Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: disable a user's access to specific programs

  1. #1
    Join Date
    Feb 2007
    Location
    Virginia
    Beans
    Hidden!

    disable a user's access to specific programs

    I've been using Ubuntu on my PCs for about five years and am evaluating Edubuntu for a school use. In short, how can I disable a user's access (a user below sudo level) on a PC to specific programs?

  2. #2
    Join Date
    Aug 2005
    Location
    Northern Michigan USA
    Beans
    1,780
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: disable a user's access to specific programs

    I run Ubuntu at a library and also would like to do this

  3. #3
    Join Date
    Jun 2008
    Location
    Tennessee
    Beans
    3,421

    Re: disable a user's access to specific programs

    Some desktop environments (KDE, XFCE) include a kiosk framework so that you can limit the functions a user can access; this way, could effectively remove the shortcuts to an application and the "run command" or terminal functions from the desktop, and make it impossible for the command to be run.

    Looks like Edubuntu now uses Unity, though, and AFAICT there is no kiosk framework for Unity.

    There are a couple of other approaches, of course, but they aren't perfect:

    - Build up a minimal environment from scratch, providing launchers for only those applications you want users to be able to run. This requires some knowledge and tinkering, of course.

    - Remove execute permissions from the program binaries using chmod, restricting execute to the owner & group only (which is root, so sudo users would be able to run those commands with sudo):
    Code:
    sudo chmod a-x /usr/bin/somebinary
    ...or to the admin group (which would allow admins to run them with or withou sudo):
    Code:
    sudo chown root:admin /usr/bin/somebinary && sudo chmod a-x /usr/bin/somebinary
    The basic problem with this approach is that your permissions will likely get "corrected" by updates to the program. So if you go this route, put the chmod/chown commands in a script and run it after updates.

    - Probably the "correct way" to do this is through PolicyKit, but I have no idea how to begin going about that. There isn't a GUI for policykit anymore either, so it involves hand-configuring some files in /etc/polkit-1/.

  4. #4
    Join Date
    Aug 2011
    Location
    52° N 6° E
    Beans
    2,865
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: disable a user's access to specific programs

    Making some entries in /etc/sudoers (or including something in /etc/sudoers.d/) should give fine-grained control over who can do what. I've never edited those files myself, so I can't be more specific, but help is available on the web. I'm not sure how things work with putting sudo before commands for which you don't need a password, but the affected users (those who are allowed to use the program) can include that in the launcher or make a bash alias for is.

    For some easy coarse control you can set up some groups, set certain programs as executable only for the group and put them in the correct group.
    Code:
    chmod 750 exam-result-manager
    chown root:teachers exam-result-manager
    assuming not everyone is allowed to use the exam result manager.

  5. #5
    Join Date
    Oct 2007
    Beans
    338

    Re: disable a user's access to specific programs

    http://askubuntu.com/questions/66718...ers-and-groups

    On a larger scale there is LTSP
    https://help.ubuntu.com/community/UbuntuLTSP

    This last one we used in schools worked very well but maybe overkill here.
    http://www.untangle.com/
    Last edited by chadk5utc; December 17th, 2012 at 09:14 PM.

  6. #6
    Join Date
    Aug 2005
    Location
    Northern Michigan USA
    Beans
    1,780
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: disable a user's access to specific programs

    thanks not easy for sure

  7. #7
    Join Date
    Feb 2007
    Location
    Virginia
    Beans
    Hidden!

    Re: disable a user's access to specific programs

    I think it is unfortunate that Edubuntu, an operating system that is "labelled" for education i.e. for children, is so challenging to configure. I know plenty of kids who left alone for ten minutes (heck, for five!) with an Ubuntu desktop could really get in some trouble.

    What would be useful would be blacklist/whitelist controls that don't require a terminal window and a string of sudo commands.

    I think I'm going to bail on Edubuntu and go with a kiosk program like IWK or Webconverger (even Chromium OS with a blacklist/whitelist on the browser).

  8. #8
    squakie is offline I Ubuntu, Therefore, I Am
    Join Date
    Oct 2012
    Beans
    2,238
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: disable a user's access to specific programs

    Access rights, and in particular when doing so at a user or group level, has never been easy. Every operating system I've worked with since "way back when" allowed you to set up access rights, and it takes some planning and thinking to do it right. I would look at a little wider scope than this one particular instance to see if there isn't more that you may need to do and therefore only do the big work once.

    Perhaps you actually would like some sort of menu system, with the menu being built at log in by user and/or group.

  9. #9
    Join Date
    Oct 2007
    Beans
    338

    Re: disable a user's access to specific programs

    I agree with Squakie on this it takes careful planning and thought with any operating system. Most end users never know its even done, they just know what they do at the office or school, whats allowed or not allowed or maybe more so what they can do and whats been blocked. Its called Role-based access control.

  10. #10
    Join Date
    Jun 2008
    Location
    Tennessee
    Beans
    3,421

    Re: disable a user's access to specific programs

    Quote Originally Posted by Charles-2007 View Post
    I think it is unfortunate that Edubuntu, an operating system that is "labelled" for education i.e. for children, is so challenging to configure. I know plenty of kids who left alone for ten minutes (heck, for five!) with an Ubuntu desktop could really get in some trouble.
    It is what it is. I didn't make it, just offering free advice.
    What would be useful would be blacklist/whitelist controls that don't require a terminal window and a string of sudo commands.
    It would be, and for all I know it may exist. I'm not aware of it, though. What would be a shame is if you dumped Edubuntu without giving this feedback to the actual developers. They may have a better solution, or it may at least give them some direction on what's lacking from the project.
    I think I'm going to bail on Edubuntu and go with a kiosk program like IWK or Webconverger (even Chromium OS with a blacklist/whitelist on the browser).
    If you just need a web browser, this isn't too hard to do. I have some tutorials on my blog, as well as a custom kiosk-oriented browser that I wrote. I use these quite successfully with LTSP on Ubuntu at a public library to deliver catalog terminals and other browser-based services. If that sounds useful, I can point you to some resources. If not, feel free to use what makes you happy.
    Last edited by lykwydchykyn; December 19th, 2012 at 04:28 AM.

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •