Hello. I work at a shelter (actually, a big warehouse that is "first stage transitional housing"), and I'd like to set up another computer for them. I got a very old Pentium (32 MB ram) that I set up with Windows 98. I recently have acquired a better computer (400 MHz), and I'd like to put Debian on it. The game Supertux would be a real hit (games from Wiering Software, like Charlie the Duck, are very popular with the crew I work with).

The problems I had with Windows 98 are:

• difficult to find games that are not "shareware", which often only allow part of the game to be played, sometimes with annoying messages.
• some users will spend all day creating shortcuts for the desktop -- I've had to erase hundreds of these. The "Start" button, as a means to find and start programs, does not register with most users.
• some users will delete programs, or mess around with system settings.

So, Debian seems the perfect choice. However, I want to make it both accessible and secure (a slight contradiction, I realize, but I think it's possible). I plan to set up gdm to automatically log in as a default user, without needing to type in a password. And, for the default user, I would like to set it up so that the desktop cannot be altered. I will set up personal users who can alter their desktops till their heart's content (via logging in), but I want the general public interface to remain clear and clean. Basically, how do I alter the permissions of users?

I really want to find a way to prevent hundreds of shortcuts being put on the default desktop (I'm not exaggerating when I say "hundreds"). Thanks in advance for any suggestions and/or pointers. Suggestions of games I can install (from either deb packages, or from source) are appreciated too.

Linux is ideal for kiosk machines, which is more or less what you seek to create here. File permissions are a huge topic to explain to someone who has no idea where to begin. These fine folks have done it far better than I could:

http://www.linuxsecurity.com/content/view/118181/49/

Thanks for the link to the educational stuff about permissions. Quite interesting. I did not realize what the numbers (ie, 755) meant before.

Anyway, I created a user account named "guest", with password "guest". I made gdm automatically log into this user after 30 seconds. Then, using nautilus, I switched the permissions of the home directory, and the desktop directory, to read and execute (555), eliminating write permissions. This accomplished what I wanted. But, when I rebooted the machine, I was no longer allowed to log back into the guest account.

I then tried to switch the home directory of guest, via the Users Administration Tool (aka Users and Groups, a gnome gui device for messing about with users and groups settings). I figured that I could eliminate write privileges from guest for everything, but hopefully the machine would log into that directory. Then, for web browsing, I could allow others to have write privileges on the necessary mozilla directory within the other users home directory (that "guest" would currently be visiting. Needless to say, I was unable to log in as "guest" to this home directory; so, this was not a go.

If there is a way to prevent users from having write access, and still being able to log in, please let me know. Thanks.

PS, PenguinPwrdBox, goodluck on the Cisco lab.

Ha! I figured it out! I eliminated write access to the Desktop, and eliminated Read access to guest's home directory (preserving write access). That did it. Users will not be able to screw around with the set-up. (perhaps via the console, or something -- but hey, if they can get that far, kudos to them -- it means they're learning).

Is this machine connected to the Internet ???

If so, I would make sure that no SSH or FTP server is running. A user with the name 'Guest' and the password 'Guest' is not what you call 'secure'. I have hundreds of break-in attempts on my Debian server everyday which use name lists to try to get into my machine (so they try for example 20 times with usernames like "root, admin, guest, apache, default". So I would definetaly change the username and password to something not so obvious. Or make sure that no connections are allowed from such users from the outside.

Good luck setting up the machine!!!

It won't be used as a server of any kind. And I'll likely set-up a firewall (perhaps Guarddog). But you're probably right, a username/password that is less obvious to outsiders, but known to the insiders (ie, the shelter-name, or the postal code) would be better. Since the machine will be automatically logging in, the password probably won't matter for the clients of the shelter.

My recently contemplated set-up, eliminating Read access to guest's home directory (preserving write access) is an awkward set up, that only half works. I think I'll not worry about the home directory, and just leave it as permission 755.

Porn is another issue I'm not sure how to handle. Management of the shelter wants some safe guards here. Initially I was going to set up the extension Blockxxx (which works similar to
adblock) on Firefox, and hide Epiphany, and Konqueror. However, Firefox works terribly on Debian. And I felt that eventually someone would find Konqueror. Instead, I downloaded a proxy server filter list from the internet, at http://www.ericphelps.com/security/pac.htm, and set this up.

This works reasonably well. The problem is that any user can change this set up. For example, in Mozilla, any user can go to edit, preferences, advanced, proxies, and change it. Is there a way to prevent users from altering the preferences in browsers? Or any other suggestions (ie, a UserContent.css file, or something)?

About user permissions, someone suggested kde's kiosktool, found in the testing (Etch) repositories of Debian packages. I tried this, and was initially quite excited. However, after my system crashed several times, I gave up this. I find KDE a cluttered mess anyway. I do rely on some of its programs, though, and kiosktools has broken some of them (konqueror, guarddog). I managed to fix konqueror by reinstalling and reconfiguring. Guarddog is still buggered up though. If anyone has any tips on fixing it, please share.

For blocking porn, I've decided to go with squid and dansguardian. I really should have two computers (a proxy server, and the client). But, alas, I don't. So, I'm attempting to hide the proxy server on the one computer (I found out how to lock Mozilla's preferences, and I've removed Epiphany, and removed Desktop Preferences, from the Applications menu.) If anyone knows how to remove the Debian Menu from the applications menu, do share. Thanks.