Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Is there any way to set up an account that can only run a certain selection of applications?
Here's my situation. My wife and I control our kids' computer time by not giving them the password to their computer (which runs Debian). Basically we want them to do something other than sit in front of the screen playing games all day. My oldest is now in 1st grade and I would like to be able to give her an account on the computer that is only allowed access to apps she needs to do homework. That way she can enter her own password and we don't have to worry about it.
If it's not possible to do it through security then I suppose I can just remove all the menu entries for what I don't want her accessing, but that's a short term solution as I don't think it will be long before she discovers the shell.
My oldest is now in 1st grade and I would like to be able to give her an account on the computer that is only allowed access to apps she needs to do homework. That way she can enter her own password and we don't have to worry about it.
Don't let her log in from the console, don't let her switch Desktop Environments, don't let her kill Xorg, don't give her a terminal window, audit (as in service) what she accesses and use KDE Kiosk mode?
Quote:
Originally Posted by sisk
I don't think it will be long before she discovers the shell.
If your auditing shows she gained shell access first of all be happy she was interested to venture that far. If you can show her how to use it the right way. And BTW what can go wrong? You encrypted the stuff she shouldn't see and besides, you regularly make backups, don't you?..
i.e. you could use normal Unix file permissions and take execute permission off of "other" for the programs that are most of a problem. Put those programs in a group and leave exec on for the group (look out for any games that use groups for their own purposes though -- maybe you don't need to add a group at all, but just use the games group for this, which maybe the programs of interest already have as their group [ooh, except then she could mess with high scores, whoops]). Then put her in the group and take her out of the group as needed. I guess you'll have to make her log out when you're taking the privilege away (my pet peeve about groups).
Not on that computer, but it would only take me about 15 minutes to rebuild the system from someone running rm -r / on it. I'm really not at all worried about her damaging it. I'm more worried about her sitting on her computer playing Elsa and Anna Paper Dolls and Minecraft all day or calling random people on Skype. And yeah, the Skype thing is already a problem. Just last week I forgot to shut down and/or lock my machine before I went to bed and she was up at 4am calling everyone on my contact list. Thankfully there's no one on my list I'd be worried to let my kids talk to, but still...
Time to sit down and talk to those kids. Not only to teach them that "you're the parents around here," but also to talk about what's nice and what's not-so-nice about the Internet. It would be quite difficult to set up an account with a limited-shell that can only run certain applications, and I frankly think that it would be a technical solution to an educational problem.
It is possible to control every application from file system permissions. Generally you take or don't give access to those files. It isn't as easy as it might be in Microsoft actually. You'd have to do it one at a time or get entire directories at at time.
What most people might do is something like a kiosk mode but that may be too restrictive.
Guess you could create a new distro with just what she needs and add in what she needs later. Dual boot.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.