On Tue, 8 Nov 2005, Alan K Melby wrote:

Can you set up [Knoppix] Linux so that it is impossible, or at least difficult, for a user to switch to a virtual terminal without re-booting?

Thanks for keeping us on-task; it's easy to get distracted into abstract security discussions.

The file /etc/inittab controls what happens on the virtual terminals. So users may be able to switch to them, but the inittab says whether there will be anything useful on them. On my Ubuntu Linux machine, this is the part of the file I'd comment out (by adding # at the beginning of each line, just like the comment stuff at the top):

# /sbin/getty invocations for the runlevels.
#
# The "id" field MUST be the same as the last
# characters of the device (after "tty").
#
# Format:
#  <id>:<runlevels>:<action>:<process>
#
# Note that on most Debian systems tty7 is used by the X Window System,
# so if you want to add more getty's go ahead but skip tty7 if you run X.
#
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6

The fact that it's running getty on each of tty1-6 is what tells it to put login prompts on the virtual terminals. This part of the file might also be something to comment out:

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

One technique that can be very good at keeping users from playing around, but takes a little more setting up, is called a "chroot jail". chroot makes a program think that a particular directory is actually the root directory "/" of the entire system. You can have chroot automatically run when the system starts and the default user is automatically logged in. If you disable write permission for that user in the chroot directory, the user won't be able to create any files in the jail. Then you put copies of just the programs the user is allowed to run inside the jail.

                                                -J

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
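The two steps in the reply above (commenting the getty and ctrlaltdel lines out of /etc/inittab, then building a read-only chroot jail holding only the permitted programs) as a script. This is an added example, not code from the original message or from Knoppix/Ubuntu. It assumes a sysvinit-style /etc/inittab like the one quoted (systemd-based distributions have no such file), that ldd is available to find shared libraries, and that the jail path, the jailed program (/bin/sh) and the sample inittab are placeholders; the sample inittab is constructed here for testing.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: a sysvinit
# /etc/inittab as quoted in the message, ldd present, root privileges
# for the real run. The jail path and program list are placeholders.

# Write a small constructed inittab (modelled on the one quoted above)
# to the file named in $1, for testing the functions below offline.
sample_inittab() {
    cat > "$1" <<'EOF'
# The default runlevel.
id:2:initdefault:
si::sysinit:/etc/init.d/rcS
# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6
EOF
}

# Print the inittab in $1 with every active getty line and the
# ctrlaltdel line commented out. Lines already starting with "#" are
# left alone, as are all other entries (initdefault, sysinit, ...).
lockdown_inittab() {
    sed -E \
        -e '/^[^#].*:respawn:.*\/getty /s/^/#/' \
        -e '/^[^#].*:ctrlaltdel:/s/^/#/' \
        "$1"
}

# Number of getty entries still active in the inittab named in $1.
# 0 means no login prompt will appear on tty1-6 once init re-reads
# the file ("telinit q"); switching with Ctrl-Alt-Fn is still possible.
active_gettys() {
    grep -Ec '^[^#].*:respawn:.*/getty ' "$1" || true
}

# Number of active ctrlaltdel entries in the inittab named in $1.
active_ctrlaltdel() {
    grep -Ec '^[^#].*:ctrlaltdel:' "$1" || true
}

# Populate a chroot jail at $1 with the programs that follow, plus the
# shared libraries ldd reports for each. Everything is then made
# non-writable for group and others so the jailed user cannot create
# files inside the jail. chown needs root; it is skipped otherwise.
build_jail() {
    jail=$1; shift
    mkdir -p "$jail/bin"
    for prog in "$@"; do
        cp "$prog" "$jail/bin/"
        # every whitespace-separated field beginning with "/" in the ldd
        # output is a library (or dynamic loader) path
        for lib in $(ldd "$prog" 2>/dev/null |
                     awk '{for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i}'); do
            mkdir -p "$jail$(dirname "$lib")"
            cp "$lib" "$jail$lib"
        done
    done
    chown -R root:root "$jail" 2>/dev/null || true
    chmod -R go-w "$jail"
}
```

For the real run, the order is `lockdown_inittab /etc/inittab > /etc/inittab.new`, inspect the result, move it into place, then `telinit q` so init stops respawning the gettys; `build_jail /srv/jail /bin/sh` followed by `chroot /srv/jail /bin/sh` for the restricted login. Commenting the getty lines removes the login prompts but not the ability to switch consoles, which is the point the message makes; a chroot limits what the jailed user can see and run, but it is not a boundary against a user who already has root.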
