[plug] public access PCs

David Godfrey info at sbts.com.au
Sat Oct 10 00:58:35 UTC 2015


Hi Gavin,

Similar to Oliver's suggestion, I would start with the idea that the 
install should be "static".
Logging out and back in should reset the drive content to a "clean" state.

There are many ways to achieve this, such as:

  * a simple(?) netboot
  * run as a fullscreen, static disk, VirtualBox guest, in a minimal
    Debian install with X and no win manager for the host
  * install as a "live" image like Ubuntu used to (and probably still
    does) with persistence turned off.
  * At boot time copy a "master partition" over the install using rsync
    for speed to put the system in a known state.
    This would require a few minor layers of protection, such as making
    sure the "master" is read only to everyone. This can be done by using a
    read-only filesystem like cramfs or many others.
  * As long as the user has no rights EVER to alter anything outside
    their home directory, (no sudo, no su, limited secondary groups)
    delete the user at logout, and create new user at login

I am sure there are many other options.
For security, if the network is fast enough, the use of RSYNC would 
allow the "master" images for most/all of these options to be resident 
on a server, and the local copy updated via rsync. This allows easier 
management, and makes it essentially impossible for a user to alter the 
master.

For the delete/create a user option, you can store any ~/* things that 
need to be auto generated in /etc/skel
Keep in mind that the more you put in here, the more likely it is that 
you will need to update it if there is a software update done to the 
master image, e.g. a config file for firefox has a new option added.
Obviously you could just use rsync to overwrite the home dir instead of 
delete/create.


Yes, you could build or use a "locked down" Linux, but if, somehow, 
there are changes made to the system via some exploit it is harder to 
fix, and potentially could be overlooked for some time.
Using "static" images that get written over the "in use" install is 
often simpler, and allows for more freedom for the user to learn.

Under normal scenarios for a system like this regardless of the method 
used, I would make sure the individual users don't have many group 
permissions and no root permissions as it simplifies things and limits 
the chance that they will manage to have a negative impact on your network.

NOTE: on the "live" image option.  Ubuntu (and others) used to and 
likely still do (haven't tried in a few years) offer a live CD that can 
be either non-persistent, or persistent with respect to changes. This 
was achieved by having a master image in a read-only filesystem that was 
mounted first. A ram based fs was then "joined" with that mount point. 
This effectively made the read-only filesystem appear writeable for the 
duration of the boot.
Persistence was achieved by locating the "ram based" filesystem on a 
disk partition instead of in ram.

Regards
David G


On 08/10/15 11:46, Gavin Chester wrote:
> Hi folks,
>
> I am looking into re-purposing some redundant WinXP laptops (Dell
> Latitudes) into simple, locked down public access PCs for my students to
> use in a govt highschool setting.
>
> What I expect is a bit more than a web kiosk, in that I want web surfing
> along with libreoffice and some specialist apps such as inkscape,
> librecad, and gimp - all locked down with no other 'bloat' and
> everything reset after use. IOW, the small range of specialist software
> precludes using google docs along with web browsing. Oh, and a 'pretty'
> but locked-down icon-driven desktop would be essential. Kids these days
> barely know how to use a word processor - even if they have phone apps
> for all sorts of things!
>
> Students will have to enter a username and password to access the school
> proxy server for surfing, but beyond that anonymous logins are probably
> best to simplify not having to authenticate their use with the school's
> server. IOW, I don't expect them to access the school's Win server
> drives, but if it can ...
>
> I've done a lot of searching and even some testing, but finding it hard
> to find exactly what I'm looking for. I also know I could 'roll my own'
> from a minimalist distro like puppy, or tinycore, but time is an issue,
> I wonder if any of you have experience with specific custom distros that
> have an iso or quick setup that you could recommend?
>
>
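
The rsync reset described in the reply above, as an added example that is not part of the original post. `reset_from_master` and `verify_clean` are hypothetical names, and the master and session paths are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original post): put a session directory back
# into the state of a master copy, then confirm nothing differs.
# The paths are assumptions; the master should sit on a read-only
# filesystem or on a server, as the post suggests.

reset_from_master() {
    master=$1; target=$2
    # Refuse empty or dangerous paths before anything gets deleted.
    [ -n "$master" ] && [ -d "$master" ] || return 2
    case "$target" in ""|/|"$master") return 2 ;; esac
    mkdir -p "$target" || return 1
    if command -v rsync >/dev/null 2>&1; then
        # -a keeps modes, owners and times; --delete removes files the user
        # added; --checksum compares content, so a file altered with its
        # size and mtime preserved is still restored (slower than rsync's
        # default size+mtime quick check).
        rsync -a --delete --checksum "$master"/ "$target"/
    else
        # Fallback when rsync is not installed: wipe and copy afresh.
        rm -rf "$target" && mkdir -p "$target" && cp -Rp "$master"/. "$target"/
    fi
}

# Succeeds only if the target holds exactly the master's files and contents.
# diff -r compares names and contents, not ownership or modes.
verify_clean() {
    diff -r "$1" "$2" >/dev/null 2>&1
}

# Usage: sh reset.sh <master-dir> <session-dir>
if [ "$#" -eq 2 ]; then
    reset_from_master "$1" "$2" && verify_clean "$1" "$2"
fi
```

Run it from a logout or boot hook as root; a non-zero exit from `verify_clean` means the session directory still differs from the master and the machine should not be handed to the next user.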
