Slashdot Mirror


Linux and Public Access Computing?

An Anonymous Coward asks: "The Seattle Community Technology Alliance is a non profit, federally funded, public/private project that supports community technology centers in the Seattle area. We are interested in moving our public workstations from Win 2000 to Linux. In order to do this, we need good multi-lingual options and the ability to create 'guest accounts' that prevent users from changing settings (to provide a consistent environment for users). What are the best tools for multi-user Linux labs? Should we use KDE? Gnome? How do we keep users from changing settings? We are eager to start experimenting, but would appreciate expert advice on starting points!"

21 of 342 comments

  1. You're gonna get a flood of answers by FreeLinux · · Score: 3, Informative

    But these are EASY questions.

    Choose any of the larger distributions you wish. Red Hat, Suse, whatever.

    Use KDE. Windows users freeze the second they see Gnome.

    Guest accounts and multiuser environments are what Linux is all about.

    As far as locking down the desktop, Linux and KDE are infinitely configurable so this won't be a problem. Alternatively, if you are just using guest accounts, let them change what they want then have the logout script clean out their home directory. That way every time a new guest logs in, it's a brand new desktop.

  2. check the howto by SkipFrizzell · · Score: 5, Informative

    http://www.linux.org/docs/ldp/howto/Kiosk-HOWTO.html

    I would start here.

    -=Skip

    1. Re:check the howto by LedZeplin · · Score: 2, Informative
      I've setup the Linux Kiosk Project.


      Granted it's limited to web browsing, but it's a start


      It uses a modified TWM as the window manager and XUL modified Mozilla as the browser.

  3. check out the DNA lounge source code by Anonymous Coward · · Score: 5, Informative

    Check out http://www.dnalounge.com/backstage/src/kiosk/ for information about how they set up their Kiosks. It might give you some ideas for starting points, they have similar goals and an extremely "hostile" environment.

  4. Linux as a public access machine... by cnelzie · · Score: 2, Informative


    The desktops should be put together in a kiosk fashion. Whatever desktop you end up using should be absolutely simple.

    The best thing would be for a featureless desktop with the few handful of applications that are allowed to be used as clickable icons on the desktop. A taskbar is not needed, in fact it shouldn't even be welcome.

    Having a taskbar, with a number of applications available through a Windows-Start-Menu-Like system can provide far more functionality than is needed. Sure, you can edit the taskbar "Start-Menu" to include only a few applications, but then what is the point to having a "Start-Menu"?

    All that is needed is a basic web browser that supports currently used web elements. Not just standards, but things that are used across most web-sites. That means Flash Support, Java Support and a host of other web technologies.

    The important thing is to have that all setup properly with all the correct plug-ins in place. If those are missing, then you will see the users gravitating away from those systems.

    Probably the best thing to do, would be to setup a specially tweaked Windows machine and one of these specially tweaked Linux Machines. Both can have the same basic applications available that the public-access users will be wanting to use...

    Here is one thing that might hold you up...

    IRC, Yahoo! Messenger, Aol Instant Messenger and MSN Messenger. These are all used on public access machines. To confirm this, check out the public access machines at Kinko's, also check out public access machines at college campuses. All of those are installed onto those machines.

    Setup a Windows machine with only IE and those messaging service icons on the desktop. This can be done using Group Policies.

    Setup a Linux desktop with just a Mozilla or other web browser link on the desktop. Then one of those "Easy to use" multi-client chat programs as a link on the desktop.

    Run both of those machines side by side. Track how many people use both machines. You might be surprised to find that more people will end up using the Windows machine, simply because of those messenger clients.

    You can even remove the messenger clients and you might find that more people will still end up using the Windows machine, due to the better font handling and other things that they are used to.

    Do this experiment before you take a leap and radically alter your configurations.

    -.-

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
  5. Gconf by gouldtj · · Score: 3, Informative

    If you use GNOME... you can lock down most of the settings (in GNOME 2 at least) by just changing your GConf settings. Basically it allows you to make all of the settings read only. The file that you'd be interested in modifying is: /etc/gconf/2/path. You should be able to lock down most settings nice and tight.

  6. KDE Kiosk Howto by UnixFerEver · · Score: 2, Informative



    http://www.brigadoon.de/peter/kde/t1.html

    This may be a little out of date by now, but I think they have a mailing list as well.

    1. Re:KDE Kiosk Howto by Anonymous Coward · · Score: 1, Informative

      They have, it's at lists.kde.org . And KDE Kiosk is very good.

    2. Re:KDE Kiosk Howto by MtHuurne · · Score: 2, Informative

      On kdeleague.org I found this link to the up-to-date README for KDE kiosk mode. The kiosk feature is included in the standard KDE distribution since KDE3. This README describes how to activate the restricted permissions features.

  7. Re:easy answer - K12LTSP by danyoung · · Score: 2, Informative
    I'll do you one better:

    Try the K12LTSP distro, a modified LTSP setup ready-to-install. It has Mozilla, OpenOffice, etc., and will likely be updated to GNOME2 goodness once the latest 7.4/8.0 limbo/null/whatever betas are done.

    The diskless terminals boot from a floppy or NIC bootrom, with the K12LTSP server doing all of the heavy lifting. I've used Pentium 90s and worse for the terminals.

    k12ltsp.org

  8. KDE Kiosk Mode by scriptkiddie · · Score: 3, Informative

    I'm a former student of Robert G. Valiant, whom I believe works/worked for CTA a while back. Say hi to him for me.

    As other posters have said, use KDE 3. You'll need to write some scripts to set up the accounts properly, since you really can't set up multiple accounts in KDE by copying the .kde directory (lots of programs need a directory to store data in, they get it from a .kde config file, but the config file says /home/username/data rather than ~/data, so copying .kde directories leads to weird hard-to-reproduce errors).

    KDE3 has a nifty kiosk mode, which I don't think anyone has mentioned. It allows you to restrict access to programs on the application menu only - people don't get a terminal, and they don't get any filesystem access through the file manager. It's great for Web browsing and e-mail, though it can lead to trouble when you want to, say, rename a file.

    Use KDE, NIS, and NFS so home dirs are shared across the system, of course. That's easy to set up. Using rdist for the KDE distribution itself is a good plan too.

    If you spend the time to set up Linux properly, it's a very competitive alternative to Win2K for public labs.

    1. Re:KDE Kiosk Mode by Anonymous Coward · · Score: 1, Informative

      This company claims to have a pre-packaged kiosk solution for Linux that might be worth a look.

  9. There are a flood of resources out there... by ainsoph · · Score: 5, Informative

    The biggest one I can think of is the "linux Terminal Server Project",

    ltsp

    Which has been adapted to public schools in the form of:

    k12ltsp

    The linux in education folks have tons of info on doing stuff like this and are very wise about digital divide issues.

    Here are some links:

    open source schools

    School Forge

    k12os

    SEUL/Edu

    Some case studies:

    seul dat

    There is also Simple End User Linux (SEUL)

    SEUL

    RedHats "Open Source Now" initiative has listings of people in the area who can help out. They also have a bunch of "why's" and "hows" on their site.

    Open Source Now

    I should be listed there in the Army of Friends, but have not gotten around to putting myself up. Feel free to contact me at cschwan4@attbi.com, as I am in the Seattle area.

    Doing this kind of thing is a great interest of mine, and I work in education to help make these transitions.

    Hope this helps.

  10. Re:Can I ask why? by Osty · · Score: 2, Informative

    I think the first issue is the cost of keeping those machines up to date.

    Did you not read what the original poster said? It wasn't "Why switch?", but "Why switch now?" If the library is already running Win2K, then they have

    • Paid-for licenses, and
    • Beefy enough hardware for it.

    Given that, switching now is a waste of money (even if the switch costs $0, they've still wasted money on Win2K licenses). It serves no purpose but to promote a zealot agenda, and as a Seattle taxpayer, I would prefer my money be spent on better things.

    The second is what the machines are supposed to be doing. If it's just surfing the web, emails, and basic word processing then you should be able to do this much cheaper than paying the annual MS tax.

    I don't know where you work, but unless you're paying for a yearly service contract, you're not paying yearly for your license (some LORGs may have special licensing deals with MSFT that require yearly payments, but most businesses aren't LORGs), and especially not with Win2K (whether or not this will change in the future will have no effect on already-purchased licenses, of course). So, unless you're doing funky accounting (amortizing the cost of Windows 2000 licenses across the expected lifetime of the OS, for example), you don't have a yearly "MS tax" to pay. The licenses are already purchased, nothing more needs to be paid.


    A terminal server like setup would allow you to use cheaper boxes at the front. (Maybe you could put out 10 more boxes with the savings in hardware and software.)

    Well, the hardware's already purchased it seems. However, if they wanted to go with thin clients, you can do that just as well with Windows, so since they already have the licenses ...


    Finally, it'll discourage the script kiddies. When Joe Jr. goes to logon and use his floppy disk with the latest privilege elevating holes in Windows they'll be stuck at step one.

    Why even bother providing a floppy drive? Okay, so you change that to "When Joe Jr. goes to logon and use his CD-R with the latest privilege elevating holes ..." Still, it doesn't matter. It's apparent that you're not a Windows sysadmin (not a dig, just the truth -- unix admins don't always make good nt admins, especially when they have preconceptions about how "terrible" windows is), or you would realize that the reason most people get into trouble with nt4/win2k/winxp is because they run as administrator 24/7. You wouldn't do that with root in unix, so why do it in Windows? Anyway, you can very effectively lock down Win2k, and as long as you stay on top of security patches, you'll be just as secure as linux (where the same applies -- lock down your users and stay on top of security patches).


  11. Re:Firewall all traffic OUT (For starters.) by E-Rock-23 · · Score: 2, Informative

    Since I'm all outta moderation points, I'll have to reply. I do like this suggestion. Finding yourself an experienced Linux administrator or three who are willing to sit and monitor the network would be another option. That way, when someone tries something fishy, he/she can root his way in and stop it. That admin might also find working in a volunteer capacity for a non-profit outfit looks rather good on a résumé, scoring them brownie points with prospective employers.

    I also agree with the use of KDE in this situation. Using GNOME, Blackbox or another "geek friendly" DE is asking a little too much of the casual user, who is most likely not familiar with a *NIX environment.

    Also, doing this in the Seattle area is pretty bold, seeing as how it's more or less Microsoft's home turf. I have no doubt that they'll try and shower you with funding, presentations on the benefits(?) of Windows, and other junk aimed at preventing your switch to Linux. You're going to have to tell them where to get off the bus, which can be rather tricky when the beast is tempting you with spoils. I wish you all the best of luck ^-^

    --
    Blog Prophyts - Right On, Man
  12. Multi user kiosk by chabotc · · Score: 3, Informative

    You didn't quite specify in your question if the users of the system should be able to store files or not ... the design of such a system would kinda depend on this factor.

    But let's pretend they do not have write permission, or save their files on a common shared (nfs) directory. Then one would take a basic redhat system, set up the 'guest' user's environment /desktop/menus (keep his dir as small as possible, remember to disable mozilla's cache), then tar this up. Change your init scripts to set up a ram disk (8 megs or so should do), and mount that on the user's home dir. Then modify your inittab to start your kiosk-session script, which in turn starts your kiosk-dm.sh script.

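    The kiosk-dm script would untar the guest's home dir to the correct spot, and starts X using your custom xinit script:
    # loop forever: every X logout wipes and restores the guest home
    while true; do
        cd /
        # remove everything in the home dir, dotfiles included, without matching "." or ".."
        find /home/guest -mindepth 1 -delete
        # unpacked relative to / (see the cd above)
        tar xvfz /usr/share/guest.tar.gz
        /usr/X11R6/bin/xinit kiosk-session.sh
    done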

    this kiosk-session.sh script would do something like:
    exec su --login --command /home/guest/.xinitrc guest

    This way, the user can 'log out' of xwindows, the home dir gets cleaned & restored, and a brand new x-session (restored from original config) is displayed.. Since everything is on a ram drive, nothing that can break! (the guest user has no write perm on the rest of the file system, so can only fuck up his own home dir, which is cleaned every session)

    Now if you want a user to be able to log in, keep his files, etc.. that be a whole other situation.. nfs mounted home dirs, authorisation via Kerberos, and all that..

    Now you also asked for multi-language support.. I would suggest getting your hands on the null beta (gonna be redhat 8.0), it has better UTF-8 support than I've seen before in any linux distro.. as a browser, use mozilla for decent internationalisation support.

    As an added bonus, start up redhat-config-language first in your guest's .xinitrc file.. this way they can select a language before any apps are started, and everything should work automagically (as long as you installed all the locales).. it is included in the redhat 8.0 beta (null)
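
A guarded version of the wipe-and-restore step described in the comment above, added here as an example (it is not the poster's code). The function name, the guards and the archive layout (paths stored relative to the home directory) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): guarded reset of a guest home directory.
# Assumption: the template archive stores paths relative to the home directory,
# e.g. built with: tar czf /usr/share/guest.tar.gz -C /home/guest .
# Usage: reset_guest_home /home/guest /usr/share/guest.tar.gz

reset_guest_home() {
    dir=$1
    archive=$2

    # An empty or relative path would aim the wipe at the wrong tree.
    case $dir in
        /*) ;;
        *) echo "refusing: '$dir' is not an absolute path" >&2; return 2 ;;
    esac

    # Refuse / and top-level directories such as /home, and refuse symlinks.
    dir=${dir%/}
    if [ -z "$dir" ] || [ "$(dirname "$dir")" = "/" ] || [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: '$1' is not a safe directory to reset" >&2
        return 2
    fi

    # Validate the template before deleting anything, so a missing or corrupt
    # archive cannot leave the kiosk with an empty home directory.
    members=$(tar tzf "$archive" 2>/dev/null) || {
        echo "refusing: cannot read template '$archive'" >&2
        return 3
    }

    # Reject members that would land outside the home directory.
    if printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "refusing: template contains absolute or '..' paths" >&2
        return 4
    fi

    # Remove everything below the directory, dotfiles included. -mindepth 1
    # keeps the directory itself (it may be a ramdisk mount point) and -xdev
    # stops find from crossing into other filesystems.
    find "$dir" -mindepth 1 -xdev -delete || return 5

    # Restore the pristine profile. Run as root, tar restores the ownership
    # recorded in the archive.
    tar xzf "$archive" -C "$dir" || return 6
}
```

Because the template is checked before the wipe, a failed guard leaves the current session's files in place instead of an empty home directory.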

  13. No Changes available. by ebooher · · Score: 2, Informative

    Well, I'm not exactly sure what your specific purpose here is, but I know that the Indianapolis / Marion County Public Library has set up little Linux kiosks that talk to their main server for doing things such as performing book searches by title, author, etc and then taking those searches and adding them to your request database.

    If this is all for non-profit type of work you might drop them a line and see if they can get you in touch with who helped them set it all up.

    I know that the terminals are relatively dumb, and may even be using some form of LTSP (Linux Terminal Server Project) because when they reboot they drop directly back to a bare desktop with only icons for the software to do their catalog search. So in essence they are all guest accounts.

    --
    "Genius may shine aloof and alone, like a star, but goodness is social, and it takes two men and God to make a Brother."
  14. KDE kiosk mode by LMCBoy · · Score: 3, Informative

    KDE has a kiosk mode. I'm not that familiar with it, but you can find the README file here:
    README.kiosk

    This is for KDE 3.0.

    good luck!

    --
    Liberal (adj.): Free from bigotry; open to progress; tolerant of others.
  15. Re:First of all. by justsomebody · · Score: 3, Informative

    Well, in my opinion he's raised the right question.

    There should be some HOWTO for that kind of thing, at least if you wanna see some more desktops joining in. I remember when everybody was eager to help schools to move to linux. /. month or so ago.

    HOWTO
    -----
    Process should be divided to some various points.

    1. Securing machine.
    Securing bios, lockaway of power and reset button
    2. Securing boot loader to disable user commands to kernel. You can even compile kernel to make some improvements to that point
    3. Securing interactive service boot mode, make a change in rc scripts just to comment the lines waiting for input key to start interactive mode.
    4. Securing X by disabling accessing terminals with Ctrl + Alt + F?
    5. Disabling reboot without password and disabling reboot with Ctrl + Alt + Del (otherwise in some various points Ctrl + Alt + BckSpc and Ctrl + Alt + Del might enable user to reboot)
    6. Disabling any kind of autologin

    7. Next thing is securing desktop manager

    It could be done in some various ways but best in my opinion is first one.
    Personally I don't think that idea with guest accounts would be good. Much better choice is LDAP users and LDAP login. With this you can have as many centralised users as you want. But every new user gets new preferences and every user is able to choose desktop (Still you can install only one and disable that choice if you want equal desktops). Just protect icons on desktop for softwares you want (chmod 555).
    Extend that option with NFS share for storing their home folders. You just got your self moving profiles accessible from any computer in network.

    Second idea is far easier to achieve. After session, delete home folder, recreate new one from templated one with rsync and here is the point where user modifications to desktop are reset

    --
    Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
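
A check script for items 2, 4 and 5 of the HOWTO in the comment above, added as an example and not written by the poster. It assumes sysvinit's /etc/inittab, an XFree86 4.x XF86Config and GRUB legacy's grub.conf; the function names and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit three of the HOWTO items above.
# Assumptions: sysvinit inittab, XFree86 4.x XF86Config, GRUB legacy grub.conf.
# Usage: audit_kiosk /etc/inittab /etc/X11/XF86Config /boot/grub/grub.conf

# Print a config file without comments and blank lines.
active_lines() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# Item 5: succeeds when no active inittab entry uses the ctrlaltdel action.
ctrlaltdel_disabled() {
    ! active_lines "$1" | awk -F: '$3 == "ctrlaltdel" { hit = 1 } END { exit !hit }'
}

# Items 4 and 5: succeeds when Option "NAME" is present and not set to a false value.
x_option_set() {
    active_lines "$1" | awk -v want="$2" '
        tolower($1) == "option" {
            split($0, q, "\"")              # q[2] = name, q[4] = optional value
            if (tolower(q[2]) == tolower(want) &&
                tolower(q[4]) !~ /^(0|no|off|false)$/) ok = 1
        }
        END { exit !ok }'
}

# Item 2: succeeds when "password" appears before the first "title", i.e. in
# the global section, where it guards the menu's edit and command-line keys.
grub_password_global() {
    active_lines "$1" | awk '
        $1 == "title"    { exit }
        $1 == "password" { ok = 1; exit }
        END { exit !ok }'
}

# Run every check; print one line per failure and return the failure count.
audit_kiosk() {
    fails=0
    ctrlaltdel_disabled "$1"       || { echo "FAIL Ctrl+Alt+Del reboots ($1)"; fails=$((fails + 1)); }
    x_option_set "$2" DontVTSwitch || { echo "FAIL VT switching allowed ($2)"; fails=$((fails + 1)); }
    x_option_set "$2" DontZap      || { echo "FAIL Ctrl+Alt+Backspace kills X ($2)"; fails=$((fails + 1)); }
    grub_password_global "$3"      || { echo "FAIL no global GRUB password ($3)"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files: a stock-looking setup with none of the items applied.
write_weak_samples() {
    printf '%s\n' 'id:5:initdefault:' 'ca::ctrlaltdel:/sbin/shutdown -t3 -r now' > "$1/inittab"
    printf '%s\n' 'Section "ServerFlags"' '    # Option "DontVTSwitch"' \
                  '    Option "DontZap" "false"' 'EndSection' > "$1/XF86Config"
    printf '%s\n' 'default=0' 'title Linux' '    password PLACEHOLDER' > "$1/grub.conf"
}
```

Commented-out options and a GRUB password placed inside a single menu entry are both reported as failures, since neither protects the machine.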
  16. LTSP by sjwillis · · Score: 2, Informative

    after having setup a public library to use linux on the desktop (twice), i'd really encourage you to check out LTSP.
    My first go-round with the library, i did what you're looking at (a full blown distro on each machine). it worked very well. i created an install disk that created a nice, locked down desktop, etc. But then we started changing things like printer IPs and proxy server addresses and wanted uniform bookmarks, etc. And changing little things started to be time consuming.
    With LTSP you change things in one place, reboot the clients and they're all pointed at the new proxy or whatever. Besides, booting off the network and using ram disks made me feel a lot better when patrons kept just turning the machines off without shutdown now -r. no more fsck, etc.
    one more thing. using netscape i was able to edit the preferences.js file to disable all sorts of menus, settings on the web browser. i haven't tried doing the same with mozilla, but you'll probably want to make sure you use a browser with a lockable config file so kids can't change the homepage to playboy.com or whatnot.
    jim

  17. Re:No that won't work either by zorander · · Score: 2, Informative

    first of all saying "u" brings bias against yourself.

    First of all, remember that you have the sticky bit to work within directory perms (look at how /tmp behaves and you'll see what i mean).

    Actually, setting the guest user's homedir to /tmp or even just giving them enough write permissions to deal with temp files for KDE/GNOME and the web browser (i.e. let root own guests directory with global read then parts of ~guest/.kde are global write). For this type of system, that's fine.

    if you want to disallow write access to a file then just change the owner and make the file globally readable...

    And please don't make wide and unfounded generalizations about unix if you're going to be wrong.

    Brian