:: Re: [DNG] F1 and special usernames …
Author: Rick Moen
Date:  
To: dng
Subject: Re: [DNG] F1 and special usernames on the login screen
Quoting Brad Campbell (lists2009@???):

> Rick I completely understand that sentiment, and none of my servers
> have a GUI on them. I just "assumed" (yeah, my mistake) that display
> managers were used only on single user desktop machines.


Predominantly, to be sure.

In the mid 1990s, when I helped build a Linux-based Internet cafe in San
Francisco (which _of course_ is an unusual use-case), we had some
interesting problems with this. Each of the Pentium Pro workstations on
the tables in the cafe ran xdm as display manager with a nice custom
image file as background to the login screen. The workstations were all
NIS & NFS clients -- and each was used only by a single local user (cafe
customer) at a time.

Early on, we played around with restricting ability to shut down and
reboot by changing what the 'ca' directive in /etc/inittab did --
because we were painfully aware that some customers would try to mess
with the machines. This turned out to be a bad idea.

Basically, if you deprive some people of the ability to do painless local
console reboot, they'll be motivated to go pull the mains (AC) power
instead, with consequent greater risk of filesystem harm. So, it proved
smarter to let 'em reboot if they were determined to do so.

The NFS/NIS master, a beefy EISA/VLB 486, was a different matter, and we
came up with a good solution. The system box was upstairs in a locked
room, with long keyboard and video cables to the keyboard and monitor on
a table in the cafe. Customers could log in there (no X11) to change/set
their passwords only: Their login shell permitted only that action.
Ctrl-Alt-Del was trapped and caused to do nothing.

We also deliberately set things up so that, if a customer found a way to
escalate privilege to root on any of the workstations, he/she would be
surprised to find himself/herself having -less- privilege than with a
regular user account. E.g., the NFS mounts were all exported with
root-squash.

Security guy Dan Farmer came to visit one day, did a bit of poking
around, and pronounced our security design 'sneaky' (meaning this as a
compliment).

-- 
Cheers,                              "We give advice, but we do not give
Rick Moen                            the wisdom to profit by it."
rick@???                                     -- La Rochefoucauld
McQ! (4x80)
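
Added example (not part of Rick Moen's message): a shell check for the root-squash arrangement described above, listing every client in an exports(5) file that has been granted no_root_squash, which turns off the default squashing of root. The paths, hostnames and file contents are constructed, and the parser assumes unquoted paths with no line continuations.

```shell
#!/bin/sh
# find_unsquashed FILE
#   Prints "path client" for each client whose option list contains
#   no_root_squash. FILE may be "-" to read standard input.
find_unsquashed() {
    awk '
        { sub(/#.*/, "") }                  # strip comments
        NF < 2 { next }                     # blank line, or path with defaults only
        {
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1)
                    sub(/\).*/, "", opts)   # drop the closing parenthesis
                }
                if (client == "") client = "*"   # "(opts)" alone means any host
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] == "no_root_squash") print $1, client
            }
        }
    ' "$1"
}

# Constructed sample exports file (hypothetical paths and hosts).
sample_exports() {
cat <<'EOF'
# home directories for the workstations
/export/home    192.0.2.0/24(rw,sync)
/export/images  192.0.2.0/24(ro) admin.example.org(rw,no_root_squash)
/export/scratch *(rw,no_root_squash,async)   # scratch space
EOF
}

# Report the exports where a workstation root account keeps root on the server.
sample_exports | find_unsquashed -
```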