RE: Securing Linux based public access terminals

["M Shirk" <shirkdog_linux () hotmail com>]

Doesn't CTRL+ALT+BACKSPACE also just kill the X-Server so you would get a 
shell in the context of the user who started X?

Hope it is chrooted then, otherwise it presents a support problem. Just in 
case a person restarted X as root just to get it going.

Also, you should be able to disable the extra terminals to prevent 
subverting X.

Shirkdog

-----Original Message-----
From: fougerej () ientry com [mailto:fougerej () ientry com]
Sent: Monday, July 19, 2004 10:02 AM
To: security-basics () securityfocus com
Subject: Re: Securing Linux based public access terminals
Importance: Low


You will also have to disable some keystrokes such as the alt-f1 alt-f2
(to access shells) otherwise all someone would have to do would be to
alt-f1 (switch to the terminal X is running in) and ctrl-z (to suspend
the active X session) and run commands as the logged in user. If that
user is chrooted in an environment with only X and a browser that may
not be a concern. I simply mention this because many don't know about
the ctrl-z to suspend the X session (and that will circumvent any "lock
the desktop" functions you may be using)

Brett Anderson wrote:

> You can achieve this using the ratpoison window manager
> (http://ratpoison.sourceforge.net) and having your application start
> when X does. ratpoison runs apps full screen with no window decorations.
> You can easily modify the source to not allow the key combination that
> allows users to spawn new programs.
>
> Then setup iptables rules to only allow the users access to the gateway
> or web proxy.
>
> You may also want to lock down the virtual terminals by removing the
> getty lines from /etc/inittab to prevent text logins.
>
> If you choose to use RedHat 9 you can get security updates via apt-get
> or yum through the Fedora Legacy Project (http://www.fedoralegacy.org).
>
> Hope this helps.
>
> Brett
>
> On Thu, 2004-07-15 at 07:48, Andrew Shore wrote:
>
>
> > Hi
> >
> > I have a project where I need to give access to the internet to groups
> > of users who do not work for the company running the workstations.
> > Hence, the company do not want the users to access any other part of the
> > network. For reasons too complicated to go into here I can't hive this
> > portion of the network off onto a DMZ or even a secure vlan.
> >
> > What I would like to is run a Linux workstation (RedHat probably 9 even
> > though it's out of support) but when the user logs into the windows
> > session all they get is the browser. No menus no right click on the desk
> > top just a basic single application "dumb terminal". I've seen this done
> > before but it was too well secured for me to see how it was done! Also
> > I'd like to the workstation to log straight in as a local user with out
> > user intervention.
> >
> > Any ideas how I can achieve this or perhaps secure it in another way, I
> > remember with windows 3.x you could change the windows manager settings
> > in win.ini and it did exactly what I want. I just really don't want to
> > use Windows 3.1 ;)
> >
> > TIA
> >
> > Andy
> >
> >
> > ---------------------------------------------------------------------------
> > Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> > any course! All of our class sizes are guaranteed to be 10 students or 
> > less to facilitate one-on-one interaction with one of our expert 
> > instructors. Attend a course taught by an expert instructor with years of 
> > in-the-field pen testing experience in our state of the art hacking lab. 
> > Master the skills of an Ethical Hacker to better assess the security of 
> > your organization. Visit us at: 
> > http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> > ----------------------------------------------------------------------------
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field 
> pen testing experience in our state of the art hacking lab. Master the 
> skills of an Ethical Hacker to better assess the security of your 
> organization. Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the 
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

_________________________________________________________________
Don’t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------