
Thread: most damage a troll can make without root access

  1. #11
    Join Date
    Sep 2009
    Beans
    234

    Re: most damage a troll can make without root access

    Quote Originally Posted by sammiev View Post
    You can only keep the honest person out.
    This seems to often be the case with many different types of rules and laws.

  2. #12
    Join Date
    Jun 2008
    Location
    Tennessee
    Beans
    3,413

    Re: most damage a troll can make without root access

    If you:
    - disable booting from anything but the main HDD in BIOS
    - Lock down the BIOS with a password
    - Lock down the recovery entries in GRUB with a password
    - padlock the chassis

    Then you'll have effectively taken care of the LiveCD/USB issue for the casual troll. There aren't many people out there determined enough to troll to cut through a padlock and yank out the MB battery.

    Alternately, lock the CPU in a ventilated cabinet. No media, no liveboot.

  3. #13
    Join Date
    Feb 2005
    Location
    Melbourne, Australia
    Beans
    13,505
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: most damage a troll can make without root access

    Quote Originally Posted by van_Zeller View Post
    Hi all,

    I'm working in a hostel that has a computer for the guests to use. This computer (a simple nettop) was struggling with all the stuff it had, plus Vista, so I installed Ubuntu 11.10. It's nice, clean, legal and fast. So far, so good.

    What worries me is that it's a pretty standard ubuntu installation, because I really don't know how to set up an internet kiosk. You can, for instance, open a terminal.

    So, my question is: what is the worst a possible Linux-knowing troll could do, using the terminal, without having access to the root password?
    You could always remove the hard drive and just leave a Ubuntu Live CD locked in the CD drive and boot off that - or a Live USB device inside the PC with no persistence.

    Fresh system with each boot.
    Regards, David.

  4. #14
    Join Date
    Feb 2008
    Beans
    1,145
    Distro
    Xubuntu

    Re: most damage a troll can make without root access

    Quote Originally Posted by lykwydchykyn View Post
    Alternately, lock the CPU in a ventilated cabinet. No media, no liveboot.
    I like this idea. Nice.

    Just make sure you have it on a UPS, first.

  5. #15
    Join Date
    Apr 2007
    Beans
    40

    Re: most damage a troll can make without root access

    The BIOS is locked already, so it's not possible (afaik) to boot from a USB drive without this password.

    Also, I will disable the recovery mode as soon as I can get to it.

    Quote Originally Posted by dcstar View Post
    You could always remove the hard drive and just leave a Ubuntu Live CD locked in the CD drive and boot off that - or a Live USB device inside the PC with no persistence.

    Fresh system with each boot.
    I was thinking about this as I fell asleep yesterday: I could set up a "master" copy of the home folder somewhere where the user has no write permissions. On each reboot I could replace whatever was in the home folder with this "clean" version (using a script + cron)

    What do you think of this solution?
    Last edited by van_Zeller; October 31st, 2011 at 02:58 PM.

  6. #16
    Join Date
    Apr 2007
    Beans
    40

    Re: most damage a troll can make without root access

    Quote Originally Posted by lykwydchykyn View Post
    Well, they could pretty much trash the desktop, fill the browser with nasty shortcuts, drop scripts in there to do all kinds of malicious things.

    But rather than discuss that, why don't we discuss how to lock this thing down properly?

    I've set up a few internet kiosks in my day, usually I just override the kiosk user's .xinitrc file to only launch a simple window manager, rsync a fresh copy of the home directory, then launch a browser full-screen in an endless loop (so that when the browser is closed it just relaunches).

    Basically, my .xinitrc might look something like this:
    Code:
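    # Disable the screen saver and display power management
    xset s off
    xset -dpms
    
    # Minimal window manager, started in the background
    matchbox-window-manager &
    
    # Restore the clean home directory, then run the browser; repeat when it exits
    while true; do
      rsync -qr --delete /usr/local/kiosk/ /home/kiosk/
      chromium-browser --app=http://example.com
    done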
    This, of course, assumes that you have matchbox-window-manager installed, and that you have a clean copy of kiosk's home directory under /usr/local (you can put it anywhere that isn't writeable by the kiosk user).

    Let me know if this sounds useful, I can offer more suggestions. Been doing this kind of thing for years.
    Just read this properly. Sounds like a great idea, except for the browser loop. I don't want to restrict my guests *that* much, they sometimes need to edit a file or something (think boarding passes, or long emails, shared expenses on Excel etc). Also, the night shift guy uses the machine to study, he may need LibreOffice as well.

  7. #17
    Join Date
    Jun 2008
    Location
    Tennessee
    Beans
    3,413

    Re: most damage a troll can make without root access

    Quote Originally Posted by van_Zeller View Post
    Just read this properly. Sounds like a great idea, except for the browser loop. I don't want to restrict my guests *that* much, they sometimes need to edit a file or something (think boarding passes, or long emails, shared expenses on Excel etc). Also, the night shift guy uses the machine to study, he may need LibreOffice as well.
    That's just an example. You can launch any desktop shell you want to launch there, the key is the rsync which does what you were just describing -- copies a fresh copy of the home directory from a read-only location.

    If you want to restrict what apps can be used, sounds like a good task for AppArmor.

  8. #18
    Join Date
    Sep 2006
    Beans
    7,199
    Distro
    Lubuntu Development Release

    Re: most damage a troll can make without root access

    Quote Originally Posted by lykwydchykyn View Post
    That's just an example. You can launch any desktop shell you want to launch there, the key is the rsync which does what you were just describing -- copies a fresh copy of the home directory from a read-only location.
    +1

    Be sure to use the option --delete with rsync to remove extraneous files from the home directory.
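
Added example (not part of any post in this thread): the home-directory reset discussed in posts #15 to #18, written as a shell function meant to run as the kiosk user at session start. The paths in the closing comment come from the .xinitrc quoted above; the account name `kiosk`, the function names and the return codes are assumptions.

```shell
#!/bin/sh
# Added example: reset a kiosk home directory from a read-only master copy.

# master_is_safe MASTER KIOSK_USER
# Succeeds only if nothing under MASTER is owned by the kiosk account or is
# world-writable (symlinks excepted: their mode bits carry no meaning).
# A find error (e.g. unknown user name) counts as unsafe, so the check fails closed.
master_is_safe() {
  [ -d "$1" ] || return 1
  bad=$(find "$1" \( -user "$2" -o \( ! -type l -perm -0002 \) \) -print) || return 1
  [ -z "$bad" ]
}

# reset_home MASTER HOME KIOSK_USER
# Makes HOME an exact copy of MASTER: changed files are restored and files
# that exist only in HOME (dropped scripts, autostart entries) are deleted.
# Returns 2 for an unusable path, 3 if the kiosk user could alter MASTER.
reset_home() {
  master=$1 home=$2 user=$3
  # Refuse empty or root paths so a bad variable can never wipe "/".
  case "$master" in ''|/) return 2 ;; esac
  case "$home" in ''|/) return 2 ;; esac
  [ -d "$home" ] || return 2
  master_is_safe "$master" "$user" || return 3
  if command -v rsync >/dev/null 2>&1; then
    # -r recurse, -l keep symlinks, -p restore permissions, -t keep mtimes,
    # -c compare checksums so a file edited with size and mtime put back
    # is still restored; --delete removes anything not in the master.
    rsync -rlptc --delete "$master/" "$home/"
  else
    # Same end state without rsync: empty the home, then copy the master in.
    find "$home" -mindepth 1 -delete && cp -Rp "$master/." "$home/"
  fi
}

# Example call at session start, run as the kiosk user (assumed account name):
#   reset_home /usr/local/kiosk /home/kiosk kiosk || exit 1
```

If this is run from root's cron instead of the kiosk session, the restored files are created as root, so a chown to the kiosk account has to follow the copy.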

  9. #19
    Join Date
    Nov 2006
    Beans
    1,205

    Re: most damage a troll can make without root access

    How vicious is this Troll cause he could take a hammer and

  10. #20
    Join Date
    May 2007
    Location
    The New Forest
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: most damage a troll can make without root access

    forkbombs removed - see forum announcement.

    ATTENTION ALL USERS: Malicious Commands

    ... UbuntuForums has a strict zero-tolerance policy when it comes to posting dangerous commands ...

    http://ubuntuforums.org/announcement.php?f=150
