Niki Kovacs wrote:
> Well, more often than not, I wish I had none. There's that old lady,
> Madame Bancel. She's a retired school teacher, helping out in the public
> library every wednesday morning. After a few hours of right-and-left
> single-and-double-clicking on every conceivable and inconceivable part of
> the screen, my carefully configured XFCE desktop looks like the Hilton
> Suite after a party with Metallica and two dozens of groupies.

there's currently a thread on the xfce general mailing list about setting
up xfce for multiple users, and using kiosk functionality, etc. perhaps
there's something there that you might be able to use to keep your madame
bancel from partying like metallica?

archives to be found here:

<http://foo-projects.org/pipermail/xfce/>

it's a current discussion, subject is "How to customize panel items via
ssh".


--
Joost Kremers joostkremers@yahoo.com
Selbst in die Unterwelt dringt durch Spalten Licht
EN:SiS(9)

On 2007-10-08, Joost Kremers <joostkremers@yahoo.com> wrote:
> Niki Kovacs wrote:
>> Well, more often than not, I wish I had none. There's that old lady,
>> Madame Bancel. She's a retired school teacher, helping out in the public
>> library every wednesday morning. After a few hours of right-and-left
>> single-and-double-clicking on every conceivable and inconceivable part of
>> the screen, my carefully configured XFCE desktop looks like the Hilton
>> Suite after a party with Metallica and two dozens of groupies.
>
> there's currently a thread on the xfce general mailing list about setting
> up xfce for multiple users, and using kiosk functionality, etc. perhaps
> there's something there that you might be able to use to keep your madame
> bancel from partying like metallica?
>
> archives to be found here:
>
><http://foo-projects.org/pipermail/xfce/>
>
> it's a current discussion, subject is "How to customize panel items via
> ssh".

Hehe - I was just about to refer Niki to that thread :-)

RW

Kees Theunissen <theuniss@rijnh.nl> wrote:
> Joseph H. Rosevear wrote:

[snip]

> I see three *big* security issues with this.

Thanks, Kees, I hadn't thought much about security. Let me reply to
you objections.

> First you run the user owned script ~/prep with root privilege. A
> user can simply put any command (s)he likes to run as root in that
> script.

Niki's users probably wouldn't need access to prep, so make it
root:root 700.

> Second using this scripts you'll run the user's $HOME/.bashrc
> with root privilege. So a user can also put any command (s)he likes
> in .bashrc and run that command as root.

Again, the users probably wouldn't need access. Make .bashrc
root:root 644.

> Third you trust the command line supplied by the user. This is yet
> an other way for the user to specify any command to be run as root.
> A user could call the k_burnit script for instance as:
> sudo k_burnit 'blah;/bin/bash'
> to get a root shell as k_burnit will run in this case:
> ~/prep burnit blah;/bin/bash

See my second version (already posted) called k_burnit2.

It went like this:

k_burnit2:

#!/bin/sh
~/prep burnit2 $*

But burnit2 uses no arguments so I should have written it like this:

k_burnit2:

#!/bin/sh
~/prep burnit2

> Regards,

> Kees.

Thanks for your help, Kees.

-Joe

Niki Kovacs <mickey@mouse.com> wrote:
> Le Mon, 08 Oct 2007 02:47:54 +0000, Joseph Rosevear a ?crit?:
>
>> Wow. Sounds like you have an honorable task before you. I often wish I
>> had users.
>
> Well, more often than not, I wish I had none. There's that old lady,
> Madame Bancel. She's a retired school teacher, helping out in the public
> library every wednesday morning. After a few hours of right-and-left
> single-and-double-clicking on every conceivable and inconceivable part of
> the screen, my carefully configured XFCE desktop looks like the Hilton
> Suite after a party with Metallica and two dozens of groupies.
>
> cheers,
>
> Niki

Niki,

I appreciate your humor. What I do at work is somewhat the same. And
I just realized that I do have users. I'm ashamed that I discounted
them.

I work in a special education classroom. The children in our classroom
are aged 7-11 but are operating a level lower than that. They too
click on everything. They use a Mac and a Linux box in our room. The
Mac is gradually getting trashed. I'm expecting that some day I won't
be able to put it back to right. The Linux box runs twm and has been
configured to be mostly fiddle proof.

Thanks for your (brief) story about Madame Bancel. I enjoyed it.

How did you wind up doing what you do? I'm especially wondering where
Windows went? How fabulous!

-Joe

Kees Theunissen <theuniss@rijnh.nl> wrote:
> Joseph H. Rosevear wrote:
>
[snip]
>
> I see three *big* security issues with this.

[snip]

> Regards,
>
> Kees.
>

Kees,

How about you? Do you have users? Sounds like you have some
experience in keeping the users out of root.

-Joe

Joseph H. Rosevear wrote:
> Kees Theunissen <theuniss@rijnh.nl> wrote:
>> Joseph H. Rosevear wrote:
>
> [snip]
>
>> I see three *big* security issues with this.
>
> Thanks, Kees, I hadn't thought much about security. Let me reply to
> you objections.
>
>> First you run the user owned script ~/prep with root privilege. A
>> user can simply put any command (s)he likes to run as root in that
>> script.
>
> Niki's users probably wouldn't need access to prep, so make it
> root:root 700.

That won't protect you.
If a file is in a user's home directory then the user can delete or
rename the file and create its own version with the original name.
You don't need write access to a file to delete or rename it.
Write access to the directory containing the file is sufficient
regardless of the file's permission.

>
>> Second using this scripts you'll run the user's $HOME/.bashrc
>> with root privilege. So a user can also put any command (s)he likes
>> in .bashrc and run that command as root.
>
> Again, the users probably wouldn't need access. Make .bashrc
> root:root 644.

Again, the user can still delete and replace .bashrc.

>
>> Third you trust the command line supplied by the user. This is yet
>> an other way for the user to specify any command to be run as root.
>> A user could call the k_burnit script for instance as:
>> sudo k_burnit 'blah;/bin/bash'
>> to get a root shell as k_burnit will run in this case:
>> ~/prep burnit blah;/bin/bash
>
> See my second version (already posted) called k_burnit2.
>
> It went like this:
>
> k_burnit2:
>
> #!/bin/sh
> ~/prep burnit2 $*
>
> But burnit2 uses no arguments so I should have written it like this:
>
> k_burnit2:
>
> #!/bin/sh
> ~/prep burnit2

There are still other attack vectors in your scripts.
I checked sudo on a Slack 11.0 system. Lots of environment variables
are cleared by sudo, but the user's $PATH is kept. What does this
mean? In your scripts you used several commands without specifying
the full path. In ~/prep you used: chmod and bash (export and echo
are internal bash functions), in burnit2: rm, mkisofs and cdrecord.
So a user can put some user writable directory early in the search
path and replace any of these commands with his/her own executable.

There are probably more attack vectors.
It's difficult to write really safe scripts and there is a reason
that suid/sgid scripts are not supported in linux.

As a general rule, if you need to let users run a program with
root privileges, you should run as few code with elevated privilege
as possible. Why run a rather complicated script with root rights,
creating and running other scripts on the fly, if you could have
used "sudo /usr/bin/cdrecord ....." in a script running with the
user's own rights?

Regards,

Kees.

--
Kees Theunissen.

Joseph Rosevear wrote:

> Kees,
>
> How about you? Do you have users? Sounds like you have some
> experience in keeping the users out of root.

With a few others I'm running the computer and network
infrastructure of a physics lab. About 100 users in a
mixed windows/unix/linux environment.

Regards,

Kees.

--
Kees Theunissen.

Le Tue, 09 Oct 2007 06:02:20 +0000, Joseph Rosevear a écritÂ*:
>
> I appreciate your humor. What I do at work is somewhat the same. And I
> just realized that I do have users. I'm ashamed that I discounted them.
>
> I work in a special education classroom. The children in our classroom
> are aged 7-11 but are operating a level lower than that. They too click
> on everything. They use a Mac and a Linux box in our room. The Mac is
> gradually getting trashed. I'm expecting that some day I won't be able
> to put it back to right. The Linux box runs twm and has been configured
> to be mostly fiddle proof.
>
> Thanks for your (brief) story about Madame Bancel. I enjoyed it.
>
> How did you wind up doing what you do? I'm especially wondering where
> Windows went? How fabulous!

Our "Communauté de Communes" here is a group of sixteen small towns,
ranging from 500 to 5.000 inhabitants. I had heard that the local
politicians planned to install new computer equipment in eleven of them.
So I sent them a 30-pages-paper where I detailed them the benefits of
Open Source software: security, stability, ethics, and last but not
least: cost. I suggested they move completely to open source software,
and with the money they spare, they pay a sysadmin ( = me) to do the job.
To my utter bewilderment, they accepted. Result: for the last year (since
August 2006), my job consisted of nuking existing Windows installs and
replace them by Linux. And then, install Linux on all the new hardware.
The most difficult task consisted of installing a central database server
and networking eleven public libraries together, but the system is
running just fine now. Plus, there's a *lot* to learn when people already
provide the hardware (without checking compatibility first). What people
liked most is when I told them that they didn't have to throw away their
old PIII's, that they could keep them for the schools, and we can still
run a modern OS on them.

So right now, I'm busy configuring a brand-new slim and newbie-friendly
XFCE-based desktop... and getting paid for this (not much, alas / ).
Here's what it looks like:

http://slackware.kikinovak.ath.cx/de...re-desktop.png

cheers,

Niki

On Tue, 09 Oct 2007 14:32:29 +0000, Niki Kovacs wrote:

> for the last year (since
> August 2006), my job consisted of nuking existing Windows installs and
> replace them by Linux.

The perfect job!

Niki Kovacs <mickey@mouse.com> wrote:
>
> least: cost. I suggested they move completely to open source software,
> and with the money they spare, they pay a sysadmin ( = me) to do the job.
> To my utter bewilderment, they accepted. Result: for the last year (since

That is excellent. You get to do an interesting job, and promote the
use of a damn good OS.

- Kurt