Re: How to Setup a Secure Guest Account [was] Password-protecting fedora.

[Matt Morgan <matt.morgan@xxxxxxxxxxxxxxxxxx>]

You also, for a shared login like that, should use a browser in a kiosk 
mode that doesn't allow changes to settings, history, etc. Unless you 
want to clean it up occasionally. Opera has a very good kiosk mode. 
Mozilla/Firefox has a lot of potential, but the kiosk modes I know about 
aren't there yet. When we do this at work (a big museum) it's usually 
for web-connected kiosk stations that we can't have porn, etc., popping 
up on. Also we don't want to fix them all the time. But at the moment we 
use MS Windows stations with severely restricted system policies for 
this, we haven't done a linux one yet.

Another way to do something similar is to make everything in the home 
directory readable only, not writable, but that will probably lead to a 
lot of errors here and there that may be hard to track down and fix.

Years ago I used to use rsh (restricted shell) for vendors uploading 
stuff to a unix server via modem. Basically upon login on that terminal 
(ttys0 or whatever) it would auto-login to an account under /bin/rsh, 
and immediately start a little upload app that, upon exit, logged them 
off. And rsh prevented things like hitting '!' to get a shell prompt. 
But I have no clue how to use it anymore, or how well it would work with 
a GUI. It's probably worth looking into.

The holy grail is the terminal server idea (Windows Terminal Server, 
Citrix, LTSP), but that's more effort probably than the posters here are 
interested in. It gives you the absolute most control over what logins 
can do.

On 03/09/2004 10:05 PM, Ow Mun Heng wrote:

>  
>
> > -----Original Message-----
> > From: Bevan C. Bennett [mailto:bevan@xxxxxxxxxxxxxxxx]
> >
> > Ow Mun Heng wrote:
> >    
> >
> > > > -----Original Message-----
> > > > From: Matt Morgan [mailto:matt.morgan@xxxxxxxxxxxxxxxxxx]
> > > >
> > > > I was talking about gdmflexiserver. In case it wasn't clear 
> > > >        
> > > >
> > > > from the part
> > >      
> > >
> > > > where I said "But I forget what it's called," I couldn't 
> > > > remember what it
> > > > was called :-). Fortunately a few other people wrote in about 
> > > > it as well.
> > > >
> > > > Yes, there are lots of ways to have more than one account 
> > > > loged into Unix
> > > > at the same time. Score one for Bjorn. gdmflexiserver makes 
> > > >        
> > it really
> >    
> >
> > > > easy, is the main reason I mentioned it. I thought it might help the
> > > > original poster, who was looking for a way to give people 
> > > > access to the
> > > > computer without them seeing his mail. The combination of a 
> > > > guest account
> > > > with a new login via gdmflexiserver would probably be the 
> > > > fastest/safest
> > > > way to so what he wants.
> > > >        
> > > <SNIP>
> > > Talking about guest users. ANyone has any pointers on how, 
> > > specifically to create a guest user? I mean, it must just be 
> > > able to perform/access _normal_ stuffs (eg: web browsing, office
> > > etc) and not have access to anything else?
> > >
> > > Main keyword here I guess is _very_limited_access. Even more
> > > restrictive than normal users.
> > >      
> > You can chgrp all the things in /usr/bin (or elsewhere) that 
> > you don't 
> > want guests using to a new group "real_users", then chmod 
> > o-rwx on them 
> > all. Add all your 'non-guest' users to the real_users group 
> > so they can 
> > continue to use them. This isn't strictly considered neccessary, as 
> > normal users can't mess up system files, and normal users (if 
> > properly 
> > configured) won't be allowed to see or edit each other's files either.
> >    
>
> Wow.. That's a real pain. Luckily I'm the only person using this 
> laptop
>
>  
>
> > > (since I presume that the user/password combo would be guest/guest)
> > >      
> > The name and password for any user are whatever you want them to be.
> >    
>
> That's not actually a question. more like a statement. Oh well..
>
> Thanks
>
>
>