Ask Slashdot: Ubuntu Lockdown Options?
First time accepted submitter clava writes "We have a desktop Java testing application that is going to be administering tests to students on lab computers running Ubuntu 10.x. These computers are used by the students for other purposes and we're not allowed to create special users or change the OS configuration. When the testing app is launched, we need to restrict users from exiting the app so they can't do things like search the internet for answers or use other applications. Is there a good way to put an Ubuntu machine in kiosk mode or something via our application and have exiting kiosk mode be password protected? Any ideas are appreciated."
I'm afraid if you want it actually locked-down, you're pretty screwed. You can't really disable things like switching to a tty with ctrl-alt-f1 without "changing the OS configuration."
Just make them easy to re-image.
Why not let them use resources? Similar to what they will have available to them in the workforce.
Create your own custom locked down kiosk boot image and require users to boot from that? Keep in mind that users might take the boot media home with them so they'll have a copy of the test app if you store it locally (as opposed to retrieving it from a website)
Here's an example:
http://jacob.steelsmith.org/content/ubuntu-kiosk-based-910
(I'm not vouching for this particular implementation, I just found it through a quick google search).
you could always use a livecd, restrict it any way you want....
Not sure how hard this would be to do, but it seems like it would be fairly easy to boot from a livecd/usb key. If you remove packages you don't want the end user to have access to (it's hard to browse the web for test answers if there's no browser installed) that should address at least some of your concerns. An added bonus is that if you need to repurpose the machine, or if it doesn't need to be in test mode all the time, a simple reboot could restore it to a vanilla version of the OS.
Simply put: no.
Long answer: No, not without trapping the keyboard driver.
If you cannot change the OS configuration, there is absolutely nothing you can do, beyond securing it against idiots, unless the OS configuration happens to be what you need it to be.
If you can physically restrict the keyboard function keys, you can prevent people from getting to the shell.
If you aren't prepared to do it and try to "cheat" by asking slashdot, why should you expect any different from your students?
Design tests that challenge understanding of the subject and reasoning, not memory. But I guess mediocre teachers are good enough for mediocre students. Or was it the other way around?
Pull out the Ethernet connection. TADA!
did you even google your question?
http://lmgtfy.com/?q=ubuntu+lockdown
maybe this will help you
http://ubuntuforums.org/showthread.php?t=456549
http://users.telenet.be/mydotcom/howto/linuxkiosk/ubuntu01.htm
http://library.gnome.org/admin/system-admin-guide/stable/menustructure-13.html.en
no, not without changing the OS configuration.
What you want is fundamentally incompatible with the restriction not to change the OS configuration.
Go for a solution in which you control the machine the software runs on. ie. a remote desktop like solution or a web based solution.
Why is this even being asked ?
If any app can take over a machine without having a specific configuration / account to do so, then that app behaves like a blackhat app. I sincerely hope there is no way to do what you want. You should be required to modify the environment / create an account to stop window managers / desktop tools, etc. It is easy to do it that way.
And I mean that for any OS. Not just Ubuntu.
The way they did a test at our University was to run a script which didn't so much lock everything down, but recorded whether a student had used Firefox / Chrome and copied their history to a remote folder. If students know that's going to happen, it's not much help, but if they don't, it could catch the cheaters.
The school system: memorize shit for a test and then forget it afterwards (unless you have an outstanding memory, of course)! Brilliant!
.. or at least you are doing their homework here.
Would disabling internet access be enough? You could have your app unload the Ethernet driver when it runs and then reload the driver when it exits. Of course your app would have to have system level permissions to futz with Ethernet and you'd have to deny those permissions to the user.
I'm not sure how you could disable running other applications if you're not allowed to change the OS configuration.
Put the hardware far away from the user (or near to him but securely locked down).
Then use SDL or the X11 dev libs in your software to capture all keystrokes and prevent the users from doing anything other than using the app. Look at the code of xtrlock for an X11 example.
They'll still be able to do Ctrl+Alt+Backspace though, and access ttys too (F1 => F6), so disable those in Xorg's conf. Nevertheless, also make sure none of the users have accounts on the machine - *you* log on beforehand with a known password.
Of course, that'd work except you're using Java. You might be able to do what you want anyway but I suspect it'll be a real pain (I doubt java will allow you to capture all keystrokes this way). Frankly, java sucks.
Just use the default Unity desktop bundled with recent Ubuntu releases. It's so fucking unusable in every respect that malicious and benign users alike will want nothing to do with it. They'll use only the Java testing application solely to avoid having to deal with Unity.
You'll never have to worry about them using Facebook, or adding additional users, or installing their own software. Even long-time Unity users have a whole fuck of a lot of trouble doing those things. Many just learn to accept that they will never be able to.
IMHO, you should do X Windows in server and client mode... then use a transparent proxy on the gateway of the device and force the user through the proxy except for internal addresses. Then have 2 proxy modes: while the app is running it sends a call to the proxy, which runs a script to disable external access and allows only internal access, period. Done deal.
With some of the games I play under wine, attempting to background the window will crash it, but I doubt that's intended to be a feature...
Realistically your best bet is probably just to temporarily disable networking. This is really easy to do, and if you can add a script/syscall that just says:
killall nm-applet
sleep 3
then I doubt anyone will be looking up answers anywhere or communicating with other students via the internet. That's probably as locked down as you need, they'll still have their phones et al. most likely, so I wouldn't put more effort into it than that.
In my linux class the instructor had a openBSD class server in the room that hosted the labs and the homework as well as the testing system.
Among the many things that the system did for us, the test-taking system was all scripted server side and displayed to you through your browser. OpenSSL was installed and forced for the test-taking system.
When he didn't want anybody to have internet access he simply unplugged the classroom from the outside world.
Now this is assuming that each workstation connects to a switch in the same classroom that can easily be "unplugged" from the outside.
The server did a lot of things. He even had a really neat system setup with CVS and TeX for note taking as he gave the lecture.
He had most of the important stuff all in the note file and as he got to each subject, he would un-comment the relevant text in the latex file.
On the client side there was a makefile for updating the cvs, compiling the changes and displaying them to you.
You could also add notes to your personal copy of the file and it would still update like normal.
Pretty cool if you ask me.
I'd suggest having a whitelist of allowed process names that are allowed to be running during the test as that user. If any other programs are running when the program starts, it should not allow the test to be started until those programs are shut down (add a "kill all" button for newbie users). It should also have a watchdog that polls to make sure that the system is still clean. If it finds any unwanted programs, it should give the user 10 seconds to kill them or fail the test (or require a password to ignore this process). If you can do this in the same thread as the testing program, and in such a way that you can't just attach gdb and pause execution while you google the answers, you're onto a winner.
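As an added example (not code from the thread), here is the whitelist-plus-watchdog check described in the post above, written as a shell script. The process names in ALLOWED are assumptions for illustration, as is the sample `ps` listing; the check reads `ps -o comm=`, which truncates names to 15 characters, so the whitelist must use the truncated spelling. The caveat from the post still holds: this runs as the same user as the student, so it can be killed or paused unless something outside that user's control enforces it.

```shell
#!/bin/sh
# Added example, not from the thread. Names below are assumptions for
# illustration; "exam-app" stands for whatever the Java launcher is called.

# Process names (as printed by `ps -o comm=`, max 15 chars) that may run
# as the test user while the exam is in progress.
ALLOWED='java
exam-app
sh
bash
ps
sleep
sort
grep
Xorg
gnome-session
dbus-daemon'

# unexpected_processes: read one process name per line on stdin and print
# the ones that are not whitelisted (deduplicated). Exact-match via grep -Fx
# so that "sh" does not silently cover "bash" or "ssh". Returns 0 when the
# listing is clean, 1 when anything unexpected was found.
unexpected_processes() {
    found=$(
        while IFS= read -r name; do
            [ -z "$name" ] && continue
            if ! printf '%s\n' "$ALLOWED" | grep -Fxq -- "$name"; then
                printf '%s\n' "$name"
            fi
        done | sort -u
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# check_live_system: snapshot the processes owned by the current user.
check_live_system() {
    ps -u "$(id -un)" -o comm= | unexpected_processes
}

# watchdog [GRACE] [INTERVAL]: poll every INTERVAL seconds; on a hit, give
# the student GRACE seconds to close the program, then report failure.
watchdog() {
    grace=${1:-10}
    interval=${2:-2}
    while :; do
        if ! bad=$(check_live_system); then
            printf 'Unexpected: %s- close within %ss\n' \
                "$(printf '%s' "$bad" | tr '\n' ' ')" "$grace" >&2
            sleep "$grace"
            if ! check_live_system >/dev/null; then
                printf 'FAIL: unexpected program still running\n' >&2
                return 1
            fi
        fi
        sleep "$interval"
    done
}

# Constructed sample listing, the shape `ps -o comm=` prints on a lab box.
SAMPLE_PS='bash
java
firefox
sh
ps
firefox
gnome-terminal'
```

Feeding SAMPLE_PS through `unexpected_processes` reports `firefox` and `gnome-terminal`; the test app would call `watchdog 10` from a helper thread or a companion process and fail the exam when it returns 1.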
Can't change users
Can't change OS config
What douche nozzle thought this up?
In the bios turn off the internal drive. Configure a custom live CD, remove browser, ability to kill X, ability to go to a shell, etc. Have the application run under most minimal X, no window manager, nada and have it run the java application. Whoever writes the application shouldn't even have to stifle the window decorations as there should be none.
Don't try to stay in one application and prevent access by this. Use iptables and apparmor to prevent everything you don't want the pupils to do. If they find a way to crash the app they are using, it will be no problem.
can pass the test and have no idea on how to use the concepts?
Don't try to block internet access at the local level, they'll work around it. At the firewall level whitelist specific sites and block everything else. Then even if they fire up a web browser it'll be useless.
And simply uninstall or use user permissions to block access to unwanted applications.
No Technology required:
1. Announce anyone caught cheating WILL fail the course.
2. Post exactly ONE proctor at the rear of the room. His job is to catch the FIRST cheat.
3. The first cheat should be escorted from the room, and given the following choice: become the proctor and catch another cheat, or fail. If you catch a cheat, you may retake the test and the cheat becomes the proctor with the same choice.
Lather, Rinse, Repeat.
I recommend you film for future entertainment value.
KDE has had a kiosk mode for quite a while, leading me to believe it's quite mature by now. It even has a GUI setup tool.
LTSP has support for some lockdown options, and Ubuntu has support for LTSP. It's meant for running classrooms. You can netboot the clients into LTSP when you want to do an exam, and they can run their own install the rest of the time.
are too restrictive. You can't achieve what you want, so either change the requirements or accept the risk.
"Lockdown" or "Kiosk" or any of the other terms are simply shorthand ways of referring to sets of system modifications. If you can't modify the OS configuration, or even create new limited users, about the worst you can do is have your application do something annoying like constantly re-grabbing focus if it detects that it has lost focus, or other horrid little WM-nuisance tricks...
You pretty much have two options:
1. Lean on/buy beer for/be real nice to/go over the heads of/whatever it takes the IT staff and get authorization to run your own OS image (liveCD, PXE boot). The desire to not have you breaking their image is fair; but if you need a kiosk, and can boot a kiosk without touching the disk (indeed, any good kiosk mode image wouldn't touch r/w storage) they can suck it up.
2. Assuming the Ubuntu is reasonably stock, it has a provision for the user to allow a VNC session to shadow their desktop. Tell the kiddies that this test is going to be proctored. Have each open a server with the password you give on the whiteboard or whatever before the test starts. Point vncrec or vnc2flv at each VNC server. If the resultant footage shows cheating, garrote the offender with a mouse cord.
the network drivers.
disable the network in the bios.
log everything moving through the network.
I mean, really.
The Kruger Dunning explains most post on
If you're not going to supervise them, then it doesn't matter how tightly you lock down their computers since they'll just use google/IM from their phones instead.
If you're supervising them closely enough to know that they aren't typing on a phone on their lap, then you should be able to see if they are running a web browser.
With a smart phone, they can access the internet quite easily.
If you pull the ethernet cable and watch for phone use, you'll have effectively cut off the internet without having to change the machine config. Assuming these aren't on a wireless network.
Pessulus and the Epiphany browser. They are in the Ubuntu Repos. And these if you really want it locked down: http://beginlinux.com/server_training/linux-terminal-server/1058-lock-down-user-privileges
If you're worried about a user jumping out of your app and then searching the Internet, and you're in a testing setting, you should be looking at a holistic approach.
Your students will break your application, it's only a matter of time. Use other approaches to make this a useless option.
1) Don't allow any Internet access from the network layer, at all, this includes DNS servers. Ideally your systems should be on a completely disconnected network, meaning there are absolutely no external network connections.
2) Use SELinux to lock down your system. SELinux uses a mandatory permissions model, meaning you *must* be granted permission to be able to do anything.
3) Lock down alternative means of cheating. Cell phones, paper notes and so forth.
4) Follow through with punishing cheating in an appropriate manner.
5) Listen to the feedback of your users (Instructors and Students). This may seem counter intuitive, but it can help you build a better system.
Each person caught cheating would have incentive to dob someone else in whether or not they cheat. You would HAVE to tape it just to prove the person actually cheated. It would also be a huge distraction to have people pulled out of the test. If the lab is designed correctly, it should be trivial to make the Internet unreachable. If not, fix it and you're good to go for all future exams.
However all this is a waste of time - all you're testing here is memorisation skills. If that's what you need to test, fine. But otherwise design the test so the student only passes if they can actually apply the material. Then allow external references including the Internet.
Why don't you setup a VM on each machine that is locked down?
1. Take bribes from other students to be the first one to cheat.
2. Blatantly cheat and get caught.
3. Become the proctor, and ignore everyone now cheating.
You don't need a window manager to run X applications. Start your app from the command line and there will be no messy GUI to lock down.
Remove the network cables, or remove access at the firewall.
That is the ONLY way to remove their internet access without changing the OS configuration that will work. By the way, have I said that it is a stupid requirement to change the way the OS works without changing the OS configuration?
If this is the only app you need to run on the machine, just create a user that is defaulting to the testing app as window manager.
Just don't allow the user to start a new graphic session by hitting ctrl-shift-f* keys.
Fundamentally, you're trying for the impossible: you are trying to use the app to control the window manager.
This is a bit like google trying to stop you closing a browser window!
BUT: If your test happens to be multiple-choice, you could consider making the app run full-screen maximised (windowless), and then unplugging the keyboard. That would work.
[My dept has some computer systems designed for tracking who is present in the building; they solve the lockdown problem with a special keyboard that has only alphanumeric keys - if you physically remove the Ctrl, Alt, Esc, Fx, etc keys you can reasonably make this work!]
An alternative would be to temporarily make the system run just a single X application. If you were to change the first line of the file "/etc/X11/Xsession" to be "exec your-java-app", then you'd get a single-window desktop that runs without a window manager.
This would work on Windows: disable all system keys and make the program start in fullscreen mode.
http://www.codeproject.com/KB/winsdk/AntonioWinLock.aspx
I didn't find anything similar for Ubuntu, but there should be, I guess.
Good luck!
Oh, and: Java to native calls are easy with JNA.
You're looking for a technological solution to a pedagogical problem. Redesign the questions and let them have all the Internet access they want.
I had to take a drivers ed course a while back.. I decided to do it online.. what they did that worked pretty well.. they allowed 3 warnings..warnings went off when the window lost focus and between that and random questions like what was the color of the car in the last section(another warning) they pretty much locked down the test.
You could maximize the window and tell them if they lose focus on the window (do anything else, open any other programs, surf the web, etc..) they fail the test. Have the app close the window when it loses focus or lock the app with a big message which has to be test-admin reset.
keep track of the window and the time and tell the students it's being tracked. If they switch tasks or change the windows size during the test at any time, it will be logged and they'll lose 10% for each minute of the infraction.
Another option is to disable the network(ipdown?) for the duration of the test and test for it during the exam. if it comes up at any time, shut it down and log it and the processes running to see if a browser or some user action caused it.
I don't get it. Isn't this super easy in linux? Or am I missing something?
Aside from Kiosk solutions in various FOSS Desktop and Windowing systems, why don't you just set up a runlevel that has some super-simple Xorg setup that launches with a minimalist window manager (all options disabled, hideously reconfigured or - if all else fails - overridden in the sourcecode and recompiled) and your desired app.
Switch to that runlevel, log off, and you're set. It's that simple. ... Disable eth devices in said runlevel and such if you're super paranoid and want to be extra sure.
This all works in Ubuntu just as in any other distro.
Am I - 13 year long Linux user - missing something here, or isn't it that simple? ... I'm kinda wary, since no one else yet offered that sort of answer.
Please enlighten me if I'm mistaken.
My 2 cents.
Put them in a Faraday Cage !
0) install Fluxbox
1) edit the keys file and remove the right-click option (disable the other hotkeys too)
2) have firefox set to launch at startup
3) use the firefox addon 'Kiosk mode' and edit settings
That should protect you against most undesired activity.
This Ask Slashdot is a good illustration of what I said later on in this comment
If you code the app so that it closes the test if they move or resize or minimize your problem will be solved. Set an event on closing to record the users test score. Let them explain why their test was ended early.
Why not answer the question or keep silent, rather than introduce irrelevant questions of your own? The requirements are stated. The person asking knows the problem more intimately than you do, and probably understands their needs better.
And, yes, students have to learn stuff. Deal with it, you fucking slacker.
Install the KDE Desktop (Kubuntu) then use the Kiosk Admin Tool.
Learning HOW to think is more important than learning WHAT to think.
I've had such a test. The trick is, there was something like 15 seconds for each question, so there was no time to do anything.
Of course if you saved time on some questions, you could spend it on other, skip/go back, etc.
Is this supposed to be a dedicated testing setup, or are these computers being used during the class and the students take the test at the end? Reason I ask is that the first scenario gives you time to boot to a CD or lock down the machines. The second scenario means your Java program must monitor for losing focus, or you have some other quick means of dropping internet access.
Personally, I vote for disconnecting the switch unless you need the local network to run the Java App.
Seriously, this is the best answer I have read here so far. It is simple and elegant. No booting custom images, whitelisting sites, or any of that.
Also, gotta love that half of the answers are: just give a different test, who cares about cheating, just install a different operating system, just fail anyone who cheats, yada yada yada. Why do so many Slashdotters always feel like the best answer to a question is "you're doing it wrong"? Sheesh.
no open book or web, and how many people can remember all of the command line tools / all kinds of key combos?
Program it so that it runs fullscreen, and that if the apps loses focus (the user opens other windows) then he automatically fails the test. Students will be notified of this at the beginning of the test by the app itself.
Seems like the only option to me, as you don't have control on the user or the OS configuration.
Have the user login then unplug the network cable. Also disallow iPhones, ipods etc
Now try to install KDE on Ubuntu, as opposed to kubuntu
ctrl+alt+F1 $ lynx
If you're really worried, put firefox/links/curl/wget/etc to a particular group, set the permissions to 550, and remove any test takers from that group.
If your java app requires a browser, set up some iptables rules that only allow the bare minimum outgoing connections (dns, central test server if it exists, etc), or just block them at the firewall. Most schools I know have a proxy, so you could simply have them blocked at the proxy when doing tests.
Don't people Google and trade answers in the workforce?
Yeah, like "how do connect to db, have client that need us for implement the general CRRSK[1] general ledger application, please provide code sample to do the needful, kindest regards."
Tests like this that forbid people from going to teh googlez do so to avoid this kind of retarded, google-copy-paste cheating. There is a reason why there is an increase in in-person coding tests taking place in code interviews (especially for senior positions.)
Yes, in the workforce we all rely on google and stackoverflow and what not. But those are tools of the trade that are supposed to be used by people with 1) the sufficient training and analytical skills to 2) know what to look for apply as appropriate. You want to test for #1 without #2 because #2 can be done by even the most craptacular of Shakespeare-typing code monkeys.
This should be, I dunno, fucking obvious to anyone who is in IT/software for a living, that 1) is not a google-copy-paste code monkey, and 2) that has been subjected to cleaning the turds said "professionals" leave behind.
[1] Replace with any random, business-specific acronym that no one outside of said company knows what the fuck it stands for.
This is exactly the solution I would have proposed, except it goes against the users requirements.
Disabling TTY access requires changes to the OS configuration which he is not allowed to make. Furthermore in Ubuntu, you can't just kill the current X session and start a new one from the command line with the application as the window manager, because it will helpfully restart X when it crashes (or is intentionally killed). You would either need to create a special user whose default WM is the application you want to run, or you would need to reconfigure the OS graphical login settings, neither of which he is allowed to do.
User applications are intentionally prevented from locking down a machine, otherwise any old piece of malware could do so. The only way to really lock it down is to modify the OS configuration. That is why all the other answers are suggesting round-about ways to achieve the same goal. IMHO adamdoyle's is the best.
Launch the testing app inside a standalone X11 instance - no window manager, just itself.
Have you checked out Webconverger? http://webconverger.com/
Their site may not look like much, but the guy customizes pretty cheaply, and it's a great product (I'm using it for single-appification of a series of computers using a minimally customized version).
It's Debian, so perhaps this isn't entirely responsive, but it's worth checking out.
Switch to Windows and lock down with group policy. Done.
Look up Bentham's Panopticon on wikipedia or google it. Basically it is a well known principle in security (anti-shoplifting devices for example) that so long as the prisoner believes himself to be constantly under the surveillance of the authorities then he will conform to the rules. So, you simply post a stern notice that says something like "All keystrokes are logged by a security application and any student that attempts to search online for answers to any of the test questions will be immediately dismissed from the examination and their test will be marked with a failing grade." Essentially, all you have to do is create a believable regime of Security Theater that will deter deviation from your desires and 99.99 per cent of the students will conform. It's a proven sociological fact.
Boot off of ethernet into your own environment or just unplug the switch that the machines are connected to during the exam.
The options depend on if you just need to lock them out of Internet access or need to actually restrict access to load other programs.
Options to lock-out Internet access:
- Unplug the trunk/uplink from the switch
- Use a firewall rule on the router to block access
- Configure a sudo script to bring down the network interface or set iptables rules accordingly
Options to lock down application access:
- Create a boot CD/USB thumb drive with just the applications they should have access to
- Create a chroot environment with just X and the application they should have access to
- Use setfacl to block the user used for running the test application from having access to the other applications
- Create a SELinux template that limits access to just the files and system calls that the user requires for the test application
- Set an ulimit -u so that launching any additional applications would exceed the maximum number of processes permitted for the test user
How to avoid virtual console switching:
- Remove the additional gettys from spawning in /etc/inittab and restart
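As an added example (not the thread's code), here is the "firewall rule / iptables rules" option from the list above as a script that generates the rule set for exam mode. The test server address 10.0.5.20 and port 8443 are assumptions for illustration. Two details matter in practice: no DNS rule is added (the post further up about a holistic approach makes the same point), so the app has to reach the server by IP; and ip6tables is closed as well, because an IPv4-only filter leaves any IPv6-capable browser with a working path. Local rules only hold as long as the student cannot reboot or gain root, which is why blocking at the router or switch remains the sturdier choice.

```shell
#!/bin/sh
# Added example, not from the thread. Server address and port are assumed.
TEST_SERVER=${TEST_SERVER:-10.0.5.20}   # assumed address of the test server
TEST_PORT=${TEST_PORT:-8443}            # assumed port the Java app talks to

# lockdown_rules SERVER PORT: print the commands that drop all new outbound
# traffic from this host except loopback and the test server. Replies on
# connections the server accepted pass via conntrack. No DNS rule: the
# client must use the IP. IPv6 is shut completely.
lockdown_rules() {
    server=$1
    port=$2
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d $server --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "exam-blocked: " --log-level 4
iptables -A OUTPUT -j REJECT
ip6tables -P OUTPUT DROP
ip6tables -F OUTPUT
ip6tables -A OUTPUT -o lo -j ACCEPT
EOF
}

# restore_rules: print the commands that undo the lockdown after the exam.
restore_rules() {
    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT ACCEPT
ip6tables -F OUTPUT
ip6tables -P OUTPUT ACCEPT
EOF
}

# apply_rules lock|unlock: actually run the commands. Needs root, which is
# what the "sudo script" option above provides; everything else in this
# file is a dry run and safe to execute as an ordinary user.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    case $1 in
        lock)   lockdown_rules "$TEST_SERVER" "$TEST_PORT" | sh -e ;;
        unlock) restore_rules | sh -e ;;
        *)      echo "usage: apply_rules lock|unlock" >&2; return 2 ;;
    esac
}

# `sh exam-net.sh show` prints the lock rules without applying them.
if [ "${1:-}" = "show" ]; then
    lockdown_rules "$TEST_SERVER" "$TEST_PORT"
fi
```

The LOG target before the final REJECT gives the proctor a kernel-log line for every blocked connection attempt, which doubles as the "log everything moving through the network" option. Granting the lab account a sudoers entry for this one script (and nothing else) is the usual way to let the launcher call `apply_rules lock` without handing out a root shell.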
Put an actual human being in the room. They can make sure nobody cheats. It's low-tech, but it works.
easy..... /etc/profile...
end of /etc/profile add this...
"
my_java_app
exit
"
They can log in...get your java app...and then they exit!
Look at this photograph. It depicts Einstein working with various equations.
Do you suppose he knew what the operators did? That he knew differentiation and integration rules? That he knew algebra? Or are you suggesting that he went back to his 101 textbooks at every step.
It is the most absurd thing to use Einstein to defend willful ignorance.
Yes, you do actually have to know stuff to learn how to think, guide your intuition, solve problems efficiently, and discuss topics intelligently. Get over it. Learning and understanding takes work beyond typing your query into Google or Alpha.
I have done this with Ubuntu 10.04 (Gnome 2). Create a new user which will be used for this test. Make sure you have keyboard shortcuts for password protected scripts to launch gconf-editor, logout, and perhaps the keyboard shortcut editor. Disable all other keyboard shortcuts, remove menu bars, disable the desktop. Now set the user's profile to launch the desired application upon startup. They can close the application at their own risk, or you can control this too. Once the profile is satisfactory, replicate as needed.
I am supposing the machines log on to the network using DHCP?
Just make sure the server is set to block port 80 or disable any internet connection to the server during the tests.
Also since they are using Ubuntu, does it have a "guest" account with limited rights already?? If so get them to log into that account to run the tests.
Opera in Kiosk mode (opera.com/support/mastering/kiosk) plus app running on system w/ Guacamole remote desktop software (guacamole.sourceforge.net/)
How about teacher supervision? How about talking to the students about honor, self respect, and honesty. How about respecting them. No. let's just assume they are a bunch of cheaters. This mentality is awful.
you could have listeners for when the app [jframe] loses focus and so on.. there is quite a lot you can do with java, and you wouldn't need any lockdown..
Why do so many Slashdotters always feel like the best answer to a question is "you're doing it wrong"?
In my opinion, it relates to a point in ESR's essay "How To Ask Questions The Smart Way" titled "Describe the goal, not the step".
Just load UNity on it and you will have an UNworkable, UNbelievable mess. That should take care of security because the users will be wasting all their time trying to figure out simple stuff. It's the new distro in town ... UNbuntu!
Just make the app the shell for your desktop, no WM or anything.
This isn't really hard.
The users don't login to gnome or unity or kde or whatever, when they login the .xinitrc (I'm assuming GUI app) or whatever it is these days starts your java app instead of the normal desktop shell. No window manager, you don't need/want one, so no menus to start other apps or browsers unless you build one into your app.
If they close your app, they just get logged out, you'll need to build something in if you're not going to run a window manager though so they can logout.
Have you guys used Google before? I realize there are umpteen posts on here with crazy ass ways to install weird shit and tweak configs and all sorts of stuff, but there really isn't any point. You make it so their login only runs the app and nothing else, so switching to another console or tty doesn't matter.
This would be a trivial per user change, or system wide, but there's nothing you can do in your app itself, the whole system is designed so a rogue app CAN'T take over the system like you are designing, so you have to change the system to allow for your design.
Opera has a Kiosk mode as well as some of the other suggestions above if you are using a web based interface for the Java application. You can restrict it to just a particular site and if you move to a different computer/operating system it would allow for future proofing to a point.
Use debian instead, with no window manager installed at first. Install Xorg and configure your Java application to be started from a script in /etc/rc.d even before the user has to log in, and run in fullscreen. Your users don't need to have an account on the machine and the application belongs to root. They can't log in to TTYs, can't access the network, can't mount any device in the machine BUT your application must take care of the identification stage.
Chrome has a kiosk mode. you can make an application launcher with chrome and the needed commands to kiosk it.
Buy another computer and set it up the way you want, COMPLETELY forget the first one. Connect your new computer to the network and let er rip!!!
Someone asked a very similar question on Stack Overflow. It's here. The short version is: if you're running KDE and can change the window manager configuration, no problem. If you can change which window manager, then sure. (Also, the previous "yank the ethernet cable" or "boot off of live CD/USB" suggestions are quite reasonable.) However, it is possible to handle most of it in the application using JNI to write X-Windows code which will capture almost all keystrokes. It doesn't get ctrl-alt-backspace, but it appears to prevent most of the rest.
Have them buy a Windows Terminal Server, lock it down. Teacher can remotely view each session.
yeah, those pesky not-seers.
Don't load X at startup. Have a bare-bones console login account with an "xinit /path/to/app" in .bashrc (don't & the command, let it hold .bashrc open waiting for the app to close). Last command in .bashrc should be "exit". If the user closes the app, .bashrc finishes and logs the user out. Add some authentication and user database to the java app to authenticate different students. I'd like to see supermarket auto-tellers do something like this instead of that windows xp login prompt after the app has crashed/puked/rebooted badly.
.bashrc foo in debian, not ubuntu though.
I've done this no X,
Two words - Live CD
Webconverger is a locked down Debian, that only allows access to a Web browser. Conceivably the Java testing app could be deployed through the browser via their Java browser plugin.
By default Webconverger does not ship with Java, though you can order a customised version from http://webconverger.com/buy with it included.
This is a great version of the Communist nightmare.
"If you're not passionate about your operating system, you're married to the wrong one."
Leave them without internet access. Only LAN access for stuff related to your desktop Java App.
Most people these days consider a computer useless without internet.
If you care about them messing with the settings, perhaps an app to 'freeze' Ubuntu might come in handy. I can only think of the Windows equivalent (DeepFreeze) but I bet there must be a Linux equivalent.
http://www.linuxjournal.com/content/tech-tip-start-kiosk-style-machine-running-single-x11-application
Use a live CD. 10 years ago when I was a Freshman at RPI, everyone taking Calculus 1 or 2 had to take this online Gateway exam which then set the ceiling on your course grade. (A C on Gateway meant you could not earn better than a C in the course, but an A would not change your C average one bit).
To administer the exam, the CS department sysadmin made a FreeBSD 4.x live CD that had Netscape 4.x as the sole application launched via Xinit with no window manager. Quitting Netscape triggered the shutdown process and ejected the CD. I don't remember the rest of the details about how they prevented Internet usage, I have a sneaky suspicion they messed with the DNS servers and routing tables so it was nearly impossible to go to a site other than the browser home page.
Given the advancements in Live CD technology in the last 11-12 years, it should not be hard to make an Ubuntu or Knoppix or Gentoo LiveCD that boots and has your app as the only app on the CD, thus satisfying the rules of no modifications to the testing computers and not allowing outside resources to the test takers.
we're not allowed to create special users or change the OS configuration
You're pretty much screwed as far as that OS is concerned. If you're really lucky there might be a copy of KDE installed with its kiosk mode, or perhaps you can kill enough of the window manager to get it stuck (but that's supposed to result in the window manager restarting itself).
If you can't change the disk, your only option is to replace it. I don't mean physically, though that may be an option; I mean with a live CD, USB or netboot.
The Debian Live project allows you to easily create a live CD (or the other media) with your choice of packages; so easily in fact that there used to be an automatic service for it, upload the package list, download the ISO.
So install a minimal Debian with ONLY the bits you need, turn it into a live image and boot it off the network.
Bah, only humans need such petty things, such as problem solving and origination. Any intelligent being would know it, before it was ever needed, without ever bothering with recorded nonsense. It is absolutely comical to assume Einstein was even human. He was born at the peak of Baden-Württemberg, in a blizzard, and when he arrived--the snow melted and the adolescent Winter abruptly screeched to a halt. I learned this on Ask.com.
If the answer is on Google, what good is the question then? Get better educated teachers to ask better questions.
Don't know if this works with newer versions of Ubuntu; I have only used this configuration on my personal computers and don't know how hard this would be to deploy in a multiuser environment.
If your users don't need an account of their own to save their stuff, but use a USB stick or similar, then you can install Ubuntu with only one user account (except admin) that the students automatically log in to, then use unionfs to overlay the installation with a RAM disk.
Every time a student turns off the computer, all the stuff that is in the RAM disk is wiped clean. The next student that turns on the computer will have a clean account with the default configuration.
It's like running Ubuntu off a CD, but with the speed of a hard disk, and you can still use the hard disk for swap partitions etc.
We (University of Applied Sciences Northwestern Switzerland) have developed a live system for exams. It can be booted from DVD, USB flash drives, SD cards, etc.
If a computer is booted with this system, access to all other storage media and network access is blocked. It can be started in English, German, French, Italian, Spanish, Portuguese, Russian and Albanian. Here is the download link to the latest version.
http://www.imedias.ch/dateien/lernstick-testversion/lernstick_pruefungsumgebung_debian6_2011-10-17.iso
Here are some more details about the normal (unlocked) version:
http://www.imedias.ch/lernstick/lernstick_en
Both systems can be easily adapted to your needs (e.g. add your test application).
If you have any questions, feel free to contact me: ronny.standtke at fhnw.ch
I worked on this project for a Primary school. It's worked well for >2 years for 120 pupils.
http://linuxcentre.net/wiki/
The parts about automatically resetting the homedir after reboot are probably of interest to you.
http://linuxcentre.net/wiki/index.php/Detailed_Maverick_Meerkat_OS_Netbook_Customisation below Home_Directory_Synchronisation
Don't lock down the computers, it's almost impossible. Get your administrator to install iTALC or some other monitoring software. What you get is an image of the monitors of the whole classroom at once; in a 4x3 or 5x4 configuration you can see what students are doing. If there are more windows they are too small to recognize, but it's big enough to detect foul play. It uses VNC and it's very nice.
Alternative is just using VNC server on each computer and "VNC Thumbnail Viewer" ( http://thetechnologyteacher.wordpress.com/vncthumbnailviewer/ ).
This is a simple and clean solution, and you can monitor students even if you're not there (e.g. ask a friend at home to look for foul play while you're walking around in the classroom).
Did you use Google? To find ways to make sieves watertight? I suspect you would need to plug many holes. Alternatively you could just buy a pot or a sealed vessel if that's what you need.
Seriously though, restrictions will make students work around your efforts. Maybe a small, isolated network for your lab would suit you. Protect BIOS, use decent root passwords and maintain a cache for updates.
And ban smart phones.
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
We have a somewhat similar setting to administer tests to our students (not using a java app but a web app developed in house and moodle with its quiz module, according to the type of test).
If you are not allowed to make changes to the computers' configuration, I cannot give specific advice on "computer locking" to disable the launch of other applications.
As far as the internet access is concerned we have all of our computers (~ 40) behind a linux nat/firewall and we simply "tune" the nat configuration in order to avoid internet access during the tests.
Anyway, in every room, there is always at least one proctor.
Read about the chroot command.
You set up a directory tree that contains only the java runtime system and the application.
To start the app you have a shell script that "changes the root" and starts the Java App.
The shell script should remove the key bindings to alt-Fx combinations and then you are done.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
There are two ways in which a user can "escape" from your application, namely through the window manager and through keyboard shortcuts handled by X or the operating system. Since everybody can choose their own window manager, the only solution is to replace it with your application, which will then run fullscreen. Exiting the application should log out the user in order to revive their own window manager. Many window managers have a --replace option; you should mimic that.
The other escape is VT switching using the CTRL+ALT+Fx keys. This thread provides some starting points on how to achieve that:
http://old.nabble.com/How-to-disable-ctrl-alt-Fn--td14994350.html
Hope that helps. You'll never get it totally secure as long as the users are using their own accounts; as long as they can run other processes than yours, they can do whatever they want.
0x or or snor perron?!
I studied computing at Imperial College London and there was such a setup for lab exams. It would lock down the Linux machine so you couldn't communicate with the Internet or with other computers in the lab, but it would communicate with a central server so you could submit your work. You could contact the Department of Computing to ask if they still have this system and if they would share it.
-- Ed Avis ed@membled.com
It's quite simple to disable the tty hot keys ctrl+alt+F*.
There is an option in Xorg.conf that disables that, pretty simple.
I did?
The original post: “Why not let them use resources? Similar to what they will have available to them in the workforce.”
The retort: “[S]tudents have to learn stuff. Deal with it”
You: “Having no access to reference material is a ridiculous limitation.”
Me: “Learning and understanding takes work beyond typing your query into Google or Alpha.”
I never wrote "no work at all;" I am stating that hard memorization work needs to be done. Tell me, are you fluent in more than one spoken language?
If you can't change the OS configuration, you're screwed.
What I'd suggest for something like this is to set up a locked-down OS image for the testing app, and make that image do what you want (which should probably include some kind of heartbeat script that notifies a proctor if a machine goes down, for example if someone is trying to reboot it).
When the time comes to test, netboot the machines using that image. When testing is over, boot the machines back up normally.
...But the students aren't the ones being tested. You are being tested on whether you will accept responsibility for something while being denied the very resources and authority you need in order to carry out that responsibility. And you failed, when you didn't insist on it, and throw the restrictions back in their faces.
I know you're not allowed to change the OS configuration, but what if you wrote some kind of boot script that boots only certain services and then launches X and starts the java terminal? You could cut off dhcp from running this way and at the same time leave the students with a very stripped down graphical interface if they did exit the application. When the job is done just revert back to the old settings; it would be as easy as appending an option to the grub boot-loader.
Why not just load a customized Linux from the CDROM/DVDROM drive and boot from that? This would not make any changes to the existing OS and you could disable whatever you wish. It doesn't even have to be Ubuntu if you feel more comfortable with another distribution.
Seriously? You didn't google for "kiosk mode"?
No, you cannot do that. That would be a vulnerability that allowed normal users to lock down a working system.
Just use custom live CD. There are many options for kiosk style apps.
When starting up, let the user provide a URL from which to download your exam app.
They really won't boot that system, because they would lose any previous answers while booting.
And anyway writing any long enough URL will erase their short term memory on which they rely when cheating.
In the file /etc/X11/Xwrapper.config make the line
allowed_users=console
into
allowed_users=anybody
Create a file /etc/X11/kiosk.conf which contains
Section "ServerFlags"
Option "DontVTSwitch" "true"
EndSection
Now you can start your kiosk (no system access needed):
X -config kiosk.conf :1 & metacity --display=:1 & your_program
To kill the session: alt-sysrq-k alt-f7
or use the power button
One issue to solve: the "print screen" button brings up a dialog which can be used to browse the filesystem. But you can't read files or access the internet with that.
Atari rules... ermm... ruled.
Why not just create a special "test" user with limited privileges?
Then switch all machines to this user when the students have to do the test, and switch them back to a user account with more privileges for normal use. Or am I missing something?
Whatever you do, make sure to run it against the battery at http://ikat.ha.cked.net/Windows/. They are dedicated to breaking through hardened internet kiosks. If you can handle what Paul can throw at you, you should be good.
I do security
Don't worry about browsers or any specific applications; just use iptables to not allow networking except to a small set of IP addresses that are whitelisted (the site to submit results, for example, and anything else you want to allow). Make sure that no sites that allow pass-throughs are on that list (e.g. no SSH servers).
This still doesn't prevent having a parallel machine with network access (a laptop, tablet, or smartphone), but kiosk mode wouldn't prevent that anyway.
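The egress whitelist described in the comment above, written out as an added example that is not from the post: it generates the iptables rules for a small set of IP:PORT pairs with a default DROP policy on outbound traffic. The addresses 192.0.2.10 and 192.0.2.20 are constructed TEST-NET-1 stand-ins for the results-submission server and one other permitted host; the script only emits the commands, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables egress whitelist as the
# comment above suggests. Applying it needs root, so the rules are produced as text
# first (review them, then pipe to sh). Sample addresses are constructed TEST-NET-1
# stand-ins for the results-submission server and one other permitted host.

# Whitelist entries are "ADDRESS:PORT" - one service per host, so an SSH daemon or
# web proxy on a permitted host cannot be used as a pass-through to the internet.
WHITELIST="192.0.2.10:443 192.0.2.20:80"

# Accept an IPv4 dotted quad plus a TCP port 1-65535; anything else (a hostname, a
# bare address, a port out of range) is rejected instead of producing a rule that
# matches more than intended. Octet ranges are not checked.
valid_entry() {
    case "$1" in
        *.*.*.*:*) ;;
        *) return 1 ;;
    esac
    addr=${1%:*}
    port=${1##*:}
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$port" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print the iptables commands: flush OUTPUT, keep loopback and replies belonging to
# established connections, allow new TCP connections to each pair, and only then set
# the default policy to DROP. A bad entry aborts before the DROP is emitted, so a
# typo in the list never locks the machine down with the wrong exceptions.
# No DNS is permitted, so the app must reach its server by IP (or via /etc/hosts).
gen_rules() {
    echo 'iptables -F OUTPUT'
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    echo 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for e in $1; do
        valid_entry "$e" || { echo "bad whitelist entry: $e" >&2; return 1; }
        echo "iptables -A OUTPUT -p tcp -d ${e%:*} --dport ${e##*:} -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'iptables -P OUTPUT DROP'
}

# Usage (as root):      gen_rules "$WHITELIST" | sh
# Undo after the test:  iptables -P OUTPUT ACCEPT; iptables -F OUTPUT
```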
An easier approach would be to create a special account for the students that does not have root access or sudo privileges. Then it does not matter if the user can switch terminal or whatever. Prevent the account running web browsers and similar applications and prevent it from accessing the network. Of course it would not prevent the users from exiting the app.
What about disabling internet access?
Coder's Stone: The programming language quick ref for iPad
Gotta have duct tape in there somewhere. Over the ethernet port for a start. And then over the corner of the monitor so they can't click that minimise button.
If it sees them run other applications, then you can fail them for cheating. Or kill the other applications on them.
You could "freeze" the ability of the desktop application from running....the user owns the PID after all. Then when your app is done, you could SIGCONTINUE it.
Both of these could be done with a simple killall command before and after your app runs.
Except for yours. It should be relatively simple. Then continue them when you are done. I think you can do it in about 5 lines of shell.
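The freeze-and-continue idea from the comments above, written out as an added example (not code from the thread): it stops every other process the student owns with SIGSTOP, runs the test application, and sends SIGCONT to them afterwards. It assumes a Linux /proc; the script name freeze-run.sh, the application path and metacity as the window manager are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: stop every other process owned by the
# current user with SIGSTOP before the test app starts and resume them with
# SIGCONT when it exits. Needs no root because the user owns those processes,
# and SIGSTOP cannot be caught or ignored by the target. Assumes a Linux /proc.

# Field N of /proc/PID/stat counted after the "(comm)" part, so a command name
# containing spaces cannot shift the columns: 1 = state (R/S/T/...), 2 = parent PID.
stat_field() {
    sed 's/^.*) //' /proc/"$1"/stat 2>/dev/null | cut -d' ' -f"$2"
}

# PIDs that must not be stopped: this script, the PIDs given as arguments and
# every ancestor of this script. Stopping the login shell or session that started
# us would leave nobody able to send SIGCONT afterwards.
protected_pids() {
    keep="$$ $*"
    a=$$
    while [ "$a" -gt 1 ]; do
        a=$(stat_field "$a" 2)
        [ -n "$a" ] || break
        keep="$keep $a"
    done
    printf '%s\n' "$keep"
}

# Read newline-separated PIDs on stdin; drop those in the space-separated list $1.
filter_pids() {
    keep=" $1 "
    while read -r pid; do
        case "$keep" in
            *" $pid "*) ;;
            *) printf '%s\n' "$pid" ;;
        esac
    done
}

# All PIDs owned by the current user, read straight from /proc (no ps needed).
user_pids() {
    uid=$(id -u)
    for d in /proc/[0-9]*; do
        owner=$(awk '/^Uid:/ { print $2; exit }' "$d/status" 2>/dev/null)
        if [ "$owner" = "$uid" ]; then
            printf '%s\n' "${d#/proc/}"
        fi
    done
}

# Send signal $1 to each PID that follows; a target that already exited is ignored.
signal_pids() {
    sig=$1
    shift
    for p in "$@"; do
        kill -"$sig" "$p" 2>/dev/null || true
    done
}

# Arguments are PIDs to exempt in addition to this script and its ancestors.
freeze_others() { signal_pids STOP $(user_pids | filter_pids "$(protected_pids "$@")"); }
thaw_others()   { signal_pids CONT $(user_pids | filter_pids "$(protected_pids "$@")"); }

# Launcher (placeholder names):  ./freeze-run.sh --run /path/to/test-app $(pidof metacity)
# Exempt the window manager: a frozen WM never handles the MapRequest for the new
# window, so the test app would not appear on screen. Caveats: SIGCONT at the end
# also resumes jobs the student had stopped on purpose, and anything the app itself
# spawns later is never frozen.
if [ "${1:-}" = "--run" ]; then
    app=${2:?usage: $0 --run /path/to/test-app [exempt-pid ...]}
    shift 2
    trap 'thaw_others' EXIT INT TERM      # always thaw, even if the app crashes
    freeze_others "$@"
    "$app"                                # blocks until the student closes the app
fi
```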
Hmm, you guys seem to be doing clava's homework for him.
Just sayin'
You might have to settle for a live CD if booting the machines for the test is acceptable. That way, whatever special configurations you use will just disappear once the machine is booted without the CD.
Otherwise, you're pretty stuck. There are several ways to make a Linux kiosk app, but all of them require that you configure the system appropriately.
I'd now like to see proof a low registered 'luser' /. ID = better tech skills in computing.
* SEE - IF THE BEST YOU HAVE IS AN UNJUSTIFIED MOD DOWN OF MY POSTS, & THE INABILITY TO PRODUCE PROOF OF THE ABOVE QUESTION'S ANSWER SHOWING A LOW REGISTERED "LUSER" ID ON /. = HIGHER TECHNICAL SKILLS IN COMPUTING? U FAIL... hugely.
APK
P.S.=> Of course, we'll NEVER see proof of that, as it doesn't exist & is illogical to assume in the first place!
... apk
"no surprise that they mod you down, it's just the logical thing (edit - > ) FOR AN EFFETE TROLL TO DO!" - by Anonymous Coward on Friday December 09, @06:39PM (#38320862)
It's just what "that kind", does: Downmod w/ no technical grounds justification given based on his UTTERLY RIDICULOUS PREMISE/IMPLICATION that a LOW REGISTERED "LUSER" ID ON /. IS INDICATIVE OF SUPERIOR SKILLS IN COMPUTING.
(That's utterly ridiculous...)
* New NEWS/NewsFlash/Clue: It's far, Far, FAR from that I have found in fact...
(Especially in real world practice here in my sweeping the floor with the "best & brightest" of /. in computing related topics just too, Too, TOO MANY TIMES on my part... lol!)
APK
P.S.=>
"don't piss off the judge/referee" is just common sense. No technicality involved in that decision." - by Anonymous Coward on Friday December 09, @06:39PM (#38320862)
Wrong - PISS ON THEM if they're nothing but "hit & run downmodders" who can't combat my points with facts or logic (valid ones on BOTH accounts) to disprove what I stated in my downmodded posts like this one was unjustly on no technical grounds -> http://developers.slashdot.org/comments.pl?sid=2563338&cid=38305588
... apk
where your reasoning fails is that a guy that answers a post on slashdot CANNOT MOD (up or down). so elsurexiste did not mod you. period.
the judges here are independent of the case. you insulted the thousands people with a low UID reading slashdot, one of them had mod point to spare, he did. I doubt he/she even read your lunatic posts
now you can run and hide your stupidity.
1st - Did I say elsurexiste downmodded me? No. Show us a quote of where I did state that literally... ok??
"where your reasoning fails is that a guy that answers a post on slashdot CANNOT MOD (up or down). so elsurexiste did not mod you. period." - by Anonymous Coward on Saturday December 10, @05:23AM (#38324268)
2nd - Clue/New NEWS/NewsFlash: LEARN TO READ!
(3rd/Additionally - Stop trying to put words in others mouths they never stated... Thank you!)
---
"the judges here are independent of the case." - by Anonymous Coward on Saturday December 10, @05:23AM (#38324268)
Oh, really? Are they also LOW USER ID's AROUND HERE ON SLASHDOT TOO??
(You know - The kind that elsurexiste (you no doubt posting as ac now I wager) implies have "superior computing knowledge due to them being a low user id on slashdot registered 'lusers'"?)
4th - LOL, what a CROCK that is, that implication of his/yours - that a lower registered "luser" ID around slashdot makes them better @ computing topics here!
Utterly ridiculous...
---
"you insulted the thousands people with a low UID reading slashdot, one of them had mod point to spare, he did." - by Anonymous Coward on Saturday December 10, @05:23AM (#38324268)
They're insulted (or those that are actually intelligent must be) that such implications were made here in the 1st place (see above) that a low registered "luser" ID on /. makes them superior @ computing...
I.E.-> It's too damn illogical of a statement for them NOT to be (& thus, they're, as readers, naturally insulted @ being surrounded by those so unintelligent that such implications were made by they (makes slashdot LOOK BAD, lol)).
---
"I doubt he/she even read your lunatic posts" - by Anonymous Coward on Saturday December 10, @05:23AM (#38324268)
Somehow I DOUBT that you have your PHD in psychiatric sciences & a license to practice in that area professionally that allows you to legally libel someone as you have myself... because we KNOW you don't possess a formal evaluation administered in a professional environs to do that much either!
APK
P.S.=>
"now you can run and hide your stupidity." - by Anonymous Coward on Saturday December 10, @05:23AM (#38324268)
LMAO - Speak for yourself, after reading the above, lol...
... apk
If cheating is a problem, fix the social problem of cheating otherwise just tell students not to leave the app while taking the test.
Webconverger. It's Debian based and if you know what you are doing you can easily change its functionality to what you want.
Somehow I DOUBT that you have your PHD in psychiatric sciences & a license to practice in that area professionally that allows you to legally libel someone as you have myself... because we KNOW you don't possess a formal evaluation administered in a professional environs to do that much either!
Your posts truly reflect a crazy paranoid and lunatic personality, actually, so much that I'm sure you're faking it !
... Peter (hey I'm back, your favorite fan (not!) )
Oh, by the way, did you get that PhD in computer sciences and computer security so that you can continue to post your "security advices" on slashdot ? or are you going to stop bugging us
To show for yourself in Comp. Sci. period, per my subject-line above.
* You "demanded" I & doubtless others post proofs of that before, but when it comes time YOU have to prove the same? LMAO - YOU HAVE ZERO, lol...
(That's part of what ALWAYS "KICKS YOUR A$$" badly when you try to "troll me", lol... every time!)
APK
P.S.=> So much for this line of b.s. here from you now I'll requote for "posterities' sake" and FOR LAUGHS:
"Actually, you don't know anything about my degrees or accomplishment, simply because I've never claimed anything." - by Anonymous Coward on Saturday December 17, @04:01PM (#38411108)
Again, because you have "none of the above" (and YOU KNOW IT, I know it, & anyone here reading knows it as well, lol!)...
... apk
And we (me and others you claimed know nothing in C.Sc.) don't have to prove anything because we never claimed and bragged about anything (as opposed to you, boasting braggart)
:-)
...
Besides you factually failed to prove YOU did every single time:
* You proved that a guy named Alex Kowalski did go to some barely known college to practice a sport called Lacrosse.
* You failed to prove that he had achieved any degree there.
* Most importantly you failed to prove that you were him. As far as we know, you're just some random anonymous coward and troll claiming to be him, which doesn't prove anything (tip: that's the part where you start getting your ass kicked about what a fact (or lack thereof in your case) is). Note that even if you were to prove that you are actually named Alexander Peter Kowalski, you might still (although doubtful) not be that Alex Kowalski (you could be a homonym, you know)
* Also you proved with facts and reputable sources (that YOU gave us), that you were a multi-banned troll and claimed (without proof, but still) that you were using an army of astroturfers to mod your posts up and that you were threatening people with frivolous lawsuits (which you never filed of course)
* Finally you proved to everyone here that English is not your native language, which (arguably) sounds weird coming from a guy pretending he's been raised in US school/college.
I wonder if you could be prosecuted for libeling all the people you claimed have no degree (be it B.S., M.S. or PhD) the day they meet you face to face with their diploma
I'm not delusional, I don't even hope you'll answer any of the points above since you never did before
See you later in Awesomeland Peter
U asked 4 info. of me, so why RUN from it when same's asked of u?
* See here http://developers.slashdot.org/comments.pl?sid=2563338&cid=38412100
APK
P.S.=> "Run troll - RUN!", lmao - the "burden of proof's on YOU" now, & as-per-your-cowardly/trollish usual? You'll EVADE IT, to no end... utterly HILARIOUS (what's it LIKE being a "ne'er-do-well" like yourself?)
... apk
Yes, totally, the burden of proof is on me. And since I claimed nothing or bragged about nothing, I'm going to prove it.
:-)
... Now you're going to tell me it's illegal to claim nothing ?
So here it is: since I've nothing to prove, I just proved nothing, easy one
Your turn now: prove everything you claimed and bragged about (like I just did) or find something I bragged about that I have to prove
It's really funny how you cannot even make the simplest rational reasoning
Whoever you are, until now you didn't prove that you are who you claim to be: Alex Kowalski practicing Lacrosse in the 80's (and I doubt you can)
Yet you demanded I show that I had (& I did, in both education + decent enough accomplishments over time in the computer sciences) - however, when YOU are asked to produce the same?
YOU RUN!
* Of course, in pure evasion on YOUR part as per your usual? Well - NOW you say you have "nothing to prove" - of course, you haven't done anything provable in computer sciences: Zero, Zilch, Nada, Squat, etc./et al, lmao...
APK
P.S.=> Same story every time with you, & you end up with "egg on your face" each time... I'm not dealing with a peer in you obviously (& that's that)... apk