** Reply to message from Derek Fountain on Tue, 27 May 2003 19:39:23 +0800 # What do you mean by "restrict"? Block all access? Just some sites? Email? # News? IM? Yes, block all access. At this time I don't think email will be a problem as Netscape (for them) serves as its own MTA. Ed Harrison, broadcasting on: L I N U X by SuSE (8.2), Kernel 2.4.20, X-server 4.3, PolarBarMailer 1.25a

** Reply to message from Joe Dufresne on Tue, 27 May 2003 18:40:59 -0700 # just make a group (like dialout) and only include as members those # people allowed to dial out. # # Joe I have a ADSL connection that is "always on". I want to restrict the boys from internet access without having to carry the modem to work with me. What devices, files, etc. do I need to give to the group to prevent the connection outbound? Ed Harrison, broadcasting on: L I N U X by SuSE (8.2), Kernel 2.4.20, X-server 4.3, PolarBarMailer 1.25a

I have a ADSL connection that is "always on". I want to restrict the boys from internet access without having to carry the modem to work with me.

Take the cable then. :o)

What devices, files, etc. do I need to give to the group to prevent the connection outbound?

You can't, I don't think. The ethernet connection doesn't work as a file, so there's nothing to restrict permissions on. If your boys know the root password, you're stuffed. If not, you have a few options, depending on how savvy they are. Your best bet is to set up a firewall, preferably, but not necessarily on another machine. That gives you maximum flexibility for controlling what goes in and out at what time. If total disconnection is the goal, set a cron job to take down the appropriate ethernet connection during your work hours. If just disconnecting from web sites would suffice, and the boys don't know too much, set up wwwoffle as a local proxy. That allows (IIRC) you to control which users can access the web service. Of course, if the boys know how to change the web browser's proxy, that won't work unless you use some iptables to force outbound web connections to go through it transparently. I can't think of anything else, but I might have missed something obvious! -- "...our desktop is falling behind stability-wise and feature wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003

How about this!!! What about changing file permissions on all browser, mail, IRC, and FTP applications??? Definitely remove all of these types of applications from their /home/'sillyteenager' directories first, then secure the main applications by ensuring correct file permissions are set. Take a look at KDE Control Panel > Yast2 Modules > Security & Users > Security Settings as an option. The paranoid setting lets you (root) control user access to all X applications. Or do it manually with all applications that could access information from the internet. Also, make sure you have access to their desktops, by knowing their passwords or setting them up with password-less logins. This way you can see if they are using pictures of nude women as their desktop #5 backgrounds, or have the complete text of 'The Anarchists Cookbook' in their Documents directory ;-) (Don't laugh too loud) Or, just take a look at their /home directories from time to time, to see if their trying to circumvent anything. Also, you may want to change your root password on a regular basis. Just some random wanderings from the scrambled mind of the father of a teenage boy. Good Luck! Bernd -- "If you want to build a ship, don't drum up the men to gather wood, divide the work, and give orders. Instead, teach them to yearn for the vast and endless sea." Antoine de St. Exupery

How about this!!! What about changing file permissions on all browser, mail, IRC, and FTP applications??? Definitely remove all of these types of applications from their /home/'sillyteenager' directories first, then secure the main applications by ensuring correct file permissions are set. Take a look at KDE Control Panel > Yast2 Modules > Security & Users > Security Settings as an option. The paranoid setting lets you (root) control user access to all X applications. Or do it manually with all applications that could access information from the internet. Also, make sure you have access to their desktops, by knowing their passwords or setting them up with password-less logins. This way you can see if they are using pictures of nude women as their desktop #5 backgrounds, or have the complete text of 'The Anarchists Cookbook' in their Documents directory ;-) (Don't laugh too loud) Or, just take a look at their /home directories from time to time, to see if their trying to circumvent anything. Also, you may want to change your root password on a regular basis. Just some random wanderings from the scrambled mind of the father of a teenage boy. Good Luck! Bernd -- "If you want to build a ship, don't drum up the men to gather wood, divide the work, and give orders. Instead, teach them to yearn for the vast and endless sea." Antoine de St. Exupery

On Wednesday 28 May 2003 4:38 am, Derek Fountain wrote:

Your best bet is to set up a firewall, preferably, but not necessarily on another machine. That gives you maximum flexibility for controlling what goes in and out at what time. What about setting up a proxy? Then you could effectively disable their access to the .net just by revoking proxy-permissions? I haven't done this myself, but thought it might be a way forward :)

On May 28, 2003 04:38 pm, Fred A. Miller wrote:

The father had warned them about doing this a day before he asked me to "fix" the box. I had assured the boys that I could see to it that they no longer had access. They just smiled, and thought they'd find a way around the changes. It's a LOT easier to block access on a Linux box than on 'Bloze.

Kids today. In my day I would have just installed whatever I wanted when you left-))))) Nick

* Bernd (bernd@covenantmail.net) [030528 14:05]:

No way to install without root access. No way to download without a browser

Of course you can. There's nothing stopping you from installing whatever you want into your home directory. Even if you block all outgoing traffic as long as they have physical access to the machine they can change the root password. -- -ckm

On Thursday 29 May 2003 08.36, Basil Fowler wrote:

Another point,

Yo should protect Lilo with a password, otherwise you can boot into single user mode and then change the root password

If you can boot the machine at all, then you almost have to have physical access, and then all security is completely out the window.

Oh what a web you have to weave When you start to deceive!

I thought it was Oh what a tangled web we weave when first we practice to deceive

* Anders Johansson [05-29-03 01:55]:

On Thursday 29 May 2003 08.36, Basil Fowler wrote:

...

Another point,

Yo should protect Lilo with a password, otherwise you can boot into single user mode and then change the root password

If you can boot the machine at all, then you almost have to have physical access, and then all security is completely out the window.

...

Oh what a web you have to weave When you start to deceive!

I thought it was

Oh what a tangled web we weave when first we practice to deceive

One bright day in the middle of the night Two dead boys got up to fight Back to back they faced each other Drew their swords and shot each other A deaf policeman heard the noise He came and killed those two dead boys One bright day in the middle of the night As I was walkin' up the stair I saw a man who wasn't there He wasn't there again today Oh how I wish he'd go away (What the Blind Man Saw) -- Patrick Shanahan Please avoid TOFU and trim >quotes< http://wahoo.no-ip.org Registered Linux User #207535 icq#173753138 @ http://counter.li.org Linux, a continuous *learning* experience

** Reply to message from "Fred A. Miller" on Wed, 28 May 2003 16:38:09 -0400 # I have a client who was having this problem with his two # teenage social misfits. :) What I finally did, was # to remove them to another group, where they had NO access # to any installed browser. They have NO access to the Net, # except for email. 'Course, any junk mail for a prono. # site is a "bust" because they don't have access to a browser. # # The father had warned them about doing this a day before he # asked me to "fix" the box. I had assured the boys that I could # see to it that they no longer had access. They just smiled, # and thought they'd find a way around the changes. It's a # LOT easier to block access on a Linux box than on 'Bloze. # # Fred I realize that the name of the new group does not matter. But how did you "move" them, and how did you restrict that group to NO access to any installed browser? Ed Harrison, broadcasting on: L I N U X by SuSE (8.2), Kernel 2.4.20, X-server 4.3, PolarBarMailer 1.25a

** Reply to message from Christopher Mahmood on Wed, 28 May 2003 14:58:07 -0700 # Make the brower executable (or script) mode 750, change its group # to foo, and add users who can use it to group foo. Won't setting Konqueror to "foo" mess up a lot of stuff in KDE and SuSE? Ed Harrison, broadcasting on: L I N U X by SuSE (8.2), Kernel 2.4.20, X-server 4.3, PolarBarMailer 1.25a

** Reply to message from Christopher Mahmood on Wed, 28 May 2003 16:04:54 -0700 # A better solution is to force all traffic to port 80 and 443 through # a proxy that the user has to authenticate to in order to use. Of # course, the kids can always just find an open proxy somewhere that # they can use to bypass this restriction as well. Once they get that # sophisticated they'd probably figure out that they can just boot # with 'init=/bin/sh' in order to change root's passwd (and the # restrictions) or boot from something like the live eval cd. In cmos, I have disabled booting from cd and floppy. In grub, the command line is md5 password protected. Default linux is the only choice they have. Grub is in the mbr and dual-boot to their mom's win98 is also md5 password protected. I don't know anything about proxies, except I use privoxy on my machine. What kind of proxy are you referring to? For the time being I have added sudo /sbin/ifdown eth0 to each $HOME/.bashrc per the suggestion from Basil Fowler, but how long will it take them to learn enough linux to know they can edit that file without root permission? Ed Harrison, broadcasting on: L I N U X by SuSE (8.2), Kernel 2.4.20, X-server 4.3, PolarBarMailer 1.25a

On Thursday 29 May 2003 04:00, Derek Fountain wrote:

...

For the time being I have added sudo /sbin/ifdown eth0 to each $HOME/.bashrc per the suggestion from Basil Fowler, but how long will it take them to learn enough linux to know they can edit that file without root permission?

It does not matter if the .bashrc file is editable. The alias in the .bashrc file is just for convenience. The .bashrc file concerned is the one in YOUR private $HOME directory, which should be readable only by yourself. The point of sudo is to give a specified ordinary user limited rights to execute a specific program that requires root access. The rights are set out in the /etc/sudoers file, which should be readable only by root, The rights are NOT in the .bashrc file. sudo normally requires the authorised user to enter his/her personal password before the program is run. So if you keep your personal and root password to yourself, others will not be able to run the ifdown or ifup commands. Hope this helps Basil Fowler

Well that one's easy - set the .bashrc files to be owned by root and ensure they aren't other-writable.

-- "...our desktop is falling behind stability-wise and feature wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003

-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anders Johansson wrote: | On Thursday 29 May 2003 04.53, Ed Harrison wrote: | |>In cmos, I have disabled booting from cd and floppy. | | | With physical access to the machine, this isn't a problem. Simply open the box | and remove the CMOS battery for a number of minutes so the motherboard resets | to factory defaults. | physically remove the CD drives and floppy. use hot glue to fill the floppy/ide ports on the board un used, and get a cable for the HD with only one output. not impossible to bypass, but would take more work Joe - -- SuSE Linux 8.1 (i386) Kernal: 2.4.19-4GB / i686 | Posted from: Miverna ~ 6:44pm up 3 days, 1:17, 8 users, load average: 0.03, 0.13, 0.15 nqs@tmcom.com | http://tigger.tmcom.com/~nqs/blogger.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE+1rhaoS1S7SxfpzwRApsmAJ9Fpx3/SNYAESxrEWL+U7u6NVB55wCgiuP/ sJu2ZxpqAsZQH/gg4NyOuXc= =yPyN -----END PGP SIGNATURE-----

** Reply to message from Christopher Mahmood on Thu, 29 May 2003 09:51:46 -0700 # What happens when you cycle the power by unplugging the battery # on the motherboard? Well, I am not going to disconnect it. If they do, they die. Actually the box has a lock on the outer case. # # > For the time being I have added sudo /sbin/ifdown eth0 to each # > $HOME/.bashrc per the suggestion from Basil Fowler, but how long will # > it take them to learn enough linux to know they can edit that file # > without root permission? # # You can always chown the .bashrc files to root.root. Of course, # it's probably much easier to just go to a friend's house and use # their computer. Say, you're not a teenager, are you? :-) Ed Harrison, broadcasting on: L I N U X by SuSE (8.2), Kernel 2.4.20, X-server 4.3, PolarBarMailer 1.25a

On Wed, 2003-05-28 at 21:53, Ed Harrison wrote:

** Reply to message from Christopher Mahmood on Wed, 28 May 2003 16:04:54 -0700

# A better solution is to force all traffic to port 80 and 443 through # a proxy that the user has to authenticate to in order to use. Of # course, the kids can always just find an open proxy somewhere that # they can use to bypass this restriction as well. Once they get that # sophisticated they'd probably figure out that they can just boot # with 'init=/bin/sh' in order to change root's passwd (and the # restrictions) or boot from something like the live eval cd.

In cmos, I have disabled booting from cd and floppy.

In grub, the command line is md5 password protected. Default linux is the only choice they have.

Grub is in the mbr and dual-boot to their mom's win98 is also md5 password protected.

Wow. You've done some hard work here. If you trust the lock on the case, you should be alright.

For the time being I have added sudo /sbin/ifdown eth0 to each $HOME/.bashrc per the suggestion from Basil Fowler, but how long will it take them to learn enough linux to know they can edit that file without root permission?

This is the problem with locking down users that are *supposed* to be on the local machine. There are an infinite number of problems here. I've seen a lot of tiresome posts about chmod'ing the executable bits of networkable programs, when the point is that it's very easy to wget a new copy of Mozilla and stuff it in your home directory. I think you're wasting your time here.

I don't know anything about proxies, except I use privoxy on my machine. What kind of proxy are you referring to?

You're on the right track here. I would recommend that you get a second computer and make it a proxying firewall. This other computer can just be an el cheapo P100 castoff or something. (Mine's a 200, and it's great.) The point is that you must combine a proxy with a firewall. I don't see how you could do this on your workstation alone, but I've not thought about it real hard. Plus, if this war of privileges esacalates, and the kids get into it, they could root the workstation. (From what I read, it's not that hard, but the process is _greatly_ facilitated if you have a local login. On a separate firewall, you could keep this advantage out of their hands.) What you need to do on the firewall is to NOT forward packets. In your firewall rules, you only let the proxy get out to the net from the firewall itself. Setup your proxy for authentication, and don't give the kids credentials. Then they just _won't_ get to the internet, for any kind of communication. If you want them to have email, you can open that up for them, or just collect their mail on the firewall (ala fetchmail), and let them pick it up there. By now, it's starting to become clear that this is an exercise, not in technology, but psychology. I'm guessing these kids need some sort of office program? for school? Else -- once you've "cut the cord" -- why bother with a computer these days? It's a Linux computer, so it's _probably_ not for games. The bottom line is that it'd be a whole lot easier to spend $500 on a new Dell, set it in the corner without access, let them have at it, and revoke the rights to the computer that's connected. (Then I guess they could open the box, put in a network card, and take your cable while you're gone. Oh well, back to square one.) As someone else pointed out, there's no lack of opportunity to go to a friend's house and do whatever they want. Shoot, the American Library Association campaigns hard every year to keep the computers at the library completely wide open to every piece of garbage on the net. All the free porn you want at the library! Woohoo! HTH, dk -- David "Dunkirk" Krider, http://www.davidkrider.com Acts 17:28, "For in Him we live, and move, and have our being." Linux: Will you use the power for good... or for AWESOME?