LinuxQuestions.org
Old 11-15-2010, 01:56 PM   #1
oalette
LQ Newbie
 
Registered: Nov 2010
Posts: 11

Rep: Reputation: 0
User permissions problem


At my work, we have mini EeePc laptops running Xubuntu which are given out to students which allow them to do work in class, and recently I got back one which a user had put a password on, restricting access. =[

Of course I just re-imaged it and it worked perfectly, but thinking about it I didn't want more of these showing up, so I disabled the passwd command by typing 'chmod go-rx /usr/bin/passwd' which worked to my liking. =]

Doing this doesn't really limit the user, as they can go 'sudo passwd' and change my root password, which they could then go 'chmod go+rw /usr/bin/passwd' and mess with the computer, which isn't difficult to find online instructions to do so.

My problem is, I disabled sudo the same way (chmod go-rx) but being the user, I can't manage wireless connections and I can't shut down, which can be a huge problem. Doing (chmod go+rx) fixes this, but then they have sudo again!

Does anyone know any ways around this? I would be very grateful if there is a way!

oalette
 
Old 11-15-2010, 02:07 PM   #2
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824

Rep: Reputation: 615
Take away their sudo access? Enter "visudo" and remove their lines.
 
Old 11-15-2010, 02:17 PM   #3
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 374
You should remove the ability to run sudo passwd from the user that the students operate under.

You do this by modifying the sudoers file. You edit the file by invoking sudo visudo. You can read about the contents of the file with man sudoers. You can use an exclamation mark to deny permission to execute specific commands.

Understand that if you are letting the users run as an administrative user (i.e. the user you created during initial install), they can just sudo visudo and change it back. If they are running as an administrative account, there is nothing you can do that they can't undo if they know what you did.

You need to configure the machines to run as a non-root, non-administrative user. Once this is done, give the students the password to the "guest" or "student" account. Then, for maintenance, log in under the account you created on the install.

EDIT: Beaten to the punch by AlucardZero...
 
Old 11-15-2010, 02:35 PM   #4
oalette
LQ Newbie
 
Registered: Nov 2010
Posts: 11

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by AlucardZero
Take away their sudo access? Enter "visudo" and remove their lines.
I can do that and it restricts their access fully, but I am unable to even open up the wireless connections page, which also means that the connection will not automatically start. =[

Is there any way to use groups to get round this?

oalette
 
Old 11-15-2010, 02:40 PM   #5
oalette
LQ Newbie
 
Registered: Nov 2010
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks for the answer Dark Helmet, I'll have to look into doing a full reinstall. If the install works with a new user which isn't the one I set it up with, then I'll have to deploy across 100 notebooks :S If all else fails I can just block passwd and hope they're not Linux geeks ^^

cheers

oalette
 
Old 11-15-2010, 03:06 PM   #6
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 374
Keep in mind that if you set up your system to be a multi-user system (e.g. "admin" for you, and "student" for the students), that a mischievous student can still cause grief: they can change the "student" password.

In that case though, you simply log in as admin, and change the password back (rather than re-imaging the entire system).

There are ways around that problem though. Cron jobs, logoff scripts, making the password files read-only, etc.
 
Old 11-16-2010, 08:02 AM   #7
oalette
LQ Newbie
 
Registered: Nov 2010
Posts: 11

Original Poster
Rep: Reputation: 0
I solved it all by just going chmod a-rx /usr(or etc)/bin/passwd which is what stopped them from changing their own password, and it stops them from changing the root password with sudo (sudo passwd), which is what I needed in the first place.

Now, I'm going to just block things like chmod, firefox, dpkg, and most of the functions because they only need Rm Connect

cheers for the help from both of you

Oalette.
 
Old 11-16-2010, 01:33 PM   #8
devnull10
Member
 
Registered: Jan 2010
Location: Lancashire
Distribution: Slackware Stable
Posts: 572

Rep: Reputation: 120
^^ I'd really suggest not doing it this way - chmod'ing key system utils really isn't the way to go. The correct way though is of course to restrict their sudo access. If you have given them full access (and it sounds like you have) then they can do pretty much as much damage as they want on the machine.
Lock it down - set yourself/admins up as being able to sudo and nobody else.

Last edited by devnull10; 11-16-2010 at 01:34 PM.
 
Old 11-16-2010, 01:50 PM   #9
oalette
LQ Newbie
 
Registered: Nov 2010
Posts: 11

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by devnull10
Lock it down - set yourself/admins up as being able to sudo and nobody else.
If I may ask, how would I be able to do this? Making a group and assigning sudo to this group?

If so, how?


Oalette.
 
Old 11-16-2010, 02:57 PM   #10
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 374
@devnull10:
If I understand what the OP has said, the problem comes from the fact that there are only two user accounts on the system:
1. root (which is not used)
2. the user created during the install process (which is used by everyone)

I say that because:
Quote:
Originally Posted by oalette
My problem is, I disabled sudo the same way (chmod go-rx) but being the user, I can't manage wireless connections and I can't shut down, which can be a huge problem. Doing (chmod go+rx) fixes this, but then they have sudo again!
That quote, combined with the knowledge that *buntu systems assign the install-user to the admin group--which gives unrestricted sudo access--leads me to the two-user conclusion. If the students were not using an account in the admin group, they would not have privileges to execute sudo. And if the OP added that user to the sudoers file, then the OP should be familiar with how to lock them down.



@oalette:
That is why I suggested creating a new user. A user created after the initial install will not be added to the admin group. A user that is not in the admin group cannot execute sudo unless you explicitly give them permission.

You can configure sudo to give a user permission to execute a specific set of commands with sudo. For instance, you could allow a user to execute "sudo mount" or "sudo shutdown" or both. You would do that only if there was a need for it.

You need to read the man page for the sudoers file: man sudoers. To modify the sudoers file, you need to run sudo visudo. Once things are configured the way you want, then have the students login with the non-admin account.

As it is now, if they are using an admin account, there is nothing you can do that they cannot undo. Making the passwd file read-only? They can sudo chmod it back. Until you split the system so that the students use a non-admin account, you will be chasing your tail security-wise.

Last edited by Dark_Helmet; 11-16-2010 at 03:52 PM.
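
A quick audit for the split described in the post above, as an added example that is not part of the thread: it lists which users and groups in a sudoers file can run every command, next to a rule that limits an account to shutdown and reboot. The `student` account, the sample file content and the function names are constructed for illustration, and the parser assumes a sudoers file without aliases, includes or line continuations.

```shell
#!/bin/sh
# Added example: find sudoers rules that grant unrestricted command access.

# Constructed sample, modelled on the two-account *buntu layout in the thread,
# plus a hypothetical non-admin "student" account limited to two commands.
sample_sudoers() {
cat <<'EOF'
# constructed sample sudoers content
Defaults        env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
student ALL=(root) /sbin/shutdown, /sbin/reboot
EOF
}

# Read sudoers text on stdin; print each user or %group whose rule
# includes the command ALL (i.e. anything may be run through sudo).
full_sudo_principals() {
  awk '
    /^[ \t]*(#|$)/ { next }                              # comments, blank lines
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ || $1 ~ /^@/ { next }
    {
      who = $1
      spec = $0
      sub(/^[^=]*=/, "", spec)       # drop "who host ="
      gsub(/\([^)]*\)/, "", spec)    # drop (runas) lists
      gsub(/[A-Z_]+:/, "", spec)     # drop tags such as NOPASSWD:
      n = split(spec, cmds, ",")
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        gsub(/^[ \t]+|[ \t]+$/, "", c)
        if (c == "ALL") { print who; break }
      }
    }'
}

# Stand-alone run on the sample: lists root and %admin, not student.
sample_sudoers | full_sudo_principals
```

On a real machine the input would be the output of `sudo cat /etc/sudoers`, and any change to the file should go through `visudo` so a syntax error cannot lock sudo out.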
 
Old 11-16-2010, 05:21 PM   #11
devnull10
Member
 
Registered: Jan 2010
Location: Lancashire
Distribution: Slackware Stable
Posts: 572

Rep: Reputation: 120
Ah sorry, I wasn't aware that there were only two accounts. One idea then may be to re-enable the root account and use that for configuration (I know people will argue against this but if the OP is forced to only have two accounts then you can't really have that account having sudo access). Ideally you would create yourself as a user as well with sudo rights and the original "student" account with no sudo rights.

Can you confirm your setup and what you can and cannot do (in terms of adding new users etc)?


Remember that someone with sudo access could easily execute "sudo rm -rf /"...
 
Old 11-17-2010, 05:35 AM   #12
impert
Member
 
Registered: Feb 2009
Posts: 282

Rep: Reputation: 54
In fact, what's to stop one of the kids from putting a bootable USB or live CD into one of these machines, installing whatever OS he/she wants, with or without a new password, and getting it to run naughty videos (for instance) on booting up? That's what I'd do if I were thirteen.
But perhaps the BIOS is locked?
 
Old 11-17-2010, 06:23 AM   #13
devnull10
Member
 
Registered: Jan 2010
Location: Lancashire
Distribution: Slackware Stable
Posts: 572

Rep: Reputation: 120
Any system which is supposed to be locked-down should always have the bios locked.
 
Old 11-19-2010, 01:37 PM   #14
oalette
LQ Newbie
 
Registered: Nov 2010
Posts: 11

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by impert
In fact, what's to stop one of the kids from putting a bootable USB or live CD into one of these machines, installing whatever OS he/she wants, with or without a new password, and getting it to run naughty videos (for instance) on booting up? That's what I'd do if I were thirteen.
But perhaps the BIOS is locked?
Sorry for the slow reply, but I've been busy with server work recently :P
They would only be able to boot from USB, as these laptops do not have DVD drives.

BIOS wasn't locked as the other technician who set up the laptops before me didn't do this.
I've managed to do the majority of the laptops, but seeing as I support the school single-handed my time is valuable.

I might go by just doing a full re-install and creating a separate user from the one installing, which people have recommended here.

If I can't get it to work the way I want it, it's not the end of the world, it's just that it would save me the time for re-imaging.

Thanks for all the help you have all given me!

Oalette.
 
Old 11-19-2010, 01:48 PM   #15
impert
Member
 
Registered: Feb 2009
Posts: 282

Rep: Reputation: 54
Quote:
I've managed to do the majority of the laptops, but seeing as I support the school single-handed my time is valuable.

I might go by just doing a full re-install and creating a separate user from the one installing, which people have recommended here.
It sounds as though you're doing them one-by-one. It should be possible to take one of them, get it right, and then clone the installation to all the others. I'm no expert on this - or anything else - but someone here can tell you, I'm sure.
 
  


All times are GMT -5.