
Re: EDU Win Lab



On Sat, 8 May 1999, Michael A Hamblin wrote:

> 
> I think the main reason I would want to see Linux used in classrooms is
> for the increased security it brings, although there are other compelling
> reasons. I don't know how familiar you are with Linux, Dan, so don't feel
> like I'm trying to patronize you :) A properly configured Linux machine
> could easily be set up so that someone could not just go in and change the
> settings. For example, if a card catalog program was running in a stock 
> Windows 95/98 machine, a user could do anything they wanted, including
> wiping the machine. But a Linux machine with a 'guest' account running
> the card catalog software without any more set up than that would be
> pretty much safe from the regular attacks that plague Windows 95 machines.


I have been hacking around Linux for about 4 years now, and am very versed
in the security of multiple users, etc.  My problem with this lab comes
from securing things from the user themselves.  I don't want a student to
mess up their own desktop settings.  I was hoping that someone else had
already tried to secure KDE in this way, but I guess I will have to sit
down and spend a few hours figuring out which files need write access,
and which ones do not.

 
> (Similarly user accounts on a Linux box are distinct. I can configure
> backgrounds, screensavers, etc for my account and in no way affect another
> user's account. Thus we eliminate the "background" wars common in Windows
> labs, which waste kids' time. Also password-locked screensavers that are a
> rather constant annoyance on Windows labs are simple problems to fix in
> Linux. Just log into the machine, become root and kill the screensaver or
> login process. This is trivially easy to do, and at most requires an
> instruction sheet for less computer-savvy teachers.)

I have been able to show the lab tech at this school how to do basic
things, like ssh into a system, do a killall -9 soffice.bin when students
try to open StarOffice 18 times (have you ever seen a Linux box with a
load over 50?  Try opening StarOffice 18 times, in one go).


> But lemme discuss real quick about how Linux could help even in a
> situation where you are locked into using Windows. For machines which are
> public access, a minimum Windows installation is probably adequate. This
> may not be the case in a Windows lab with Office and development programs
> for Windows (sigh, some ppl will insist on using Microsoft programs for
> writing programs. Best to be prepared, eh?) but this trick may still work
> now that hard drive sizes are getting huge. When you first install
> Windows and fdisk, split your hard drive into two equally sized partitions
> and install Windows on the first partition. Then use your handy Linux on a
> floppy (you do have one of these, right?) and `dd` the first partition to
> the second, and mark the second unwriteable (it's late I don't remember
> the exact term I'm looking for). You can do this easily like this:
> `dd if=/dev/hda1 of=/dev/hda2 bs=512`. Then, when the Windows partition
> goes completely haywire, just `dd` it back the other way, by swapping hda1
> with hda2. [If that seems too complicated, consider the alternative of
> reinstalling Windows 95 from scratch :) ]


This would be a very good way of doing it. I might suggest this to the lab
admin at the local community college; she is right now stuck using
Fortress.


> Now I'm sure ghost will do the same thing, but I'm not familiar with it. I
> suspect it's not free and not as trivial as this is. Also this little
> trick will work with an image file on a network drive as well (some boot
> disks support certain network cards and NFS mounts).


Ghost is not free, but it does work well off of a network boot disk (so
would your dd method, just use a file).  The good thing with Ghost (could
be done with tar as well) is that the partitions do not need to be the
same size, or identical drives/partitions.

> Another possible trick with Windows 95/98 is changing the shell to
> something besides the explorer shell. Set the shell to your library
> program, or even compile a shell like 'litestep' with limited features.
> Windows is inherently insecure, so whenever possible I would recommend
> using Linux instead. If I was setting up a card catalog system which would
> work under Linux, I think I would set it up like this. Each machine that a
> human accesses is a terminal or client, and those machines connect to a
> server which cannot be accessed directly except by staff. If we want
> machines outside the library to be able to access the library database, we
> can set up another network for the client machines. That way you can add
> as many new library terminals as you like without wasting IP space, since
> they don't need anything more than to connect to the server. Also it
> severely limits what someone can do if they do get root access to a
> machine.
> 
>  (Rest of Network)+ - + Library Server
>                         [ PII Server ] + + - Client Machine
>                                          + - Client Machine
>                                          + - Client Machine
>                                          + - Printer
>                                          + - and so on...
> 
> This doesn't provide for web-surfing machines in the library network,
> although if you wanted that it would be possible to set it up. But this
> model is very simplistic and serves a very specific purpose. If you wanted
> web browsing machines I might still keep them on the library network, but
> would use another box for IP Masquerading and move the Library Server off
> to the main network, and give it a web-based interface. And when you set
> up the machines, make sure that they are physically arranged so that a
> teacher or the librarians can see what everyone is doing in a quick
> glance.
> 
> Enough for me for tonight... :)
>


			Harry
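
The `dd` image-and-restore approach discussed in this message, written out as a shell script; this is an added example, not part of the original thread. The function names are hypothetical, a constructed temporary file stands in for the partition (or the image file on a network drive), and the script goes one step beyond the thread by checking a SHA-256 digest of the golden image before restoring from it.

```shell
#!/bin/sh
# Added example: golden-image save/restore with an integrity check.
# Paths are arguments, so the same functions work on an image file or on
# a device such as /dev/hda1. All function names here are hypothetical.

# save_golden SRC IMG: copy SRC to IMG and record its SHA-256 beside it.
save_golden() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=512 2>/dev/null || return 1
    sha256sum < "$img" | cut -d' ' -f1 > "$img.sha256"
    chmod a-w "$img" "$img.sha256"   # file analogue of an unwritable copy
}

# verify_golden IMG: succeed only if IMG still matches the recorded digest.
verify_golden() {
    img=$1
    [ -r "$img.sha256" ] || return 1
    want=$(cat "$img.sha256")
    have=$(sha256sum < "$img" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# restore_golden IMG DST: refuse to restore from a modified image.
restore_golden() {
    img=$1; dst=$2
    verify_golden "$img" || { echo "golden image altered, not restoring" >&2; return 2; }
    dd if="$img" of="$dst" bs=512 conv=notrunc 2>/dev/null || return 1
    # Confirm that what landed on DST matches the image byte for byte.
    size=$(wc -c < "$img")
    [ "$(head -c "$size" "$dst" | sha256sum | cut -d' ' -f1)" = "$(cat "$img.sha256")" ]
}

# demo: a constructed 64 KiB file stands in for the Windows partition.
demo() {
    d=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$d/part" bs=512 count=128 2>/dev/null
    save_golden "$d/part" "$d/golden.img" || return 1
    printf 'haywire' | dd of="$d/part" bs=512 conv=notrunc 2>/dev/null  # simulated damage
    restore_golden "$d/golden.img" "$d/part"; rc=$?
    rm -rf "$d"; return $rc
}
```

Storing the digest file somewhere lab users cannot write (read-only media or the server) is what makes the check meaningful; a digest kept next to a writable image only catches accidental corruption.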