Slashdot Mirror


Linux Desktop Security for New Users?

theblkadder asks: "Our company is currently undergoing a company-wide transition to Linux on the desktop. While there are numerous excellent guides and tutorials for the admin crowd, I haven't been able to turn up much for the non-technical user. I'm looking for something that would cover such topics as basic desktop do's and don'ts, like 'do choose a non-dictionary password' and 'don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email,' etc. Anyone seen a guide like this?"

10 of 80 comments

  1. FP-First Point. by Anonymous Coward · · Score: 2, Informative

    theblkadder asks: "Our company is currently undergoing a company-wide transition to Linux on the desktop."

    and

    "I'm looking for something that would cover such topics as basic desktop do's and don'ts, like 'do choose a non-dictionary password' and 'don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email,' etc."

    Um...excuse me. Why do your desktop users have the root password?

    Besides, Linux can be set up to reject inappropriate passwords.

  2. Re:Dropping to root? by Anonymous Coward · · Score: 1, Informative

    Most universities allow staff, faculty, and students to plug their own computers into the network. Most of them control their own computers and have root access on platforms that have root. Many of these people are "non-technical" as well. This tends to make support and network administration more difficult, but that's why those guys get paid the big bucks.

  3. A couple of thoughts by Prior+Restraint · · Score: 5, Informative

    Others have pointed out that root for an end-user is a bad idea, so here's a couple of other ideas off the top of my head.

    • Avoid putting . or ~/bin in your PATH if possible. If you absolutely must do so, put them at the end.
    • Don't walk away from the machine without locking it (not Linux-specific, but it bears mentioning).
    • "rm does not move a file to the trash; it's gone for real"
    • Don't hit Ctrl-Alt-Backspace.
    • "Copy and paste" can be as easy as "highlight and middle-click."

    When I try to come up with a list of Don'ts for computers, I think of my dad. He's the living embodiment of the phrase, "A little bit of knowledge can be a dangerous thing" (No, Dad, you can't save disk space by getting rid of that .dll). Most users won't ever bring up an xterm, but people get bored at work, and then they start looking for interesting ways to entertain themselves.
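
Added example (not part of the thread): a POSIX shell check that applies the PATH rule from the comment above, flagging `.`, empty and relative entries, and a home-directory entry that is not last. The function name `audit_path`, the home directory `/home/alice` and the sample PATH are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. /home/alice and the PATH string at the
# bottom are constructed sample values.

# audit_path PATH_STRING [HOME_DIR]
# Prints "position|entry|reason" for each risky entry; nothing if clean.
audit_path() (
    path_value=$1
    home_dir=${2:-$HOME}
    # Entry count = number of colons + 1; needed to tell whether an entry is last.
    colons=$(printf '%s' "$path_value" | tr -cd ':' | wc -c)
    total=$((colons + 1))
    # Field splitting drops one trailing separator, so add one: "a:b:" then
    # still yields the empty third entry, which the shell searches as ".".
    padded=$path_value:
    IFS=:
    set -f    # no glob expansion while splitting
    position=0
    for entry in $padded; do
        position=$((position + 1))
        reason=
        case $entry in
            '') reason='empty entry, searched as the current directory' ;;
            .)  reason='current directory' ;;
            "$home_dir"/*)
                if [ "$position" -lt "$total" ]; then
                    reason='home directory listed before the end of PATH'
                fi ;;
            /*) ;;    # absolute system path: nothing to report
            *)  reason='relative entry, resolved against the current directory' ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s|%s|%s\n' "$position" "$entry" "$reason"
        fi
    done
    true
)

# Constructed sample: "." first, ~/bin in the middle, and a trailing colon.
audit_path ".:/home/alice/bin:/usr/bin:/bin:" /home/alice
```

Run against the real value with `audit_path "$PATH"`; the trailing-colon and leading-colon cases are the ones most often missed by eye.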

    1. Re:A couple of thoughts by hattmoward · · Score: 2, Informative

      Bah! Users will never figure out that 'rm' will very much eat their files. Personally, though, I find a misplaced shell redirect '> pron.txt' (Crap, I meant to overwrite plan.txt!) is even more trouble than that. Insta-wipe with no left-over data on the disk.

      I'd recommend looking into libtrash. Very handy, saves stretch on your tapes -- we are keeping regular backups, right?

      Another good tip that gets me sometimes is, when you use the paste buffer (explicit Ctrl-C), the originating program has to still be running to make the paste.

    2. Re:A couple of thoughts by Piquan · · Score: 2, Informative

      Avoid putting . or ~/bin in your PATH if possible.

      Huh? I can understand not putting . in your PATH-- icky nasty security issues abound-- but what's wrong with ~/bin?

      Don't hit Ctrl-Alt-Backspace.

      Again, why not? I've seen labs with notices to hit Ctrl-Alt-Backspace before leaving. (That's the only way to logout that works across WMs.)

      I also would expect that it's a good idea to hit it before logging in, to make sure you're really looking at XDM. This is why you hit Ctrl-Alt-Delete to log into NT: apps can't intercept it.

      As far as that goes, one of your tips is to lock your box, another is to never hit C-A-BS. In a lab environment, these can be mutually exclusive. Many times, somebody will walk off and leave their computer locked, so C-A-BS can be the only way for somebody else to use the computer.

    3. Re:A couple of thoughts by Brandybuck · · Score: 2, Informative

      That's the only way to logout that works across WMs

      Except it doesn't log out. It just kills everything very nastily. Unless you're trying to kick someone off, log out normally. All modern, and most ancient, window managers have a way to log out.

      --
      Don't blame me, I didn't vote for either of them!
  4. The other half of... by zcat_NZ · · Score: 4, Informative

    The other half of 'don't give users root' - you need to set permissions or assign users to groups so that they never need root in normal use. And you should leave sshd running so that when a user calls, you can make these changes without leaving your desk.

    Some examples; /dev/floppy, /dev/cdrom; needs to automount when a disk is inserted, or be mountable and ejectable by a desktop icon.

    dialup networking; use modemlights, kppp, or set up dial-on-demand.

    shutting down; some distros require the root password to shutdown. If yours does, reconfigure this.

    The end user shouldn't need root _ever_ for day-to-day computer use. If they want anything more than the basic 'look and feel' desktop settings changed, they should call tech support.

    You might also want to make the machine console-secure as far as possible. Boot only from HDD, set a password on the bootloader and BIOS, replace the case screws with torx screws, etc. It depends who has physical access, and how secure you need to be.

    --
    455fe10422ca29c4933f95052b792ab2
  5. Re:Don't Choose a Dictionary Password by Anonymous Coward · · Score: 1, Informative

    Would it not be easier to deny the ability to use a non-alpha+numeric password?

    I think pam_cracklib can do that, plus it automatically runs a quick dictionary attack before storing the chosen password. There's also pam_passwdqc, but I've never used it.

  6. Re:Here's what you do... by prodangle · · Score: 4, Informative

    Clicking on Word launches OO.org Writer.
    Clicking Internet Explorer launches Mozilla.
    Clicking Outlook launches KMail.
    Clicking My Documents launches Nautilus or Konqueror.


    Changing the name of the Mozilla icon to 'Web Browser', and home to 'Home Folder' wouldn't be a bad idea, but giving them the names of Microsoft products is very misleading. Why not just rename Linux to 'Microsoft Windows' while you're at it?

    Non-techy people have been able to successfully use word processors since long before Word version 1.0. People can easily learn the name of a new application, as they did with MS Word, Claris Works, and Word Perfect.

    Even in the default Windows XP start menu, Internet Explorer's title is 'Internet', and Outlook's is 'Email'.

  7. Turning off Ctrl-Alt-foo in XFree86 by Ecks · · Score: 2, Informative

    Ctrl-Alt-Backspace & similar functions can be turned off.
    • Option "DontVTSwitch" in the appropriate section of your XF86Config file disables switching to text virtual terminals;
    • Option "DontZap" neuters Ctrl-Alt-Backspace;
    • Option "DontZoom" turns off resolution switching.
    Read the manual page for XF86Config for details. There are probably several things in here that you want to set up if you are trying to create a Linux desktop for normal users.

    -- Ecks
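
Added example (not part of the thread): a shell function that reads an XF86Config and reports which of the three options named above are actually in effect. It assumes, per XF86Config(5) rather than the comment, that they belong in Section "ServerFlags"; the function name `xf86_lockdown_status` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Option semantics follow XF86Config(5):
# names are case-insensitive, a bare Option means true, and the values
# "0", "off", "false" or "no" turn it off.

# xf86_lockdown_status: reads an XF86Config on stdin and prints
# "<name> set" or "<name> not set" for each of the three options.
# Only options inside Section "ServerFlags" count.
xf86_lockdown_status() {
    awk '
        { sub(/#.*/, "") }    # drop comments before looking at fields
        tolower($1) == "section"    { in_flags = (tolower($2) == "\"serverflags\"") }
        tolower($1) == "endsection" { in_flags = 0 }
        in_flags && tolower($1) == "option" {
            name = tolower($2);  gsub(/"/, "", name)
            value = tolower($3); gsub(/"/, "", value)
            enabled[name] = !(value ~ /^(0|off|false|no)$/)
        }
        END {
            n = split("DontVTSwitch DontZap DontZoom", wanted, " ")
            for (i = 1; i <= n; i++)
                print wanted[i], (enabled[tolower(wanted[i])] ? "set" : "not set")
        }
    '
}

# Constructed sample config: DontZoom is explicitly off, and the DontZap
# placed in the wrong section must not be counted.
xf86_lockdown_status <<'EOF'
Section "InputDevice"
    Option "DontZap"
EndSection
Section "ServerFlags"
    Option "DontVTSwitch"          # bare option means true
    Option "DontZoom" "false"
EndSection
EOF
```

On a deployed desktop, feed it the live file, for example `xf86_lockdown_status < /etc/X11/XF86Config`, adjusting the path to wherever the distribution keeps it.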