On Wed, 2003-05-28 at 21:53, Ed Harrison wrote:
** Reply to message from Christopher Mahmood <ckm@suse.com> on Wed, 28 May 2003 16:04:54 -0700
# A better solution is to force all traffic to port 80 and 443 through # a proxy that the user has to authenticate to in order to use. Of # course, the kids can always just find an open proxy somewhere that # they can use to bypass this restriction as well. Once they get that # sophisticated they'd probably figure out that they can just boot # with 'init=/bin/sh' in order to change root's passwd (and the # restrictions) or boot from something like the live eval cd.
In cmos, I have disabled booting from cd and floppy.
In grub, the command line is md5 password protected. Default linux is the only choice they have.
Grub is in the mbr and dual-boot to their mom's win98 is also md5 password protected.
Wow. You've done some hard work here. If you trust the lock on the case, you should be alright.
For the time being I have added sudo /sbin/ifdown eth0 to each $HOME/.bashrc per the suggestion from Basil Fowler, but how long will it take them to learn enough linux to know they can edit that file without root permission?
This is the problem with locking down users that are *supposed* to be on the local machine. There are an infinite number of problems here. I've seen a lot of tiresome posts about chmod'ing the executable bits of networkable programs, when the point is that it's very easy to wget a new copy of Mozilla and stuff it in your home directory. I think you're wasting your time here.
I don't know anything about proxies, except I use privoxy on my machine. What kind of proxy are you referring to?
You're on the right track here. I would recommend that you get a second computer and make it a proxying firewall. This other computer can just be an el cheapo P100 castoff or something. (Mine's a 200, and it's great.) The point is that you must combine a proxy with a firewall. I don't see how you could do this on your workstation alone, but I've not thought about it real hard. Plus, if this war of privileges esacalates, and the kids get into it, they could root the workstation. (From what I read, it's not that hard, but the process is _greatly_ facilitated if you have a local login. On a separate firewall, you could keep this advantage out of their hands.) What you need to do on the firewall is to NOT forward packets. In your firewall rules, you only let the proxy get out to the net from the firewall itself. Setup your proxy for authentication, and don't give the kids credentials. Then they just _won't_ get to the internet, for any kind of communication. If you want them to have email, you can open that up for them, or just collect their mail on the firewall (ala fetchmail), and let them pick it up there. By now, it's starting to become clear that this is an exercise, not in technology, but psychology. I'm guessing these kids need some sort of office program? for school? Else -- once you've "cut the cord" -- why bother with a computer these days? It's a Linux computer, so it's _probably_ not for games. The bottom line is that it'd be a whole lot easier to spend $500 on a new Dell, set it in the corner without access, let them have at it, and revoke the rights to the computer that's connected. (Then I guess they could open the box, put in a network card, and take your cable while you're gone. Oh well, back to square one.) As someone else pointed out, there's no lack of opportunity to go to a friend's house and do whatever they want. Shoot, the American Library Association campaigns hard every year to keep the computers at the library completely wide open to every piece of garbage on the net. All the free porn you want at the library! Woohoo! HTH, dk -- David "Dunkirk" Krider, http://www.davidkrider.com Acts 17:28, "For in Him we live, and move, and have our being." Linux: Will you use the power for good... or for AWESOME?