Linux Desktop Security for New Users?

theblkadder asks: "Our company is currently undergoing a company-wide transition to Linux on the desktop. While there are numerous excellent guides and tutorials for the admin crowd, I haven't been able to turn up much for the non-technical user. I'm looking for something that would cover such topics as basic desktop do's and don'ts, like 'do choose a non-dictionary password' and 'don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email,' etc. Anyone seen a guide like this?"

Sure I've read that guide

It's called the don't-give-anyone-root.
You don't give anyone root and let them do whatever they want.

You'll probably end up writing your own...

[toddlg]

I'm looking for something that would cover such topics as basic desktop do's and don'ts, like...'don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email,' etc.

When you say non-technical and 'basic dos and don'ts,' that example seems pretty technical. You might just as easily say "don't double-click unverified email attachments."

IMO you will probably be in the best position to write this documentation because you know your typical user and probably know what they are and aren't allowed to do already on their new desktop. I'd be interested in seeing what something like this looks like if it does exist...

Todd

FP-First Point.

theblkadder asks: "Our company is currently undergoing a company-wide transition to Linux on the desktop."

and

"I'm looking for something that would cover such topics as basic desktop do's and don'ts, like 'do choose a non-dictionary password' and 'don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email,' etc."

Um...excuse me. Why do your desktop users have the root password?

Besides Linux can be set up to reject inappropriate passwords.

root

[BinLadenMyHero]

don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email

That would be nice to say to a home user.
But on a work environment, why give the root password to the (non-linux-experienced) users in the first place?

Re:root

[ManxStef]

don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email

That would be nice to say to a home user.

...and if a home user actually understood what the above phrase meant rather than looking at you like you just insulted their mother in a foreign language , that would be nice too! ;)

Dropping to root?

[Lochin+Rabbar]

Why would non technical users have root access in a commercial environment. Not even management should have such access, beyond being able to get the password from a sealed package in a safe in an emergency, and then only with checks to ensure that no one can withdraw it without authority. No system is secure unless the root password is restricted to the admin that needs to use it, and ideally that should be a single person.

Re:Dropping to root?

[Lochin+Rabbar]

Yes, but they don't hand out root access to the universities machines, and if they're wise they minimise the number of people with root access to any given machine. For example a computer lab will have a small team responsible for it but the people in that team won't have root access to the machines in the library. The central records database will have a dedicated admin and so on.

Alice's Adventures in Wonderland

Someone once told me that _Alice's Adventures in Wonderland_ is the best book on any subject for the layman. Try that.

Why?

[Jerf]

I'm looking for something that would cover such topics as basic desktop do's and don'ts, like 'do choose a non-dictionary password' and 'don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email,' etc. Anyone seen a guide like this?

Why?

Do you expect anyone to actually read this document?

Oh, I wish I were being sarcastic.

Either enforce things (your password policy), or wait for people to have trouble so you know what to document (every installation is unique, and you're wasting time trying to predict how your users will react when you could just wait and see).

The only purpose of such a document, in the end, is CYA anyhow. And again, I wish I were being sarcastic. If you can't enforce it, people are going to do it.

The only possible exception is if this is a technical group of users who will be daily and strongly held accountable for violations. Basically, the only group of people who meet these two criteria are Computer Science (or related disciplines) students.

Otherwise, don't bother. Not sarcasm.

Let me get this straight...

[Brandybuck]

Let me get this straight. You're company is transitioning to Linux on the desktop, but they're leaving administrative policy to the user? Make sure your resume is in order, because you may need it.

Password policy will already be determined by the IT department. Users will never have to worry about unauthenticated packages, because users will never be able to install them. Yada, yada, yada. This is so damned obvious I must be missing something in the question...

A couple of thoughts

[Prior+Restraint]

Others have pointed out that root for an end-user is a bad idea, so here's a couple of other ideas off the top of my head.

• Avoid putting . or ~/bin in your PATH if possible. If you absolutely must do so, put them at the end.
• Don't walk away from the machine without locking it (not Linux-specific, but it bears mentioning).
• "rm does not move a file to the trash; it's gone for real"
• Don't hit Ctrl-Alt-Backspace.
• "Copy and paste" can be as easy as "highlight and middle-click."

When I try to come up with a list of Don'ts for computers, I think of my dad. He's the living embodiment of the phrase, "A little bit of knowledge can be a dangerous thing" (No, Dad, you can't save disk space by getting rid of that .dll). Most users won't ever bring up an xterm, but people get bored at work, and then they start looking for interesting ways to entertain themselves.

Re:A couple of thoughts

[hattmoward]

Bah! Users will never figure out that 'rm' will very much eat their files. Personally, though, I find a misplaced shell redirect '> pron.txt' (Crap, I meant to overwrite plan.txt!) is even more trouble than that. Insta-wipe with no left-over data on the disk.

I'd recommend looking into libtrash. Very handy, saves stretch on your tapes -- we are keeping regular backups, right?

Another good tip that gets me sometimes is, when you use the paste buffer (explicit Ctrl-C), the originating program has to still be running to make the paste.

Re:A couple of thoughts

[Piquan]

Avoid putting . or ~/bin in your PATH if possible.

Huh? I can understand not putting . in your PATH-- icky nasty security issues abound-- but what's wrong with ~/bin?

Don't hit Ctrl-Alt-Backspace.

Again, why not? I've seen labs with notices to hit Ctrl-Alt-Backspace before leaving. (That's the only way to logout that works across WMs.)

I also would expect that it's a good idea to hit it before logging in, to make sure you're really looking at XDM. This is why you hit Ctrl-Alt-Delete to log into NT: apps can't intercept it.

As far as that goes one of your tips is to lock your box, another is to never hit C-A-BS. In a lab environment, these can be mutually exclusive. Many times, somebody will walk off and leave their computer locked, so C-A-BS can be the only way for somebody else to use the computer.

Re:A couple of thoughts

[Brandybuck]

That's the only way to logout that works across WMs

Except it doesn't log out. It just kills everything very nastily. Unless you're trying to kick someone off, log out normally. All modern, and most ancient, window managers have a way to log out.

Re:A couple of thoughts

[Piquan]

Except it doesn't log out. It just kills everything very nastily.

Not too nastily. Less nastily than a kill -9, for sure. The apps still can do whatever shutdown operations they need to.

But let me paint you a picture. A lab where most of the occupants aren't Unix people. Some of them aren't really computer people. They're hardware designers, or embedded systems programmers, or {domain} experts, or other such things. All of them are good at what they're hired for, but may not be good at other stuff. Like using a PC.

Most of these people got their .profile and .xsession by copying somebody else's, if they're not just using the system default. They didn't pick their WM, because they don't really care much about their WM. They've never taken time to learn anything. They have their xterm start up when they log in, and a row of CDE-style buttons to launch other xterms, a web browser, and maybe Citrix. No easy button to log out.

So they'll often log into a box, do what they need, then wander over to some piece of equipment they need to work on, without logging out. There's only six general-purpose PCs in the lab, so it doesn't take long before they run out if people stay logged in when they're not using them There's a new threat: people hitting the Reset switch when they come across a logged-in but unoccupied machine.

Now, the lab manager needs to make a notice to log out. If there aren't concise, clear instructions on lab notices, they don't get followed. So that's the notice.

Now the other end. What's the harm? Apps still get their notice to shut down. They can save user configs, send termination notices to network peers, whatever they need to do as long as it doesn't involve interaction with the X server.

Sure, it'd be nice if everybody knew all about the tools they used. Hell, it'd be nice if they had basic understanding of their WMs. But they don't, and we don't expect most of them to any more than we expect them to play a trumpet. It's just not what they need to do for their job.

Re:A couple of thoughts

[Profane+MuthaFucka]

This is how to enforce the machine locking rule:

When you find a machine that is unlocked, open up the e-mail program and send a short mail to everyone in the company saying "Hi my name is [owner of unlocked machine] and I left my machine unlocked. Just thought you should know. Come laugh at me later, will you". Then you helpfully lock the machine for the person.

The other employees will soon start policing themselves in an effort to embarass their colleagues.

Re:A couple of thoughts

[Piquan]

If your user account is compromised, you can be tricked into running a different program than you intend.

If my user account is compromised, then I don't really need to be tricked; the attacker can just run the programs directly. Or if he's trying to spoof a password prompt, he can edit my .profile and set my PATH to whatever he wants anyway.

Alternately, if you mess up the permissions on your ~, you can be made to run a different program, compromising the account.

Again, if ~ has bad perms, then the attacker can edit my .profile, so again it's irrelevant what I set my PATH to.

If you disable it in your X config, apps can intercept it, so it's foolish to assume that you're looking at a genuine X/K/GDM after hitting it.

Uh... If the X config has been edited, then that means that root was already compromised. Besides, you can see the monitor mode switch if you hit a C-A-BS and it takes effect.

Don't Choose a Dictionary Password

[oO+Peeping+Tom+Oo]

With the hype around Linux's security, why are users allowed to do this? Would it not be easier to deny the ability to use a non-alpha+numperic password? This could be easily implemented into any distrobution.

Re:Don't Choose a Dictionary Password

[Brandybuck]

There's some hype about Linux's security, but unless you're using SE Linux or something, it really isn't that spectacular. Unix security in general is pretty lame. It's just that it was so much better than DOS/Win9x that people thought it was great.

A properly secure Linux (even SE Linux) requires a good system administrator. Ditto for any other Unix like system.

The other half of...

[zcat_NZ]

The other half of 'don't give users root' - you need to set permissions or assign users to groups so that they never need root in normal use. And you should leave sshd running so that when a user calls, you can make these changes without leaving your desk.

Some examples; /dev/floppy, /dev/cdrom; needs to automount when a disk is inserted, or be mountable and ejectable by a desktop icon.

dialup networking; use modemlights, kppp, or set up dial-on-demand.

shutting down; some distros require the root password to shutdown. If yours does, reconfigure this.

The end user shouldn't need root _ever_ for day-to-day computer use. If they want anything more than the basic 'look and feel' desktop settings changed, they should call tech support.

You might also want to make the machine console-secure as far as possible. Boot only from HDD, set a password on the bootloader and BIOS, replace the case screws with torx screws, etc. It depends who has physical access, and how secure you need to be.

Are you a Windows administrator?

[flabbergast]

I'm not asking the subject question to poke fun at you or flame. From your description and discerning how you plan to setup Linux on the desktop it sounds like you're missing one of the benefits of Unix because you're looking at it as a Windows admin. But I could be completely wrong.
You can set up desktop as basically a terminal using X. I know, what a waste of a desktop right? But, that's how Unix is built. You can setup a server (or multiple servers of necessary) to act as your main server and each desktop is really logging into the server using XDMCP. Or look at the Linux Terminal Server ProjectYou lock out logging into the local machine and poof! All user files are forced onto the server so there's no pesky phone calls like "Well I saved the file onto c:\pron\pron\pron\pron2\pron2 but the hard disk just went bad! YOU need to get it back for my board meeting in five minutes!" I realize this is a lot of overhead, but you can gain alot of control this way like upgrading OO.org for everyone without having to update every single desktop.

Perhaps XDMCP is too insecure for you or you have so many users that XDMCP would be too difficult. That doesn't mean you can't set it up like I've described. It just gets complicated, which means its beyond my meager expertise, but I've seen it set up that way at school.

Re:Are you a Windows administrator?

[ameoba]

Going to XDMCP seems a bit on the extreme side; moving over to an NIS/NFS (or other more modern or secure systems like Kerberos/LDAP and AFS) and forcing all user files to be written to their home directory which is shared over NFS.

There's enough tools out there (such as cfengine) to handle updating the desktops that, if you have decent desktops, I can't see why you'd want to make them all dumb terminals.

Re: shell redirects

[Prior+Restraint]

As long as we're on the topic...

sed s/foo/bar/g < in.txt > in.txt

Whoops! (had a coworker do this just yesterday)

Also, I don't know if any distributions still do this, but I used to have an old version of RedHat that defaulted to aliasing rm to rm -i; ditto for cp and mv. It seems newbie-friendly, but it really just encourages carelessness in the event they find themselves on a different system.

I suspect you'll have to write it.

[munpfazy]

Which probably isn't as large a task as you might imagine. It will also give you the chance to customize it to your users, which makes it a whole lot more likely that people will read it. There is plenty of online material to use as a reference, especially when it comes to password choice. Also look around for documents from university computer labs or university computer support services. You may find some ideas there.

You also might want to consider making people pass a quiz in order to get an account. Sure, it's irritating... but it actually does work. Make it part of the regular procedure for getting access, so that you catch new users.

A presentation can also work, if you're a decent speaker or you are willing to hire one. Doing something flashy could be fun. Consider having everyone create an account for themselves on a test machine at the start of the presentation and then having a password cracker grind through them all while the meeting is in progress. If you've got a couple fast machines to spare, you could probably shock the hell out of people by guessing their passwords before the meeting ends. Better have a backup plan, in case your users are more savey than you think.

And, to repeat what's already been repeated many times: you really shouldn't be letting new users choose arbitrary passwords nor giving them root access if you can help it. If you can't avoid giving them root, then try to give it to as few people as possible, and have a nice long talk with them about appropriate procedures first. (And make damned sure you have regular backups, so you can repair things when they screw up.) Sudo is your friend!

Good password, changed frequently, never shared

[jgardn]

It's really not much more complicated like that. If you can get everyone to choose good passwords, change them frequently, and not share them with each other, then you are good to go.

You can hire network administrators to tell you which protocols are safe and which are not, and where you should use them and how. You can hire system administrators to watch your main systems and harden them as well. You can even get some internal tech support people to help out the users and make sure all the machines are up and secure.

But it always comes down to the individual users: Get a good password, change it frequently, and never share it with anyone, period.

Re:Here's what you do...

[prodangle]

Clicking on Word launches OO.org Writer.
Clicking Internet Explorer launches Mozilla.
Clicking Outlook launches KMail.
Clicking My Documents launches Nautilus or Konqueror.

Changing the name of the Mozilla icon to 'Web Browser', and home to 'Home Folder' wouldn't be a bad idea, but giving them the names of Microsoft products is very misleading. Why not just rename Linux to 'Microsoft Windows' while your at it?

Non-techy people have been able to successfuly using word processors since long before Word version 1.0. People can easily learn the name of a new application, as they did with MS Word, Claris Works, and Word Perfect.

Even in the default Windows XP start menu, Internet Explorer's title is 'Internet', and Outlook's is 'Email'.

Re:Congratulations

[SpaceLifeForm]

Nice to see the moderators ready to crack the whip.

So, moderators, how does a first post become 'Redundant' again?

Turning of Ctrl-Alt-foo in XFree86

[Ecks]

Ctrl-Alt-Backspace & similar functions can be turned off.

• Option "DontVTSwitch" in the appropriate section of your XF86Config file disables switching to text virtual terminals;
• Option "DontZap" Neuters Ctrl-Alt-Backspace;
• Option "DontZoom" Turns of resolution switching.

Read the manual page for XF86Config for details. There are probably several things in here that you want to setup if you are trying to create a linux desktop for normal users.

-- Ecks

Simple Question

[mrcutrer]

Has anyone in here ever recieved a unauthenticated RPM in email?

I have never recieved one personally. It's always nasty window crap I get, and laugh at because I don't run windows.

The only time I get ebuilds are from portage. And from the official websites of programs I am seeking, never in email attachments.

This raises another question though. If linux takes off, will we see a huge influx of linux worms and general crap that are proliferating windows right now?