Quoting Brad Campbell (lists2...@fnarfbargle.com): > Rick I completely understand that sentiment, and none of my servers > have a GUI on them. I just "assumed" (yeah, my mistake) that display > managers were used only on single user desktop machines.
Predominantly, to be sure. In the mid 1990s, when I helped build a Linux-based Internet cafe in San Francisco (which _of course_ is an unusual use-case), we had some interesting problems with this. Each of the Pentium Pro workstations on the tables in the cafe ran xdm as display manager with a nice custom image file as background to the login screen. The workstations were all NIS & NFS clients -- and each was used only by a single local user (cafe customer) at a time. Early on, we played around with restricting ability to shutdown and reboot by changing what the 'ca' directive in /etc/inittab did -- because we were painfully aware that some customers would try to mess with the machines. This turned out to be a bad idea. Basically, if you deprived some people of the ability to do painless local console reboot, they'll be motivated to go pull the mains (AC) power instead, with consequent greater risk of filesystem harm. So, it proved smarter to let 'em reboot if they were determined to do so. The NFS/NIS master, a beefy EISA/VLB 486, was a different matter, and we came up with a good solution. The system box was upstairs in a locked room, with long keyboard and video cables to the keyboard and monitor on a table in the cafe. Customers could login there (no X11) to change/set their passwords only: Their login shell permitted only that action. Ctrl-Alt-Del was trapped and caused to do nothing. We also deliberately set things up so that, if a customer found a way to escalate privilege to root on any of the workstations, he/she would be surprised to find himself/herself having -less- privilege than with a regular user account. E.g., the NFS mounts were all exported with root-squash. Security guy Dan Farmer came to visit one day, did a bit of poking around, and pronounced our security design 'sneaky' (meaning this as a compliment). -- Cheers, « On donne des conseils, mais on ne Rick Moen donne point la sagesse d'en profiter. » r...@linuxmafia.com -- La Rochefoucauld McQ! (4x80) _______________________________________________ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng