Arch Linux

Lazer

Banned

Registered: 2007-08-02

Posts: 111

Arch good for school lab (locked down terminals)?

I am wanting to switch my school's computer lab over to Linux, but I have been given the task of making a system with similar functionality to the current Windows XP system. (The reason I am able to do this is because the IT infrastructure of this part of the school isn't bound by the county's Windoze because it's PTA funded. Also, the filternazi software is server based (I can tell because my Live CDs still get filtered net.))

What it needs to be doing is: web browsing, office work (OpenOffice already in use, so that's easy enough), and be hard to mess with. I think Arch would be good because these machines are almost bleeding-edge and the newer processor optimizations would be good. Not to mention it's not bloated and is more confusing to script kiddies than Ubuntu, Fedora, etc.) I do, however, need a little more help as to how to do these.

I'm thinking KDE. Fluxbox + iDesk would be my second choice but KDE for simplicity and familiarity (for some people) would be better, plus its automatic handling of things many people get confused by. What I need to know there is: what is the difference between KDE and KDEmod?

As for web, it's Firefox (*ahm* I mean "Gran Parasido", Arch users). I need to know how to lockdown Firefox to prevent students from bookmarking, accessing proxy settings (transparent proxies), installing extensions, etc. I know quite a few people who would really abuse those.

For office, it's obvious to use OpenOffice. It's heavier than I'd like, but the hardware can handle it. It's also familiar for some of the people there.

As for hard to mess with, I mean tinkernazi lockdown on the system. Keeping people from changing the KWin theme, installing via Pacman, changing desktop background, etc.

I need to make an ISO for quickly installing this system wherever needed, fully configured (the whole lab's hardware is identical). Also, I need to be able to SSH in from home to work out problems. I'm kind of new to a lot of this, so I could use help with that.

I'm also trying to learn some Python and PyGTK to make my "Stupidity Safeguard" program, which is a simple lockdown program requiring the root password for shutting down X, killing system processes, etc. I initially thought of it to keep myself from stupidly hitting unknown key combos, but thought it would work well for this. So, if you could direct me to some resources to aid in that, and especially how to require root privileges to configure it, I'd appreciate it.

Thanks in advance,
Sajro

Misfit138

Misfit Emeritus

From: USA

Registered: 2006-11-27

Posts: 4,167

Website

Re: Arch good for school lab (locked down terminals)?

Have you seen this unofficial project? http://bbs.archlinux.org/viewtopic.php?id=43892
May help, being a preconfigured live system.

---

Amiga 1000 microATX mod

abhidg

Member

From: City of Kol

Registered: 2006-07-01

Posts: 184

Website

Re: Arch good for school lab (locked down terminals)?

if you used gnome you could try sabayon and pessulus to lock down desktop settings. KDE also has a kiosk mode or sth like that.

Fatsobob

Member

From: Colorado

Registered: 2006-06-27

Posts: 126

Re: Arch good for school lab (locked down terminals)?

Well what you could do is get one computer working and ghost over all of the images if the hardware matches.

SiC

Member

From: Liverpool, England

Registered: 2008-01-10

Posts: 428

Re: Arch good for school lab (locked down terminals)?

How is the network currently setup, you said it was a windows network... is it xp? 98? How is user authentication currently managed? what about user data storage, is it centralised or is each machine standalone?

If you are planning on using KDE, why not use konqueror instead of firefox, then you would have less to worry about regarding extension installs etc.

vogt

Member

From: Toronto, Canada

Registered: 2006-11-25

Posts: 389

Re: Arch good for school lab (locked down terminals)?

Out of order suggestions:
As far as limiting user priviledges: linux is quite able to do that without external programs: use filesystem permissions, and if that is too limited maybe ACLs (for the filesystem)?

You cannot stop users from killing their own processes, unless you remove execute permissions for anything like kill, for them (which might break stuff). But how is that bad?

So you set the important directories such as ~/.mozilla ~/.kde chmod 644, owner root (though firefox may need to write cookies, cache... those files/directories can be writable), and have the users not run as root obviously.

If X runs as a different user than the current one, and has M-C backspace disables (something you can set in xorg.conf), I don't think you can kill it (presumably with a script over and over again, resulting in a DoS)

SSH is likely to be blocked by the servers...

KDEmod is modular (so you only get what you want), has lots of patches, and it has a nice default theme.

To 'clone' installations:
- make the installation you want (strong root passwd, automatic logins...)
- remaster a bootable cd (arch's ftp installer), adding an image of the desired disk image (dd) + a script that copies the desired image to the harddisk (like dd if=/image of=/dev/sda), and prompts you for hostname...

It would be a pain to update each system individually: you probably want them all to be pulling their configs (most of /etc, /home/user/.*) from a version control server holding a tested version automatically, since updating arch needs human intervention sometimes (so you update one, test it, push changes to a server (one of the computers), and everybody gets updated shared pkg cache?).

And a way to eventually (in the somewhat distant future) combine all that wasted diskspace: hammer

So, to make it all work painlessly takes a bit of scripting for the updating.

SiC

Member

From: Liverpool, England

Registered: 2008-01-10

Posts: 428

Re: Arch good for school lab (locked down terminals)?

It would be a pain to update each system individually: you probably want them all to be pulling their configs (most of /etc, /home/user/.*) from a version control server holding a tested version automatically, since updating arch needs human intervention sometimes (so you update one, test it, push changes to a server (one of the computers), and everybody gets updated shared pkg cache?).

Add pacman -Syu as a cron job and have a local server mirroring the main repositories. Bob is your proverbial family member.

vogt

Member

From: Toronto, Canada

Registered: 2006-11-25

Posts: 389

Re: Arch good for school lab (locked down terminals)?

Add pacman -Syu as a cron job and have a local server mirroring the main repositories. Bob is your proverbial family member.

The issue with that solution is that the occasional human intervention necessary to keep arch working properly won't happen.

Cactus' solution of pxe / network boot here also seems like a good idea.

SiC

Member

From: Liverpool, England

Registered: 2008-01-10

Posts: 428

Re: Arch good for school lab (locked down terminals)?

true enough,not gonna argue with that one