Re: Gnome Lock Down



>>That's something I have been wondering for a while, as we use win2k/NT
>>on our Desktops at work, and trying to convince the boss to switch to
>>Gnome (as 50% of our servers run linux, so that's half the battle),
>>but he wants the desktops locked down like in windows for the users (as
>>sys admins were trusted, which is a damn good policy if you ask me), so
>>currently Linux on the desktop is a no-no, due to this
>>>The simplest solution is to make a .gnome and .gnome-desktop somewhere
>>>and copy them back to $HOME every time a user logs in.  Then they can
>>>change things but everything reverts between users.
>>But they can still edit the menus and run other programs and just open a
>>terminal and type away (that would be the first thing to go in this
>>case)
>One thing you could try in this case is to create a new 'bin' directory
>just containing gnome and only the software that users are allowed to
>use and then change the path env variable: PATH=/path/to/new/bin

An "easier" and more robust solution to users running rogue software is
via file permissions.  As in the sense of an internet cafe, someone can
always run an absolute path.

>That way they can't get a terminal because it's not in the path (or if it
>is for some reason, the only stuff they can do is execute software they're
>allowed anyway).

So long as they don't run /usr/XXXX/bin/gnome-terminal, etc...  Obviously
this is a malicious user, not a stupid one, but every organization has a
few.

>I wonder why you even need to run a desktop if you want a 'locked down'
>system - why not run only a window manager (e.g. windowmaker, icewm,
>blackbox) and only put the 'allowed' software in the menu (and then put
>restrictive permissions on the menu file - the ability and ease to do
>this may well determine which window manager).

Because a desktop provides a lot of functionality that "average"
competence users expect, and again, restricting menu items doesn't
prevent them from running applications.  Everything from GNOME itself to
OO has a "Run" or some way to commence execution of an external
application.  Not to mention all the functionality of the GNOME
applets, etc...  The point is to add control without compromising
functionality (which is tough, I'll admit).  And window manager configs
in a file really don't help centralized control; one has to rely on
rsyncs and other tie-in measures to keep N workstations up to
date.
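The contrast drawn in this reply (PATH restriction versus file permissions) can be checked on a throwaway directory tree. The script below is an added example written for this page, not code from the thread or from GNOME; it constructs two fake binaries in a temp directory, shows that an absolute path still runs one of them with PATH emptied, then drops the "other" execute bit so only owner and group can start it. The function names (world_exec, restrict_to_group, path_bypasses) and the fake binary names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread. Runs only on a
# constructed temporary tree, never on a real /usr/bin.
set -u

# Files under $1 that carry the o+x bit (mode -001): any local user can
# start these by absolute path no matter what PATH contains.
world_exec() {
    find "$1" -type f -perm -001 | sort
}

# Harden one program: owner and group keep execute, "other" loses it.
# In a real deployment the group would be the trusted set, e.g.
#   chgrp staff "$1"; chmod 750 "$1"
# Only the mode is changed here so the demo needs no root.
restrict_to_group() {
    chmod 750 "$1"
}

# Returns 0 when $1 still executes with an empty PATH, i.e. when a PATH
# restriction alone would not have stopped it. Run this as a user outside
# the owning group to see the effect of restrict_to_group; the owner is
# always permitted by mode 750.
path_bypasses() {
    PATH= "$1" >/dev/null 2>&1
}

# --- demo on a constructed tree (sample data, not a real install) ---
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin"
printf '#!/bin/sh\necho terminal\n' > "$demo_root/bin/fake-terminal"
printf '#!/bin/sh\necho office\n'   > "$demo_root/bin/fake-office"
chmod 755 "$demo_root/bin/fake-terminal" "$demo_root/bin/fake-office"

echo "world-executable before hardening:"
world_exec "$demo_root"
if path_bypasses "$demo_root/bin/fake-terminal"; then
    echo "empty PATH did not stop $demo_root/bin/fake-terminal"
fi

restrict_to_group "$demo_root/bin/fake-terminal"
echo "world-executable after hardening:"
world_exec "$demo_root"      # only fake-office is listed now
rm -rf "$demo_root"
```

Running world_exec over the real application directories is the audit step: anything it lists is reachable by every desktop user regardless of menus or PATH, and the centralized fix is group membership plus mode 750 rather than per-user config files.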
