[RndTbl] limited Linux Desktop?

Grigory Shamov Grigory.Shamov at umanitoba.ca
Mon Feb 6 16:53:46 CST 2017


Hi John,

Thanks! I was not aware of LTSP, will take a look.


--
Grigory Shamov
Westgrid/ComputeCanada Site Lead
University of Manitoba
E2-588 EITC Building,
(204) 474-9625




From: Roundtable <roundtable-bounces at muug.ca> on behalf of John Lange <john at johnlange.ca>
Reply-To: Continuation of Round Table discussion <roundtable at muug.ca>
Date: Thursday, February 2, 2017 at 6:41 PM
To: Continuation of Round Table discussion <roundtable at muug.ca>
Subject: Re: [RndTbl] limited Linux Desktop?

The Linux Terminal Server Project was geared toward this, but it now appears unmaintained since 2013, which is fine because it's not a download but built into the distributions that support it.

http://www.ltsp.org/

Perhaps you are already aware/using it, but if not you might be able to get some useful ideas.

Alternatively, you could spin up a new virtual machine for each desktop, which is actually the more typical way this is done these days. It requires more resources; the trade-off is better security, though they could still navigate around the file system.

John

On Thu, Feb 2, 2017 at 5:24 PM, Trevor Cordes <trevor at tecnopolis.ca> wrote:
On 2017-02-02 Grigory Shamov wrote:
> Hi All,
>
> somehow locked to the particular users and perhaps even particular
> apps?

Particular users can probably be handled with custom PAM
rules/settings.  Particular apps is much harder.  I think you'd need to
create an install (perhaps virtual) that just has the apps you want
those users to use.

> I.e., so that any Filemanager would stay under selected paths the
> user has access to?

That's chroot-y if you want the OS to only show the user what's
in /home/foo in a secure way.  However, there's no chroot method that
will lock them in one data path without requiring copies of the
relevant bins/libs/etc for the apps you want to run.  I don't even
think any of the recent developments like cgroups, Docker, etc., can
help you here.

Even trying to hardlink everything into a chroot environment under the
user's home dir wouldn't work, I don't think, because of the complexity
of login managers, and X in general.

Now you might be able to find a file manager that can be set to limit
views to certain paths, but without something at the OS layer locking
things down they can always escape somehow if they know what they are
doing (or bring up a shell).

If I'm understanding what it is you're trying to do correctly, I'm
afraid there may be no solution.  However, if you perhaps redefine your
policy goals of what exactly you're trying to protect against, perhaps
you can achieve those goals without locking things down as drastically
as you think you need to.



--
John Lange
