Linux Desktop Security for New Users?
theblkadder asks: "Our company is currently undergoing a company-wide transition to Linux on the desktop. While there are numerous excellent guides and tutorials for the admin crowd, I haven't been able to turn up much for the non-technical user. I'm looking for something that would cover such topics as basic desktop do's and don'ts, like 'do choose a non-dictionary password' and 'don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email,' etc. Anyone seen a guide like this?"
I'm looking for something that would cover such topics as basic desktop do's and don'ts, like...'don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email,' etc.
When you say non-technical and 'basic dos and don'ts,' that example seems pretty technical. You might just as easily say "don't double-click unverified email attachments."
IMO you will probably be in the best position to write this documentation because you know your typical user and probably know what they are and aren't allowed to do already on their new desktop. I'd be interested in seeing what something like this looks like if it does exist...
Todd
don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email
That would be nice to say to a home user.
But in a work environment, why give the root password to the (non-Linux-experienced) users in the first place?
Why would non-technical users have root access in a commercial environment? Not even management should have such access, beyond being able to get the password from a sealed package in a safe in an emergency, and then only with checks to ensure that no one can withdraw it without authority. No system is secure unless the root password is restricted to the admin that needs to use it, and ideally that should be a single person.
I'm looking for something that would cover such topics as basic desktop do's and don'ts, like 'do choose a non-dictionary password' and 'don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email,' etc. Anyone seen a guide like this?
Why?
Do you expect anyone to actually read this document?
Oh, I wish I were being sarcastic.
Either enforce things (your password policy), or wait for people to have trouble so you know what to document (every installation is unique, and you're wasting time trying to predict how your users will react when you could just wait and see).
The only purpose of such a document, in the end, is CYA anyhow. And again, I wish I were being sarcastic. If you can't enforce it, people are going to do it.
The only possible exception is if this is a technical group of users who will be daily and strongly held accountable for violations. Basically, the only group of people who meet these two criteria are Computer Science (or related disciplines) students.
Otherwise, don't bother. Not sarcasm.
Others have pointed out that root for an end-user is a bad idea, so here's a couple of other ideas off the top of my head.
When I try to come up with a list of Don'ts for computers, I think of my dad. He's the living embodiment of the phrase, "A little bit of knowledge can be a dangerous thing" (No, Dad, you can't save disk space by getting rid of that .dll). Most users won't ever bring up an xterm, but people get bored at work, and then they start looking for interesting ways to entertain themselves.
The other half of 'don't give users root' - you need to set permissions or assign users to groups so that they never need root in normal use. And you should leave sshd running so that when a user calls, you can make these changes without leaving your desk.
Some examples:
/dev/floppy, /dev/cdrom; needs to automount when a disk is inserted, or be mountable and ejectable by a desktop icon.
dialup networking; use modemlights, kppp, or set up dial-on-demand.
shutting down; some distros require the root password to shut down. If yours does, reconfigure this.
The end user shouldn't need root _ever_ for day-to-day computer use. If they want anything more than the basic 'look and feel' desktop settings changed, they should call tech support.
You might also want to make the machine console-secure as far as possible. Boot only from HDD, set a password on the bootloader and BIOS, replace the case screws with torx screws, etc. It depends who has physical access, and how secure you need to be.
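An added example, not part of the original comment: one way to check the removable-media point above, so that users can mount floppy and CD drives without root. It scans an fstab-format file for such entries that lack the `user`/`users` mount option, and flags entries where a later `suid` or `dev` undoes the `nosuid`/`nodev` that `user` implies. The device-name pattern and the sample fstab are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit fstab entries for removable media.
# The device list and the sample fstab below are assumptions for illustration.

audit_fstab() {
    # $1 = path to an fstab-format file; prints "<device> <status>" per entry
    awk '
    NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
    $1 ~ /^\/dev\/(fd[0-9]+|cdrom|floppy|sr[0-9]+)$/ {
        n = split($4, opt, ",")
        user = 0; risky = 0
        for (i = 1; i <= n; i++) {
            if (opt[i] == "user" || opt[i] == "users") {
                user = 1; risky = 0    # "user" implies noexec,nosuid,nodev
            } else if (opt[i] == "suid" || opt[i] == "dev") {
                risky = 1              # a later option overrides the implied one
            }
        }
        if (!user)      status = "NEEDS_ROOT"
        else if (risky) status = "UNSAFE_OVERRIDE"
        else            status = "OK"
        print $1, status
    }' "$1"
}

sample_fstab() {
    cat <<'EOF'
# constructed sample, not taken from any real machine
/dev/hda1   /            ext3     defaults               1 1
/dev/fd0    /mnt/floppy  auto     noauto,user            0 0
/dev/cdrom  /mnt/cdrom   iso9660  noauto,ro              0 0
/dev/sr1    /mnt/cdrw    auto     noauto,users,suid,dev  0 0
EOF
}

tmp=$(mktemp)
sample_fstab > "$tmp"
audit_fstab "$tmp"
rm -f "$tmp"
```

`NEEDS_ROOT` marks a drive the end user cannot mount without root; `UNSAFE_OVERRIDE` marks one where a user-mounted disk could carry setuid binaries or device nodes.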
I'm not asking the subject question to poke fun at you or flame. From your description and discerning how you plan to set up Linux on the desktop, it sounds like you're missing one of the benefits of Unix because you're looking at it as a Windows admin. But I could be completely wrong.
You can set up a desktop as basically a terminal using X. I know, what a waste of a desktop, right? But that's how Unix is built. You can set up a server (or multiple servers if necessary) to act as your main server, and each desktop is really logging into the server using XDMCP. Or look at the Linux Terminal Server Project. You lock out logging into the local machine and poof! All user files are forced onto the server, so there's no pesky phone calls like "Well I saved the file onto c:\pron\pron\pron\pron2\pron2 but the hard disk just went bad! YOU need to get it back for my board meeting in five minutes!" I realize this is a lot of overhead, but you can gain a lot of control this way, like upgrading OO.org for everyone without having to update every single desktop.
Perhaps XDMCP is too insecure for you, or you have so many users that XDMCP would be too difficult. That doesn't mean you can't set it up like I've described. It just gets complicated, which means it's beyond my meager expertise, but I've seen it set up that way at school.
Clicking on Word launches OO.org Writer.
Clicking Internet Explorer launches Mozilla.
Clicking Outlook launches KMail.
Clicking My Documents launches Nautilus or Konqueror.
Changing the name of the Mozilla icon to 'Web Browser', and home to 'Home Folder' wouldn't be a bad idea, but giving them the names of Microsoft products is very misleading. Why not just rename Linux to 'Microsoft Windows' while you're at it?
Non-techy people have been able to successfully use word processors since long before Word version 1.0. People can easily learn the name of a new application, as they did with MS Word, Claris Works, and Word Perfect.
Even in the default Windows XP start menu, Internet Explorer's title is 'Internet', and Outlook's is 'Email'.