From kragen@dnaco.net Tue Aug 25 08:43:46 1998
Date: Tue, 25 Aug 1998 08:43:45 -0400 (EDT)
From: Kragen
To: Deanna Phillips
cc: clug-user@clug.org
Subject: Re: Linux Lab Computer and Teaching Opportunity
In-Reply-To: <19980824180910.A27733@crystal.iac.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Keywords:
X-UID: 1395
Status: O
X-Status:

On Mon, 24 Aug 1998, Deanna Phillips wrote:
> I'm a few weeks new to the list and a few months new to intensive use
> of Linux. I work for a local University, and would like to put a Linux
> computer into one of our public labs (which are now all Windows and Mac
> OS) for student use. Does anyone have any suggestions about what I
> should and should not make available on it? I can't decide if I should
> just go all out and let them tear it up, hoping that they will learn in
> the process, or restrict it in order to save myself a few headaches.

My recommendations:

- give people user-level access to it, preferably with accounts. (Do
  you have any Unix systems at your university already? Perhaps you
  could share logins, passwords, and even home directories.)

- Don't give out free root access. That means password-protecting the
  BIOS setup, turning off being able to boot from a floppy or CD-ROM,
  not having Win95 installed on the machine, and password-protecting
  LILO's options if you use LILO. People will still be able to do all
  kinds of nifty things with it (including log in remotely, run
  services like FSP or httpd, browse the Web, do ray-tracing, etc.).
  (You might want to turn off the ability for just anyone to run
  services like httpd. Recent experimental kernels have this ability.
  You could also run a cron job with netstat -a that mails you if it
  sees suspicious sockets in the LISTEN state.) Oh, and look at the
  various recent security advisories, and try not to install more
  privileged stuff than you have to.

  (Of course, if you have public Win95 machines in the same lab, it
  might be kind of silly to go to all this trouble to secure the Linux
  machine.)

You should probably put a couple of "user" entries in the /etc/fstab to
let people mount and unmount floppies and CD-ROMs.

With Linux, restricting access to "root" doesn't significantly impede
access to anything useful -- just the ability to administer the system.
It's built from the ground up to support such restrictions, and as a
result, they don't get in people's way the way they do on Win9x and
Macs.

Kragen

-- 
Kragen Sitaker
We are forming cells within a global brain and we are excited that we
might start to think collectively. What becomes of us still hangs
crucially on how we think individually. -- Tim Berners-Lee, inventor of
the Web
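
Added example, not part of Kragen's message: one way to write the netstat check suggested above as a filter that reports TCP sockets in the LISTEN state whose port is not on an allowlist. The ALLOWED_PORTS list, the function names, the use of `netstat -an` (numeric ports) in place of `netstat -a`, and the sample output are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. ALLOWED_PORTS, the function names and the sample data are
# assumptions for illustration, not taken from the original message.

# TCP ports that are expected to be listening on the lab machine.
ALLOWED_PORTS="${ALLOWED_PORTS:-22 25 111}"

# Read `netstat -an` output on stdin and print "proto local-address" for each
# TCP socket in the LISTEN state whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4
            sub(/^.*:/, "", port)   # keep what follows the last colon (also ":::21")
            if (!(port in ok)) print $1, $4
        }'
}

# Print a report and return 1 if anything unexpected is listening; print
# nothing and return 0 otherwise. Cron mails a job's output to its owner,
# so a silent run sends no mail.
check_listeners() {
    found=$(unexpected_listeners)
    if [ -n "$found" ]; then
        printf 'Unexpected listening sockets on %s:\n%s\n' "$(uname -n)" "$found"
        return 1
    fi
    return 0
}

# Constructed sample of `netstat -an` output, for trying the filter offline.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           192.0.2.77:51234        ESTABLISHED
tcp6       0      0 :::21                   :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
EOF
}

# From cron, in a script that sources this file: netstat -an | check_listeners
```

On the constructed sample, `sample_netstat | check_listeners` reports the listeners on ports 8080 and 21 and leaves the allowed port 22, the established connection and the UDP socket alone.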