Question:
Lock down Linux machine?
ed smith
2014-03-04 08:53:13 UTC
I am setting up a Linux machine on which I only want the users to access a mail client, a web browser and possibly a PDF viewer. I have installed Lubuntu on the machines as they are old and it seems suitable for what I need. I have hooked the machine up to a Windows AD domain and the user will log in with their domain username.

How can I remove the applications like games/settings/etc from the menus? They can't currently do much without sudo, but it would be good if they couldn't see anything but the web browser and mail client in the menu.

I have looked on Google and can't seem to find much about removing them. The reason for moving all clients to Linux is that Windows XP is running out and it will be cheaper. Just want to see if it can be locked down like we currently do using Windows Group Policy on the AD server.

Thanks
Four answers:
ratter_of_the_shire
2014-03-04 09:59:47 UTC
You either have to remove the applications from the machine, and make the home directory and removable devices nonexecutable.

First method is just to remove the application from the machine.

Second is to implement an ACL policy.

Third is groups: make sure the users aren't in the USB, games, or audio group.

Fourth is to modify the .desktop files so that they don't show up in the menu, but that won't prevent access on the command line. If you lock the terminal emulator, if a person can switch to a terminal, they can pop up a terminal emulator in the desktop session from it, if they have permission to run a terminal emulator.

https://wiki.archlinux.org/index.php/LXDE#Application_menu_editing

Fifth, I would suggest a read-only home directory, and use aufs (or other unioning file system) with a tmpfs to handle changes in this session, but a new one on every log in. That way even if settings are changed, it's for that session only, and if a person has a good reason for permanent changes, they can request them from you. You might even set up a network folder to be available so people can drop documents into it they want to keep.

Personally I would implement a combination of the first, third and fifth options.
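Added example (not part of the answer above): one way to apply the .desktop approach from the fourth point is to write NoDisplay=true override copies for every entry outside an allowlist. The function name, the allowlist and the sample entries are constructed for illustration; on a real machine the assumption is that the source is /usr/share/applications and the override directory is /usr/local/share/applications, which comes first in the default XDG_DATA_DIRS.

```shell
#!/bin/sh
# Added example: hide menu entries that are not on an allowlist.
# hide_menu_entries SRC_DIR OVERRIDE_DIR ALLOWED_ID...
# Writes an override copy with NoDisplay=true for each non-allowlisted
# entry and prints how many entries were hidden. Originals are untouched.
hide_menu_entries() {
    src=$1; dst=$2; shift 2
    allowed=" $* "
    hidden=0
    mkdir -p "$dst" || return 1
    for f in "$src"/*.desktop; do
        [ -f "$f" ] || continue
        id=$(basename "$f")
        case "$allowed" in
            *" $id "*) continue ;;   # allowlisted: stays visible
        esac
        # Drop any existing NoDisplay line, then add NoDisplay=true
        # directly under the [Desktop Entry] group header.
        awk '
            /^NoDisplay=/ { next }
            { print }
            /^\[Desktop Entry\]/ { print "NoDisplay=true" }
        ' "$f" > "$dst/$id" || return 1
        hidden=$((hidden + 1))
    done
    echo "$hidden"
}

# Constructed sample: three entries in a scratch directory, not system paths.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/src"
    for app in firefox sylpheed gnome-mines; do
        printf '[Desktop Entry]\nType=Application\nName=%s\nExec=%s\n' \
            "$app" "$app" > "$tmp/src/$app.desktop"
    done
    hide_menu_entries "$tmp/src" "$tmp/override" firefox.desktop sylpheed.desktop
    rm -rf "$tmp"
}
demo
```

As the answer points out, a hidden entry can still be launched from a command line, so this only tidies the menu and belongs alongside package removal and a non-executable home directory.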
Person You May Know
2014-03-04 09:38:55 UTC
Try MenuLibre. This is an "Advanced menu editor that provides modern features in a clean, easy-to-use interface. All without GNOME dependencies, so even lightweight systems can benefit from the sanity that MenuLibre offers. MenuLibre is your one-stop shop for menus in Linux, whether you use Gnome, LXDE, XFCE, or Unity" (taken from the website).

You can download/install this from either Synaptic Package Manager, Ubuntu Software Center (not available on Lubuntu Software Center, but since it's a derivative it will work) or via this website: http://smdavis.us/projects/menulibre/
Marvin
2014-03-04 15:00:48 UTC
Back in Admin school they showed us how to do this. It is much simpler than the other answers suggest. You need only edit the 'passwd' file in etc. Do a search on the passwd file.

At the moment I cannot look it up.

edit: chsh -s /sbin/nologin {username} will accomplish the same.
jerry t
2014-03-04 10:18:04 UTC
It sounds like a kiosk mode Linux would work for you.

http://ze.phyr.us/kiosk-mode-in-linux/

You can get more ideas by googling for Linux kiosk mode.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.