[plug] [OT] Interesting Computer Idea (for parents?)

[James Devenish]

As Arie mentioned, the first approximation is to 'lock down' the
approved apps onto your root partition and have home directories and tmp
directories on a 'no exec' partition. Then, the only programmes that can
be installed an executed are those on the root partition (which is under
your control). "Installing" software on the noexec partition would not
achieve anything, I assume. The time locks, groups, unlocking, etc, can
be moderated by cron, shell scripts, sudo, or whatever. Mac OS X (and
presumably Windows XP) come with GUI implementations of this sort of
thing, though the time-and password-based moderation is probably not a
standard feature in the consumer OSes. However, as Chris mentioned,
there would probably be loopholes that could circumvent these
protections (e.g. Java programmes can be 'executed' by the Java
interpreter without being directly 'executable' in the UNIX sense).
To defend more convincingly against savvy users and your own oversights,
you may have to use some form of kernel-level protection like systrace.
This will require modules to be loaded into your kernel.

In message <419B3793.9090400 at tigris.org>
on Wed, Nov 17, 2004 at 07:35:47PM +0800, Timothy White wrote:
> 2) It forces users to use a defined set of programs, what if the game 
> they want isn't in the games group because it's obscure? ...

If you're serious about this, wouldn't you know in advance what games
are approved?

> 3) What happens if they are still running the program at the end of the 
> time? A grace period then a kill?

Very good point. This is a classic loophole in multi-user systems.