Slashdot Mirror
Linux and Public Access Computing?
An Anonymous Coward asks: "The Seattle Community Technology Alliance is a non profit, federally funded, public/private project that supports community technology centers in the Seattle area. We are interested in moving our public workstations from Win 2000 to Linux. In order to do this, we need good multi-lingual options and the abiltiy to create 'guest accounts' that prevent users from changing settings (to provide a consistent environment for users). What are the best tools for multi-user Linux labs? Should we use KDE? Gnome? How do we keep users from changing settings? We are eager to start experimenting, but would appreciate expert advice on starting points!"
http://www.linux.org/docs/ldp/howto/Kiosk-HOWTO. html
I would start here.
-=Skip
How about that Knoppix distro or similar that run completely from CD (or loads from it anyway).
After user is done, reboot and next one gets a fresh clean install. Plus, no data kept, so nothing for "The Man" to subpoena, no privacy to invade/violate.
- JoeShmoe
.
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
Well, it seems that first of all you should really research Linux in general. I know that you are eager to get off of Win2K, but you should really make sure that everyone is well trained. Users too need to be trained, so that they aren't confused. You should read up on the permissions structure (and alternatives like Novell's E-Directory), and fully understand Linux before you go slapping it on everyone's boxes.
The reason I bring up this, is because from your question, it seems that you are new to Linux- in the fact that you don't know how to deny permissions, the differences between KDE and GNOME, guest accounts, etc.
So go get Linux, format your box, test it out!. Experienment, and try different Distros. I would sugest one without too much bloating, but that's my personaly opinion. You don't want people in the public to get a bad opinion of Linux because of messed up public Linux boxes.
Tibbon
tibbon.com
Check out http://www.dnalounge.com/backstage/src/kiosk/ for information about how they set up their Kiosks. It might give you some ideas for starting points, the have similar goals and an extremely "hostile" environment.
What, the vim book review, "fastest browser" and "developers prefer Debian, vi and GNOME and are mostly married or living with someone" study weren't enough?
By way of an answer, I'd give an edge to KDE only because of wider Unicode support. You say you want multi-language support, and in Seattle, you'd be especially concerned about Asian languages, particularly Chinese, right? Until GNOME apps are widely ported to GNOME 2 (and then have gone through an upgrade cycle or two), KDE is probably a better choice.
Like someone else said, the best thing to do is probably to have the logout script clean out and replace the guest account each time it runs.
What I'm listening to now on Pandora...
If I did I'd tell you to contact another Gov funded project called SLAC (Stanford Linear Accelerator Center) They have without a doubt the best linux setup for lab work you will ever see. The tools etc of course are available to you, free of charge, and the people who work there are more than just helpful. the URL is http://www.slac.stanford.edu/ to start checking them out. They run 2000 server clusters and are fast approaching 1 petabyte of data. So they do know there stuff. AND it's a Linux house to boot. Sometimes Gov funded orgs do it right and these are some people who prove this is true.
I'm sorry, I'm to tired to be witty at the moment so this message will have to do.
What are they doing on these general purpose machines? Are they essentially a kiosk to get online with? If so, maybe you should consider OEOne. This was previously mentioned on Slashdot a few days ago. It sits on top of Red Hat and looks like it gives the users the basic internet capabilities they need. I'm not sure how well it will lock down, however. I just thought I'd mention it since I'm thinking about setting up a box running this for my parents.
"Windows users freeze the second they see Gnome"
Good thing there's no partisanship here! KDE and GNOME are both fine interfaces. kde has always been slightly ahead of GNOME, and has a more consistant user interface. I use GNOME because I always have, and the range of apps seems larger. It's really a judgement call.
Gnome at least has language selection in its logon screen, kde might have something similar.
Jamie Zawinski of mozilla and xscreensaver fame owns a nightclub in San Francisco called DNA Lounge.
He installed IRC, telnet, ssh and web enabled diskless linux kiosks for just this purpose. His code is available, as well as instructions on how he did it. It may give you a good place to start.
best web host ever
I think the first issue is the cost of keeping those machines up to date.
The second is what the machines are supposed to be doing. If it's just surfing the web, emails, and basic word processing then you should be able to do this much cheaper than paying the annual MS tax.
A terminal server like setup would allow you to use cheaper boxes at the front. (Maybe you could put out 10 more boxes with the savings in hardware and software.)
Finally, it'll discourage the script kiddies. When Joe Jr. goes to logon and use his floppy disk with the latest priviledge elevating holes in Windows they'll be stuck at step one.
The best approach would be to figure out how to set up the new boxes and use them whenever you replace/rebuild a system. (You could probably create a pretty nice computer center with a server grade box and 10-20 PII class machines acting as terminals.)
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
About the logout script. Just make sure you can read the SKEL files. Then make that logout script owned by someone other then the guest user, and make it read only by others.
I've always thought, if I was going to setup computers in a public area (such as a library), I'd easily go Linux over Windows. With windows, you either have to grab the most PITA programs to lock down a desktop (and break half the other things running), or you find the worst junk installed on it. Speaking of which, find an open source AIM/ICQ/MSN/whatever client. Under linux, you should be able to throw together a pretty TK/perl script to setup accounts. I've noticed many users love their IM. And, since the accounts are supposed to be wiped at each logout, everything is good.
Just my $.02
The biggest one I can think of is the "linux Terminal Server Project",
ltsp
Which has been adapted to public schools in the form of:
k12ltsp
The linux in education folks have tons of info on doing stuff like this and are very wise about digital divide issues.
Here are some links:
open source schools
School Forge
k12os
SEUL/Edu
Some case studies:
seul dat
There is also Simple End User Linux (SEUL)
SEUL
RedHats "Open Source Now" initiative has listings of people in the area who can help out. They also have a bunch of "why's" and "hows" on their site.
Open Source Now
I should be listed there in the Army of Friends, but have not gotten around to putting myself up. Feel free to contact me at cschwan4@attbi.com, as I am in the Seattle area.
Doing this kind of thing is a great interest of mine, and I work in education to help make these transistions.
Hope this helps.
I've set up a few machines now, each running Debian (Testing, even), that are now in use as public terminals in a university library. They have a minimum of software installed, but Mozilla and Opera for browsing, Acrobat reader and AbiWord for documents, as well as lynx, telnet, ssh, and scp available in xterms (each launched via xterm's '-e' option, so that the xterm quits when the program running in them quits). For ssh and scp, I wrote a couple of simple scripts, using 'dialog' to get input for hostname, username, etc. I'm using IceWM (no Gnome or KDE), with extremely minimal menus and no logout command; it's very fast, and has a Windows-like theme so that it looks familiar to most people. KDM handles auto-login very nicely. Automount handles floppy disks (so users can copy files to and from remote machines without having local hard disk access). Finally, since the machines have identical hardware, I built a custom kernel package for them.
.mozilla (or whatever directory/file is appropriate) from a master, root-owned, read-only copy. Beyond that, to increase security on the machines, I turned off the various virtual terminals on the console, tightened up /etc/fstab (noexec in /tmp, for example), configured grub appropriately, set up ssh for remote admin (actually the only way I can get a command line on the machine), and set up some simple firewalling rules.
/etc, scripts from /usr/local/bin, and preferences from /home/pubacc, all of which are backed up and ready for a reinstall. But, if you've got lots of machines to duplicate, there are likely more efficient methods -- like running a terminal server; see, e.g., the Linux Terminal Server Project or the K12 Linux Project.
For a 'guest' account, I set up a user in a unique group, and chown'ed all the files in that user's home directory to root, leaving them read-only for the guest. Problem: some programs expect to be able to write to disk, e.g., Mozilla expects to be able to make changes in $HOME/.mozilla -- so I wrote a simple script for each such program that, if the program isn't already running, will restore
So far, these machines have been completely stable, and our users have been pleased, even those using it mainly to check Hotmail, Yahoo, etc. It's reasonably easy to duplicate across various machines, too -- for only a few machines, this works fine: dpkg -[get|set]-selections to save and set which packages are installed, plus save settings from
My recommendation: it's definitely worth a try setting up Linux machines as public access terminals, especially if the programs the users need are few in number (e.g, web browser, telnet, ssh, and pdf viewer, which is all just about everyone in our library wants on a regular basis). Just be prepared to do a little fiddling or simple script-writing to handle programs that expect read-write access to the guest account's home directory, and/or provide an interface for programs that normally are run from the command line.