Security Basics mailing list archives
RE: Securing Linux based public access terminals
From: "M Shirk" <shirkdog_linux () hotmail com>
Date: Tue, 20 Jul 2004 12:30:35 -0400
Doesn't CTRL+ALT+BACKSPACE also just kill the X-Server so you would get a shell in the context of the user who started X?
Hope it is chrooted then, otherwise it presents a support problem. Just in case a person restarted X as root just to get it going.
Also, you should be able to disable the extra terminals to prevent subverting X.
Shirkdog -----Original Message----- From: fougerej () ientry com [mailto:fougerej () ientry com] Sent: Monday, July 19, 2004 10:02 AM To: security-basics () securityfocus com Subject: Re: Securing Linux based public access terminals Importance: Low You will also have to disable some keystrokes such as the alt-f1 alt-f2 (to access shells) otherwise all someone would have to do would be to alt-f1 (switch to the terminal X is running in) and ctrl-z (to suspend the active X session) and run commands as the logged in user. If that user is chrooted in an environment with only X and a browser that may not be a concern. I simply mention this because many don't know about the ctrl-z to suspend the X session (and that will circumvent any "lock the desktop" functions you may be using) Brett Anderson wrote:
You can achieve this using the ratpoison window manager (http://ratpoison.sourceforge.net) and having your application start when X does. ratpoison runs apps full screen with no window decorations. You can easily modify the source to not allow the key combination that allows users to spawn new programs. Then setup iptables rules to only allow the users access to the gateway or web proxy. You may also want to lock down the virtual terminals by removing the getty lines from /etc/inittab to prevent text logins. If you choose to use RedHat 9 you can get security updates via apt-get or yum through the Fedora Legacy Project (http://www.fedoralegacy.org). Hope this helps. Brett On Thu, 2004-07-15 at 07:48, Andrew Shore wrote:Hi I have a project where I need to give access to the internet to groups of users who do not work for the company running the workstations. Hence, the company do not want the users to access any other part of the network. For reasons too complicated to go into here I can't hive this portion of the network off onto a DMZ or even a secure vlan. What I would like to is run a Linux workstation (RedHat probably 9 even though it's out of support) but when the user logs into the windows session all they get is the browser. No menus no right click on the desk top just a basic single application "dumb terminal". I've seen this done before but it was too well secured for me to see how it was done! Also I'd like to the workstation to log straight in as a local user with out user intervention. Any ideas how I can achieve this or perhaps secure it in another way, I remember with windows 3.x you could change the windows manager settings in win.ini and it did exactly what I want. I just really don't want to use Windows 3.1 ;) TIA Andy ---------------------------------------------------------------------------Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html-------------------------------------------------------------------------------------------------------------------------------------------------------Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html----------------------------------------------------------------------------
--------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-fieldpen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ---------------------------------------------------------------------------- _________________________________________________________________Dont just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/
---------------------------------------------------------------------------Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Current thread:
- Re: Securing Linux based public access terminals, (continued)
- Re: Securing Linux based public access terminals Jay Fougere (Jul 22)
- Re: Securing Linux based public access terminals mr.happy (Jul 19)
- Re: Securing Linux based public access terminals Brett Anderson (Jul 20)
- RE: Securing Linux based public access terminals Rocky Heckman (Jul 21)
- RE: Securing Linux based public access terminals Brett Anderson (Jul 21)
- RE: Securing Linux based public access terminals Rocky Heckman (Jul 21)
- Re: Securing Linux based public access terminals Brett Anderson (Jul 20)
- Re: Securing Linux based public access terminals Jordan Cole (stilist) (Jul 19)
- Re: Securing Linux based public access terminals Ansgar -59cobalt- Wiechers (Jul 21)