Arch Linux

vinceb

Member

From: Indianapolis, IN

Registered: 2011-03-08

Posts: 37

SOLVED: Need help setting up user restrictions/permissions at work

I am new to the Arch community in the last month after trying out the usual suspects in distributions. My only prior experience with Arch is setting up my tech machine with Linux and a few basic apps for customer backups. However, I have worked in IT for a while, it was just all Windows-based.

I want to use a spare machine we had laying around at our dog boarding/daycare facility as an employee time clock. More specifically, the time clock is web-based, so the computer only needs access to Firefox and LibreOffice and I would like to restrict it to their online system only. Also, I would like for it to print to the network Epson WorkForce 610 printer. I want the user account "employee" I created to be unable to load new software of any kind, change any settings, access a non-work website, etc. I figured I will maintain it, when necessary, using sudo.

Up to this point I have just loaded the basic install (32-bit), updated everything, and loaded the few extra things listed in the installation procedure such as sudo, gamin, samba, xorg, and some fonts. I have not yet loaded a desktop environment as I thought my specific needs may be easier with a certain one? I suppose I would prefer Xfce, as I have that on my tech machine, and it was simple enough for anyone to use at work for what I want. Besides that, I'm just going to load Firefox and LibreOffice, set up the network printer, and allow DVD-drive access for watching a training video and for viewing Word/Excel docs. I am hoping this is somewhat easily done, but if something is not possible that is okay. The 95% usage will be simply to punch in and punch out on the time clock online so as to keep the front computer free.

I am completely unaware in Linux how to accomplish this exactly and am not sure where to even look in the Wiki or forum search for this. I could have just loaded a fresh Windows XP Pro, but I am wanting to get deeper into the Linux community and become as familiar as I am with Windows.

Thanks for your help,
Vince

Last edited by vinceb (2011-04-14 18:44:35)

lives2evil

Member

From: GMT+7

Registered: 2010-03-21

Posts: 244

Re: SOLVED: Need help setting up user restrictions/permissions at work

To sum it up, you want make your system immutable to the user after your setup and gain certain limit to network access?
1) To make your system immutable to certain user. The most simple way I can think of is to disable all terminal and launcher programs.
- Add "exit" to the bottom of ~/.bashrc file. Make it immutable.

# chattr +i ~/.bashrc

- Disable your launcher program. Asuming you're installing xfce4.

# chmod 700 $(which xfrun4)

- Mount /home folder with noexec option. Edit your /etc/fstab, for example:

/dev/sda4 /home ext4 defaults,noexec 0 1

You might also want to add this option for CDROM and USB sticks.
2) Limit your network access. The easiest way is to use some sort of firefox extension, however it is strictly a weak method to do so.
Many other methods's available.
However, I personally hate such thing and wouldn't recommend you to do so. If you truely wish to do it, please do it yourself.

And that's it. I'm out of here.

---

tsujeruplive, tnarongisi... ... ... ... ɥsılƃuǝ sı sıɥʇ

vinceb

Member

From: Indianapolis, IN

Registered: 2011-03-08

Posts: 37

Re: SOLVED: Need help setting up user restrictions/permissions at work

Thanks for the tips. I will try it within the next day and see how it goes. What section of the Wiki should I read for further information?

the sad clown

Member

From: 192.168.0.X

Registered: 2011-03-20

Posts: 837

Re: SOLVED: Need help setting up user restrictions/permissions at work

Perhaps this will help you with your network restrictions:

https://wiki.archlinux.org/index.php/Parental_Control

---

I laugh, yet the joke is on me

Cerales

Member

Registered: 2011-01-04

Posts: 32

Re: SOLVED: Need help setting up user restrictions/permissions at work

If you want to limit internet entirely to the company website, you could change dhcpd.conf so that it won't update resolv.conf with name servers, so that users can't resolve DNS, and then add the IP for the company site to the hosts file. It won't block traffic if they navigate to an IP address but it'll cover most situations.

Awebb

Member

Registered: 2010-05-06

Posts: 6,286

Re: SOLVED: Need help setting up user restrictions/permissions at work

If you want to protect the config files from being changed, make another user the owner of the files and set them rw-r-r. Don't simply fire the chmod command on the whole folder, be selective.

vinceb

Member

From: Indianapolis, IN

Registered: 2011-03-08

Posts: 37

Re: SOLVED: Need help setting up user restrictions/permissions at work

I have had the computer at work now for a few days and it is working great! I made the Xfce look as close as possible to Windows for the ease of the employee use. I decided not to block other websites just in case it becomes necessary. Setting up printing was very easy to the network Epson via CUPS. I did mount the /home noexec, as well as set BIOS and GRUB passwords just in case.

Thanks for the help!