You are not logged in.

#1 2012-11-27 03:18:37

agent_smith
Member
Registered: 2012-11-10
Posts: 13

Completely blocking off use of the terminal for certain users?

I was wondering if it was possible to completely restrict certain users from using the terminal.  I already have sudo working for only the admin, but I would like to make the terminal completely unavailable for non-admin users.

I understand they can't do much with sudo, but I don't want them to be looking at extremely long list of blocked websites (possible but they can't delete or write over it) or looking at manuals for applications.  I essentially want to keep the user uninformed and unable to do anything but web browse and create documents.

Thank you.

[EDIT]

As requested
I am going to use XFCE4 or E17 as the DE.  Or I may do both (E17 is in alpha, but it has been stable when I have used it, but I wouldn't mind having a plan B).  I would like to use Slim as my DM, but I'm ok with other things.  I'm trying to make things lightweight because the laptops are old.

Also, sorry for the dumb questions.  I would learn more thoroughly on how to use it, but I have schooling and other activities.

Last edited by agent_smith (2012-11-30 05:08:39)

Offline

#2 2012-11-27 03:50:29

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,441
Website

Re: Completely blocking off use of the terminal for certain users?

You can't allow them access to the internet and prevent them from reading man pages ... man pages are available online.

You can, however, quite easily only provide them launchers for the applications you want them to use.

With no access to log in to other ttys and no general launcher program (like dmenu or gmrun) they could only run what you provide.

EDIT: if you want more specifics, however, you'd need to provide details of the WM/DE.

Last edited by Trilby (2012-11-27 03:51:14)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2012-11-28 04:39:28

Kilzool
Member
From: Ireland
Registered: 2010-08-04
Posts: 232

Re: Completely blocking off use of the terminal for certain users?

You could write your own SHELL, and chroot them into it.

Offline

#4 2012-11-29 05:30:13

agent_smith
Member
Registered: 2012-11-10
Posts: 13

Re: Completely blocking off use of the terminal for certain users?

Trilby wrote:

  You can, however, quite easily only provide them launchers for the applications you want them to use.

With no access to log in to other ttys and no general launcher program (like dmenu or gmrun) they could only run what you provide.

EDIT: if you want more specifics, however, you'd need to provide details of the WM/DE.

I'm going to use a dual DE with E17 and XFCE (the idea behind that is to use something that looks similar but have one that is absolutely stable).

Do you think it would be practical to set up a complex shortcut to the terminal and then just delete the .desktop file later?  I don't know if it is possible (or practical) to have two different icon sets for two different users....

Offline

#5 2012-11-29 05:33:18

agent_smith
Member
Registered: 2012-11-10
Posts: 13

Re: Completely blocking off use of the terminal for certain users?

Kilzool wrote:

You could write your own SHELL, and chroot them into it.

As much as I would like to write my own SHELL, and chroot them into it, I'm not an advanced enough user to do something like that. hmm  Maybe someday, but not at the moment.

Offline

#6 2012-11-29 12:07:17

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,441
Website

Re: Completely blocking off use of the terminal for certain users?

agent_smith wrote:

Do you think it would be practical to set up a complex shortcut to the terminal and then just delete the .desktop file later?  I don't know if it is possible (or practical) to have two different icon sets for two different users....

What on earth ...

Why set up any shortcut to a terminal?  If you don't want them to have access to it, just don't give them access to it.

And yes, different users will have entirely different setups.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#7 2012-11-29 15:46:04

mparusinski
Member
Registered: 2012-11-23
Posts: 4

Re: Completely blocking off use of the terminal for certain users?

Try to uninstall any graphical terminal emulators and block access to the Ctrl-Alt-Fx key combinations, then install a terminal emulator locally for the admin account and make sure it the file permissions are set in such a way only the admin can execute it. Installing application locally will most likely require you to compile a package by hand with a custom PREFIX.

Instead of uninstalling terminal emulators you can also try to set the file permissions of the terminal emulators applications so only the admin and root can execute it.

Last edited by mparusinski (2012-11-29 15:47:55)

Offline

#8 2012-11-29 16:04:20

jakobcreutzfeldt
Member
Registered: 2011-05-12
Posts: 1,041

Re: Completely blocking off use of the terminal for certain users?

Well there's GNU RUSH (Restricted User Shell). It says it's for remote users but as a shell, I don't see why it wouldn't also work for terminal emulators. You can then just write rules to severely limit what the users can do.

Why not just modify the read permissions of the files you want to hide? Why hide manuals from the users? Why hide a list of blocked sites when they're just going to find out what they are by trial and error anyway? I guess I don't like this kind of severe lockdown so I just don't understand...

Offline

#9 2012-11-29 19:51:08

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,441
Website

Re: Completely blocking off use of the terminal for certain users?

Clearly they are able to log in, right?  So I assume the login goes strait to X.  And if the WM only has bindings or launchers for the applications you'd want them to have access to, they'd have no way of running anything else.

Sure, they could switch to another vt, but all they can do there is log in - at which point you'll either have X set to start on that vt too, or X will fail to load and they'll be logged out.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#10 2012-11-30 04:51:46

Kilzool
Member
From: Ireland
Registered: 2010-08-04
Posts: 232

Re: Completely blocking off use of the terminal for certain users?

agent_smith wrote:
Kilzool wrote:

You could write your own SHELL, and chroot them into it.

As much as I would like to write my own SHELL, and chroot them into it, I'm not an advanced enough user to do something like that. hmm  Maybe someday, but not at the moment.

You may have to, as this is the perfect solution.  Perhaps someone has one.  big_smile

The perk of using this:  They could google anything, but wouldn't be able to do it with a limited shell -
you restrict them to what you want them to do - or not do.

Offline

#11 2012-11-30 05:00:59

agent_smith
Member
Registered: 2012-11-10
Posts: 13

Re: Completely blocking off use of the terminal for certain users?

jakobcreutzfeldt wrote:

Why not just modify the read permissions of the files you want to hide? Why hide manuals from the users? Why hide a list of blocked sites when they're just going to find out what they are by trial and error anyway? I guess I don't like this kind of severe lockdown so I just don't understand...

Well, it's going to be used as an operating system for student laptops at a high school (it's a one laptop to one student ratio).  My objective is to keep them as productive as possible and to harden the system to the point that 99% of students won't be able to get around it.  I just don't want a list of websites going out on what's blocked and what's not blocked.  I figured the most practical way of going about it is to make sure they cannot use the terminal, block the tty, and to lock down grub.  After all, the high school student is one of the most destructive forces ever seen....

Offline

#12 2012-11-30 10:21:19

jakobcreutzfeldt
Member
Registered: 2011-05-12
Posts: 1,041

Re: Completely blocking off use of the terminal for certain users?

agent_smith wrote:
jakobcreutzfeldt wrote:

Why not just modify the read permissions of the files you want to hide? Why hide manuals from the users? Why hide a list of blocked sites when they're just going to find out what they are by trial and error anyway? I guess I don't like this kind of severe lockdown so I just don't understand...

Well, it's going to be used as an operating system for student laptops at a high school (it's a one laptop to one student ratio).  My objective is to keep them as productive as possible and to harden the system to the point that 99% of students won't be able to get around it.  I just don't want a list of websites going out on what's blocked and what's not blocked.  I figured the most practical way of going about it is to make sure they cannot use the terminal, block the tty, and to lock down grub.  After all, the high school student is one of the most destructive forces ever seen....

Got it, though you didn't *really* need to explain yourself since my questioning was off-topic and not helpful. smile  Yes, high schoolers are tempests, and guaranteed that you'll have at least one student who thinks he/she's too clever for his/her own good.

Well, I would look into RUSH that I mentioned above to restrict access to commands in the terminal and then I would make extensive use of file permissions to prevent reading website blocklists.  You definitely need to find a way to lock down GRUB to prevent loading in single-user mode.

Offline

#13 2012-12-05 22:47:02

agent_smith
Member
Registered: 2012-11-10
Posts: 13

Re: Completely blocking off use of the terminal for certain users?

Yeah, I'll have to look into it.  Should I leave it open for discussion or mark as solved?

Offline

Board footer

Powered by FluxBB