Re: Restricted view of the filesystem



On 7/7/07, guenther <guenther rudersport de> wrote:

> In a deployment scenario, the desktop administrator should ideally be
> able to define a restricted set of directories which users in a
> profile will be able to view.  For example, a user may only be allowed
> to view the contents of his home directory and its subdirectories.
[...]

> Thoughts/comments/suggestions are welcome :-).

> Clearly, this is just about defining "a view", not security related in
> any sense of the word, right?


No - this is not at all security related.

> If you are thinking security, this is the wrong approach. File ownership
> and permissions do this, or ACLs. This is not the duty of the graphical
> interface to handle and enforce. Can these users log in via a virtual
> terminal? Can they launch gnome-terminal, xterm, bash... Or even emacs?


No - they cannot. This kind of restriction would be implemented along
with the other lockdown options
(/desktop/gnome/lockdown/disable_command_line) :-)

> What is wrong with seeing the contents of /usr/share/icons? Ever set a
> custom icon for a launcher? What is bad about seeing the contents
> of /usr/share/man? Yelp does display man pages... This list goes on and
> on.


I agree that for a normal desktop user, there's no harm in seeing the
contents of /usr/share/icon or browsing through /usr/share/man.

However, this kind of feature is targeted towards more specialised kinds
of scenarios. For example, here's a use story from the initial spec
document created by my SoC mentor:

<quote>
Let's go back to Alicia, the administrator for the internet cafe.  She
wants her customers to be able to save files on their home
directories:  she can afford to give students a modest amount of space
on her server's hard drive so that they can do school work and keep it
there.  However, Alicia wants to simplify the students' view of the
software by only showing the contents of home directories:  she
doesn't want students to see "File System" nor "Network Servers" in
the Nautilus places sidebar.

Alicia would therefore like to say that only certain directories (and
their subdirectories) should be visible to certain users.  One of the
customers, Ricardo Tapia, should only be able to see
/home/premium-customers/ricardo and its subdirectories --- he
certainly doesn't care to see /usr or /var.

Similarly, this limited view of the file system should also be seen in
the GTK+ file chooser.  See the section called "Scenario: Lock-down"
in
http://primates.ximian.com/~federico/docs/file-chooser-extension-spec/index.html
</quote>

Again, adding to the above, I have seen people administering LTSP in
University Internet browsing centers being uncomfortable with the fact
that users can find out the usernames of all the users in the system
simply by navigating via their file manager to /home (LTSP exports the
user home directories via NFS).
I have actually watched students randomly clicking on other users' home
directories from /home - of course, they do not succeed in most of the
cases, but what if some user manages to mess up his/her home directory
permissions? These users are not "expert users" or "power users", and
they often have very little knowledge of file permissions, etc. In
such a situation, restricting the "view" of nautilus to $HOME only,
along with restricting command line access would make the job of the
LTSP administrator much easier.

> Btw, would that GConf key you proposed be owned by the user? ;)

No - it would be a mandatory setting in most situations, I guess.

Warm regards,
Sayamindu

--
Sayamindu Dasgupta
[http://sayamindu.randomink.org/ramblings]
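The thread's point that "file ownership and permissions do this, or ACLs" is what actually stops Ricardo from reading other customers' home directories; the Nautilus view only hides them. The script below is an added example, not code from this thread or from GNOME/LTSP: it audits a home root for directories whose mode lets other users list or traverse them (the "messed up home directory permissions" case raised above) and locks them down to mode 700. It assumes per-user private groups, so only the "other" bits are checked, and a find(1) that supports -mindepth/-maxdepth (GNU and BSD do). The sample /home tree is constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit and fix home
# directory modes, the permission-layer control behind "users should only
# see their own home directory".
# Assumptions: per-user private groups (only "other" bits matter across
# users), and find(1) with -mindepth/-maxdepth.

# audit_homes ROOT: print each directory directly under ROOT whose "other"
# bits grant read (listing) or execute (traversal), one path per line.
audit_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \( -perm -004 -o -perm -001 \) | sort
}

# report_homes ROOT: like audit_homes, but with the octal mode in front so an
# administrator can see *how* each directory is exposed (755 vs 711 etc.).
report_homes() {
    audit_homes "$1" | while IFS= read -r dir; do
        # GNU stat first, BSD stat as a fallback
        mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
        printf '%s %s\n' "$mode" "$dir"
    done
}

# lock_down_homes ROOT: remove group/other access from every directory the
# audit flags. The owner keeps full access; other users can no longer enter
# or list it regardless of what the file manager shows them.
lock_down_homes() {
    audit_homes "$1" | while IFS= read -r dir; do
        chmod 700 "$dir"
    done
}

# make_sample_homes: build a constructed /home look-alike in a temp dir and
# print its path. The three modes are the cases an LTSP admin would meet.
make_sample_homes() {
    root=$(mktemp -d)
    mkdir "$root/alice" "$root/bob" "$root/ricardo"
    chmod 755 "$root/alice"    # listable and traversable by everyone (common default)
    chmod 711 "$root/bob"      # not listable, but traversable if a path is guessed
    chmod 700 "$root/ricardo"  # private: the state every home should be in
    printf '%s\n' "$root"
}

# demo: run the audit, apply the fix, and audit again on the constructed tree.
demo() {
    root=$(make_sample_homes)
    echo "Exposed home directories before lockdown:"
    report_homes "$root"
    lock_down_homes "$root"
    echo "Exposed home directories after lockdown (expected: none):"
    report_homes "$root"
    rm -rf "$root"
}

demo
```

On a real LTSP server the same audit would be pointed at the exported /home; pairing it with a restrictive umask for the account-creation tool keeps new homes from reappearing as 755.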


