LinuxQuestions.org


kdepa 03-26-2004 10:53 PM

Automatic Login in Linux
 
I am setting up about 5 computers on my school's network for gaming/wordprocessing purposes. I want to use them with Slackware, but not have separate user accounts for each person. I want to have the system boot, and automatically log in as a user with minimal privileges, just enough to do word processing and some gaming. I want KDE to automatically start as well. Some students are very smart, and use every work-around possible to get admin access to everything. Is there a way that I can secure the Linux system so that it is "un-screw-upp-able" and totally foolproof???

ringwraith 03-26-2004 11:34 PM

No. There is no such OS.

verdeboy2k 03-26-2004 11:37 PM

I haven't a clue about the auto-login--You might want to change the default runlevel to 4 (GUI login), that way, the console is out of the picture. Make the account only have write privileges to its home directory, and nothing else (Not even /var or /tmp). And finally, there ain't no such thing as foolproof boy! (That really needs to be read in a Southern accent). Unfortunately, you can't just deny them console access, even if you remove xterm... Linux will still have some virtual terminals running in case X decides to kick the bucket--as in the ctrl-alt-backspace kicking of the bucket. Pick a really strong, complicated, root password. Punctuation is your friend. You could also limit the path available to the account, keep them away from commands like su, sudo, crond, at etc. You can make a system idiot-proof, but it's hard to keep the hackers out if they can get physical access--all they have to do is power up the system off a boot disk and delete the root password from the file and set it to anything they like.

kdepa 03-27-2004 12:24 AM

Heh, when I said "foolproof" I didn't mean literally - just enough to keep the smart students from putting in backdoors, etc. into the system :D

At0mic_PC 03-27-2004 09:07 AM

I don't know how you would set up your users, but changing it to runlevel 4 should make it auto login. The default in Slackware is 3 and the default manager is GDM. Change it to make it KDM and configure KDM. It should let you autologin on boot.

/etc/inittab

# These are the default runlevels in Slackware:
# 0 = halt
# 1 = single user mode
# 2 = unused (but configured the same as runlevel 3)
# 3 = multiuser mode (default Slackware runlevel)
# 4 = X11 with KDM/GDM/XDM (session managers)
# 5 = unused (but configured the same as runlevel 3)
# 6 = reboot

# Default runlevel. (Do not set to 0 or 6)
id:4:initdefault:

Then... Change the default session manager.

/etc/rc.d/rc.4

# Tell the viewers what's going to happen...
echo "Starting up X11 session manager..."

# Try to use GNOME's gdm session manager:
if [ -x /usr/bin/gdm ]; then
  exec /usr/bin/gdm -nodaemon
fi

# Not there? OK, try to use KDE's kdm session manager:
if [ -x /opt/kde/bin/kdm ]; then
  exec /opt/kde/bin/kdm -nodaemon
fi

# If all you have is XDM, I guess it will have to do:
if [ -x /usr/X11R6/bin/xdm ]; then
  exec /usr/X11R6/bin/xdm -nodaemon
fi

Just take out the part for GDM from if to fi. You don't have to, GDM will let you boot to KDE but if you don't have Gnome installed you will want it to boot to KDM.

Now configure as root GDM KDM XDM whichever you choose. You may want to periodically change your root PW with kids hacking on the boxes.

tobyl 03-27-2004 11:37 AM

I believe there are some distros modified for 'kiosk' use, eg for use in internet cafe type environments, that are designed for limited access rights, you may be able to tweak one of those to suit your purposes? I don't know if there is one based on Slackware.

Also you may want to investigate using NIC cards that support 'boot from lan' so you could start all the machines up at once. For instance my Linksys NIC has a boot ROM Socket. I haven't investigated it, but I think you get an optional Boot ROM chip installed, then you can use Wake-on-Lan to fire up all your machines from the 'mother' pc.

r_jensen11 03-27-2004 02:58 PM

Here's what I would do:

First, set it up so it runs rc.4 initially. Then, I'd also fix it so that alt+ctrl+bkspce doesn't kill xfree. I would also make sure that alt+ctrl+del doesn't reboot. After that's set up, I would deny the users access to anything that isn't necessary for casual use. This means, no access to tar, gunzip, bunzip2, and the like. Basically, the only things they would need would be sh, cd, ls, mv, vi, and rm. As a kiosk, they wouldn't need access to any more commands. By denying the users the ability to untar, they would have a very difficult time trying to find stuff on the net they could use. Oh yeah, also make sure that they don't have access to automake. A no-brainer, but can be overlooked.
In /etc/inittab, I would have no tty's available in rc.4, not even 6. If you need to do anything that requires root permission, I would suggest doing it remotely, probably through ssh or something along those lines.

Oh yeah, another final thing, deny users access to folders that they don't need. This means no access to essentially everything but /home/user, /mnt, and some stuff in /usr and /bin.

Hangdog42 03-28-2004 08:08 AM

The real problem is that they are going to have physical access to the computer, which means the REAL smart ones can literally pull the plug to cause a reboot and then log into single user mode in which case they pretty much have root access.

I guess I don't know the answer to this, but is there any way to prevent LILO from displaying a boot prompt?

At0mic_PC 03-28-2004 09:08 AM

Yes. Don't put in prompt I think.

r_jensen11 03-28-2004 11:03 AM

To make it so LILO doesn't prompt, comment out the line that says
Code:

prompt

You could probably also comment out the timeout line too, then. What could be done to prevent people from pulling the plug is to only have the monitor, keyboard, and mouse exposed, hide the box. The keyboard could be one with usb ports on it, like some of the Microsoft Natural ones. The main thing is that if you hide the box, they can't boot it off of a CD, and you also get more security. Plus, you won't have to worry about people messing up the CD-ROM drives.

kdepa 03-28-2004 03:46 PM

Thanks for all of the info! It's GREATLY appreciated. I suppose I could put some physical access restrictions on these computers. We really don't have people that are THAT smart, but there are a few who are, and quite a few who LOVE to mess up the comps, unfortunately. Also, stupidly, the school installed the power sockets and ethernet sockets in VERY easy access places for students, so it wouldn't really matter much if I secured access to the power cables. The only way that single user mode can be invoked is thru runlevel changes, or thru lilo, so if I disabled those (except from root), they wouldn't be able to get into single user, correct?

At0mic_PC 03-28-2004 04:09 PM

Dude I made C's D's and F's in school. DO NOT let me sit in front of your computer.

Hangdog42 03-28-2004 04:49 PM

Quote:

The only way that single user mode can be invoked is thru runlevel changes, or thru lilo, so if I disabled those (except from root), they wouldn't be able to get into single user, correct?

Those are certainly the two major ways of accessing single user. However, I honestly don't know if those are the only ways. The other thing you are going to want to do is to make sure that any CD drives are not bootable (remove them from the list of boot devices in BIOS) and then password protect your BIOS. That should prevent someone from booting something like Knoppix.

I would also make sure that all daemons were shut down unless absolutely required and you have good firewalls in place. If the school has easily accessible ethernet sockets, someone might connect their own machine and try something like a buffer overflow attack. For the daemons you have to have running, check into using hosts.deny and hosts.allow to lock them down to a very limited number of IP addresses. If you need ssh, you can lock that down to specific users.

A final thing to do might be to install a file monitor like Aide or Tripwire and have them scan on an hourly basis. I think you can set these up to email reports to you, so if anything fishy starts happening you would have an early warning.


I'm not sure that you can ever completely secure a computer that someone has physical access to, but if you do follow what has been posted here, you will at least make it difficult.
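
Added example, not part of any post in this thread: a small shell audit for the boot and console settings discussed above (LILO `prompt`, default runlevel 4, ctrl-alt-del, gettys on runlevel 4). The function names and the sample files are constructed for illustration; the `password`/`restricted` check comes from lilo.conf(5), not from the posters.

```shell
# Audit lilo.conf and inittab for the kiosk settings discussed in this thread.
# All sample files below are constructed for the example, not real configs.
active() { grep -v '^[[:space:]]*#' "$1" || true; }   # drop commented-out lines

audit_lilo() {   # $1 = path to a lilo.conf
    # Per lilo.conf(5): removing "prompt" only stops the prompt appearing
    # unasked; password + restricted makes parameters like "single" need a password.
    active "$1" | awk '
        $1 == "prompt"   { print "lilo: prompt is active" }
        $1 ~ /^password/ { pw = 1 }
        END { if (!pw) print "lilo: no password= line, boot parameters unprotected" }
    '
}

audit_inittab() {   # $1 = path to an inittab; fields are id:runlevels:action:process
    active "$1" | awk -F: '
        $3 == "initdefault" && $2 != "4" { print "inittab: default runlevel is " $2 ", not 4" }
        $3 == "ctrlaltdel"               { print "inittab: ctrl-alt-del runs " $4 }
        $3 == "respawn" && $2 ~ /4/ && $4 ~ /getty/ { print "inittab: console in runlevel 4: " $4 }
    '
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/lilo.weak" <<'EOF'
prompt
timeout = 50
image = /boot/vmlinuz
EOF
cat > "$tmp/lilo.hard" <<'EOF'
# prompt
password = CONSTRUCTED-PLACEHOLDER
restricted
image = /boot/vmlinuz
EOF
cat > "$tmp/inittab.weak" <<'EOF'
id:3:initdefault:
ca::ctrlaltdel:/sbin/shutdown -t5 -r now
c6:12345:respawn:/sbin/agetty 38400 tty6 linux
x1:4:respawn:/etc/rc.d/rc.4
EOF
cat > "$tmp/inittab.hard" <<'EOF'
id:4:initdefault:
# ca::ctrlaltdel:/sbin/shutdown -t5 -r now
c6:1235:respawn:/sbin/agetty 38400 tty6 linux
x1:4:respawn:/etc/rc.d/rc.4
EOF
for f in lilo.weak lilo.hard; do echo "== $f"; audit_lilo "$tmp/$f"; done
for f in inittab.weak inittab.hard; do echo "== $f"; audit_inittab "$tmp/$f"; done
```

To check a real machine, call `audit_lilo /etc/lilo.conf` and `audit_inittab /etc/inittab`. A lilo.conf that holds a password should be readable by root only, and /sbin/lilo has to be re-run after any change to it.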

Pauli 03-28-2004 05:05 PM

Yeah, that is why I love deep freeze with windows. The kids can fk around with anything they want, but Poof! It's back to normal when they reboot. They hate it :)

Is there a deep freeze equivalent for Linux?

kdepa 03-28-2004 05:28 PM

Yah.. We're trying to make the rest of the Windows PCs do the Deep Freeze thing. Can it be done with the network boot? Windows as a network boot, I mean? Also, is there an equivalent to Norton Ghost that we could possibly use? All of the machines that are going to run Linux have the exact same config, so that's always an option should it be messed up.

