Re: [newbie] RE: kiosk?
On Tuesday 12 Nov 2002 11:49 pm, Derek Jennings wrote:
> On Tuesday 12 Nov 2002 11:24 pm, Schwenk, Jeanie wrote:
> > I'm not sure if a kiosk is what will solve my problem. Advice would be very appreciated.
> >
> > Here's the problem: I am putting a linux pc in our fab (semiconductor) as a test to prove to management that linux is a viable, inexpensive option to utilize in our manufacturing plant. (versus new xterms at $6K or more a pop, new servers, or new windows pizza boxes). I need to prevent the technicians from hacking the box, from surfing, from installing ... you name it. They need to be able to run ONLY the guis/programs that allow manufacturing to continue smoothly.
> >
> > What is the best way to have the machine automatically boot into a window manager that has only a background menu pick that I can program? It does not have to start any software upon restart but that would be a plus.
> >
> > Thanks.
> > Jeanie
>
> Something like this ?
> http://www.oeone.com/products/desktop.html
> It uses Mozilla as a sort of centralised interface to apps. Works on RedHat and now also Mandrake.
>
> Alternatively you could just define user accounts which have a limited set of menu items, and no shell available. If you modify the user's 'PATH' to remove /usr/bin for example, then they will be unable to run any application other than ones you specifically put in their path by creating a symlink from the application to some directory in their PATH.
>
> Look at /etc/profile to see the PATH available to all users, and ~/.bash_profile to see how the PATH is modified for individual users.
>
> derek

If I can rubbish my own suggestion - Changing the Path on its own does not improve security since anyone who knows the 'long path' to an application can still run it. But here are two more suggestions for 'locking it down.'

Change the permissions on /usr/bin (and other directories containing apps) to 750 root,admin where admin is a group containing trusted users. This will prevent any untrusted user from executing any of those apps. Then for any app you want available to all, make the permissions 755.

The next step in complexity is to use PAM (Pluggable Authentication Modules). The best way to describe PAM is by example. halt is the name of the application to stop a computer. If you want to run it you execute /usr/bin/halt, but /usr/bin/halt is not actually the halt application. It is a symlink to another application called consolehelper. When you want to run halt you first go to consolehelper, which compares the name of the application it was called by (halt) with a list of files in /etc/pam.d. If there is a file in there of the same name, then the contents of that file are used to determine if the user making the request has sufficient rights.

Looking at the contents of /etc/pam.d/halt shows us the tests performed. These lines mean that it is OK for root to use halt, but other users have to pass a security test first. If the test is passed, execution passes over to the halt command, which is actually held in /sbin/halt.

For a description of the PAM commands see http://www.kernel.org/pub/linux/libs/pam/

As for Window Managers, you can use anything you like. With KDE for example you could modify all the Hot Keys to disable features like Alt+F2 (execute command). Using menudrake you can customise the menus, and apply them across all Window Managers, and stopping services like mgetty will disable console access (Ctl+Alt+F1 etc).

With browsers, you can configure konqueror for example to not show its menu bar, so depriving users of the chance to alter settings, and squid-guard can be used to block access to all internet sites other than work related ones to stop them surfing porn on the late shift.

You could have endless fun with this project :)

derek

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
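
An added example, not part of the post above or of any Mandrake tool: a POSIX shell check for the permission-based lockdown described in this message, reading the 750/755 modes as applied to the application files themselves (an assumption). It lists files in a bin directory that any user may execute but that are not on the kiosk allowlist; the app names, the allowlist and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the file-mode lockdown against a kiosk allowlist.
# All file names and the allowlist here are constructed sample data.

# other_can_enter DIR: succeeds if users outside owner/group can traverse DIR.
# If the directory itself lacks o+x, nothing inside it is reachable for them,
# whatever the individual file modes are.
other_can_enter() {
    [ -n "$(find "$1" -maxdepth 0 -perm -001)" ]
}

# audit_bin DIR ALLOWLIST: print each regular file in DIR that "other" may
# execute (o+x) but that is not named in ALLOWLIST (one file name per line).
# The check reads mode bits, not PATH, because a full path bypasses PATH.
# Symlinks (such as halt -> consolehelper) are skipped; the target's mode rules.
audit_bin() {
    find "$1" -maxdepth 1 -type f -perm -001 | sort |
    while IFS= read -r f; do
        grep -qxF -- "${f##*/}" "$2" || printf '%s\n' "${f##*/}"
    done
}

# demo: build a throwaway bin directory, lock it down, audit it.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bin"
    for app in fabgui citrix-client mozilla gcc; do
        printf '#!/bin/sh\n' > "$root/bin/$app"
    done
    chmod 755 "$root/bin"
    chmod 750 "$root/bin/gcc"                       # trusted group only
    chmod 755 "$root/bin/fabgui" "$root/bin/citrix-client"
    chmod 755 "$root/bin/mozilla"                   # left open by mistake
    printf 'fabgui\ncitrix-client\n' > "$root/allow.txt"
    audit_bin "$root/bin" "$root/allow.txt"
    rm -rf "$root"
}

demo   # prints: mozilla
```

Run against the real application directories, an empty result means every world-executable file is one that was deliberately approved.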
Re: [newbie] RE: kiosk?
On Wed, 2002-11-13 at 10:24, Schwenk, Jeanie wrote:
> I'm not sure if a kiosk is what will solve my problem. Advice would be very appreciated.
>
> Here's the problem: I am putting a linux pc in our fab (semiconductor) as a test to prove to management that linux is a viable, inexpensive option to utilize in our manufacturing plant. (versus new xterms at $6K or more a pop, new servers, or new windows pizza boxes). I need to prevent the technicians from hacking the box, from surfing, from installing ... you name it. They need to be able to run ONLY the guis/programs that allow manufacturing to continue smoothly.
>
> What is the best way to have the machine automatically boot into a window manager that has only a background menu pick that I can program? It does not have to start any software upon restart but that would be a plus.
>
> Thanks.
> Jeanie

What you can do is to set up an account on the linux box that is a normal user - and have either BLACKBOX or WINDOWMAKER as the primary WM - set up a menu of ONLY your preferred application and a LOGOFF option. On the same token, you can have a customized GNOME2 or KDE3 desktop/menu system with only those applications, or even better, have a WM setup to run the application directly after the logon (using either scripts or what-have-you).

I would, overall, suggest BLACKBOX as it's a minimalistic wm and very easy to edit the config files as the superuser - mere minutes and you could have a very well done and very secure setup.

Stephen

--
Thu Nov 14 07:55:00 EST 2002
kuhn media australia | http://kma.0catch.com
stephen kuhn | email: [EMAIL PROTECTED]
mobile: 0410-728-389 | linux user:267497

If the Tao is great, then the operating system is great. If the operating system is great, then the compiler is great. If the compiler is great, then the application is great. If the application is great, then the user is pleased and there is harmony in the world.
The Tao gave birth to machine language. Machine language gave birth to the assembler. The assembler gave birth to the compiler. Now there are ten thousand languages. Each language has its purpose, however humble. Each language expresses the Yin and Yang of software. Each language has its place within the Tao. But do not program in COBOL if you can avoid it.
-- Geoffrey James, The Tao of Programming
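
An added example, not part of the message above: a POSIX shell function that builds the kind of Blackbox menu described there, holding only approved applications and a logoff entry, and refuses entries that would hand the account a shell or terminal. The `[begin]`, `[exec]`, `[exit]` and `[end]` tags are Blackbox menu syntax; the labels, paths and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate a locked-down Blackbox menu from an allowlist.
# Labels and program paths below are constructed sample data.

# make_menu TITLE < entries   (one "Label|/absolute/command args" per line)
# Writes the menu to stdout. Returns 1 without writing a menu if an entry is
# not an absolute path or starts a shell or terminal emulator.
make_menu() {
    title=$1
    body=
    while IFS='|' read -r label cmd; do
        [ -n "$label" ] || continue
        prog=${cmd%% *}                 # command without its arguments
        case $prog in
            /*) ;;                      # absolute path: not resolved via PATH
            *) echo "rejected (not an absolute path): $label" >&2
               return 1 ;;
        esac
        case ${prog##*/} in
            sh|bash|csh|tcsh|ksh|zsh|xterm|rxvt|konsole|gnome-terminal)
                echo "rejected (shell or terminal): $label" >&2
                return 1 ;;
        esac
        body="$body  [exec] ($label) {$cmd}
"
    done
    printf '[begin] (%s)\n%s  [exit] (Logoff)\n[end]\n' "$title" "$body"
}

# demo_menu: the two production applications plus logoff, nothing else.
demo_menu() {
    make_menu "Fab Station" <<'EOF'
Wafer Pod GUI|/usr/local/bin/fabgui
Citrix Client|/usr/local/bin/citrix-client --fullscreen
EOF
}

demo_menu
```

Install the output as the kiosk account's Blackbox menu file, owned by root and not writable by that account, so the menu cannot be edited from the session.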
RE: [newbie] RE: kiosk?
On Wed, 2002-11-13 at 11:10, Schwenk, Jeanie wrote:
> I wasn't sure what information to include in the initial email. The software that would be running is industry specific. Windows applications would be running via citrix server. The main program would be a swing gui used for processing pods of wafers.
>
> We have many creative individuals here who are bored as well. Others are just hacks who live to be a pain in the patootie. If games, browsers, music, videos etc. are able to be installed, management will NEVER allow linux in the fab. Can't allow them command line access, period.
>
> Right now, I have the only linux desktop in the entire company. That has to change (yes, I'm a zealot). Getting a linux pc in the fab will make linux visible to all levels of management. If it's visible and it costs them no money (I'm using a recycled PC), management will buy into the idea that linux is the way to go. We know it is, but the phb's do not. And I have to be able to show the same level of control and security our current options have.
>
> So to top it off, whatever software might be available to help in this area has to be open source as there's no budget right now for me to do this. But I am compelled to do it.
>
> Jeanie

The only main issue that I would see with this environment would be to get a Citrix client working on the linux desktop. I've found an alternative at: http://sdsusa.com/jwt/ - they have a Citrix client for linux.

I would strongly recommend using a very BARE window manager - not even KDE or GNOME or ICEWM for this workstation. As I've had to provide slave terms and dumb terms before, you will have to lock down the workstation in such a manner that only you will be able to make direct modifications to the system - since you're already running linux on YOUR desktop, you can use VNC to administer this workstation without ever leaving your own workstation.

As in Solaris boxes in a production environment, the menus for the working account have only the necessary applications listed, along with a logoff - and that's it.

You can use BLACKBOX, FLUXBOX, XFCE and Enlightenment. With Enlightenment, there are a few themes that actually have desktop icons - which would make it all the more easy for you to configure and lock down - only a matter of editing text menus - literally. At least with Enlightenment, you could dress up the desktop in such a manner as to make it aesthetically pleasing and elegant.

IMHO

Stephen

--
Thu Nov 14 08:10:00 EST 2002
kuhn media australia | http://kma.0catch.com
stephen kuhn | email: [EMAIL PROTECTED]
mobile: 0410-728-389 | linux user:267497

THE STORY OF CREATION or THE MYTH OF URK
In the beginning there was data. The data was without form and null, and darkness was upon the face of the console; and the Spirit of IBM was moving over the face of the market. And DEC said, Let there be registers; and there were registers. And DEC saw that they carried; and DEC separated the data from the instructions. DEC called the data Stack, and the instructions they called Code. And there was evening and there was morning, one interrupt ...
-- Rico Tudor
Re: [newbie] RE: kiosk?
On Tuesday 12 Nov 2002 11:24 pm, Schwenk, Jeanie wrote:
> I'm not sure if a kiosk is what will solve my problem. Advice would be very appreciated.
>
> Here's the problem: I am putting a linux pc in our fab (semiconductor) as a test to prove to management that linux is a viable, inexpensive option to utilize in our manufacturing plant. (versus new xterms at $6K or more a pop, new servers, or new windows pizza boxes). I need to prevent the technicians from hacking the box, from surfing, from installing ... you name it. They need to be able to run ONLY the guis/programs that allow manufacturing to continue smoothly.
>
> What is the best way to have the machine automatically boot into a window manager that has only a background menu pick that I can program? It does not have to start any software upon restart but that would be a plus.
>
> Thanks.
> Jeanie

Something like this ?
http://www.oeone.com/products/desktop.html
It uses Mozilla as a sort of centralised interface to apps. Works on RedHat and now also Mandrake.

Alternatively you could just define user accounts which have a limited set of menu items, and no shell available. If you modify the user's 'PATH' to remove /usr/bin for example, then they will be unable to run any application other than ones you specifically put in their path by creating a symlink from the application to some directory in their PATH.

Look at /etc/profile to see the PATH available to all users, and ~/.bash_profile to see how the PATH is modified for individual users.

derek
RE: [newbie] RE: kiosk?
I wasn't sure what information to include in the initial email. The software that would be running is industry specific. Windows applications would be running via citrix server. The main program would be a swing gui used for processing pods of wafers.

We have many creative individuals here who are bored as well. Others are just hacks who live to be a pain in the patootie. If games, browsers, music, videos etc. are able to be installed, management will NEVER allow linux in the fab. Can't allow them command line access, period.

Right now, I have the only linux desktop in the entire company. That has to change (yes, I'm a zealot). Getting a linux pc in the fab will make linux visible to all levels of management. If it's visible and it costs them no money (I'm using a recycled PC), management will buy into the idea that linux is the way to go. We know it is, but the phb's do not. And I have to be able to show the same level of control and security our current options have.

So to top it off, whatever software might be available to help in this area has to be open source as there's no budget right now for me to do this. But I am compelled to do it.

Jeanie

-----Original Message-----
From: Spencer [mailto:sdander;oberon.ark.com]
Sent: Tuesday, November 12, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] RE: kiosk?

On November 12, 2002 03:24 pm, Schwenk, Jeanie wrote:
> I'm not sure if a kiosk is what will solve my problem. Advice would be very appreciated.
>
> Here's the problem: I am putting a linux pc in our fab (semiconductor) as a test to prove to management that linux is a viable, inexpensive option to utilize in our manufacturing plant. (versus new xterms at $6K or more a pop, new servers, or new windows pizza boxes). I need to prevent the technicians from hacking the box, from surfing, from installing ... you name it. They need to be able to run ONLY the guis/programs that allow manufacturing to continue smoothly.
>
> What is the best way to have the machine automatically boot into a window manager that has only a background menu pick that I can program? It does not have to start any software upon restart but that would be a plus.
>
> Thanks.
> Jeanie

Wow, that's a tall order. Icewm would be the window manager to use. It's totally configurable to whatever you want on a desktop. What sort of apps would you want to run? Is this all possible? You bet, but we need a lot more information. Unwanted hacking or installing is easy to control, just don't release the root password. There are probably others on the list that can help but to me, this would be an interesting challenge.

Spence
Re: [newbie] RE: kiosk?
On November 12, 2002 04:10 pm, Schwenk, Jeanie wrote:

Jeanie, setting up a limited usage linux box is relatively easy (see Derek's email about PATHS). Citrix also has ICA clients for Linux so getting things set up shouldn't be too difficult.

Spence

> I wasn't sure what information to include in the initial email. The software that would be running is industry specific. Windows applications would be running via citrix server. The main program would be a swing gui used for processing pods of wafers.
>
> We have many creative individuals here who are bored as well. Others are just hacks who live to be a pain in the patootie. If games, browsers, music, videos etc. are able to be installed, management will NEVER allow linux in the fab. Can't allow them command line access, period.
>
> Right now, I have the only linux desktop in the entire company. That has to change (yes, I'm a zealot). Getting a linux pc in the fab will make linux visible to all levels of management. If it's visible and it costs them no money (I'm using a recycled PC), management will buy into the idea that linux is the way to go. We know it is, but the phb's do not. And I have to be able to show the same level of control and security our current options have.
>
> So to top it off, whatever software might be available to help in this area has to be open source as there's no budget right now for me to do this. But I am compelled to do it.
>
> Jeanie
>
> -----Original Message-----
> From: Spencer [mailto:sdander;oberon.ark.com]
> Sent: Tuesday, November 12, 2002 3:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [newbie] RE: kiosk?
>
> On November 12, 2002 03:24 pm, Schwenk, Jeanie wrote:
> > I'm not sure if a kiosk is what will solve my problem. Advice would be very appreciated.
> >
> > Here's the problem: I am putting a linux pc in our fab (semiconductor) as a test to prove to management that linux is a viable, inexpensive option to utilize in our manufacturing plant. (versus new xterms at $6K or more a pop, new servers, or new windows pizza boxes). I need to prevent the technicians from hacking the box, from surfing, from installing ... you name it. They need to be able to run ONLY the guis/programs that allow manufacturing to continue smoothly.
> >
> > What is the best way to have the machine automatically boot into a window manager that has only a background menu pick that I can program? It does not have to start any software upon restart but that would be a plus.
> >
> > Thanks.
> > Jeanie
>
> Wow, that's a tall order. Icewm would be the window manager to use. It's totally configurable to whatever you want on a desktop. What sort of apps would you want to run? Is this all possible? You bet, but we need a lot more information. Unwanted hacking or installing is easy to control, just don't release the root password. There are probably others on the list that can help but to me, this would be an interesting challenge.
>
> Spence
Re: [newbie] RE: kiosk?
Jeanie;

Whose fab?

I'm new to linux, but not to what you're trying to do. My experience is Solaris and most things translate. I just don't know the particulars.

In Solaris, you could configure the workstation to act as an Xterm, running everything from a remote Xserver. If I understand correctly, this would be the same as spending the $6k in your post. By the way, this doesn't address the paranoia about the operators. If you're working for a semiconductor house, you probably have plenty of old sparcs that I know can be used as Xterms.

Most Window managers allow you to define the menus on a per account basis. Create an account with only the production apps and logoff (no shells) defined. If you can't use a login manager, Solaris had something called a restricted shell. If linux has it, you can use that to make sure they get to your limited X setup.

Hope I've helped

Gary

On Tuesday 12 November 2002 03:24 pm, Schwenk, Jeanie wrote:
> I'm not sure if a kiosk is what will solve my problem. Advice would be very appreciated.
>
> Here's the problem: I am putting a linux pc in our fab (semiconductor) as a test to prove to management that linux is a viable, inexpensive option to utilize in our manufacturing plant. (versus new xterms at $6K or more a pop, new servers, or new windows pizza boxes). I need to prevent the technicians from hacking the box, from surfing, from installing ... you name it. They need to be able to run ONLY the guis/programs that allow manufacturing to continue smoothly.
>
> What is the best way to have the machine automatically boot into a window manager that has only a background menu pick that I can program? It does not have to start any software upon restart but that would be a plus.
>
> Thanks.
> Jeanie