On Sun, Jul 16, 2000 at 02:02:27PM -0700, Joseph de los Santos wrote:

#disclaimer: i have never actually tried this.

> Hoping someone can help me out with this..for example I want an ordinary
> user that when he or she logs in a terminal this is what will happen:
> 1.automatically starts x-window

xdm or wdm sound like a safer option here.

> 2.all hot keys will be disabled..ie cntrl+alt+del etc.

touch /etc/shutdown.allow

> 3.run netscape automatically and it will remain opened and it cannot be
> closed without giving the correct password.

the password part i have no idea, but i *think* you should be able to make it so quitting netscape will logout the user, which should be close to what you want no?

i would use xdm for the login, this prevents the user from going back to console 1 (control-alt-F1 which cannot be disabled) and suspending X, which may or may not yield a shell depending on how you started X.

create an .xsession file like so:

    #!/bin/sh
    exec /usr/lib/netscape/473/communicator/communicator-smotif.real

that `should' cause netscape to be launched as the window manager, when netscape dies, the session ends and the user is logged out.

set the user's shell to /bin/true or better /usr/local/sbin/nologin (ported from OpenBSD, simply spits out contents of /etc/nologin.txt or `This account is currently not available.' yes i know about falselogin, but falselogin is about 10 times more code than nologin ;-))

add whatever fake shell to /etc/shells if xdm/wdm require a valid shell for logins. (probably depends on pam config in wdm's case)

this way they should not be able to login with a shell and should not be able to break out of netscape. beware however that they may still be able to get a shell through netscape by possibly tinkering with the helper application settings, to say launch /usr/bin/X11/rxvt -e /bin/bash.

just be aware that whatever you come up with is unlikely to be 100% foolproof, an expert user will likely be able to break out of the restricted environment and get a full shell. unless you perhaps chroot the entire environment which would be a royal pain...

it also sounds like the users in question will have physical access which opens up an entire bag of worms on its own, in this case you must secure the machine itself inside a secure case of some sort, password lilo and the bios, remove the floppy and CDROM, forbid access to the power cable and reset/power buttons etc etc.

--
Ethan Benson
http://www.alaska.net/~erbenson/
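
The settings suggested in the reply above can be checked with a short audit script. This is an added example, not part of the original message; the function names, the user name "kiosk" and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the kiosk-account settings described in the message.
# Usage: audit_kiosk ROOT USER   (ROOT is a filesystem prefix, "" for the live system)
# Prints one line per check and returns the number of failed checks.

FAKE_SHELLS="/bin/true /usr/local/sbin/nologin"   # the two shells named in the message

audit_kiosk() {
    root=$1 user=$2 fails=0
    entry=$(grep "^$user:" "$root/etc/passwd") || { echo "FAIL no passwd entry for $user"; return 1; }
    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)

    # 1. the login shell must be one of the non-interactive shells
    case " $FAKE_SHELLS " in
        *" $shell "*) echo "ok   shell $shell" ;;
        *) echo "FAIL shell $shell gives a command line"; fails=$((fails+1)) ;;
    esac

    # 2. shutdown.allow must exist and must not list the kiosk user
    if [ ! -f "$root/etc/shutdown.allow" ]; then
        echo "FAIL /etc/shutdown.allow missing"; fails=$((fails+1))
    elif grep -qx "$user" "$root/etc/shutdown.allow"; then
        echo "FAIL $user listed in /etc/shutdown.allow"; fails=$((fails+1))
    else
        echo "ok   shutdown.allow"
    fi

    # 3. the last command in .xsession must be exec'd, so the session
    #    ends (and the user is logged out) when the browser exits
    xs="$root$home/.xsession"
    last=$(grep -Ev '^[[:space:]]*(#|$)' "$xs" 2>/dev/null | tail -n 1)
    case "$last" in
        exec\ *) echo "ok   .xsession ends with: $last" ;;
        *) echo "FAIL .xsession does not end in exec"; fails=$((fails+1)) ;;
    esac
    return $fails
}

# Constructed sample tree (not from a real host) for trying the audit offline.
# Optional argument: login shell to write into the sample passwd entry.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/home/kiosk"
    echo "kiosk:x:1001:1001::/home/kiosk:${1:-/usr/local/sbin/nologin}" > "$d/etc/passwd"
    : > "$d/etc/shutdown.allow"
    printf '#!/bin/sh\nexec /usr/lib/netscape/473/communicator/communicator-smotif.real\n' > "$d/home/kiosk/.xsession"
    echo "$d"
}
```

The script only covers the account settings; the helper-application escape and the physical-access points raised in the message are outside what it checks.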