15:36AM -0400, Steve Glines ([EMAIL PROTECTED]) wrote:
> Karsten M. Self wrote:
>
> > on Fri, Jul 23, 2004 at 01:13:53AM -0700, Paul Johnson ([EMAIL PROTECTED]) wrote:
> >
> >>Justinas <[EMAIL PROTECTED]> writes:
> >>
> >>> There is a computer game club with 49 computers running
> >>>linux. I would be glad to hear any suggestions how to build entirely
> >>>system that forbids users to execute any other programs or scripts,
> >>>only games, browsers and some office programs. The main aim of this,
> >>>to keep computer out of trash and make administrators life
> >>>easier. Could somebody share experience on some kind computer kiosk
> >>>systems. Any suggestions, critics are acceptable.
> >>
> >>Don't install more than you need installed. That'll get you about 90%
> >>there. The last 10% can be taken care of with groups and file
> >>permissions, or if you want to overkill it, the ACL permission support
> >>in 2.6 might be of help (however, I don't use ACL support, don't know
> >>how well it works, and have more or less been waiting for success or
> >>horror stories which have yet to materialize from what I've seen).
> >
> > ...user state in ramdisk and/or copied into the user's account at
> > startup. And a watchdog to slay the user if critical files disappear or
> > are changed.
> >
> > One of the better descriptions I've seen of a Linux Kiosk configuration
> > is JWZ's DNA Lounge systems. San Francisco nightclub, typically filled
> > with several hundred highly individualistic patrons under varying
> > influences astrological to zoological, and overall both reliable and
> > usable. GIYF.
>
> Just invoke users shell as bash -r

Not sufficient. RTFM.

You'll find that the restrictions within a restricted bash shell are
dropped when executing shell scripts. Which is a handy way for doing
various things. And hence, rather limiting.

I'd look at a chroot or UML jail for additional security.

Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]> http://linuxmafia.com/~karsten
Ceterum censeo, Caldera delenda est.
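
An added example, not part of the original thread: a check an administrator could run over the directories placed on a `bash -r` user's PATH, listing every command that is a shell script rather than a compiled binary, since those are the commands for which the restrictions are dropped as the reply above describes. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All function names are hypothetical.

# classify_cmd FILE -> elf | shebang | text, judged from the first four bytes.
classify_cmd() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;       # compiled binary, not the script case
        2321*)    echo shebang ;;   # "#!": kernel starts the named interpreter
        *)        echo text ;;      # no magic: bash itself runs it as a script
    esac
}

# audit_rbash_path DIR... -> one line per command that runs without restrictions.
audit_rbash_path() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            if [ ! -f "$f" ] || [ ! -x "$f" ]; then continue; fi
            case "$(classify_cmd "$f")" in
                shebang)
                    interp=$(sed -n '1s/^#![[:space:]]*//p' "$f")
                    printf 'UNRESTRICTED %s (interpreter: %s)\n' "$f" "$interp" ;;
                text)
                    printf 'UNRESTRICTED %s (no #!, run by bash as a script)\n' "$f" ;;
            esac
        done
    done
}

# make_sample_dir -> path of a constructed kiosk bin directory for the demo.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '\177ELF' > "$d/game"                    # fake ELF header
    printf '#!/bin/sh\necho hi\n' > "$d/launcher"   # script with interpreter line
    printf 'echo hi\n' > "$d/wrapper"               # script without one
    printf 'readme\n' > "$d/notes.txt"              # not executable, ignored
    chmod +x "$d/game" "$d/launcher" "$d/wrapper"
    echo "$d"
}

sample=$(make_sample_dir)
audit_rbash_path "$sample"
rm -rf "$sample"
```

Every flagged entry should be replaced by a binary or removed from the restricted PATH.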