Linux and Public Access Computing?

An Anonymous Coward asks: "The Seattle Community Technology Alliance is a non profit, federally funded, public/private project that supports community technology centers in the Seattle area. We are interested in moving our public workstations from Win 2000 to Linux. In order to do this, we need good multi-lingual options and the abiltiy to create 'guest accounts' that prevent users from changing settings (to provide a consistent environment for users). What are the best tools for multi-user Linux labs? Should we use KDE? Gnome? How do we keep users from changing settings? We are eager to start experimenting, but would appreciate expert advice on starting points!"

My advice?

[viper21]

1. Downlode Gnome. Download KDE.

2. RTFM.

3. Rinse, Repeat.

-S

Re:My advice?

[CrosseyedPainless]

And to think, people dare to say Linux users aren't helpful and friendly!

Re:My advice?

[sys$manager]

4. Profit!

Re:My advice?

Troll. Take your hand off your stick and be nice, ok?

Re:My advice?

Yeah, right. That WAS my point. Obviously it was way over the head of my moderating breathren.

Re:My advice?

Open Source doesn't come with profit. It comes with a low fat, low compensation alternative, Karma!

Re:My advice?

[Louis_Wu]

And I just used up my mod points!!

But, where are the underpants. We must have underpants.

Re:My advice?

[aao-brad]

People wonder why Linux is looked upon as more of a geek OS rather than a user-friendly OS. This is reason number one... people such as yourself being asinine when others interested in Linux ask for help.

Re:My advice?

NO. Get it right. It's:

4. ???
5. Profit!

Re:My advice?

shuddup fool! RTFM!

Re:My advice?

[Falconpro10k]

Well, id say do something even better, run half with gnome, half with KDE... this way you have the best of both worlds.. Linux is alot easier to administrate whan windows, it is also alot more secure

Re:My advice?

Then, I'll point it easier, since I find the question is a valid one. I'm a linux advocate if anyone is, still I have not a valid answer to this question.
Then, I'll rewrite:
I think the "poledit way" to control final user environment is quite a productive one. For those of you that know the "poledit way" and are Linux knowledgeable admins, is there a way to acomplish what the "poledit way" does?
1/ Fool-proof freeze the user environment to a known one
2/ Centralized configuration procedures
3/ Fine-grained control about what can be done and what can't (both at the level app and about personalizing the environment)
4/ Group-based policies for all of the above

Please notize I'm not trying to tell Microsoft is good at those points (nor that they are bad at it. It simply *is not* the point: I'm talking about Linux). I'm simply asking for how *detailled, please* can I get those points effectively acomplished on a Linux environment (command line and window/desktop manager levels if possible).

LINUX

I LOVE THE IDEA. My library should do this tooo!

No

[SpanishInquisition]

Anybody can reboot in single user mode and get root access so I guess Linux is out of the question for that kind of application.

Re:No

[dmp123]

I hope that's 'funny'. You don't HAVE to make it possible to boot into single user mode, you know! Set a bios password and disable booting from floppy/cdrom, and set a grub password to stop people passing kernel params ie init=/bin/bash. Done! David

Re:No

[dacarr]

Not necessarily. Any time I do init 1, unless I'm root to begin with, my machine prompts me for a password. (Running Mandrake 8.2; YMMV.)

Re:No

[bonez_net11]

That's not true. You can compile kernels that don't allow the booting of single user mode, and there are many other ways to lock down *NIX OSes.

Re:No

er, no.
#1 - Read the lilo docs.
#2 - Being a Library, I'm sure they already know how to disable floppy boots.
#3 - ....
#4 - Profit!
Ciao.

Er

Re:No

Yes, BUT . . .

You can lock down single-user mode with LILO or GRUB by requiring a password. Some BIOSes let you lock down the floppy drive too, and you can tell the boot sequence to ignore the CD-ROM and the floppy drive. That will lock the workstation down pretty effectively.

Re:No

[13Echo]

Here are some hints...

Securing your box.

Now, secure your box... And please stop trolling.

Re:No

[mpe]

Some BIOSes let you lock down the floppy drive too,

Even if they don't reconnect the FDD as /dev/fd1 and it cannot be booted from at all.

Re:No

[ModernGeek]

Most public access machines are locked where you can't get to the CPU, and control alt backspace, etc are normally disabled.

Changing settings?

[Hayzeus]

Its a unix security model -- just don't put the user accounts into groups that might be able to do anything unpleasant or unwanted. This is pretty standard stuff, no?

Here's a question:

[fudgefactor7]

Why do you feel you need to change from Win2000 to Linux? If W2K works then why go through the hassle? If it isn't working, chances are you don't have the systems locked down enough--do some research and you can lock them down really tight. So, the question remains, for what reasons are you doing this, or are you just a glutton for punishment?

Re:Here's a question:

[Alethes]

Do you not read the myriad horror stories posted on here about Microsoft extorting schools and other public organizations for expensive license fees?

Is the troll well fed, now?

Re:Here's a question:

Perhaps there's $$$ involved. Duh.

There's a slew of free quality software available for Linux. There's a slew of PAY-OR-GET-SUED software available for Microsoft. I know which way I'd rather have it.

Re:Here's a question:

[fudgefactor7]

Yup, I read those. And you know what? MS does that behavior to everyone, it's not just the schools or other public organizations, it's how they do business. It is, after all, their product(s) and they can license them under whatever terms they want (even if those terms suck donkey). The problem I have is that I have seen and read stories of how some organization left Windows beacuse of the predatory nature of MS, went to Linux-land, and then had to go back to Windows because their stuff just wouldn't work unless it was Windows; I've also seen where the same happens because some tech-happy IT guy (or gal) decided to roll-out Linux (to either save money or to "stick it to the man") then to have the CEO/CIO slap their wrists and force Windows back, creating double the work for no freaking reason.

To go to Linux is fine, but it has to be a GOOD REASON, and you have to understand who will be using those machines. Is it an IT person? A student? A grandmother in her mid eighties? The level of knowledge and comfort is key here, especially with a public organization like a library. Go too far off in one direction and you can and do lose the core market.

Like I asked: reasoning.

Oh, and calling me a troll only makes you look like a dork. Grow up.

Re:Here's a question:

[NineNine]

Last I checked, W2K can be bought with a one time licensing fee. IF this group has already paid for the copies, then why throw all of that away? Too much free time? For the hell of it? On the other hand, maybe they don't own the licenses...

Re:Here's a question:

[fudgefactor7]

The $$$ is not the only cost of software, there is such a thing as "intangibles" in the TCO, and in certain circumstances that makes Windows, even with its pricing the way it is, more of a cost savings than to roll-out a "free" OS.

"Pay-pr-get-sued" software? You mean the standard retail go-buy-and-use rather than the pirate-and-go-to-jail line? Free is good, but often you get what you pay for.

Re:Here's a question:

[fudgefactor7]

Yup. Piracy *could* be a real good reason to switch (also known as "go legal")... I sure hope that's not the situation. If they have those Win2K licenses just sitting around then they lose money on those unless they sell them.... and MS' EULA has interesting things/requirements for that.

Re:Here's a question:

[Bat_Masterson]

Think cost/benefit. If the cost of the licensing fee for W2K outweighs the costs of switching to Linux, then there is a benefit in switching. Often, that choice is made by the bean counters.

Re:Here's a question:

[Marx_Mrvelous]

It's easy to spot a trolling post, especially when they have a whole tirade explaining why a group wouldn't want Windows machines, and then suggests that they aren't moving to Linux for a good reason :)

A non-trolling post would have actually tried to answer the question of the post, what's a good environment, not posed an off-topic, inflammatory comment.

Re:Here's a question:

[sqlrob]

You're a little behind.

Ballmer already admitted the TCO of linux is less than the TCO of Win

Re:Here's a question:

[N3WBI3]

Yes but if they need to set up any servers (terminal/domain) anything that required win2k advanced, thats not a one time license, and neith is it a one time for the clients to be allowed to use it.

Re:Here's a question:

[Marx_Mrvelous]

Quick FYI, studies (and lots of practical experience) point that TCO of Linux is significantly lower than Windows, especially in this situation where man-hours cost very little compared to software and hardware costs.

Re:Here's a question:

[Alethes]

I will apologize for the name calling, however, it's difficult for me to see how any knowledgable person can encourage a group to stay with a company that has been _convicted_ of monopolizing the software industry, lies to schools about the legality of changing the OS on their donated computers, and treats security as an afterthought -- all of which would be detrimental to a group providing a public service.

Another point I'd like to add, is that public comfort is hardly the priority in such a service. I would think comfort would take a backseat to economics, or more importantly education. I can't think of a better place to implement Linux on a large scale than as a public service where the data is not mission critical to the users, and where the users are less likely to be trained Windows users.

Re:Here's a question:

[fudgefactor7]

"I would think comfort would take a backseat to economics," one could make that argument, but with a public endeavor, like a library or some such, the public is the targeted market. Alienate them and lose everything. Windows is prevalent, it's how it is in the marketplace, and the end user is the marketplace and the money goes to wherever the people are and where they're at. Comfort, for them, is paramount.

Re:Here's a question:

Why do you feel the need to know when someone wants to change to linux? That was not the question. The question was about security and not license.

Re:Here's a question:

[teeth]

"To go to Linux is fine, but it has to be a GOOD REASON, and you have to understand who will be using those machines. Is it an IT person? A student? A grandmother in her mid eighties? The level of knowledge and comfort is key here, especially with a public organization like a library. Go too far off in one direction and you can and do lose the core market."

OK, good reason: Galeon with tabs.

Set galeon as the controlling proc. on the X session and have it start with a default set of tabs - not a home page, a home session - the top one is a custom welcome/help page which points you at the tabs preloaded with hotmail, yahoo, google and the like. Galeon dies, so does the session and with a login shell of /bin/false nothing else will fly...

Trusted users (like the ones you give the expensive paper books to) can apply for accounts with more privilege, perhaps conditional on taking a corse/test.

Re:Here's a question:

Indeed you do. Look at all the free stuff you get from MS:

WMP
IE
regedit ....

Re:Here's a question:

[sqlrob]

Flamebait?

MS admitting that Linux is cheaper in the long run (and yes, it's on their site. It was also a /. article) is flamebait?

Did Gates become a moderator or something? Possible with all the VS.NET ads I'm seeing plastered here.

Re:Here's a question:

[Beige]

Presumably they have already paid for the W2K licenses, so W2K will effectively be free for them to use from now on (unless theirs is a per-seat licensing or licensed over time, but this is covered below). If they were to switch to Linux they still won't have to pay any more money for the OS, since it is free. The money they have paid for W2K is gone no matter which path they choose. The decision hinges on how much they pay to move to linux. If they stay with MS, they will have to continue paying for a potentially limitless number of newer versions of Windows in future (and any per-seat fees etc.). Assuming general maintenance and development costs are the same for both OSes (quite an assumption I know, but opinion is very much divided on the subject and it is hard to say for sure which is likely to be cheaper) then the question is 'will the cost of all future Windows licensing fees be greater than the cost of changing over to linux now?' I say 'now' because presumably their system will be become larger and more complex over time, and the more it will cost to change it to linux in future. If the answer to the question is 'yes, the windows fees will cost more' then they should switch over now.

Funding ...

[rizzo]

How does one go about getting federally funded for something like this. I _dream_ of doing something like this for my sleepy town.

Don't make me give money to Matthew "The Riddler" Lesko.

Re:Funding ...

[mrgrey]

Funding? Linux is free!

Re:Funding ...

[forkboy]

And yet hardware and time are not.

Re:Funding ...

Im your solution, just hire med and think no more about this. You will recieve a highly customized, secured linux , with warranty.

gshire@reactor-core.org

Re:Funding ...

[rizzo]

Give your poor punctuation and spelling, I find it hard to resist your commands.

Re:Funding ...

[stephanruby]

How does one go about getting federally funded for something like this. I _dream_ of doing something like this for my sleepy town.

First off, don't just limit yourself to Federal funds. There are thousands of foundations out there, go after all of them. There are also thousands of companies who allocate a certain portion of their inventories for product giveaways, so go after all the companies that could provide you something of value.

BSD

[bsDaemon]

Use FreeBSD. Run the guest sessions in a jail. And don't give them ownership of their own home dir, either. that'll fix them right good. and use windowmaker.

Re:BSD

FreeBSD is dead it has no future.
FreeBSD is sloooooowwwwww..it has no speed
FreeBSD is 2d it has not 3d
FreeBSD is dead

Re:BSD

No. I won't touch it. It's dead.

Re:BSD

Having used FBSD + WindowMaker for over 1 year now, I found it to be a very intuitive and productive work environment. The whole windowmaker interface is simply genious. A welcome change from the boring taskbar.

And when I need to install something, or upgrade, the ports collection gives me a hassle free way of keeping the system up to date. cvsup also helps alot, by keeping the ports up to date.

I also have a lot of comfort that FreeBSD is a very organized and coordinated OS. Take a look at the new version of the fbsd hanbook (http://www.freebsd.org/handbook). It has saved me lots of time when it came to finding out how to use the system, and also how to keep it up to date over time.

Personally, I'm looking forward to the 5.0 release of FreeBSD in November.

Please don't misrepresent things you know nothing about.

You're gonna get a flood of answers

[FreeLinux]

But these are EASY questions.

Choose any of the larger distributions you wish. Red Hat, Suse, whatever.

Use KDE. Windows users freeze the second they see Gnome.

Guest accounts and multiuser environments are what Linux is all about.

As far as locking down the desktop, Linux and KDE are infinitely configurable so this won't be a problem. Alternatively, if you are just using guest accounts, let them change what they want then have the logout script clean out their home directory. That way every time a new guest logs in, It's a brand new desktop.

Re:You're gonna get a flood of answers

[Jucius+Maximus]

Also, for multi-language support, see a previous ask-slashdot for a (chinese-language-centred) answer: http://ask.slashdot.org/article.pl?sid=02/07/06/18 50205&mode=flat&tid=106

Re:You're gonna get a flood of answers

[ywwg]

"Windows users freeze the second they see Gnome"

Good thing there's no partisanship here! KDE and GNOME are both fine interfaces. kde has always been slightly ahead of GNOME, and has a more consistant user interface. I use GNOME because I always have, and the range of apps seems larger. It's really a judgement call.

Gnome at least has language selection in its logon screen, kde might have something similar.

Re:You're gonna get a flood of answers

[GigsVT]

What does the range of apps have to do with anything? It's not like you can't run the apps without the desktop they were written for running.

Re:You're gonna get a flood of answers

[peter_gzowski]

Use KDE. Windows users freeze the second they see Gnome.

I think you mean that Gnome freezes when it sees Windows users.

As far as locking down the desktop, Linux and KDE are infinitely configurable so this won't be a problem.

Hmmm... I would say that Linux and KDE are infinitely configurable, so this IS a problem, as far as locking down a desktop. Setting it up to clean out their home directory would be an option, as long as it would only clean out appropriate files, but I would say that somehow preventing a user from changing the desktop would be a better option. I haven't used KDE or Gnome a lot (I prefer FVWM, now THAT's infinitely configurable), but I'm assuming that all the control-panel-like things they have are just frontends to some .kderc file or something, right? Can't you just lock down that file?

Re:You're gonna get a flood of answers

[JWW]

Heck, I use Gnome apps (most notably Nautilus) under KDE. Its a real bear to get the themes looking the same, but the ones I'm using are pretty close.

It really comes down to what apps you want to run and how you want to present them. With a very locked down end user environment I might lean more towards using Gnome, as it is my perception that locking down the configuration would be easier. However, that's only my perception I haven't tried it yet.

Re:You're gonna get a flood of answers

[dasunt]

About the logout script. Just make sure you can read the SKEL files. Then make that logout script owned by someone other then the guest user, and make it read only by others.

I've always thought, if I was going to setup computers in a public area (such as a library), I'd easily go Linux over Windows. With windows, you either have to grab the most PITA programs to lock down a desktop (and break half the other things running), or you find the worst junk installed on it. Speaking of which, find an open source AIM/ICQ/MSN/whatever client. Under linux, you should be able to throw together a pretty TK/perl script to setup accounts. I've noticed many users love their IM. And, since the accounts are supposed to be wiped at each logout, everything is good.

Just my $.02

Re:You're gonna get a flood of answers

[Sunnan]

I'd suggest using one of the bare-bones windowmanagers like blackbox. Take apps from kde, gnome or both (configure them to look the same, there are some themes that are available for both, like the next-clones and notif/motif.).

Re:You're gonna get a flood of answers

yeah just don't allow them to modify thier local one and they will always get the default

Re:You're gonna get a flood of answers

[N3WBI3]

The AIM idea is a good one, that would make many users fell 'at home'...

Re:You're gonna get a flood of answers

I use GNOME because I always have, and the range of apps seems larger.

well, you're not the one that'll be using this lab so no one really gives a crap *what* window manager you prefer. It boils down to what's best for the average user, and the answer to that is KDE.

Re:You're gonna get a flood of answers

[uchian]

KDE has, or at least is gaining a Kiosk-mode, which allows you to lock down the ability, for example, to change the wallpaper background, or the icons on the panel, control panel and other "dangerous" areas when putting a computer in a public place.

I haven't checked on it's progress but that is probably the kind of area that you are looking for.

Re:You're gonna get a flood of answers

... and if a windows user said "I use Windows because I always have, and the range of apps seems larger", I wonder what your response would have been :P

Re:You're gonna get a flood of answers

[7-Vodka]

I do not think the word slightly means what you think it means.

Re:You're gonna get a flood of answers

[cos(0)]

Yes, the Kiosk mode is slated to become available in KDE 3.1.

Still on the TODO list:
- Create framework to effectivly "disable" certain features. Think kiosk-mode, think "don't allow user to select custom wallpapers in public places", Waldo Bastian

Re:You're gonna get a flood of answers

Heck, I use Gnome apps (most notably Nautilus) under KDE. Its a real bear to get the themes looking the same, but the ones I'm using are pretty close.

Jesus fucking Christ. You do realise that by running Nautilus you are using GNOME almost completely - all the libs and bonobo components. YOU ARE NOT A KDE USER.

Besides, I'm getting pretty sick of the "KDE is a bit ahead meme"... KDE is light years behind in the basics... it's just that the KDE developers spent a lot of time on trivial pleb-pleasing shit like alpha blended menus - while the GNOMERs built i18n, accessiblity, global configuration and a proper component system.

easy answer

[wirzcat]

Linux Terminal Server Project. A fresh and standard config on any client is only a reboot away.

Re:easy answer

Yuck. Then you have to reboot each time a guest user logs out. Nah, just set up a script to scrub down the home directory and copy in defaults each time a guest user logs in.

Re:easy answer

Run those same scripts with LTSP.
Its awesome.
I love the new totally quiet clients. NO FANS.
NO moving parts.

Re:easy answer

I agree, we have an office full of NT workstations, and a linux firewall, fileserver/webserver(intranet), all problems we have with computers seem to be related to windows. Use LTSP with netraverse server to provide windows applications.

check the howto

[SkipFrizzell]

http://www.linux.org/docs/ldp/howto/Kiosk-HOWTO. html

I would start here.

-=Skip

Re:check the howto

[sdmartin101]

Oops. There's a space between the 'dot' and the 'html' in the URL here which browsers will encode as %20. Here it is again, w/o the space: http://www.linux.org/docs/ldp/howto/Kiosk-HOWTO.ht ml.

Re:check the howto

[LedZeplin]

I've setup the Linux Kiosk Project.

Granted it's limited to web browsing, but it's a start

It uses a modified TWM as the window manager and XUL modified Mozilla as the browser.

Can I ask why?

[GoatPigSheep]

Why would you switch from windows2000. Windows2000 is a pretty recent OS and obviously you already have your licencing costs paid for. What would be the point in changing over a system that is already relatively up to date. If you were using win 3.1 or even win95 I could understand but I don't see why you would switch from a recent and generally (despite what linux zealots say) solid OS.

Personally I could say that switching a bunch of computers that are already up to date as a SERIOUS waste of taxpayers money. Switch those systems in 4 or 5 years when you really need to. Then you can think about using linux.

Re:Can I ask why?

[dacarr]

Think of it though, GPS. They're in Seattle. It's an interesting way for the government to effectively snub Microsoft.

You're right in that switching at this point is a waste of resource, at any rate, but what a way to give them the finger! =)

Re:Can I ask why?

They're all a bunch of Slashbots. It's the only explanation.

Re:Can I ask why?

[GoatPigSheep]

I agree, and I have no problems with linux.. but I don't see the point in upgrading software when it's already up to date... These people didn't snuff microsoft anyway since they already use their software (and I doubt they would have upgraded from win2k to winXP or whatever any time soon anyway)

Hell, just to make a point, at my school, the public access computers use WIN98! The workstations use win2k. There are also a few linux boxes in the comp sci department as well as macs for those who need them.

Re:Can I ask why?

[metoc]

Someone should also do a proper analysis of the problem at hand. So far the statement has been made that they want to switch from Windows 2000 to Linux, and need multilingual support, and the ability to to keep guest users from changing settings? So far haven't seen anything about needing to browse the web, printing, using spreadsheets? Anyway the answer is black.

Re:Can I ask why?

[pjt48108]

Ummm.. Perhaps they need to expand their services without adding to their operating costs, such as through licen$ing or increased administration costs.

Just a couple thoughts. String 'em together and maybe they're worth somethin.

Re:Can I ask why?

[TheConfusedOne]

I think the first issue is the cost of keeping those machines up to date.

The second is what the machines are supposed to be doing. If it's just surfing the web, emails, and basic word processing then you should be able to do this much cheaper than paying the annual MS tax.

A terminal server like setup would allow you to use cheaper boxes at the front. (Maybe you could put out 10 more boxes with the savings in hardware and software.)

Finally, it'll discourage the script kiddies. When Joe Jr. goes to logon and use his floppy disk with the latest priviledge elevating holes in Windows they'll be stuck at step one.

The best approach would be to figure out how to set up the new boxes and use them whenever you replace/rebuild a system. (You could probably create a pretty nice computer center with a server grade box and 10-20 PII class machines acting as terminals.)

Re:Can I ask why?

well I see nothing wrong with bringing up the issue that the whole switch over seems to be a pointless endeaver anyway... Windows2000 is just fine for public access computers. Switching to linux would simply halt productivity for a while as people are confused that the computer environment changed.... (not just an OS changeover, but a browser one. Most people are used to using IE, switching to linux would also force them to switch browsers, slowing down productivity for a while.

Re:Can I ask why?

[hazem]

Maybe they want to get switched over to Linux before Win2k is no longer supported and they end up forced to make the next upgrade. If they move to Linux, they can still make the next upgrade, but it will cost them very little.

It would be great to find that they're switching to Linux due to long-term thinking!

Re:Can I ask why?

yes they paid for the licenses, for this year. how about next year, the year after, etc.

and maybe they dont want to pay that new licensing scheme?

Re:Can I ask why?

[Osty]

I think the first issue is the cost of keeping those machines up to date.

Did you not read what the original poster said? It wasn't "Why switch?", but "Why switch now?" If the library is already running Win2K, then they have

• Paid-for licenses, and
• Beefy enough hardware for it.

Given that, switching now is a waste of money (even if the switch costs $0, they've still wasted money on Win2K licenses). It serves no purpose but to promote a zealot agenda, and as a Seattle taxpayer, I would prefer my money be spent on better things.

The second is what the machines are supposed to be doing. If it's just surfing the web, emails, and basic word processing then you should be able to do this much cheaper than paying the annual MS tax.

I don't know where you work, but unless you're paying for a yearly service contract, you're not paying yearly for your license (some LORGs may have special licensing deals with MSFT that require yearly payments, but most businesses aren't LORGs), and especially not with Win2K (whether or not this will change in the future will have no effect on already-purchased licenses, of course). So, unless you're doing funky accounting (amortizing the cost of Windows 2000 licenses across the expected lifetime of the OS, for example), you don't have a yearly "MS tax" to pay. The licenses are already purchased, nothing more needs to be paid.

A terminal server like setup would allow you to use cheaper boxes at the front. (Maybe you could put out 10 more boxes with the savings in hardware and software.)

Well, the hardware's already purchased it seems. However, if they wanted to go with thin clients, you can do that just as well with Windows, so since they already have the licenses ...

Finally, it'll discourage the script kiddies. When Joe Jr. goes to logon and use his floppy disk with the latest priviledge elevating holes in Windows they'll be stuck at step one.

Why even bother providing a floppy drive? Okay, so you change that to "When Joe Jr. goes to logon and use his CD-R with the latest priviledge elevating holes ..." Still, it doesn't matter. It's apparent that you're not a Windows sysadmin (not a dig, just the truth -- unix admins don't always make good nt admins, especially when they have preconceptions about how "terrible" windows is), or you would realize that the reason most people get into trouble with nt4/win2k/winxp is because they run as administrator 24/7. You wouldn't do that with root in unix, so why do it in Windows? Anyway, you can very effectively lock down Win2k, and as long as you stay on top of security patches, you'll be just as secure as linux (where the same applies -- lock down your users and stay on top of security patches).

Re:Can I ask why?

give me local access and unfettered access to the internet on a windows box, it will be rooted inside the minuite.

give me local access and unfettered access to the internet on a locked down *bsd box, it will require a custom hack from me to root it most likley.

Re:Can I ask why?

[Coward+the+Anonymous]

Why would they par for the licenses next year? You don't have to buy a new license for Win2K every year.

Re:Can I ask why?

[mpe]

Windows2000 is just fine for public access computers.

One of the requirements was that the system be multi-lingual. With Linux you can select language at login, even customise gdm/kdm to make this selection easy. AFAIK you can't do this with W2K, people would have to login and then change the language.

Re:Can I ask why?

[zennix]

Maybe they are tired of supporting Win2K? Who knows the reason for the switch, they did not provide much in the way of background. I think they are also barking up the wrong tree if they are asking this question on slashdot. Other things to consider would be removing setuid binaries (games especially fall into this category), mounting temp as noexec, and having a solid plan for security updates. Assuming they have their reasons, more power to them but the lack of a general idea as to where they will start with linux does not bode well in my mind.

Re:Can I ask why?

[SoSueMe]

How about security? Fewer Viruses? No Upgrade "Service" lisences (as of July 2002)?
Being "forced" to change from IE is a good thing, 'cept Hotmail might be a problem.
This is a Public Access site, productivity is not an issue.

Re:Can I ask why?

[indiigo]

W2K has multi-lungual capability:
http://www.cet.middlebury.edu/CETwebD ocs/resources /win2000Lang/win2000langInstall.html

We use it here for Korean, Spanish, and Japanese and it works great.

Re:Can I ask why?

[GreyPoopon]

We use it here for Korean, Spanish, and Japanese and it works great.

But does it let you change at login time? Or do you have to login first and then change?

Re:Can I ask why?

[N3WBI3]

the reason most people get into trouble with nt4/win2k/winxp is because they run as administrator 24/7. You wouldn't do that with root in unix, so why do it in Windows?

The most unix sysadmins would leave a box running as admin in windonws is because they are used to being able to install applications, reconfigure system properties, chage user info, run any application without logging out and back in.

Its only recently that you can do some of this on windows. I was a windows andmin whoswitched over to UNIX, and I love being able to work on any users box without having to log them out and than log myself in.

Re:Can I ask why?

[Fujisawa+Sensei]

Why would you switch from windows2000.

1. Maintence costs--man/hours.
2. No need to account for licenses--BSA Audits.
3. Security.
4. Anti-Virus software costs money.
5. Ever changing Microsoft Licenses.
6. TUX makes a great wallpaper

BSD would be even better than linux for the following reasons:

1. Maintence costs.
2. No need to account for licenses--BSA Audits.
3. Security.
4. Anti-Virus software costs money.
5. Ever changing Microsoft Licenses.
6. The Daemon makes an even better Wallpaper than TUX

Re:Can I ask why?

in windows, you can change your language at ANY time from an icon in the system tray, you don't even need to log off and on again

Re:Can I ask why?

[GreyPoopon]

in windows, you can change your language at ANY time from an icon in the system tray, you don't even need to log off and on again

That doesn't answer my question. You don't have a system tray at login time. It's much more convenient to be able to choose language as part of the login process. I'm also guessing that a properly locked down workstation in Windows won't let you change the language once you've logged in, as you shouldn't have the privilege to do that.

Re:Can I ask why?

[TheConfusedOne]

Actually I've been an admin for a large array of different boxes from WfWG 3.11 (fun with upper memory config) to most flavors of Unix.

My point on the ongoing costs is in line with your "as long as you stay on top of security patches." Keeping Windows boxes patched is getting more and more difficult. (I support the Windows boxes in our department. We're developers so we do really horrible evil nasty things to them.)

The fact is that Windows is a single-user platform. This means that administration is either done by walking to each box or by purchasing expensive remote access tools. Unix (and Linux) are multi-user, network aware OS's by nature. You can effect all kinds of changes either remotely or through scripts without having to purchase additional software.

I'm not advocating a wholesale "rip and replace". I think the better approach would be to create the new image and start transition the boxes as they die/go wonky.

For basic Internet tasks for the public you can create a much nicer (and cheaper) system using Linux.

Re:Can I ask why?

[Osty]

Its only recently that you can do some of this on windows. I was a windows andmin whoswitched over to UNIX, and I love being able to work on any users box without having to log them out and than log myself in.

Depends on what you mean by "some of this", because you've always (? NT4 is the oldest I've used, but I'm sure this was a core design principle for NT since the beginning) been able to setup non-admin users, and when running as a normal user you can use runas to run something as administrator (say, an installer), similar to su. With Terminal Server, you can have multiple sessions on a machine (only one active at the console, though). The point is, there are methods available to do these things in Windows, and they have been available in one form or another since at least NT4. They don't always map one-to-one with unix, but if you know where to look you can generally figure out how to do things you need.

Re:Can I ask why?

[N3WBI3]

With Terminal Server

Exactly youre talking about a 1000$ licence plus a huge fee per PC to connect...

Re:Can I ask why?

[Osty]

The fact is that Windows is a single-user platform.

No, no it's not. Let's be clear here -- we're discussing Windows 2000. You'd be correct if this discussion was about the Win9x line, but it's not and never was.

This means that administration is either done by walking to each box or by purchasing expensive remote access tools.

Wrong again. Microsoft Terminal Services comes with NT4 (server versions), Win2K (all versions), and Windows XP (all versions, though XP isn't a server OS). It will also be available in the upcoming Windows.NET. And it's free (well, there are some licensing issues you may need to work out, but you really only need to worry about that if you're trying to run thin clients. if you just need to remotely admin some machines, you should be fine without buying any special licenses). As well, WMI allows you to write scripts that can run on one machine and do work on another, so you don't even have to bother with a terminal server session.

Unix (and Linux) are multi-user, network aware OS's by nature.

As are Windows 2000 and Windows XP and the upcoming Windows.NET. (NT4 was network-aware as well, but not TCP/IP natively, so that's fine. However, it was still multi-user.)

You can effect all kinds of changes either remotely or through scripts without having to purchase additional software.

What additional software would this be? Because I can effect pretty much any changes I want with a bit of wscript code (vbscript, jscript, or perlscript, you choose) utilizing WMI and other COM interfaces. This is where most Unix admins get screwed up in Windows -- the automation model is different. In Unix, you typically either pipe commands together via shell script, or write some perl to munge things. In Windows, you have command script which is not quite as powerful as bash but suffices for many things, and you have the Windows Scripting Host. You can write code in vbscript, jscript, or perlscript (or if you want to get fancy, you can write your own dlls to support any language you wish). Rather than running small apps and messing with their stdout, you instead instantiate COM objects and work with those (You can do anything from accessing the filesystem to parsing XML to modifying user information and so on, given the proper privilege levels). In otherwords, Windows is just as scriptable as Unix, if not moreso, just in a completely different and alien way.

For basic Internet tasks for the public you can create a much nicer (and cheaper) system using Linux.

Perhaps, but I'm not arguing that, just as the original poster didn't. I'm arguing that they've already made the investment in Windows, they may as well get their money out of it for the next 3-4 years or so, at which point they might consider switching to Linux.

Re:Can I ask why?

[Osty]

Exactly youre talking about a 1000$ licence plus a huge fee per PC to connect...

You're confusing the old NT 4 Terminal Server edition with the product Terminal Server. Terminal Server (the product) is distributed with all versions of Windows 2000 and Windows XP, and unless you're making multiple connections to the machine (or making more connections than you have licenses for your server version), you don't need to worry about licensing issues. If you're doing thin-client computing, then sure, that's something you need to worry about. For remote administration, I think you'll find that the functionality provided by Terminal Services without any extra licenses is "good enough".

Re:Can I ask why?

[justsomebody]

They probably don't have server versions. And only remote administration is free, Client license not.

Renew your license costs before you lecture others.
That theme has been discused too many times on /.

Re:Can I ask why?

[Osty]

They probably don't have server versions. And only remote administration is free, Client license not.

As of Win2K, TS has been provided in all versions of NT, not just the server versions. And how am I wrong when you say yourself that "only remote administration is free"? With Pro, you're allowed at least one (probably no more than one, either) remote connection, which is "good enough" to remotely administer the box. With the server versions, you generally get some number of licenses (5, 10, 15, check your license) by default. So, like I said, unless you're doing thin-client computing, you generally don't need to worry about licensing costs.

Re:Can I ask why?

[swv3752]

Win2k may be multiuser, but the multiuser model in windows is not as fine grained as *nix. And for practical purposes, it is more like almost multiuser. Most apps are still written expecting to be Admin, and most preinstalls are setup this way. Multiuser on the NT series is a poor imitation of what is on *nix.

Terminal services is not that great. I deal with this every day. It sucks. And the legal hassels...

Scripting can be powerful on Windows, but it is not easy. On Linux, it is easy and powerful. Especially for someone who comes from being a non programmer.

And lastly there is one great reason to migrate now. It is easier to migrate today than it will be tomorrow. And today, if you update to the latest service pack, you are granting Microsoft admin rights to your computer. Where is Microsoft taking you tomorrow?

Re:Can I ask why?

[Ironica]

"Anyway, you can very effectively lock down Win2k..."

You can lock down Win2k. "Effectively" is a subjective term, however; in my (admittedly somewhat shallow) experience, in order to lock truly useful stuff, you end up crippling the user in unforseen ways. (For example, to prevent folks from installing software, it turned out we also prevented them from installing fonts. There didn't appear to be any way to give them permission to load fonts without opening up the system more.)

At any rate, the question at hand is not "Why?" but "How?" The poster didn't ask *if* they should do this, but how to go about it. There may be many reasons, not the least of which is, especially if you work in the public sector, starting the process for upgrading *now* is a good thing to do, even if you aren't planning on actually doing it for two or three or four more years. (Side note: given that MS officially dropped support for Win98 in 2001, and that WinXP can be substituted for most Win2k functions, I don't think it's a safe bet to count on Win2k support for more than another year or so.) Also, it's possible that they got Win2k relatively recently, but that their hardware is outdated... and the costs of upgrading the hardware to run it "properly" made them look at other options.

Re:Can I ask why?

[GammaStorm]

Actually with server you get 2 with the server install of W2K. Additional licenses come in at a minimum of 5 @ about $70 a pop for regular buyers but they're dirt cheap for academic institutions.

But you are correct, fine sir, with W2K you get remote admin through terminal services for the initial cost. One other point is that W2K Terminal Server as a product is not accurate, its actually the licensing mode on a regular or advanced server that designates it as either remote administration or application server.

Re:Can I ask why?

[sphealey]

If you were using win 3.1 or even win95 I could understand but I don't see why you would switch from a recent and generally (despite what linux zealots say) solid OS.

Because Microsoft has already EOL'd (End of Life) Windows 2000. And under Licensing 6.0, there is no longer an upgrade path for Open License (less than 250 workstations) sites. So to maintain support and patches (including those somewhat important security patches) you will be forced to upgrade to XP fairly soon (I would guess 12 months after XP Server {whatever it is being called this week} is finally released). Under the new licensing terms that will put a real squeeze on the wallet.

sPh

Re:Can I ask why?

give me access to your mom, and she'll be smoking my cock within 23 seconds. Guaranteed.

You're SO 3l33t!

Re:Can I ask why?

[mithras+the+prophet]

Does that Windows tray menu change the actual language used by the system, or just the keyboard map / text entry system? Incidentally, here in Mac OS X-land, you can select any of 14 languages, not just for the keyboard, but for the user interface. All Apple-supplied applications, and many 3rd-party applications, will subsequently launch in your preferred language. Admittedly, you have to relaunch an application (or log out) before it will use your language. But it's still pretty nifty. And I also confess that you have to open System Preferences and drag your language to the top of a list to enable it. (The keyboard layout is switchable from a menu item, like the Windows item you describe.)

Re:Can I ask why?

[Osty]

Win2k may be multiuser, but the multiuser model in windows is not as fine grained as *nix.

Can you define what you mean here? For example, Win2K (and all NT-based Windows) have a very fine-grained ACL system that allows you to provide different levels of access to different users and groups of users. While this is changing in Linux with new filesystems like XFS, ext2fs (and I would assume by extension ext3, though I've not used it and I don't know what ACL system has been bodged on) has no real ACL system. You're left with just the standard unix permission system (user, group, other), which is anything but fine-grained. If you're talking about concurrent users, then you have more of a point, though XP has changed this by allowing more than one user to be logged on at the console (research Fast User Switching), and with the use of Terminal Services you can have as many sessions as you're willing to pay for (Microsoft is a business, so don't complain when they try to make money. Complain about other things, because I'm sure you can find a lot).

Most apps are still written expecting to be Admin, and most preinstalls are setup this way.

In this you are correct, though all Microsoft apps work properly these days, and to get certified for the XP logo, third-party apps have to support Fast User Switching (ie, be able to allow multiple users running the app at the same time). Sure, you may still need to be administrator to install software, but how is that any different than unix? (okay, sure, you can install software under $HOME, but in general most people will just become root and install software that way.) Yes, this is something that needs work, but it's being worked on. It's not a shortcoming of Windows so much as it's a shortcoming of having to support 15 years of legacy apps.

Scripting can be powerful on Windows, but it is not easy. On Linux, it is easy and powerful. Especially for someone who comes from being a non programmer.

"Easy" is relative. What may be easy to you, because you're a unix user, may not seem easy to someone else, and vice versa. A good test is to ask a unix admin to script some commonly-used task (say, resetting a bunch of user passwords) on a Windows system, and ask a windows admin to do the same on a unix system. Your Unix admin will be stumped because he doesn't know that he needs to use a certain COM object in some vbscript or jscript code, and your Windows admin will be stumped because he doesn't think to just script up passwd or write a tiny bit of perl or whatever. As far as being a non programmer, well, many so-called "non programmers" have actually written javascript for a website, and if they know javascript, then they can pick up WSH jscript. For a true "non programmer", both approaches are non-intuitive and will take work to learn, but c'est la vie.

And lastly there is one great reason to migrate now. It is easier to migrate today than it will be tomorrow.

I disagree. As long as people are interested in migrating, the distro developers will continue to work on migration stories so that it will actually be easier to migrate tomorrow rather than today. I'd venture to guess that you're talking about people getting locked into Windows software, but I'd be willing to bet that these people already are in the sense that they know how to use Windows, Office, etc. Therefore, switching today or tomorrow doesn't really matter, because you're still going to have to retrain. Switching tomorrow allows you to get another day out of the licenses you've already paid for, so you may as well do that. When you next need to upgrade, then consider the options. (you're not going to trade up the car you got last month because fuel cells just became efficient, reliable, and robust (making up an example) and cars using them have all the features of a combustible engined car. you're going to wait a couple years to get the most utility out of the car you just purchased, and then think about getting that alternatively fueled car when you're ready for a new one. <gratuitous>unless you're a hippy, of course.</gratuitous>).

And today, if you update to the latest service pack, you are granting Microsoft admin rights to your computer.

FUD, and not worth a response.

Re:Can I ask why?

[Osty]

One other point is that W2K Terminal Server as a product is not accurate

I never said it was. I said there was such a product for NT4 back in the day. Win2K has Pro, Server, Advanced Server, and Data Center (big iron). Most people will be using Pro or Server. Both have Terminal Services.

Re:Can I ask why?

[TheConfusedOne]

First off, have you worked with Windows Terminal Server? It's a hack on top of a kludge. MS doesn't even officially certify Office to run on top of it.

While NT, 2K, and XP support multiple users they don't support multiple users logged in at the same time. This is the crucial difference. The new XP remote desktop feature only allows you to take control of the system as it is currently logged in. If you need to make a change requiring higher permissions then things start to get sticky.

With Unix boxes you can Telnet into them even open GUI elements on remote systems and display them on your box. You can do all of this at whatever user permission you wish to log in as. This simplifies the maintenance tasks.

Re:Can I ask why?

[M$+slasbot]

Resistance is futile.
Believe us.

Re:Can I ask why?

[Osty]

First off, have you worked with Windows Terminal Server? It's a hack on top of a kludge. MS doesn't even officially certify Office to run on top of it.

My friends working in the Terminal Server group would be pretty surprised to hear that. And I really can't see Microsoft using a "hack on top of a kludge" as a core piece of their current OS. (when you log into XP, even at the console, guess what? You're using terminal server.)

While NT, 2K, and XP support multiple users they don't support multiple users logged in at the same time.

For NT4 and 2K, you need to specifically add "at the console", because you can have as many people logged in remotely as you have licenses. For XP you're correct, but all I can say here is ... so? XP isn't a server. It obviously has multi-user support, since you can have multiple console sessions going (though only one can be directly active, the others can and will do things in the background). You're limited on your remote access capabilities, but that's obviously because it's a workstation and not a server. Microsoft doesn't want you to try using XP as the hub for a thin-client system just yet (use NT4, 2K, or wait for .NET).

Re:Can I ask why?

[mpe]

in windows, you can change your language at ANY time from an icon in the system tray, you don't even need to log off and on again.

Definitly untrue since you don't have a "system tray" all the time. Can you alter the login box in Win2K to be able to select which language here. AFAIK you cannot. With gdm or kdm you can select the launguage before logging in. You could even change the interface to a set of buttons with flags on, which is rather more intuitive than having a little blue box with 2 letters, which may or may not match an ISO country code, somewhere around the bottom right.

Re:Can I ask why?

[TheConfusedOne]

How could you be using terminal server when you log into XP when it isn't a server? XP is a desktop only version.

Have you worked with Windows Terminal Server? We've had some terrible fights with the thing to get it to work. The problems are the games it plays with the registry and user directories. Additionally, if you have anything that is using ports for communication they can get hopelessly confused. (Run a service on the Terminal Server yet try to make it available to the Terminal Server sessions, it's quite a pain.)

Terminal Server was originally written by Citrix. MS choose to license the software and has done some additional development but it certainly wasn't core MS code.

Think about it, you're trying to take a NT Server and run multiple users on it *AT THE SAME TIME*. NT simply wasn't designed to do that.

Re:Can I ask why?

[Osty]

How could you be using terminal server when you log into XP when it isn't a server? XP is a desktop only version.

You're obviously living in the past. You're discussing Terminal Server circa NT4 (or older!), while I'm discussing what's been happening recently with TS. It's a well-known and documented fact that, for Fast User Switching in Windows XP, it's essentially implemented by having each login at the console spawn a TS session. You don't really notice it when you only have one session going at a time, but load up a couple users on your system, then login with one, switch out, login with another, switch out, do it again, switch out, and notice that all of those previous logins are still there, keeping their state, running their background processes, etc. Don't be confused by Windows XP calling it "Remote Desktop". It's still Terminal Server. (Caveat: Fast User Switching doesn't work if you're connected to a Domain, rather than a Workgroup or a stand-alone machine)

Have you worked with Windows Terminal Server? We've had some terrible fights with the thing to get it to work. The problems are the games it plays with the registry and user directories. Additionally, if you have anything that is using ports for communication they can get hopelessly confused. (Run a service on the Terminal Server yet try to make it available to the Terminal Server sessions, it's quite a pain.)

I've not worked with it extensively, but nearly all of my testing and debugging work is done via Terminal Server (especially when I have to go in and debug production or pre-production machines), so yes, I've worked with it. Some things could be better (it sucks when you get a popup on session 0 (the console), and can't see it with a different session, but I'm under the impression that's being fixed). Terminal Server circa Windows 2000 was much better than in NT4, and XP's version is much better than Windows 2000's (XP adds lots of fancy stuff, like 16bpp color, sounds over the wire, and more-granular options to reduce bandwidth usage, but there are other enhancements "under the covers" as well). Think on it this way -- if we were discussing the linux kernel, and you were referring to the very latest 2.4.x version while I kept going back and complaining about 2.0.x, you'd have problems, right? Same thing here -- as with all software, Terminal Server has evolved over time.

Terminal Server was originally written by Citrix. MS choose to license the software and has done some additional development but it certainly wasn't core MS code.

And SQL Server was based on code not written by Microsoft (based on Sybase or something like that, I'm to lazy to go look it up right now), but while SQL Server 6 was similar to the original product, SQL Server 2000 is a completely different animal. Internet Explorer was based on Mosaic way back in the day, and version 1 and 2 weren't very much different from Mosaic. However, you surely can't claim IE6 (or hell, even IE3!) is in any way similar to Mosaic, regardless of its origins. In other words -- red herring. When Microsoft buys software, they don't just let it stagnate (well, unless, after purchasing it, they determine that there's no point in continuing with the software). They continue to improve and enhance the software.

Think about it, you're trying to take a NT Server and run multiple users on it *AT THE SAME TIME*. NT simply wasn't designed to do that.

No, Windows 9x wasn't designed to do that. Perhaps NT 3.x wasn't designed to do that. NT4 at least had the capacity to do so, though it may not have been very mature. Windows 2000 supports it quite well. XP does, too. Windows .NET will be even better. And so it goes, as software evolves.

Re:Can I ask why?

[axxackall]

B/c Win2K is not much more stable then Win(3-98) - the today's practical experience shows that you should schedule for rebooting your win-based kiosks every night (or be prepared for daily surpises) against every several months in case of Linux. There are several reasons, one of themis IE is integrated to GUI, which is integrated to OS, and that drammatically increases the chance that the whole system should be reboot in order to clean the problem up. In Linux you may restart Mozilla or X11 keeping the kernel and other services up and running.

Besides, remote login (SSH, with X11 or without) is much more convinient, secure and economical way for remote troubleshooting, comparing to M$ Terminal Server or any other VNC.

No need to mention that having available source you can customize Linux system from top to bottom, from boot to monitoring. That's a real flexibility and customization. And no need to mention that you will not pay a fee for MSDN and other devlopement tools.

Speaking about money - why would taxpayers want to pay Microsoft for licenses when Microsoft keeps screwing users' right up, while there is the easy, reliable, secure and flexible choice?

Ugly, but should work

[Auckerman]

Change the ownership of thier home directory to some dummy acount and then chmod 755 it. That should prevent them from changing their settings across the board, but it may have undesired effects on some applications that insist on writing to disk on launch, et al. You could be more picky like chown + chmod only the .cshrc .profile, or whatever on a individual basis.

Run from CD-ROM?

[JoeShmoe]

How about that Knoppix distro or similar that run completely from CD (or loads from it anyway).

After user is done, reboot and next one gets a fresh clean install. Plus, no data kept, so nothing for "The Man" to subpoena, no privacy to invade/violate.

- JoeShmoe

.

Re:Run from CD-ROM?

[Amazing+Quantum+Man]

Plus, no data kept, so nothing for "The Man" to subpoena, no privacy to invade/violate.

This may be a major point.

Re:Run from CD-ROM?

Yes you are right, but the point is how to limit actions to the user, you just want them to navigate, not to use your machine as a hacking box :)

Re:Run from CD-ROM?

OMG this distro rules. I just downloaded it for fun. Everything works perfectly!

Re:Run from CD-ROM?

[jred]

I've downloaded Knoppix three times so far, and every time the md5sum is different. Different machines, different networks, and different mirrors. Once I burned it anyway, but that didn't work :) Plus, with the recent trojan (?) in a popular app's download has me concerned about the md5sum not checking out.

Too bad, this sounds really cool.

i'd start by researching the K-12 projects.

[millia]

trust me, if there's one group that can savage a machine, it's teachers and students. A fair number of these efforts have already been discussed on /. before, so i won't bother with linkage.
for a tight, basic machine, though, i think that'd be your best starting point.
now, if only one of those projects ran debian. sigh.

Why not let them change anything they want

[pete-classic]

except for .bashrc and a script that puts everything back in order on login? (Hint: put the "guest" ~ on a ramdisk so this doesn't cause slow login.)

Might be nice to have a policy "You can't 'check out' until you log out." so no one gets stuck with someone elses freakish preferences.

Or you could just give away (restricted) accounts with ~ on NFS, a small quota, and automate removal after 30 days of inactivity or something.

-Peter

Re:You must read this:

[Frobean]

Somebody get this guy some prozac...

And it continues?!?!?!

What are the best tools for multi-user Linux labs? Should we use KDE? Gnome?

Ok, review of Vim, best browser article, a study that just brings up all kinds of major flamewars, now an askslashdot that does it all over again!!

good for seattle

[d0ggi3]

thats great to see my home town moving aware from the evil m$. i'd love to shine a light on what tools to use, but i wouldn't be of help.

Re:good for seattle

You better look out your window. There's a black helicopter
hovering over your 'van eck phreaking' everything
right off of your computer.
Don't mess around with BILL.

Re:good for seattle

Yes. The almighty BILL is stronger than any communist beliefs you may have. Viva la capitalism. rofl.

Re:You must read this:

[fudgefactor7]

You're statements are rambling and retarded. The only reason I read them is because I was bored. Here's an idea: die a painful death. Don't like that one? Here's another: STFU. No? Ok, how about this: get a clue. You want to know why that letter wasn't printed by the paper it was submitted to? It sucked, had no relevency, and was painfully stupid. So are you. Go away.

First of all.

[TibbonZero]

Well, it seems that first of all you should really research Linux in general. I know that you are eager to get off of Win2K, but you should really make sure that everyone is well trained. Users too need to be trained, so that they aren't confused. You should read up on the permissions structure (and alternatives like Novell's E-Directory), and fully understand Linux before you go slapping it on everyone's boxes.
The reason I bring up this, is because from your question, it seems that you are new to Linux- in the fact that you don't know how to deny permissions, the differences between KDE and GNOME, guest accounts, etc.
So go get Linux, format your box, test it out!. Experienment, and try different Distros. I would sugest one without too much bloating, but that's my personaly opinion. You don't want people in the public to get a bad opinion of Linux because of messed up public Linux boxes.

Re:First of all.

[justsomebody]

Well, in my opinion he's risen out the right question.

There should be some HOWTO for that kind of thing, at least if you wanna see some more desktops joining in. I remember when everybody was eager to help schools to move to linux. /. month or so ago.

HOWTO
-----
Process should be divided to some various points.

1. Securing machine.
Securing bios, lockaway of power and reset button
2. Securing boot loader to disable user commands to kernel. You can even compile kernel to make some improvments to that point
3. Securing interactive service boot mode, make a change in rc scripts just to comment the lines waiting for input key to start interactive mode.
4. Securing X by disabling accessing terminals with Ctrl + Alt + F?
5. Disabling reboot without password and disabling reboot with Ctrl + Alt + Del (otherwise in some various points Ctrl + Alt + BckSpc and Ctrl + Alt + Del might enable user to reboot)
6. Disabling any kind of autologin

7. Next thing is securing desktop manager

It could be done in some various ways but best in my opinion is forst one.
Personally I don't think that idea with guest accounts would be good. Much better choice is LDAP users and LDAP login. With this you can have as many centralised users as you want. But every new user gets new preferences and every user is able to choose desktop (Still you can install only one and disable that choice if you want equal desktops). Just protect icons on desktop for softwares you want (chmod 555).
Extend that option with NFS share for storing their home folders. You just got your self moving profiles accessible from any computer in network.

Second idea is far easyer to achieve. after session, delete home folder, recreate new one from templated one with rsync and here is the point where user modifications to desktop are reset

Re:First of all.

[TibbonZero]

Great idea. I think it would really help people get to use Linux out in public.
The only thing is that we have to make the Howto a little redundant over others, because we shouldn't assume that they know what they are doing.. .

Re:First of all.

[justsomebody]

Base idea and solution could arrise if one thread would be improwed with other comments. HOWTO would come out from himself out of this or some other better thread

Re:First of all.

[justsomebody]

If only people would forget (KDE and GNOME) (Linux and FreeBSD) (One distro and other distro) disputes and concentrate on the problems instead.

Re:First of all.

[karlm]

Great ideas. The first topic in the HOWTO should be keeping the software up to date, though. For a public Kiosk, I'd suggest Debian with "apt-get update; apt-get dist-upgrade -y" as a daily cron job.

IMHO, the best way to prevent problems is run all of the machines diskless and network boot them. A friend of mine found a motherboard that supports dual CPUs and 4 IDE channels with hrdware raid. This means you can pull all of the hard drives out of the machines and put 8 hard drives on the one motherboard for some serious file storage. YOu probably want one standby fileserver. Why keep N coppies of the OS arround when you can keep one copy and send it to the N machines over the network? I'd prefer Kerberized OpenAFS over NFS for home directories (encryption is your friend). In any case, it's a good idea to allow home accounts. If you make all of the machines diskless, you're going to have a fair ammount of storage for the fileserver from collecting the hard drives.

With a headless setup, if you disconnect the floppy drives' and CD drives' cables from the motherboards, you're reasonably assured that they can't boot the machine into a Trojaned OS. You probably want a couple of machines with functional floppy and CD drives, but put them close to the supervisor's desk.

Diskless clients are so much easier to maintain. All you need is a reboot to sync a computer's software with the rest of the machines. The hard drive is one less thing to fail. If you're running RAID 5 on the fileserver, one of your hard disks can fail without any loss of data.

Please please please educate users on using strong passwords.

check out the DNA lounge source code

Check out http://www.dnalounge.com/backstage/src/kiosk/ for information about how they set up their Kiosks. It might give you some ideas for starting points, the have similar goals and an extremely "hostile" environment.

Re:check out the DNA lounge source code

Here is the link to the DNA Lounge page. And yes, it's useful information--although I'd rather use a BSD box as a platform.

This is Editor Trolling Day, isn't it?

[Otter]

Should we use KDE? Gnome?

What, the vim book review, "fastest browser" and "developers prefer Debian, vi and GNOME and are mostly married or living with someone" study weren't enough?

By way of an answer, I'd give an edge to KDE only because of wider Unicode support. You say you want multi-language support, and in Seattle, you'd be especially concerned about Asian languages, particularly Chinese, right? Until GNOME apps are widely ported to GNOME 2 (and then have gone through an upgrade cycle or two), KDE is probably a better choice.

Like someone else said, the best thing to do is probably to have the logout script clean out and replace the guest account each time it runs.

Re:This is Editor Trolling Day, isn't it?

[axxackall]

You forgot about "Emacs" :)

That's the keyword to fire a new round of war with vim zealots :)

Coming back to the subject, I would compare also Linux vs BSD:

Linux Kiosk project may exist only as GPL and any kiosk provider cannot make any money on licensing it.

BSD Kiosk is better to make some fee-based profits, but there might be some lack of modern hardware device support (USB, FireWire, Bluetooth etc).

Short-term solution: it's not difficult to make a "userland" level of the KIOSK commercial (Mozilla, some other X11 applications, some monitoring tools), keeping the "system" level (Linux, boot sequence, most of system services) still GPLed. When Apple/MacOS/X will finally contribute to FreeBSD with such new hardware support, then the whole system might close the sources.

That's the reason, why BSD license still exists, right?

Re:fr1zt pozt

haha, you no preview before posting! now I not go to link! you get the worm again!

Mike Cho

Don't leave out user accounts...

[Uttles]

This is a nice idea for a community but I suggest having user accounts in addition to one main guest account. If someone is going to come and use the machine enough, give them a restricted account so that they can personalize their desktop. KDE and Gnome both have good user management tools, so don't restrict yourself or your users if you don't need to.

Wish I had your e-mail address

[Allnighterking]

If I did I'd tell you to contact another Gov funded project called SLAC (Stanford Linear Accelerator Center) They have without a doubt the best linux setup for lab work you will ever see. The tools etc of course are available to you, free of charge, and the people who work there are more than just helpful. the URL is http://www.slac.stanford.edu/ to start checking them out. They run 2000 server clusters and are fast approaching 1 petabyte of data. So they do know there stuff. AND it's a Linux house to boot. Sometimes Gov funded orgs do it right and these are some people who prove this is true.

Re:Wish I had your e-mail address

Thanks for your comments -- I'll take a look at your reference!

Best,

Robert Valiant
Seattle Community Technology Alliance

Depends on the needs of your users

[BigJimSlade]

What are they doing on these general purpose machines? Are they essentially a kiosk to get online with? If so, maybe you should consider OEOne. This was previously mentioned on Slashdot a few days ago. It sits on top of Red Hat and looks like it gives the users the basic internet capabilities they need. I'm not sure how well it will lock down, however. I just thought I'd mention it since I'm thinking about setting up a box running this for my parents.

Re:You must read this:

Oh C'mon, it could be worse, eh?

We could have been born Canadian.

I have no desire to start a flame war...but

[mhore]

Use KDE. Windows users freeze the second they see Gnome.

But with the "CoolClean" theme for GNOME, I think it is just as viable an option, no?

Mike.

Re:You must read this:

[JohnnyCannuk]

WTF?

Not any Canadian I know.....

W.R. McDougall, seek some serious mental help.

I agree and have one more add-on

[iamwoodyjones]

If you are going to allow them to have access to CD-ROM or diskette, you could either set the sys up to look for these for default pref files in those spots first before resorting to the default setup.

That way frequent vistors with their own personal stuff and preferences that are burnt on a CD or on a diskette (if they can fit it all on that) can use these mediums when they visit.

Or

It'd be cooler if when they choose their desktop background, they automatically can save their config file that points to it on a diskette along with other prefs for instance.

If any of that is possible.

Re:I agree and have one more add-on

[nelsonal]

This seems like a good application for a room full of SunRay terminals and an E250/E450 or one of the newer 480s if you have money coming out the wazoo. They come with a really cool card that stores access to all their personal preferences so when they log on, their terminal is already configured for their use. Last time someone did a study it was nearly the same upfront costs as the same number of windows running desktops and a workgroup server.
If you get the server cheap on ebay, a free license of Solaris 8, and buy the SunRays from either sun or someone else, I would guess it might be close in cost to PCs and Linux. It also makes your life easier, since there is less administration on the single server.

damn...

[jcw2112]

...what is this? editor troll day? one piece of flamebait after another...

what's next? ask slashdot: who has a bigger crank? bill gates or linus? discuss...

Check out jwz's solution.

[immanis]

Jamie Zawinski of mozilla and xscreensaver fame owns a nightclub in San Francisco called DNA Lounge.

He installed IRC, telnet, ssh and web enabled diskless linux kiosks for just this purpose. His code is available, as well as instructions on how he did it. It may give you a good place to start.

Re:Check out jwz's solution.

[Schrodinger's+Mouse]

Mod parent up, please. It's a great solution - thin clients which boot from NFS directly into guest mode - and it's very well-documented. My .org is considering establishing community labs, and this is the approach I'll be pushing.

Re:Check out jwz's solution.

Yes indeed. Thin is in.
Just have to add though that Jamie doesn't have a complete
understanding of LTSP.
With LTSP, you have a server that is a full blown
install of your favorite distro, and on top of that
you install LTSP binaries that make a few changes
to allow terminals to run apps locally or directly from
the server. The user can run any app that the admin
has given users the rights to run.
It kicks butt.

Guest accounts versus individual accounts

A pointer here - if a user signs on as guest, that forbids them from doing pretty much anything. I would suggest count on regular users coming in to use the machines, and be prepared to provide accounts for them. This doesn't really take much space, and one can always quota the machine.

A word of advice, though, please please PLEASE! be absolutely sure you know what you're doing before diving into Linux. If your purpose is snubbing Micro$oft and that's it, you're asking for a world of hurt. If you're purpose is to give a better operating system and you can get volunteers to go in on this, yeah, go for it, but again, know what you're doing. If your purpose is to provide a well-supported alternative to Windows, that's what FreeBSD is for.

Re:You must read this:

[jepsr]

You obviously need to re-hash your freshman level history and economics and toss that greenpeace/commie rag you've been quoting. Things ain't that bad down here 'cept fer the skeeters!!!

Linux as a public access machine...

[cnelzie]

The desktops should be put together in a kiosk fashion. Whatever desktop you end up using should be absolutely simple.

The best thing would be for a featureless desktop with the few handful of applications that are allowed to be used as clickable icons on the desktop. A taskbar is not needed, in fact it shouldn't even be welcome.

Having a taskbar, with a number of applications available through a Windows-Start-Menu-Like system can provide far more functionality then is needed. Sure, you can edit the taskbar "Start-Menu" to include only a few applications, but then what is the point to having a "Start-Menu"?

All that is needed is a basic web browser that supports currently used web elements. Not just standards, but things that are used across most web-sites. That means Flash Support, Java Support and a host of other web technologies.

The important thing is to have that all setup properly with all the correct plug-ins in place. If those are missing, then you will see the users gravitating away from those systems.

Probably the best thing to do, would be to setup a specially tweaked Windows machine and one of these specially tweaked Linux Machines. Both can have the same basic applications available that the public-access users will be wanting to use...

Here is one thing that might hold you up...

IRC, Yahoo! Messenger, Aol Instant Messenger and MSN Messenger. These are all used on public access machines. To confirm this, check out the public access machines at Kinko's, also check out public access machines at college campuses. All of those are installed onto those machines.

Setup a Windows machine with only IE and those messenging services Icons on the destktop. This can be done using Group Policies.

Setup a Linux desktop with just a Mozilla or other web browser link on the desktop. Then one of those "Easy to use" multi-client chat programs as a link on the desktop.

Run both of those machines side by side. Track how many people use both machines. You might be surprised to find that more people will end up using the Windows machine, simply because of those messenger clients.

You can even remove the messenger clients and you might find that more people will still end up using the Windows machine, due to the better font handling and other things that they are used to.

Do this experiment before you take a leap and radically alter your configurations.

-.-

Re:Linux as a public access machine...

Yahoo provides a Linux version of Messenger that works in reasonably the same fashion as the Windows side version. I'm not sure about AOL Instant Msgr...I'm guessing not.

Re:Linux as a public access machine...

[Liquor]

Here is one thing that might hold you up...
IRC, Yahoo! Messenger, Aol Instant Messenger and MSN Messenger. These are all used on public access machines.

Since clients for IRC, Yahoo! mess!, AIM and ICQ are all available under Linux, these clients are a non-issue. I doubt that the absence of MSN Messenger will be a breaking point (at least, not beyond not being an MS box).

Re:Linux as a public access machine...

I've seen third-party software with MSN support. For example, I use Miranda ICQ with an msn plug-in. Hooray for anti-bloat.

Re:Linux as a public access machine...

[lithron]

Gaim has MSN support. I'm able to chat just fine between myself and a friend (running Windows XP).

Gaim on SourceForge

Re:Linux as a public access machine...

[N3WBI3]

IRC, Yahoo! Messenger, Aol Instant Messenger and MSN Messenger. These are all used on public access machines. To confirm this, check out the public access machines at Kinko's, also check out public access machines at college campuses. All of those are installed onto those machines.

I just set these up on my friends PC last night (linux PC)

http://amsn.sourceforge.net/
http://www.aim.com/get_aim/linux/latest_linux.ad p
http://messenger.yahoo.com/messenger/download/un ix.html
http://www.xchat.org/

So this would be a total non issue..

Re:Linux as a public access machine...

[Ironica]

"IRC, Yahoo! Messenger, Aol Instant Messenger and MSN Messenger. These are all used on public access machines. To confirm this, check out the public access machines at Kinko's, also check out public access machines at college campuses. All of those are installed onto those machines."

Ah, Kinko's...

I worked there for several years, most of them running the Computer Services department in one store or another. There's a few things you might not realize about their machines. First of all, at least when I was there, the installation CDs did NOT have all the IM apps on them. I think only MSN Messenger was on there, because of some bribe^H^H^H^H^H promotion from Microsoft. Oh, yeah, and AIM installs with Netscape; can't escape that. But then Yahoo! Messenger and ICQ would mysteriously show up. It was Windows 98se, and while we managed to prevent users from being able to ctrl alt del or shut down the computer, we couldn't seem to prevent them from installing many software applications.

And the pitfall of running Windows in such an environment: if the application froze, there was no recovery. This happened fairly often, because MS Word would choke after a while if you edited a file straight off the A: drive. At that point, we couldn't do Ctrl Alt Del, or even use keyboard shortcuts to get to the regular shutdown... it was all completely locked out. All we could do was hit the power button, sympathize, and advise them to (1) work off the hard drive and (2) save more often than every couple hours.

I remember the first time my ex-husband saw our setup. He instantly started telling me how much easier and more efficient it would be if it ran off of a Linux server (it remained a peer to peer network with an AppleTalk clone on the PCs until at least last year). Unfortunately we never could convince HQ.

Gconf

[gouldtj]

If you use GNOME... you can lock down most of the settings (in GNOME 2 atleast) by just changing your GConf settings. Basically it allows you to make all of the settings read only. The file that you'd be interested in modifying is: /etc/gconf/2/path You should be able to lock down most settings nice and tight.

KDE Kiosk Howto

[UnixFerEver]

http://www.brigadoon.de/peter/kde/t1.html

This may be a little out of date by now, but I think they have a mailing list as well.

Re:KDE Kiosk Howto

They have, it's at lists.kde.org . And KDE Kiosk is very good.

Re:KDE Kiosk Howto

[MtHuurne]

On kdeleague.org I found this link to the up-to-date README for KDE kiosk mode. The kiosk feature is included in the standard KDE distribution since KDE3. This README describes how to activate the restricted permissions features.

Re:KDE Kiosk Howto

[axxackall]

Any screenshots?

Re:You must read this:

[daddy_cool]

Remove head from ass. THEN go about life.

Thanks.

Re:fr1zt pozt

Is that IE only compatible code? It doesn't seem to display right in my html 4.0 compliant browser...

Firewall all traffic OUT (For starters.)

[supabeast!]

A few security suggestions:

If you are creating public access Linux boxes, do the rest of the internet a favor and strictly restrict all internet access out as well as in. This protects everyone else in case a local user roots a box.

Don't put floppy drives in the systems, and disable the CD drives. This will help prevent a user from walking in with a disc of exploits and root kits, forcing anyone who wants to use local hacks to go download the hacks, which you can track in firewall logs.

Aesthetic suggestions:

Consider renaming all the KDE/Gnome apps withing the config files. Many Linux apps have lame, undecipherable names (Stick a G in front of the name of a python actor type crap.), and if you make the purpose of an app obvious, a newbie will learn the real name of the app over time.

Do your users a huge favor and avoid Gnome. KDE is a much easier transition for Mac/Windows users.

Re:Firewall all traffic OUT (For starters.)

[E-Rock-23]

Since I'm all outta moderation points, I'll have to reply. I do like this suggestion. Finding yourself an experienced Linux administrator or three who are willing to sit and monitor the network would be another option. That way, when someone tries something fishy, he/she can root his way in and stop it. That admin might also find working in a volunteer capacity for a non-profit outfit looks rather good on a resumè, scoring them brownie points with prospective employers.

I also agree with the use of KDE in this situation. Using GNOME, Blackbox or another "geek friendly" DE is asking a little too much of the casual user, who is most likely not familiar with a *NIX environment.

Also, doing this in the Seattle area is pretty bold, seeing as how it's more or less Microsoft's home turf. I have no doubt that they'll try and shower you with funding, presentations on the benefits(?) of Windows, and other junk aimed at preventing your switch to Linux. You're going to have to tell them where to get off the bus, which can be rather tricky when the beast is tempting you with spoils. I wish you all the best of luck ^-^

Re:Firewall all traffic OUT (For starters.)

Restrict all acess out fro ma public terminal. Are you insane? Isn't id daily that we get libraries and schools trying to do that and getting endless shit for it from all sides?

Agree with you about Gnome though. What a fucking pile. Though I don't think KDE can be locked down very well so I doubt it would work here. Would probably be better off with a minimal window manager that can easily be locked down. No suggestion for that though...

Re:Firewall all traffic OUT (For starters.)

[rossz]

can be rather tricky when the beast is tempting you with spoils.

Hell, take the spoils (make sure there are no strings attached), then implement the Linux solution anyway. Have a raffle at a dollar a ticket with the prizes being the Microsoft junk.

Re:Firewall all traffic OUT (For starters.)

[whereiswaldo]

C'mon, give the Gnome people some credit. I'm actually using it right now because KDE (RH7.3) has locked up twice in two weeks. It's not as nice, but so far so good reliability wise.

Re:Firewall all traffic OUT (For starters.)

[supabeast!]

"Restrict all acess out fro ma public terminal. Are you insane?"

Restrict, not block. Everyone will need port 80, nobody will need port 31337.

The best tool is...

[TibbonZero]

"What are the best tools for multi-user Linux labs?"

bash, vi, and gcc, what else does one need?

DNA Lounge kiosks

[rebus_ks]

This seems to have been done quite well at JWZ's DNA Lounge.

http://www.dnalounge.com/backstage/src/kiosk/

Re:You must read this:

I agree with this post.

Motives, considering that MS is a SCTA partner...

[Real+World+Stuff]

As evidenced here , MS has already placed a significant stake with the SCTA. With this understanding, and their advocacy of .NET, is this another Junis Post? I mean, I would definately anticipate the editors have researched this submission. Click through their site (SCTA) and consider the question from this point of view:What is the biggest threat to MS. Who do you ask, and who will most likely define the weaknesses.

Please analyze the facts before you mod.

Re:easy answer - K12LTSP

[danyoung]

I'll do you one better:

Try the K12LTSP distro, a modified LTSP setup ready-to-install. It has Mozilla, OpenOffice, etc., and will likely be updated to GNOME2 goodness once the latest 7.4/8.0 limbo/null/whatever betas are done.

The diskless terminals boot from a floppy or NIC bootrom, with the K12LTSP server doing all of the heavy lifting. I've used Pentium 90s and worse for the terminals.

k12ltsp.org

Guest accounts.

[mrsam]

Implementing guest accounts is real easy, but requires just a little bit of custom programming. The trick is to have a separate guest account for each terminal in the lab, and a custom login script that logs in to the guest account that's assigned to the login tty port.

After logging out, the script wipes out the account's home directory, and restores the default home directory contents from a skeleton model, somewhere. After logging in they can mess things up as much as they want. After logging out the account gets wiped out, and restored to a default state.

Re:You must read this:

Does it hurt when the top of your head flip-flops around when you talk? "Asses of Fire" was the best thing to come out of Canada in a long time btw.

Diskless Linux Kiosks

[Great_Jehovah]

http://www.dnalounge.com/backstage/src/kiosk/

Re:You must read this:

Well... we have slashdot, dont we? I think that makes it all worthwhile.

zip drives

[dollargonzo]

one of the best ways i've seen things done is on a zip drive. basically, everyone who wants anything custom has to buy a zip disk ($5-$10) and then their home directory is mounted on the disk. saw at a local university: worked great

Re:zip drives

[N3WBI3]

BSD is for people who love UNIX. Linux is for those who hate Microsoft.

(from a linux box): Youre point being... ;)

Re:zip drives

[dollargonzo]

it's a sig. for some reason, people seem to comment more on my sig than my comments. perhaps my comments are stupid, or my sig is just THAT interesting

Gnome all the way, baby!

[Badanov]

Let that footprint do all the talking!

use a linux terminal server / client setup

K12LTSP 2.1.0 project is an example, http://www.riverdale.k12.or.us/linux/

this software (free I believe) installed on a server, which provides everything that the client machine will need over a network. the client machine needs only a supported network card (and it does not need a hard disk :-)!)

this allows all settings to be done on a central machine which is tucked away from the publics view, and users on the client machine have no easy way of changing settings on the host!

Let the flamefest begin... ;)

[powerlinekid]

Here I'll sum up what you'll have to do, based on other posters:
1)Install RedHat, Mandrake, Debian and slackware. Yeah all 4. And then put a difficulty ranking for each one on the computers, like from 1-4 (1 being easiest) assign them all a 1 because everyone is going to tell you that slackware is just as easy as mandrake.
2)Install kde, gnome, windowmaker, blackbox, enlightenment, every other windowmanager that at least 1 person uses. Then install every single theme for them. We all know users want choice, so give them plenty of it. *already laughing*
3)You'll need the Gnome office stuff (gnumeric, abiword,etc), Kdeoffice, openoffice and off course emacs (but if you install emacs, you'll also need vi).
3)Put up posters in the room with penguins biting bill gates, or put "bill doesn't live here anymore" stickers on the machines. This will add to the feel of the room.
4) Make sure there are no windows in the room.
5) Don't forget to have one *BSD machine in the corner that nobody touches, just so the bsd people start complaining that "bsd is so much more 1337 then linux". Don't worry about keeping it up to date, noone will use it.

That should be pretty much the answers you get out of the slashdot community. Personally I'd get Mandrake 8.2 with Kde 3 and Open Office. Entirely free and hell you could probably just boot them all off the same network image if the hardware is the same.

Re:Let the flamefest begin... ;)

[mystran]

even if there are minor differences in the hardware, you could still have only one image. Just have support of anything in room in the kernel and use some scripts to select config files based on MAC address (or IP which you can get from DHCP with MAC address)..

Re:Let the flamefest begin... ;)

5) Don't forget to have one *BSD machine in the corner that nobody touches, just so the bsd people start complaining that "bsd is so much more 1337 then linux". Don't worry about keeping it up to date, noone will use it.

The average user isn't going to know what they're running on anyway. So they'll see that unoccupied machine in the corner and use it. And begin to figure out that it's more stable than those popular machines near the front.

KDE Kiosk Mode

[scriptkiddie]

I'm a former student of Robert G. Valiant, whom I believe works/worked for CTA a while back. Say hi to him for me.

As other posters have said, use KDE 3. You'll need to write some scripts to set up the accounts properly, since you really can't set up multiple accounts in KDE by copying the .kde directory (lots of programs need a directory to store data in, they get it from a .kde config file, but the config file says /home/username/data rather than ~/data, so copying .kde directories leads to weird hard-to-reproduce errors).

KDE3 has a nifty kiosk mode, which I don't think anyone has mentioned. It allows you to restrict access to programs on the application menu only - people don't get a terminal, and they don't get any filesystem access through the file manager. It's great for Web browsing and e-mail, though it can lead to trouble when you want to, say, rename a file.

Use KDE, NIS, and NFS so home dirs are shared across the system, of course. That's easy to set up. Using rdist for the KDE distribution itself is a good plan too.

If you spend the time to set up Linux properly, it's a very competitive alternative to Win2K for public labs.

Re:KDE kiosk mode

[7-Vodka]

very nice! I was wondering about this myself. I'd like to have a kiosk mode for the guest account on my box so my friends couldn't mess around with it too much. Everytime certain friends log in they leave pr0n wallpapers and shit. A nasty surprise when you tell your dad to go ahead and just use the guest login.

Re:KDE Kiosk Mode

This company claims to have a pre-packaged kiosk solution for Linux that might be worth a look.

use Knoppix

[gosand]

Have you looked into Knoppix? You could run all of the machines off of a ramdisk, have them use floppies to save their configurations if they want. You could even remove the hard drives from the machines. I have found that less than 128MB may cause you some issues, but it will still work.

Your only problem would be people swiping the discs, but you could also offer them for sale.

Re:You must read this:

He's right guys! Quick lets start a revolution, and elect him the new ruler of America v2.0! God, how come none of us could figure this out? This guy must be a super genius. Well I for one would like to thank Mr. Anonymous-Canadian-whom-I-secretly-susespect-is-Am erican for sharing your brilliant insight with us. Seriously man, what's the point?

Your problems are just one line of shell script

rm -rf ~/

at logout

Here's a salve for the flaming...

[pjt48108]

I am considering, in the FAR future, moving things from Windows to Linux, here in the public library for which I work. One argument I get when I float certain elements of the plan is, "But everyone already knows Windows." (the library's computer classes teach to Windows, not to basic computer literacy.

This made me think... What is more important for the end-user, from the standpoint of computer literacy? Knowing the operating system, or understanding basic functions that are universal across applications?

As patrons shouldn't even be THINKING of accessing the OS, I lean towards emphasizing application functions, such as print, save, etc. Those are the functions the majority of users will be needing anyhow.

That said, I think Linux should work fine, despite the naysayers, so long as the desktop/interface is simple and straightforward enough so that the user doesn't feel the need to plum the depths of the OS (in order to type up their recipe, email their grandson, etc.). In fact, the flexibility of Linux, I believe, enables you to BETTER serve your constituency in this manner.

Plus, Microsoft is pure evil.

Re:Here's a salve for the flaming...

[Christianfreak]

"But everyone already knows Windows."

There's a simple way to deal with that, especially if you aren't ready to make the switch yet. Just create a machine with all the latest and greatest bells and whistles for KDE, super-simplify it and then set it up at your library and let the librarians have a go at it. I think that will turn them around rather quickly, unless they do use the hidden obscure features of windoze.

Re:Here's a salve for the flaming...

[aero6dof]

If you're interested in Linux in libraries look at
http://www.oss4lib.org/

Most computer access in libraries is via a browser now anyway.

Drop me a line if you have questions...

Re:Here's a salve for the flaming...

[Evil+Pete]

In my home town of Brisbane, Australia. The city council uses a web interface to their catalog. Its easy and apart from the browser being IE with some apparent functionality locked out, including closing / minimising the browser, its fine. In fact you can access the catalog remotely by browser. The other PCs in each library just run IE to interface to the web. Soooo ... if you had something like Konqueror or *insert name of favourite browser* then why run Winders at all ?

So my suggestion is, yep a linux box but it only runs a browser and that is the only interface the user sees.

LTSP

[Roadmaster]

the Linux Terminal Server Project provides superb tools and software to set up a remote display server, you run all apps on the server and do the display on terminals. It works awesomely well, will ease and centralize your administration, and will work with old systems as terminals. If you have a competent admin, setting up guest accounts should be a breeze with this. You also need a competent admin because the server is a single point of failure and has to be kept well-fed and in working order.

Re:LTSP

[bmwm3nut]

mix this with openmosix and you have a real winner. i'm in the middle of doing this at home and so far it's working out great!

Re:Motives, considering that MS is a SCTA partner.

Here is their plan

KDE? Gnome?

[DongeyKong]

I found that KDE runs better on AMD chips. It seems more stable and more windows-like than Gnome.

Interesting, but....

[FreeLinux]

After looking over their site it looks like they are in the same boat as many other large institutions, most especially large universities. That is, they have and support just about everything. There did not appear to be a preference for any particular platform.

I did find the policy banning XP until further notice rather interesting/ammusing, but this was only until they had a chance to evaluate it and any effect it may or may not have on their network. It rather reminds me of Netware administrators banning Windows 95 when it was first released.

Re:Interesting, but....

XP has a new network stack
95 had a new network stack

whats so wrong about them making sure it cant DoS them to hell and back?

Re:Interesting, but....

[Allnighterking]

Support is actually done in divisions the largest being the Unix Division. They do support Linux as well as Solaris. HPux and AIX are pretty well gone and they also have picture celebrating the demise of the last vacs. *grin*

Re: then don't use Mandrake

[clnelson]

That's why you don't use mandrake. Those are settings. Good for a home user, bad for a public lab. Use a different distro or customize your Mandrake to lock it down.

Remote Installs During Nights

[merger]

In addition to setting certain restrictions on user rights is the possibility of remote installs overnight. I remember reading that the Apple Stores which allow anyone to play on their computers push the entire disk image to the computers every night. This way it ensures they are all the same afterwards and everyone has the same experience. I am not familiar with the open source options available here but I believe google uses something similar to maintain their machines. Some searching should give some options and maybe someone with more knowledge can point in the right direction if this is a feasible solution.

Re:Remote Installs During Nights

[mpe]

I remember reading that the Apple Stores which allow anyone to play on their computers push the entire disk image to the computers every night. This way it ensures they are all the same afterwards and everyone has the same experience.

This sounds a sledgehammer to crack a nut. It should only be necessary if there are no effective access controls to prevent end users trampling on system areas.

Re:Remote Installs During Nights

[niessen]

In an enterprise I would definetly use Symantec Ghost. This is mainly used to deploying Windows workstations, but also supports ext2 file system natively and has some post configure options.

The main advantage is that by using multicast you can install up to 100 PCs within 20 minutes with ALL aps!!!

Of course you could also do it manually using linux tools (definetly possible), but I am not aware of a toll that is optimised for speed like ghost, and can multicast. If it exists I would be highly interested.

There are a flood of resources out there...

[ainsoph]

The biggest one I can think of is the "linux Terminal Server Project",

ltsp

Which has been adapted to public schools in the form of:

k12ltsp

The linux in education folks have tons of info on doing stuff like this and are very wise about digital divide issues.

Here are some links:

open source schools

School Forge

k12os

SEUL/Edu

Some case studies:

seul dat

There is also Simple End User Linux (SEUL)

SEUL

RedHats "Open Source Now" initiative has listings of people in the area who can help out. They also have a bunch of "why's" and "hows" on their site.

Open Source Now

I should be listed there in the Army of Friends, but have not gotten around to putting myself up. Feel free to contact me at cschwan4@attbi.com, as I am in the Seattle area.

Doing this kind of thing is a great interest of mine, and I work in education to help make these transistions.

Hope this helps.

Knoppix is fantastic.

[FreeLinux]

Nuff said.

Re:Knoppix is fantastic.

Knoppix may be fantastic - but whenever i let it
run Konqueror for a day it locks up - and falls off
the network.
Starts up real nice - gets configured by DHCP and
ends up locking up within a day of no interactive use.?

KDE all the way

[cshields2]

'nuff said.

My public access terminals

[ozonator]

I've set up a few machines now, each running Debian (Testing, even), that are now in use as public terminals in a university library. They have a minimum of software installed, but Mozilla and Opera for browsing, Acrobat reader and AbiWord for documents, as well as lynx, telnet, ssh, and scp available in xterms (each launched via xterm's '-e' option, so that the xterm quits when the program running in them quits). For ssh and scp, I wrote a couple of simple scripts, using 'dialog' to get input for hostname, username, etc. I'm using IceWM (no Gnome or KDE), with extremely minimal menus and no logout command; it's very fast, and has a Windows-like theme so that it looks familiar to most people. KDM handles auto-login very nicely. Automount handles floppy disks (so users can copy files to and from remote machines without having local hard disk access). Finally, since the machines have identical hardware, I built a custom kernel package for them.

For a 'guest' account, I set up a user in a unique group, and chown'ed all the files in that user's home directory to root, leaving them read-only for the guest. Problem: some programs expect to be able to write to disk, e.g., Mozilla expects to be able to make changes in $HOME/.mozilla -- so I wrote a simple script for each such program that, if the program isn't already running, will restore .mozilla (or whatever directory/file is appropriate) from a master, root-owned, read-only copy. Beyond that, to increase security on the machines, I turned off the various virtual terminals on the console, tightened up /etc/fstab (noexec in /tmp, for example), configured grub appropriately, set up ssh for remote admin (actually the only way I can get a command line on the machine), and set up some simple firewalling rules.

So far, these machines have been completely stable, and our users have been pleased, even those using it mainly to check Hotmail, Yahoo, etc. It's reasonably easy to duplicate across various machines, too -- for only a few machines, this works fine: dpkg -[get|set]-selections to save and set which packages are installed, plus save settings from /etc, scripts from /usr/local/bin, and preferences from /home/pubacc, all of which are backed up and ready for a reinstall. But, if you've got lots of machines to duplicate, there are likely more efficient methods -- like running a terminal server; see, e.g., the Linux Terminal Server Project or the K12 Linux Project.

My recommendation: it's definitely worth a try setting up Linux machines as public access terminals, especially if the programs the users need are few in number (e.g, web browser, telnet, ssh, and pdf viewer, which is all just about everyone in our library wants on a regular basis). Just be prepared to do a little fiddling or simple script-writing to handle programs that expect read-write access to the guest account's home directory, and/or provide an interface for programs that normally are run from the command line.

Don't forget the Business Software Alliance

I really think that a BSA audit should be built into
every TCO estimate done on every microsoft shop.
With this setup, you just tell them to piss off.

No that won't work either

Sorry, but just adding an account but not giving them write access or the ability to change doesn't fly either. UNIX is still and open OS if you have an account. Windows or a flavor of it is still the better option. Such as the Windows CR terminal's or just windows terminals.

You can sorda do it with Solaris and SUN ray's, and limited with the X-Terminal project under linux ( not well supported ) but Windows is your best option.

Windows plus zen works perhaps

Re:No that won't work either

[N3WBI3]

What are you talking about?? Ill be the first to say that win2k has great easy ways to lock down specific files (im not an anti ms troll) But UNIX does too

*NIX is a better solution for this because of the OS security. Every time a virus is found that takes advantage of IIS or Active Directory you can lean back in your chair and not worry.

If you really want to make lab users conforatble configure XDM to allow them to log into fvwm95.

Re:No that won't work either

[GreyPoopon]

Sorry, but just adding an account but not giving them write access or the ability to change doesn't fly either.

Agreed. Instead, provide the group with no write access for system files (obviously), and provide read-only access to settings files within their login directory. The trick here is making sure ALL of the settings files for ALL of the applications are locked down in this manner. Other than that, provide the ability to create new files within the login directory, and schedule a periodic job to clean things up every once in a while.

UNIX is still and open OS if you have an account. Windows or a flavor of it is still the better option.

Would you care to explain yourself? I have yet to find a version of "locked down" Windows that allows reasonable productivity that I can't easily circumvent. Although I admit that it's gotten harder with each new OS release. With UNIX, on the other hand, you really can do a pretty good job of locking things down -- you just have to know what you're doing. Are you just trolling here?

Re:No that won't work either

[frodo+from+middle+ea]

u can't lock files in unix unless u lock the directory containing those files. remember u don't need write permission on a file to delete it. all it takes is write permission on the directory containing the file. so a user can very well delete the file and put a new one with his pref. removing write permissions on the home directory would prevent some applications from running.

Re:No that won't work either

Well couldn't you just put all of the user specific configuration files
in a subdirectory of the user (something that begins with a '.') and just not give
them write access to that entire directory.
Also what kinds of things would it make sense to lock
down and what kinds of things should they be allowed
to change.

At my job one of the biggest frustrations I run
accross is everything in the world being locked into
a frozen state even when it would be good to change. I mean
how important is it to force me to have a particular
home page when I open IE?!

I'm guessing that they should be allowed to setup
their own profiles. At least at a minimum...

Re:No that won't work either

[zorander]

first of all saying "u" brings bias against yourself.

First of all, remember that you have the sticky bit to work wthin directory perms (look at how /tmp behaves and you'll see what i mean).

Actually, setting the guest user's homedir to /tmp or even just giving them enough write permissions to deal with temp files for KDE/GNOME and the web browser (i.e. let root own guests directory with global read then parts of ~guest/.kde are global write). For this type of system, that's fine.

if you want to disallow write access to a file then just change the owner and make the file globally readable...

And please don't make wide and unfounded generaliztions about unix if you're going to be wrong.

Brian

Re:No that won't work either

[frodo+from+middle+ea]

well the whole point of the first post was to control access to a file, without controlling the
directory and thats what i am saying is not possible.
unless the root owns the guests home directory, (as u pointed out) controlling individual files
won't help.
Also giving certain dirs write persmissions could not work under circumstances.
e.g mozilla , one may want to give write perm to the guest so that mozilla can store temp. files.
but one may not want the user to install mozilla ad-ons like skins, plug-ins etc.
since mozilla stores all under .mozilla , u have a problem.

I would much rather have a HP/UX like ACL functionality on top of normal unix permissions.
if my first post gave the impression that i was favouring windoze a thousand appologies

Re:No that won't work either

[zorander]

Uh still wrong.

You *can* give root ownership of said file and remove global write access.

You can do this recursively.

You can do this for directories.

root doesn't need to own guest directory just files within. Try it

man chown
man chmod

and see what I mean. Believe me. What you think is a problem is *completely* dealt with by anything with a POSIX set of utilities (chmod,chown)

as to Mozilla, there's a plugins directory. There's a skins directory. Disallow write permissions to them, but leave cache open. Or even better, disallow read and write to everything (including mozilla) except for cache that way all they can get to is cache and only if they specifically request it.

Again, this is a non-issue.

Brian

chmod the config files.

While, i'm not an expert (at all). Most of the time the user config files are stored in a directory named . in the users directory. You could try going in there and doing a chmod a-w to prevent changes to the files. I'm not sure if this would work, but it should be easy to test.
-James

Re:chmod the config files.

[zorander]

It wouldn't work. pretty much, the user could just do a chmod a+w again because they own the files and therefore have the rights tio change their rwx perms. You'd really want to go in, do a chmod a-w, then do a chown to make them not own it (give it to root or even better, another user account that dissalows terminal login). Then they can't change the permissions back to rw anymore and can't write the files...It doesn't matter what they do, all you need to do is rm -rf $HOME at the end and those files will stay because they can't be removed.

Brian

Vserver as possible solutions - again....

[WetCat]

http://www.solucorp.qc.ca
Virtual linux servers, that can share space with main linux...
You can allow people to be root there...

Hm.. and in Seattle...

[gabec]

Isn't that considered occupied territory to Linux buffs? ;)

(just so i'm not being overly vague: "because it's only 15 miles from Redmond...")

Re:Hm.. and in Seattle...

[geekoid]

When looking to convert sinners, go to where the sinners are.

Re:Hm.. and in Seattle...

Linux Journal's published here .. and there is a body of water between us and Redmond.

Multi user kiosk

[chabotc]

You didn't quite specify in your question if the users of the system should be able to store files or not ... the design of such a system would kinda depend on this factor.

But lets pretend they do not have write permission, or save their files on a common shared (nfs) directory. Then one would take a basic redhat system, set up the 'guest' users envirioment /desktop/menus (keep his dir as small as posible, remeber to disable mozilla's cache). then tar this up.. Change your init scripts to set up a ram disk (8 megs or so should do), and mount that on the users home dir. The modify your inittab to start your kiosk-session script, which in turn starts your kiosk-dm.sh script ..

The kiosk-dm script would untar the guest's home dir to the correct spot, and start's X using your custom xinit script:
while 1; do
cd /
rm -rf /home/guest/* /home/guest/.*
tar xvfz /usr/share/guest.tar.gz /usr/X11R6/bin/xinit kiosk-session.sh
done

this kiosk-session.sh script would do something like:
exec su --login --command /home/guest/.xinitrc guest

This way, the user can 'log out' of xwindows, the home dir gets cleaned & restored, and a brand new x-session (restored from original config) is displayed.. Since eveything is on a ram drive, nothing that can break! (the guest user has no write perm on the rest of the file system, so can only fuck up his own home dir, which is cleaned every session)

Now if you want a user to be able to log in, keep his files, etc.. that be a whole other situation.. nfs mounted home dirs, authorisation via kerebos, and all that..

Now you also asked for multi-language support.. I would sugest getting your hands on the null beta (gonna be redhat 8.0), it has better UTF-8 support then i've seen before in any linux distro.. as a browser, use mozilla for decent internationalisation support.

As a added bonus, start up redhat-config-language first in your guest's .xinitrc file.. this way they can select a language before any apps are started, and everything should work automagicly (as long as you installed all the locales).. it is included in the redhat 8.0 beta (null)

Re:Multi user kiosk

[chabotc]

ps, slashdot bit my formatting again:
tar xvfz /usr/share/guest.tar.gz /usr/X11R6/bin/xinit kiosk-session.sh

should be:
tar xvfz /usr/share/guest.tar.gz /usr/X11R6/bin/xinit kiosk-session.sh

Sorry 'bout that

Re:Multi user kiosk

[devlogic]

Of course, you realize that the glob in "rm -rf /home/guest/.*" will match "/home/guest/..", right?

While this may not really be an issue since (1) there shouldn't be any other users on the system anyway, and (2) that tar file almost certainly has full paths in it, it's something to look out for, should you decide to use this script for other purposes.

Example: Someone I was working with a few years ago noticed that the dot-files in his home directory weren't owned by him. So he did a "chown -R username:group .*" from his home directory. He didn't notice that he was logged in as root, though. Made quite a mess for him to clean up over the next few days.

--
It may not be on-topic to the article, but it's probably on-topic to the parent.

No Changes available.

[ebooher]

Well, I'm not exactly sure what your specific purpose here is, but I know that the Indianapolis / Marion County Public Library Has set up little Linux kiosks that talk to their main server for doing things such as performing book searchs by title, author, etc and then taking those searches and adding them to your request database.

If this is all for non-profit type of work you might drop them a line and see if they can get you in touch with how helped them set it all up.

I know that the terminals are relatively dumb, and may even be using some form of LTSP (Linux Terminal Server Project) because when they reboot they drop directly back to a bare desktop with only icons for the software to do their catalog search. So in essence they are all guest accounts.

LTSP

[DrakeX]

GO LTSP. . . it will give you the option of trimming down the workstations and keeping a central control at the server end

delete the configuration applications!

KDE kiosk mode

[LMCBoy]

KDE has a kiosk mode. I'm not that familiar with it, but you can find the README file here:
README.kiosk

This is for KDE 3.0.

good luck!

poor misguided soul

Did they ever come to the wrong place for advice.

Re:You must read this:

Surely this is the voice of reason! If only everyone could hit the proverbial nail on the head this hard Let us be thankful our northern neighboring nation harbours such objective thinkers such as this current subject. Otherwise, we will be up shit creek in Iraq with young military personal lined up for anthrax vaccination shots.

Ask the seattle Linux Users group

[Raleel]

http://gslug.org/
http://www.seaslug.org/

Re:Motives, considering that MS is a SCTA partner.

MS has already placed a significant stake with the SCTA.

In what way? Microsoft's contribution is the retail price of the software they donated. It cost them maybe 1% of that "$200K software donation" to produce it. So I see their contribution as being about $2000. That's not a real significant stake in my book.

Federal funding? Good luck...

[Marc2k]

While I don't know where your "sleepy little town" is located, I do have a lot of contacts in the Seattle area, which gives me a little insight as to the atmosphere of the area. This is all my own wild speculation, but I'd venture to guess that there is little if any federal government involvement. Seattle is a rather large city, with a lot of revenue coming from the tech sector; the cost of living is moderately high, and most people are tech-friendly (compared to where I come from). The local government also seems to be very active and progressive, which is why it wouldn't surprise me if they were most, if not all, of the public backing. Thus, I'd say that's were most of the funding is coming from. Secondly, as a small-towner myself (and I mean no offense when I say this), I personally don't *want* my federal tax dollars going to fund your sleepy-town-Internet-cafes. There's no reason why Elmyra, NY needs more funding for Public Access Computing than Schnecksville, PA does. At that rate, as a registered voter and taxpayer, I'm simply not going to pay for a PAC center in every small town.

In my eyes, the only feasible way to set up something like this is on a not-for-profit Internet Cafe scheme, or perhaps have it funded by the locals.

Re:Federal funding? Good luck...

[llimllib]

I actually work in Schwenksville, PA (seriously, zip code 19473). Let me tell you, the town needs anything it can get for computer facilities.

Re:Federal funding? Good luck...

[Marc2k]

I actually live in Schnecksville (zip code 18078, population much lower), and mine does too (I can only get slow one-way cable)..but I'm still not sure what it would help or why people in Alaska should help pay for it. If the people of Schnecksville want computer facilities, they should band together with surrounding communities and set one up, IMO.

Re:You must read this:

"Asses of Fire" was the best thing to come out of Canada in a long time btw.

It would have been, had it really come from Canada. The movie characters were Canadian. The movie writers were not.

Re:Motives, considering that MS is a SCTA partner.

So is VALinux (VASoftware now)

MS sponsored ?

[Jonny+Ringo]

Kind of interesting that they are going after Linux when one of their sponsers in Microsoft.

http://cityofseattle.net/tech/scta/corporate.htm l

It says "Microsoft will contribute more than $200,000 in software".

Re:MS sponsored ?

[ainsoph]

MS sponsers everything in this town. We are as they say, in the belly of the beast.

Makes it a bitch to be a linux advocate.

Re:MS sponsored ?

[buss_error]

It says "Microsoft will contribute more than $200,000 in software".

I wonder if it was Windows 2000 they contributed....

Re:MS sponsored ?

Hmmm... so which $200,000 worth of software are they porting over to Linux?

If anyone asks, you'd like DirectX to run in Linux.

ThinkNic?

[Matey-O]

Diskless customisable thin client with Netscape, VNC, Telnet, broadband, etc, and audio. $200 per unit plus some kind of monitor.

They're cheap, run linux and hard to hack. (Also largely valueless from a theft standpoint.)

Qustion is: Do they have enough horsepower for your needs?

*cough*

Who the hell cares what you like?

Certainly not Joe PACUser. I may like MINIX on my personal computers, but that doesn't mean that it would make sense to implement it in a public-access setting. Chances are very slim that the average user of a public access center needs to open a file in AbiWord format on the quick, so the applications available for GNOME is negligible. The only thing that matters here is that they use a Linux desktop that is friendly to everyone.

VNC?

[Satanboy]

I remember a long time ago setting an environment up at home with VNC so I could surf to any web site at work through my web browser.

anyways, it became a hit at work and I ended up with 50 people using my box.

you just have to set the permissions correctly for the directories by using groups

and you can configure kde and gnome to work the way you want

it is a big step to read all the materials, but the manuals really help out.

Re:VNC?

[hol]

The problem with this is that you still need a functioning computer (complete with functioning desktop environment) to connect with, and the network traffic VNC (or X, or Terminal Server) generate is rather hefty.

Also, 2 people connecting to the same VNC session compete with each other over screen control if the VNC host were a windows box.

On a Linux/UN*X box, user still need individual sessions to run on that, in addition to the client. I.e. now you have two environments per user to manage. Not so ideal I think ;-)

What are people used to though?

[cnelzie]

The people using those machines may already know all the features and functions of those popular message clients and would be lost when faced with something called GAIM or Jabber or whatever-else-there-is.

How would they know which client to use with which service? (GAIM is a giveaway to you or me, but not to your average AIM user, Jabber would leave those people lost as well.)

How would they know how to configure that client for their account? (While easy for technically inclined people, most people are simply not technically inclined.)

Making public access Linux machines to replace existing Windows Public Access machines is a noble idea, I just see it as being a bit unfeasible at this time. I would love to say otherwise, I am just unable to.

Until there exists standard applications that are THE SAME on both platforms. Then there will be a possibility of setting up systems running Linux. Until then, putting those types of systems together will be tough to do.

-.-

Re:What are people used to though?

[Liquor]

Until there exists standard applications that are THE SAME on both platforms. Then there will be a possibility of setting up systems running Linux. Until then, putting those types of systems together will be tough to do.

This indeed is the reason that I included Yahoo and AIM as being available on Linux - while not necessarily exact matches, they are sufficiently close that a Windows user could navigate them - starting with recognizing the program icons. While MSN functionality is available in other applications, unless the MSN messenger can run under WINE (which Microsoft both fails to authorize and actively modifies code to prevent) there is no look-and-function-alike client.

In the meanwhile, running Mozilla on the Windows boxes should help pave the way for the users :)

DON'T USE LINUX

What it seems like you are trying to accomplish is to teach them the computer skills needed to get a job. If this is the case then I say AVOID LINUX.

I know that we all want linux on the desktop, and all corporations to dump windows, but it they haven't done it yet. So in the meantime you need to train these people on systems they are most likely to encounter in the real world, i.e. Windows. Otherwise you are giving them skills which are not applicable to corporate america, and therefore are not giving them the experience and training they need.

I know a lot of you are going to tell me it's not the system that is important, but the learning of the "language" and "logic" of computers. I agree if we are talking about a 4 year college plan that you can build upon. This however seems like more of a one off class, in which case, I feel you need to teach them as much of the "language" as you can, but focus on the sepcifics of the o.s.

Re:DON'T USE LINUX

[Billly+Gates]

"What it seems like you are trying to accomplish is to teach them the computer skills needed to get a job. If this is the case then I say AVOID LINUX."

Not necessarly. They do not need to edit .bash_profile files are create symbolic links and learn etc/rc.d/* runlevel configurations. Just setup KDE and StarOffice and take out alot of the extra kde apps besides the basics and your done. All they need to do is point and click. However I see Linux's shortcommings right now under this perspective. First off Microsoft has made some nice utitilies and features into windows. Having a profile downloaded automatically upon login and having shares automatically reconnect when the computer boots up and active directory services make life so easy. I admit Windows is full of horrible bugs which brings support costs up but its easier to administrate a large group of Windows desktops then Linux ones. Linux is best for administering servers while Windows is best for administering multiple desktops. I am aware you can create a custom shell script to login via nfs and autodownload some .profile files and you can create a custom bootdisk to setup Linux to do this upon bootup but boy is it a big pain in the ass. With Windows you can use ghost image and create a custom image for each employee department. Everything is all setup. I do not believe its supported on Linux.

ALso how do you do a gradual upgrade? Employees who have not upgraded yet will still send .doc and .xls files that staroffice is not fully compatable with. Staroffice is not there yet. What about printer support? No true type fonts when printing? What about the jerk who demands Microsoft outlook? How are you going to sync up employees palm pilots(jpilot was still beta last time I looked). What about employees who complain about seeing a webpage that was designed for IE only? I hate to say it but webmasters only look at Microsoft's specs and never the w3c standard. Its sad but true. Just a primptive lpd using a pipe? Can lpd even work with network printers that are not connected to a server? I have never used cups but I hope its as good as printing on Windows or the Mac. Its these and many other questions is why Windows is a safe but expensive bet for standardization. Linux is made as a personal workstation and server os and not a client one. MacOSX is the only unix that I can think of that even begins to address some of these important issues.

You know MacOSX might be a better desktop option if the cost of Windows is too high. Employee's can have their palm pilots, Microsoft office if needed(shudder) is there, better nds and active directory support, very easy to use, IE support, true printing, etc all with the benefits of lower tco of unix. It is a much better desktop and still is a unix. The reason I am not a macosx user is because a mac system is too expensive and slow for video games. Cocoa looks awesome and if I get better at programming I may switch totally.

Screw KDE and Gome

Make 'em use Enlightenment or OpenStep. That'll show the world what Linux is all about.

You forgot Joe

[owlmeat]

For diehard Wordstar users.

Re:You forgot Joe

[powerlinekid]

The funny thing is I actually learned joe before anything else.

NT doesn't work well in a public lab environment

[dunham]

NT is extremely difficult to configure for use in a public lab environment. You have to lock down the machine well enough that one user can't make the machine unusable for others, without breaking all of the software running on it.

A lot of apps want to write in system directories or write in random places in the registry (which, out of the box, is wide open to the current logged in user). Add to this users downloading random software from the web and trying to install it and a web browser that does the same (active X controls).

I'm guessing these people have locked down as best as they can, but end up with a bunch of machines being unusable at any given time, and a lot of "taxpayers money" being spent on reinstalling the broken machines.

Also, I believe installing security patches and service packs is still a manual, go-to-every-machine process on Win2k. (Unless you want to reimage the machine for every patch - either way a lot of manpower and hence money wasted.)

Re:You must read this:

this guy has a point, you know.....

"what should we use..."

[MobyTurbo]

What are the best tools for multi-user Linux labs? Should we use KDE? Gnome? How do we keep users from changing settings?

Use fvwm, the lab's users will *never* figure out how to change it's settings. ;-)

Re:"what should we use..."

[N3WBI3]

fvwm is not that bad, fvwm2 on the other hand... cringe...

Re:"what should we use..."

[N3WBI3]

Atcually FVWM I think would be a good choice. You can give them a clank desktop with only a clock and I cons for Mozilla/Netscape, AIM/MSN/IRC/YahooMess, Office, whatever.

Click the icon and you get the app, make it easy to use. If you go with gnome or kde you can intimidate the computer illerate.

Re:"what should we use..."

[MobyTurbo]

Atcually FVWM I think would be a good choice. You can give them a clank desktop with only a clock and I cons for Mozilla/Netscape, AIM/MSN/IRC/YahooMess, Office, whatever.

Click the icon and you get the app, make it easy to use. If you go with gnome or kde you can intimidate the computer illerate.

My comment was essentially a joke (though I used to use fvwm!) though as you point out there is an element of truth to it. It would make things less likely to be tampered with in a kind of security through obscurity sense and would be simple for the users to use at the expense of some eye candy. (Though I actually found fvwm configured as a motif clone reasonably attractive.)

The only problem I see with this ...

[graphicartist82]

is that it seems (from the HOWTO) that if you reboot the machine, you get to a lilo prompt and you can easily do something like "linux 1 initrd=/bin/bash" and boot directly into a prompt where you could change the root password without any trouble at all..

what other boot loaders are out there than have the functionality to "lock it down" to where the boot options can't be changed?

Re:The only problem I see with this ...

[spencerogden]

Can't you password protect lilo and/or have it not display a prompt?

Re:The only problem I see with this ...

yes and yes

Re:The only problem I see with this ...

[pete-classic]

GRUB has a boot-loader level password, and seems to be taking over as the gold standard Linux boot-loader anyway. AFAIR LILO has that functionality too.

But then windows boxes in a lab are even easier to own with a floppy disk . . .

I think the bottom line in a lab that is "public" to any degree is image early, image often.

Snort could help here too by identifying funny network traffic coming from any of the boxes in the lab.

-Peter

Re:The only problem I see with this ...

[squidinkcalligraphy]

enable the BIOS password, and disable booting from a floppy. Then the only way to own the box would be to physically open it and clear the BIOS with a jumper. Which could be solved by locking the box (most recent cases have a little hole u can put a padlock in). If all of this is done, the only way to own the box is to get busy with a drill/hacksaw/boltcutters/[insert name of heavy duty hardware here]. In which case ur prolly stuffed anyway...

Re:fr1zt pozt

Are you a linux user?

it's linux is for bitches

Services! Services!

[Neumann]

I dont want to rain on your parade here, but it sounds like you know very little about Linux in general. No offense to the /. crowd , but i dont think this is the best place to get the type of information that you are looking for. And after reading a little bit about your goals I would say that if you tried to do that based on what you read here is capital K Krazy.

If this were me, I would hit a Linux User Group meeting in Seattle (Greater Seattle User Group is the first one that appears on google) and get to know some of the local geeks so that you could get one of the local companies to give you a hand answering the questions you have.

Oh boy, you asked the naughty question

[praedor]

THAT'S gonna hurt. You asked which is better to use, KDE or Gnome. You are now certain to get a slew of messages from the Gnome fanatics and KDE fanatics telling how the other guy SUCKS. You didn't know, I'm sure. For future reference, try to inquire about both by using as neutral a tone as absolutely possible. The question itself, how it is specifically written matters and in this case it implies a winner and a LOSER! with a big "L" on its forehead.

I'll fix you right up though, save you the need to read rants and raves. Use KDE, it's the best, most mature, and integrated solution...NO WAIT! Use Gnome, IT is the cleanest, purest, most politically correct, mature, and...ah f*ck it. Toss a frickin coin.

Re:solution: Windows XP!

HOWTO secure windows XP

There is only one way known to humanity how to secure windows.
1. Pull the power cord out.
2. Use hammer to destroy HDD
3. Throw all that polution in the trashcan
4. Do not use the nearest trashcan
5. Run away and fell secure

read-only

if you really want no one to change anything, try booting it off of read-only media

Along similar lines, how about wmaker / blackbox?

[timothy]

People have different aesthetics of course, but I really like the look of windowmaker / blackbox / fluxbox -- esp. when set up with nice big labeled icons, I think it would be a great way to set up an internet cafe / public access station.

Clean, simple, resource-friendly ...

timothy

A secure approach with NIS and a boot sript ...

[Random+BedHead+Ed]

Set up one system as an NIS (sometimes called YP, for "yellow pages") server. This shares out all configuration files, such as the /etc/passwd file that contains user account information. Then configure all desktops to be NIS clients. This way you can log in anywhere with the same generic "guest" account.

If you want to configure this a generic account so no one can change its look-and-feel, I recommend setting up a script on each machine that during the boot process deletes the guest account's home directory and replaces it with a root-owned master copy you created elsewhere, such as on a NFS shared filesystem.

So you'd have a central copy of the generic account's directory as you'd like it stored somewhere like /root/guest on the NFS server. The students can log in and deface a client system all they'd like, but this will only affect settings stored in /home/guest on each local machine. On boot their settings will be overwritten by the "master" home directory that is copied by the script.

The script would basically delete the local /home/guest directory, mount the NFS volume, copy the root-owned guest folder into /home, unmount the NFS share, and finally give the new /home/guest directory the correct ownership with "chown -R guest.guest /home/guest".

You'll just have to explain to students that anything they download will be deleted on each reboot, so they'll have to use floppies/CDs.

One alert commenter pointed out that students will be able to boot into single user mode and log on as root without a password; this can be curcumvented by using the GRUB boot loader instead of LILO. GRUB, which comes with the most recent RedHat distro and may also be supported by others, allows you to set security so you would need a boot password to use the single user hack.

-Ed
ed-holden@lycos.com

Re:A secure approach with NIS and a boot sript ...

[kasperd]

The script would basically delete the local /home/guest directory, mount the NFS volume, copy the root-owned guest folder into /home, unmount the NFS share, and finally give the new /home/guest directory the correct ownership with "chown -R guest.guest /home/guest".

Why only do this at boot? I'd rather do it before every login. When the user press CTRL+ALT+BACKSPACE, the following should happen:

1. The Xserver is restarted.
2. A new session is started.
3. All his processes gets killed.
4. All his files are deleted.
5. The user is deleted with userdel.
6. The user is recreated with useradd.
7. KDE is now started as the new user.

This also takes care of the recreation of the users home, it will make a copy of /etc/skel.

LTSP

[sjwillis]

after having setup a public library to use linux on the desktop (twice), i'd really encourage you to check out LTSP.
My first go-round with the library, i did what you're looking at (a full blown distro on each machine). it worked very well. i created an install disk that created a nice, locked down desktop, etc. But then we started changing things like printer IPs and proxy server addresses and wanted uniform bookmarks, etc. And changing little things started to be time consuming.
With LTSP you change things in one place, reboot the clients and they're all pointed at the new proxy or whatever. Besides, booting off the network and using ram disks made me feel a lot better when patrons kept just turning the machines off without shutdown now -r. no more fsck, ect.
one more thing. using netscape i was able to edit the preferences.js file to disable all sorts of menus, settings on the web browser. i haven't tried doing the same with mozilla, but you'll probably want to make sure you use a browser with a lockable config file so kids can't change the homepage to playboy.com or whatnot.
jim

What about the applications?

[hatless]

You didn't say what the machines are going to do or what you server situation is. Linux with KDE and a browser-only version of Mozilla (no mail or news) would make for a very good web terminal, complete with Flash support. And if you have a couple of good file servers sitting behind it, you can network-boot them so that machines are interchangeable and don't necessarily need any software installed on them. Then you're just in the business of maintaining file servers, but they don't need to be big ones as they'd have to be if you were deploying, say, X terminals.

But what else do people do at these terminals? Do they get to use Word and Excel? Any custom Windows-based reference tools that aren't available over the web? Educational titles?

StarOffice/OpenOffice is okay, but it can be a little confusing for the kiosk user. It's one thing for a consumer or office worker to spend a couple of hours getting the hang of it if they're replacing MS Office with it. It's quite another to expect people to be productive in it on a casual, walk-in basis. You'll probably also want to customize it to replace the load/save buttons on the OpenOffice toolbars with buttons hooked to macros that load and save in MS Office formats by default. A kiosk user probably isn't going to want to save things in native StarOffice formats.

By all means ignore others' advice to remove floppy drives if you want. If you're comfortable with letting people use floppies to load and save their work under Win2000, you can do it just fine with Linux.

One nice potential savings with Linux is that you can present a customized, locked-down desktop environment like those that Windows system-management tools let you create--without any additional software or fees necessary. Take KDE and modify the guest "start" menus and desktop to include only the things you want to offer: the browser, maybe some desktop shortcuts to popular webmail services and instant-messaging tools, the word processor, a floppy formatter, and a logout button, for instance.

I'm still not convinced there are good reasons to switch over; you certainly don't want to make the systems less useful to the people who use them. I'm assuming you're facing mandatory upgrades from Microsoft and will soon have to choose between paying $300 per machine in Software Assurance with more of the same in two years, or biting the bullet and getting rid of the commercial software.

Depending on your needs, it certainly can work, and can work well. Linux (and Unix in general) is a great way to deploy rock solid centrally-managed, locked-down systems at a low cost. Just make sure you can give people the applications they need and present them in an easy-to-use, zero-training way.

mod parent up

[splorf]

LTSP is a good suggestion.

local lugs

[gomadtroll]

Here is a link to a list of Seattle are Linux Users Groups. Sometimes a little onsite hand-holding helps :)

http://www.sluge.org/links.html

A few thoughts...

[1155]

I actually had to do this, and we went with suse in the end. It had the most gui components pre installed, and worked pretty well with existing hardware as compared to flavors like debian, redhat, and slack. Also, running the librarian (in her late 50's) through the install, and then running her through a windows install on the same machine, she liked suse. Redhat had more options which she was confused on, etc. This was a "just in case" thing that allowed her to fix things when they became too complicated.

The benefits of using linux in a library environment are superior over microsoft in this case because:

a: No viruses(ok, like 3, but those are worms and you have to su to get them) is the more obvious one. As we all know, win32 is where the viruses are now, and you do not have to worry about someone downloading software with a trojan in it.

b: Licensing. This is an "of course" and I will not repeat what we all already know.

c: Third party software. A lot of third party software (i.e. aol, compuserve, games, etc) will not run in linux, and hence not allow for people to install it.

d: greater control. Linux also allows for finer control of users, i.e. the guest user that this person is desiring. Basically, you want to only give root rights to things such as gcc, rpm, make, dev tools, etc. Or you could compile it all on one machine and then push it to the others if need be. All depending.

e: Drives: actually, you need these to work inside of a certain context, ie, little bobbies home work is in word. When we did this, star office, open office, and one other were available. You may be able to get star office 6 for free, with the licensing they have for that. Contact sun.com on that.

Can't think of much else at the moment. linuxdoc.org would be a good place to start if you are unfamiliar, and you can go with openldap or nis (not as secur) for a centralized logon service if nothing else, although I doubt that this is needed.

Two things:

[Verizon+Guy]

1) Why would lab workstations be running IIS?

2) Do you even know what Active Directory is?

KDE or Gnome?

[Harkonen]

Being a Community Technology Center and these being public systems I would choose KDE.

The user interface will be much easier for public users than Gnome. I liked Gnome for years and then tried KDE3. Haven't gone back since.

I find KDE3 as a whole deffinitely has an edge to Gnome.

You can always install BOTH KDE and GNOME, run KDE as the desktop interface and still have the ability to run Gnome apps. Nothing lost in this scenario. Disk space has never been cheaper.

GNU/Linux is so wonderful it's disgusting.

No.

"Also, I believe installing security patches and service packs is still a manual, go-to-every-machine process on Win2k."

No, it's not. Google "Microsoft system administration tools" and you'll find all the (free) resources to make it not be. I'm too exhausted to provide the links and relevant info.

Nice HOWTO

Too bad it's severely ancient...

$200K fits out 1.5 PCs or half a server?

[wadiwood]

It seems obvious that 200K is not going to cover the annual M$ subscription cost let alone fitting out the whole organisation or even the public access.

Then again our 200K only buys half of what your 200K does in Microsoft products. Oddly, companies like Starbucks seem to charge the same numbers for coffee here as they do there eg $2.50, making ours half price in international $.

Or is that $5 USA and $2.50 Oz making our coffee 75% off?

if only I had a clue what I was talking about.

Just adding to the list of ideas and comments...

[dazedyugo]

I haven't really used KDE, but you can do what you want with either KDE or Gnome. It's really a matter of your own preference, and what you think users will be more familiar with. Some Windows users like KDE better. But Gnome can be configured to resemble windows as well, so it's really up to you.

It sounds like you want a single guest account per machine, which is why you don't want settings changed. Because if you didn't care about managing multiple accounts, then you wouldn't care about changed settings. In which case, you probably wouldn't want users worrying about logging in as "guest", since that's just another "instruction" page that you have to print out and post to every machine.

I know that GDM, the "Gnome display manager" which makes graphical login to gnome easy, has an option to allow for automatic login. You could set up GDM to automatically log in the guest account. If you were an administrator, you could just switch the tty, kill gdm and startx as yourself if you ever needed to get into X under the administrator account.

Next, you said that you didn't want settings modified by this guest account. Two ideas:

Idea #1:
Create this new account and configure settings the way you want them. Then log out and chown all the gnome desktop config files (in ~/.gnome*, I assume) to another user on the system. You could have the group 'guest' and have two accounts that are in that group, for example. You could have the 'guest' account, which is the one used by the people, and a 'phonyguest' account, which would own the desktop config files in 'guest''s home directory. Make it so that the 'guest' account can read the files owned by 'phonyguest', but not write to them.

You don't want to block the entire /home/guest directory from being written to by 'guest', however. If a user needs to browse the web or write a document or something, it wouldn't be pretty. This is where a logout script comes in to place - have it clean out anything that's not a designated config file. In fact, since it'll be executed by the 'guest' guest, it won't be able to wipe out stuff that's owned by 'phonyguest'.

So if this works out right, you should get the desired affect: User sits down at computer, and it's clean. User can use programs, but not modify desktop settings. User is done using computer, and logs out. Data created by user is erased. Computer automatically logs back in. New user can use it, without any old stuff cluttering his space.

Idea #2:
Another option (with much less work involved) would just be to allow the 'guest' user to do anything that s/he likes. The logout script would wipe out the entire /home/guest directory and then copy over files in the skel directory and any extra desktop configuration files that you added to make things look right. This is more user-friendly also, since it allows users to do whatever they feel like. And it's worry-free for any new person that logs on. And you don't have to worry about having an extra user on your system that does almost absolutely nothing ('phonyguest').

Hope this helps

the target audience is poor people

[wadiwood]

The target audience is probably computer phobic as well. But the whole idea is to provide services that the rest of us take for granted. I'm guessing: internet surfing, email, word processing (for that nice job application), maybe spreadsheets but that applies less to people who don't have any money to count, or perhaps more for those who have to make every cent count. And to keep the youth interested and learning, games would be good too.

Ideally you'd pick a system they'd only have to learn once, or once every five years (not 18 months) and something that they might be able to afford to set up at home on a second hand computer, that actually will run.

That rules M$ out on every score. You'd have to go to free/open source software for people who haven't got any money. And I think they'd be prepared to pay the price of extra time and effort to get access. Not that the windows interface is "easy" or "user friendly" anyway.

I would imagine that the skills one could pick up this way would also be useful for business that were running on a shoestring too.

Or we could just ditch the Linux idea and go with that simputer.org system.

cool start, but limited

[Erris]

Why not use the power of GNU/Linux to give users real accounts? You know, so they can save their work and eventualy retrieve it? Keep user accounts hidden from other users and make a little script that can be run by guest guest to create a real non privalidged account. Have the log outs kill all user applications and have an inactivity kill. Further steps might be needed to keep people from doing nasty things but they are SO much easier with a system that was set up multiuser from the very begining with compilers and everything else available.

The sooner people realize how easy this stuff is, the sooner they will use it and discover how easy it is.

Re:cool start, but limited

[axxackall]

Why not use the power of GNU/Linux to give users real accounts? You know, so they can save their work and eventualy retrieve it?

That is actually a good idea. It will require a more advanced GDM, but that is not a big problem to to redesign it, adding some self-registration forms.

If some installations will require Smart Card, there should not be a problem to integrate GDM with a card reader as well.

The only problem I see is in potential overflow of the user base. But I think that some database-beckended LDAP (OpenLDAP with PostgreSQL) will solve the issue.

Locking Down Windows

[Loopsnut]

If for some reason you'd like to keep the windows and lock it down instead, I challenge anyone to find a way around this solution: www.deepfreezeusa.com. It lets the user change whatever they want, even format the hard drive and a simple reboot magically restores it to the way it was found.

The simple answer

[Wolfrider]

I started out using KDE, then found out Gnome loads faster and uses less resources. So I switched.

At any rate, TRY EVERYTHING - Icewm, Blackbox, Sawfish, Wmaker, and then USE WHAT YOU LIKE.

I even use different WMs for different applications. If I'm just running Vmware, I don't need KDE or Gnome, I just ' xinit /opt/whatever/sawfish ', start rxvt, then run vmware from there. Minimal resources.
.

K12OS.org

[charlie763]

Go to K12OS.org. They have a modified Redhat distro that allows one to boot terminals (discless workstations) from a main server. This is a cheap solution and easier to impliment than you think. I have actually done it myself!

Also, install GNOME and KDE. The user can figure out for themselves what they like best.

Re:K12OS.org

[charlie763]

http://k12ltsp.org/contents.html is probably a better link. Sorry about that. Don't mod me down for being stupid. If we all moded people down for being stupid..uh...well, I guess we would all be equal.

XF86 shortcomings to be aware of....

[Nomad128]

One really annoying fault of Linux/XF86 that they may want to look into beforehand, since they have multilingual capabilities as a concern, is the inability to conveniently enter any character from any keyboard mapping. For example, I can type "é" in Windows by typing ALT-130. X can do this w/ sticky-keys, but that's annoying and only found on some keyboard mappings. What happens when one needs to type in "©"? ""? Character Map is one of Windows' greatest strengths as far as multilingual support, and it's really silly, IMHO, that XF86 doesn't include a utility for this. Even the desktop environments, though, which do have character maps (made by 3rd parties), don't make this simple-but-effective feature happen. Anyone who thinks this is a minor feature probably doesn't know the joy of typing a single recital program that uses Italian, German, French, and Spanish....

Re:XF86 shortcomings to be aware of....

[kasperd]

I can type "é" in Windows by typing ALT-130.

This feature might be older than Windows. The feature actually exist in the BIOS on my over 10 year old 286. Windows just has a reimplementation of this feature, and for good reason, it is a nice feature. This is something XFree86 should also have, it cannot be hard to implement.

Re:XF86 shortcomings to be aware of....

before you knew alt+130 gives you é you have opened the charmap under windows.
With linux, gcharmap is you friend.
And on a french keyboard, under linux, try AltGr + a, z e, q, s, etc. it 'll gave you æ, , , @, ß, etc.

yep :)

The Minority Report

[Arandir]

Here's my minority report from off the deep end. It sounds like to me that you will have someone maintain the boxes, and that all the user will ever see is the desktop. Fine. Then try FreeBSD.

FreeBSD is very easy to administer and has all the software Linux has. Stability and security is your prime concern in a public environment like this, and FreeBSD holds its own here. Only a few Linux distros can compare in this area (and the for-the-masses distros aren't them).

ICEWM!!!

Icewm can be configured by modifying the main menu, toolbar and preferences files. I created about 300 workstations for a corporation using icewm, and the users can't modify it because they don't know vi. It's solid, fast, reliable and works as expected.

Re: problem with economics

[fferreres]

Law should require that donations be valued at marginal cost AND NOT the price they charged some other guy or even the price they'd like to have charged.

It's very easy why, but in the land of Economics (USA) nobody can see something as easy as that :(

Companies are really abusing the economy and the citizens. But people will figure it at some point, if not already doing it (i have doubts though)

Try this?

[oasab]

Schoolnet.na is a non-profit org in Namibia, where with an aim to connect all public schools in the country (particularly in areas neglected under the old apartheid government) to the internet over the next few years.

We are using Linux/KDE to set up labs that we can move out to remote areas and connect by various means (wireless, leased line, telephone, satellite, etc.) to the internet.

Basically, we do the following:

- 1 Linux server
- minimum of 5 thin client workstations depending on the power source available. (solar panels = +/- 5 workstations, national grid = lots more.)
- we control the configuration, etc. using ssh from our main hub at the Polytechnic of Namibia

Using thin clients allows us to use older computers (486's, pentium I's etc.) as work stations, this saves money in the end as we can cannibalize old computers local businesses, etc. are throwing away. We just have to make certain that the server has some oomph :-)

If you want more infomraiton, contact our exective director, Joris Komen at joris@schoolnet.na, visit the website www.schoolnet.na, or you can contact me as I am a member of the board, ben@fuller.na

Best

Ben Fuller

the good reason for banning 95 on Netware

[thegoldenear]

"It rather reminds me of Netware administrators banning Windows 95 when it was first released."

if I remember correctly, we banned Windows 95 on Netware 3.12 when 95 was initially released because all you had to do was name your 95 workstation with the same name as the Netware server and everyone's network traffic went to the workstation instead of the server

Secure setup for Kiosk/Public station?

[lonegd]

Kiosk's and public workstations will normally come in for some abuse from script kiddies etc. So for security/privacy reasons, I would consider a diskless ( floppy and CDROM ) workstation that boots from a DHCP server with a network provided OS image. This would ensure a secure baseline OS for each user. This would also reduce OS update/patch problems to a single image.

By tailoring the OS ( through permission's ) you could ensure that users could only save to their home directory which could be stored on an NFS mount. This enables users to have their data each time they login without the worry of someone else tampering/reading it.

Network security would also need to be addressed with the use of switches, firewalls and an IDS. Ensure the switches are intelligent enough to accept filters or firewall rules :)

Depending on the application's available to the users, a good general rule of thumb is limit network access to the bare minimum. So filter outgoing aswell as incoming.

Hope that all makes sense.

NFS

Don't trust the users' local machine, it can be compromised:
mount -t nfs ro otherServer:/homes /home

Not so hard...

[hol]

One thing I thought about, it's not so hard. Most Internet Cafes I see these days make their machines reboot after you log off. Some of the better ones running windows just wipe the registry and everything associated with that guest account.

In the case of Linux, all you need to do at the base level is configure a desktop, and then save those settings somewhere. There are a couple of places to hook in a logout script that would wipe the users home directory, and re-apply the original settings. The win here is that you give your users what is essentially a fully functional system, and just wipe their changes later. No problem. If they really mess it up, Crtl-alt-backspace logs them out and restarts X. Done.

Login accounting (if you bill for time) can also be handled this way - somewhere in PAM you hook in and measure login and logout times, and send the results on logout. Just block the power buttons ;-)

I saw some other people mentioning the Gnome vs. KDE religion, and saying stuff about using cheaper machines here or there. That's not so important, firstly, as long as you can make the system look reasonably welcoming. Heck, let the users themselves choose language and user interface at login time. Secondly, both the latest KDE and Gnome are approaching the memory footprint of Windows 2K and relatives, so running everything in 64 megs is not likely to provide anyone with an experience they will want to pay for.

Yeah, that'll do.

Re:Not so hard...

[PigleT]

"Login accounting [] can also be handled this way - somewhere in PAM"

Why bother when you've got process accounting?

As for front-end, you don't need anything spectacular at all; I've seen very useable terminals in Brighton hospital here in the UK, where the WM was basically fvwm(2/95) but with galeon running full-screen, access only to a proxy that required login to let you out on the 'net for real. See http://www.pienetworks.com/products/index.htm for more :)

Re:fr1zt pozt

[hAkron]

I wouldn't worry about creating guest accounts for your users. Linux is far to difficult for your users to use competently, let alone change settings on. Your users will be so overwhelemed with "how awful looking is on this computer" that they won't have time do change your precious settings

Think outside the box!!

[sportiva]

Have you though about implementing macOS X? It has a robust unix core, great mulit-user facilities and very strong multi-lingual support.

On top of that you get a strong support base and a system that looks and feels 1000% better than win2K.

Remote Boot

[niessen]

A thing that kept me from causing to mage damage during my University days, was the network boot. You can intialise all workstatons over the network, if the NIC has a bootrom. You then have the option of mounting only a small swap partition locally, or taking out the hdd completely.

To restore the user profiles I am sure many of the other comments here are useful.

Multilingual Linux

[niessen]

There are a variety of input methods for Japanese, Chinese and other characters. Alas, most documentation is in Japanese (I live here). The input method on linux is a lot different from the one in Windows. I am sure that Mr. Sato from next door will have trouble coping.

For the interface, you should make one user per language. Each user account profile should be set to the language in question, and then you just have to secure it so that it gets written back when people log out.

Don't forget to put html help and explanation as links on the desktop!

I'd use OpenBSD.

[Brett+Glass]

Much more secure than Linux and therefore better for a public environment. As for desktops: Maybe something simple like FVWM. KDE has too many bells and whistles and therefore will be tough to secure against abuse.

I would use neither KDE nor Gnome

For such workstations, there is no need to build a complex Desktop Environment which is difficult to protect against changes by the user himself.

Instead, I would use a traditional Windowmanager - perhaps icewm, fvwm95 or something like this - which is configured by a single rc file. Just write-protect the windowmanager rc-file, and the user cannot change its settings. Attention: watch your directory permissions that the user cannot write-enable the file himself.

Different Languages can be set via kdm or another XDMCP application at login time. You have just to install the corresponding locales, fonts and resources for all needed languages.

As well, you need to keep your installed Software up-to-date to prevent local exploits. Thus, you need a Distribution which makes updating easy - perhaps Debian oder Gentoo - and you need to reduce the number of installed packages to a reasonable number of carefully selected applications.

Danger: All this is not an easy work to set up for Linux Beginners. Look for some experienced Linux Administrator supporting the first-time setup.

Re:Changing settings? Basic model difference

[Stephen+Samuel]

Windows is, at it's heart a single user operating system. It'd been kludged to handle multiple user profiles. The kludges are getting better as time goes on, but they're still kludges.

Unix, on the other hand, was designed -- from the start -- as a multi-user operating system. Running it as a desktop operating system is simply the degenerate case of N==1.

Unless users find a local root exploit, they pretty much can't mess up each others' settings. There are the system-wide settings which are generally controlled by the system's administrator and then there are the user settings which can usually override the system settings -- but only for that user.

All user settings (with the exception of the password information) are stored in the user's home directory. In a normal setting, users have full control over the contents of their home directory.

Under normal conditions, If I (as a regular user) install an application, other users wouldn't have access to them unless (1) I allowed them permission to access them, and (2) they explicitly referenced my installation.

[

• About the only time you'll see two users' preferences getting in the way of each other would be if you were running two separate X servers in different virtual consoles. It allows for rapid switching between users, but runs into the problem of fighting over things like the sound hardware (I guess you could install two sound cards, but that's getting into woo-woo land for me.
• 
  I've tested such an installation and it works, but it's not an any default setup that I know of. It's just fun to experiment with. All you have to do is add an entry to the xdm/Xservers file to start a second server on display :1 . For RedHat, it'll start the extra login screen in console 8.

]

Redhat?

I'd go for gnome 2 for the desktop environment - it really is good(professional, easy to use etc) - However i'd pick a good distribution that has set it up for you (mostly) so i'd evaluate the latest redhat and mandrake beta's (both of which have good gnome setups - personally i prefer redhat), but (obviousely) don't deploy it until the distribution that you choose does a stable release.
Yes KDE tends to be more like windows, but it is slower (try them both and you'll see) and there are more really good gnome/gtk apps out there (Think Evolution)

Re:Along similar lines, how about wmaker / blackbo

[MobyTurbo]

People have different aesthetics of course, but I really like the look of windowmaker / blackbox / fluxbox -- esp. when set up with nice big labeled icons, I think it would be a great way to set up an internet cafe / public access station.

Clean, simple, resource-friendly ...

I love the way Windowmaker looks as well, I use it. However, unfortunately the general public is used to Windows and probably would be very puzzled by the requirement to right-click on a desktop as opposed to a start button (aka K menu / Foot menu). Of course, if you plan to use old hardware for the workstations you might want to choose Windowmaker or *box at any event because of their lower resource requirements.

Dual boot, netboot, clone, cross-platform

[stevewri]

I work in this world as well, in San Francisco where I work with 17 community technology centers. So, here is what I think would be the perfect world application. A linux server that served cloned images of Macs (X), windowz and Linux (maybe k12ltsp). So, when a user logged on they could choose the operating system they wanted and whether or not they wanted to update their image (or maybe netboot?) (Clearly throwing macs in the mix makes it more difficult. I know that some people have netboot working for macs.)

The major issue in uptime in our labs is around problemsolving indivdual problems on each machine. And before you say just lock down the desktop, the purpose of a community tech center is to give people unfettered access. Breaking (and fixing) is part of learning.

Is any part of this possible?

Linux based Public Access Company

Check out Userful. These folks have built a pretty amazing public access technology using OpenOffice, etc..

Check out LabStatus to manage the labs

[polansky]

While you're at it, you should check out a piece of software called LabStatus to manage your groups of labs. It's written just for managing this sort of thing.

http://labstatus.com

--Jonathan