Ask Slashdot: Ubuntu Lockdown Options?
First time accepted submitter clava writes "We have a desktop Java testing application that is going to be administering tests to students on lab computers running Ubuntu 10.x. These computers are used by the students for other purposes and we're not allowed to create special users or change the OS configuration. When the testing app is launched, we need to restrict users from exiting the app so they can't do things like search the internet for answers or use other applications. Is there a good way to put an Ubuntu machine in kiosk mode or something via our application and have exiting kiosk mode be password protected? Any ideas are appreciated."
I'm afraid if you want it actually locked-down, you're pretty screwed. You can't really disable things like switching to a tty with ctrl-alt-f1 without "changing the OS configuration."
Why not let them use resources? Similar to what they will have available to them in the workforce.
Create your own custom locked down kiosk boot image and require users to boot from that? Keep in mind that users might take the boot media home with them so they'll have a copy of the test app if you store it locally (as opposed to retrieving it from a website)
Here's an example:
http://jacob.steelsmith.org/content/ubuntu-kiosk-based-910
(I'm not vouching for this particular implementation, I just found it through a quick google search).
you could always use a livecd, restrict it any way you want....
Not sure how hard this would be to do, but it seems like it would be fairly easy to boot from a livecd/usb key. If you remove packages you don't want the end user to have access to (it's hard to browse the web for test answers if there's no browser installed) that should address at least some of your concerns. An added bonus is that if you need to repurpose the machine, or if it doesn't need to be in test mode all the time, a simple reboot could restore it to a vanilla version of the OS.
Facts have a liberal bias.
Pull out the Ethernet connection. TADA!
did you even google your question?
http://lmgtfy.com/?q=ubuntu+lockdown
maybe this will help you
http://ubuntuforums.org/showthread.php?t=456549
http://users.telenet.be/mydotcom/howto/linuxkiosk/ubuntu01.htm
http://library.gnome.org/admin/system-admin-guide/stable/menustructure-13.html.en
It's not a typo if you understood the meaning!
If any app can take over a machine without having a specific configuration / account to do so, then that app behaves like a blackhat app. I sincerely hope there is no way to do what you want. You should be required to modify the environment / create an account to stop window managers / desktop tools, etc. It is easy to do it that way.
And I mean that for any OS. Not just Ubuntu.
The way they did a test at our University was to run a script which didn't so much lock everything down, but recorded whether a student had used Firefox / Chrome and copied their history to a remote folder. If students know that's going to happen, it's not much help, but if they don't, it could catch the cheaters.
The school system: memorize shit for a test and then forget it afterwards (unless you have an outstanding memory, of course)! Brilliant!
Would disabling internet access be enough? You could have your app unload the Ethernet driver when it runs and then reload the driver when it exits. Of course your app would have to have system level permissions to futz with Ethernet and you'd have to deny those permissions to the user.
I'm not sure how you could disable running other applications if you're not allowed to change the OS configuration.
Just use the default Unity desktop bundled with recent Ubuntu releases. It's so fucking unusable in every respect that malicious and benign users alike will want nothing to do with it. They'll use only the Java testing application solely to avoid having to deal with Unity.
You'll never have to worry about them using Facebook, or adding additional users, or installing their own software. Even long-time Unity users have a whole fuck of a lot of trouble doing those things. Many just learn to accept that they'll never be able to.
You are mean!
I'd suggest having a whitelist of allowed process names that are allowed to be running during the test as that user. If any other programs are running when the program starts, it should not allow the test to be started until those programs are shut down (add a "kill all" button for newbie users). It should also have a watchdog that polls to make sure that the system is still clean. If it finds any unwanted programs, it should give the user 10 seconds to kill them or fail the test (or require a password to ignore this process). If you can do this in the same thread as the testing program, and in such a way that you can't just attach gdb and pause execution while you google the answers, you're onto a winner.
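The allowlist-plus-watchdog idea from the comment above, as an added example that is not part of the original thread: it lists the exam user's processes, reports any whose name is not on the allowlist, and fails only if the same process is still running after the grace period. The process names in `ALLOWED` and the `--watch` switch are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: allowlist check over one user's processes.
# The names in ALLOWED are placeholders; build the real list by running
# list_user_procs in a clean exam session. If this script runs as the exam
# user, its own helpers (bash, ps, sleep) have to be listed as well.
ALLOWED='java
bash
ps
sleep
gnome-session
metacity
dbus-daemon'

# Print "PID COMMAND" for every process owned by user $1.
# ps reports the name a process gives itself (truncated to 15 characters),
# so treat a clean result as a signal, not as proof.
list_user_procs() {
    ps -u "$1" -o pid= -o comm=
}

# Read "PID COMMAND" lines on stdin and print those whose command name is not
# an exact whole-line match for an entry in the newline-separated allowlist $1.
# Names with embedded spaces or partial matches are reported (fail closed).
find_unlisted() {
    while read -r pid comm; do
        [ -n "$pid" ] || continue
        if ! printf '%s\n' "$1" | grep -Fxq -- "$comm"; then
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# Print the offenders from snapshot $2 that were already present in snapshot $1,
# i.e. the processes that were not closed during the grace period.
persistent() {
    printf '%s\n' "$2" | while read -r line; do
        [ -n "$line" ] || continue
        if printf '%s\n' "$1" | grep -Fxq -- "$line"; then
            printf '%s\n' "$line"
        fi
    done
}

# watchdog USER [POLL_SECONDS] [GRACE_SECONDS]
# Polls forever; returns 1 and prints the offenders once something unlisted
# survives the grace period. The caller decides what "fail the test" means.
watchdog() {
    user=$1; poll=${2:-5}; grace=${3:-10}
    while :; do
        first=$(list_user_procs "$user" | find_unlisted "$ALLOWED")
        if [ -n "$first" ]; then
            echo "Not allowed during the test, close within ${grace}s:" >&2
            echo "$first" >&2
            sleep "$grace"
            second=$(list_user_procs "$user" | find_unlisted "$ALLOWED")
            left=$(persistent "$first" "$second")
            if [ -n "$left" ]; then
                echo "$left"
                return 1
            fi
        fi
        sleep "$poll"
    done
}

# Run the loop only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--watch" ]; then
    watchdog "$(id -un)"
fi
```

Because it needs no root and changes no configuration, this fits the submitter's constraints, but it only detects; it does not stop a virtual-console switch or a second login.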
Don't try to stay in one application and prevent access by this. Use iptables and apparmor to prevent everything you don't want the pupils to do. If they find a way to crash the app they are using, it will be no problem.
can pass the test and have no idea on how to use the concepts?
Hey, asshole. Ever occurred to you that, given clava's high UID, he/she isn't a geek and doesn't know enough of Linux/technology to do this? Look at how this question was redacted: it's obvious that he/she is not in control of the system, and is looking for some info here, where people with knowledge gather. Just answer the question if you can help and don't be pompous.
I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
Don't try to block internet access at the local level, they'll work around it. At the firewall level whitelist specific sites and block everything else. Then even if they fire up a web browser it'll be useless.
And simply uninstall or use user permissions to block access to unwanted applications.
WTF Man. Maybe they are a math/english/whatever teacher using some sort of automated grading system. Maybe they're a good teacher but bad with computers? But NO! Unless you crafted it yourself bit by bit then it's tantamount to "cheating".
No Technology required:
1. Announce anyone caught cheating WILL fail the course.
2. Post exactly ONE proctor at the rear of the room. His job is to catch the FIRST cheat.
3. The first cheat should be escorted from the room, and given the following choice: become the proctor and catch another cheat, or fail. If you catch a cheat, you may retake the test and the cheat becomes the proctor with the same choice.
Lather, Rinse, Repeat.
I recommend you film for future entertainment value.
Red
KDE has had a kiosk mode for quite a while, leading me to believe it's quite mature by now. It even has a GUI setup tool.
Design tests that challenge understanding of the subject and reasoning, not memory.
But that's such a pain! "Test and forget" is so much more simple!
Filthy, filthy copyrapists!
LTSP has support for some lockdown options, and Ubuntu has support for LTSP. It's meant for running classrooms. You can netboot the clients into LTSP when you want to do an exam, and they can run their own install the rest of the time.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
"Lockdown" or "Kiosk" or any of the other terms are simply shorthand ways of referring to sets of system modifications. If you can't modify the OS configuration, or even create new limited users, about the worst you can do is have your application do something annoying like constantly re-grabbing focus if it detects that it has lost focus, or other horrid little WM-nuisance tricks...
You pretty much have two options:
1. Lean on/buy beer for/be real nice to/go over the heads of/whatever it takes the IT staff and get authorization to run your own OS image(liveCD, PXE boot). The desire to not have you breaking their image is fair; but if you need a kiosk, and can boot a kiosk without touching the disk(indeed, any good kiosk mode image wouldn't touch r/w storage) they can suck it up.
2. Assuming the Ubuntu is reasonably stock, it has a provision for the user to allow a VNC session to shadow their desktop. Tell the kiddies that this test is going to be proctored. Have each open a server with the password you give on the whiteboard or whatever before the test starts. Point vncrec or vnc2flv at each VNC server. If the resultant footage shows cheating, garrote the offender with a mouse cord.
More or less, probably the easiest way of doing it would be to boot a CDROM and load the home directory over the network if need be. I haven't gotten it figured out, but you can load ISOs directly from disk using GRUB2 if need be.
http://www.panticz.de/MultiBootUSB
the network drivers.
disable the network in the bios.
log everything moving through the network.
I mean, really.
The Kruger Dunning explains most post on
Indeed. On my HTPC I have Xbmc running without a window manager, which doesn't allow you to run anything else and logs out if the program exits. But that requires some reconfiguration, and you'll still need to disable the virtual console features so they can't log in and start another X session.
You really can't expect to lock down a system that you can't reconfigure.
If you're not going to supervise them, then it doesn't matter how tightly you lock down their computers since they'll just use google/IM from their phones instead.
If you're supervising them closely enough to know that they aren't typing on a phone on their lap, then you should be able to see if they are running a web browser.
And they say Slashdot is full of unhelpful elitists. Pshaw!
Pessulus and the Epiphany browser. They are in the Ubuntu Repos. And these if you really want it locked down: http://beginlinux.com/server_training/linux-terminal-server/1058-lock-down-user-privileges
If you're worried about a user jumping out of your app and then searching the Internet, and you're in a testing setting, you should be looking at a wholistic approach.
Your students will break your application, it's only a matter of time. Use other approaches to make this a useless option.
1) Don't allow any Internet access from the network layer, at all, this includes DNS servers. Ideally your systems should be on a completely disconnected network, meaning there are absolutely no external network connections.
2) Use SELinux to lock down your system. SELinux uses a mandatory permissions model, meaning you *must* be granted permission to be able to do anything.
3) Lock down alternative means of cheating. Cell phones, paper notes and so forth.
4) Follow through with punishing cheating in an appropriate manner.
5) Listen to the feedback of your users (Instructors and Students). This may seem counter intuitive, but it can help you build a better system.
---- Fight to protect your right to keep and arm bears! ummmm... ya I think that's right....
you forgot: "and design a new test every year, for each class, and different from all tests ever put out by the tens of thousands of universities over the years, coz those will end up on the interwebz".
since you're obviously not mediocre, i guess you're volunteering, genius ?
The Cloud - because you don't care if your apps and data are up in the air.
Each person caught cheating would have incentive to dob someone else in whether or not they cheat. You would HAVE to tape it just to prove the person actually cheated. It would also be a huge distraction to have people pulled out of the test. If the lab is designed correctly, it should be trivial to make the Internet unreachable. If not, fix it and you're good to go for all future exams.
However all this is a waste of time - all you're testing here is memorisation skills. If that's what you need to test, fine. But otherwise design the test so the student only passes if they can actually apply the material. Then allow external references including the Internet.
These posts express my own personal views, not those of my employer
Why don't you setup a VM on each machine that is locked down?
1. Take bribes from other students to be the first one to cheat.
2. Blatantly cheat and get caught.
3. Become the proctor, and ignore everyone now cheating.
Also: why the hell shouldn't your students be able to search on the internet ?
Making them learn CS stuff like robots is retarded. Searching on the internet *will* be part of their jobs later (of course, almost all CS uni I've seen is doing it wrong too).
Of course, they'll also be able to communicate between them. That's an advantage, not a problem - later on, they'll also need to work with other people.
That leaves the *real* problem: figuring out how to rate them despite the fact they're communicating together. Logging what they do all the way would work - it'll increase the workload of rating them, though.
Why assume it's a CS test? Just because the test is running on computers doesn't mean it's a Computer Science test - I've heard that other departments have started using computers now.
Maybe it's an English Lit test where the test taker is expected to have read the book before the test, not google for answers.
And searching on the internet isn't always an option even in the real world. When I interview a developer, he better be able to write out code to solve a simple problem (I don't care if it's syntactically valid). I won't hire a developer that needs to use Google to come up with an algorithm to reverse the order of characters in a string.
Remove the network cables, or remove access at the firewall.
That is the ONLY way to remove their internet access without changing the OS configuration that will work. By the way, have I said that it is a stupid requirement to change the way the OS works without changing the OS configuration?
Rethinking email
Fundamentally, you're trying for the impossible: you are trying to use the app to control the window manager.
This is a bit like google trying to stop you closing a browser window!
BUT: If your test happens to be multiple-choice, you could consider making the app run full-screen maximised (windowless), and then unplugging the keyboard. That would work.
[My dept has some computer systems designed for tracking who is present in the building; they solve the lockdown problem with a special keyboard that has only alphanumeric keys - if you physically remove the Ctrl, Alt, Esc, Fx, etc keys you can reasonably make this work!]
An alternative would be to temporarily make the system run just a single X application. If you were to change the first line of the file "/etc/X11/Xsession" to be "exec your-java-app", then you'd get a single-window desktop that runs without a window manager.
You're looking for a technological solution to a pedagogical problem. Redesign the questions and let them have all the Internet access they want.
I had to take a drivers ed course a while back.. I decided to do it online.. what they did that worked pretty well.. they allowed 3 warnings..warnings went off when the window lost focus and between that and random questions like what was the color of the car in the last section(another warning) they pretty much locked down the test.
You could maximize the window and tell them if they lose focus on the window (do anything else, open any other programs, surf the web, etc..) they fail the test. Have the app close the window when it loses focus or lock the app with a big message which has to be test-admin reset.
keep track of the window and the time and tell the students it's being tracked. If they switch tasks or change the windows size during the test at any time, it will be logged and they'll lose 10% for each minute of the infraction.
Another option is to disable the network(ipdown?) for the duration of the test and test for it during the exam. if it comes up at any time, shut it down and log it and the processes running to see if a browser or some user action caused it.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
Am I - 13 year long Linux user - missing something here, or isn't it that simple? ... I'm kinda weary, since no one else yet offered that sort of answer.
Please enlighten me if I'm mistaken.
The only thing you're missing is the submitter's requirements:
These computers are used by the students for other purposes and we're not allowed to create special users or change the OS configuration.
It's also likely that the submitter is not technically savvy enough to configure or alter the source code of his Window Manager enough to lock it down securely.
0) install Fluxbox
1) edit the keys file and remove the right-click option (disable the other hotkeys too)
2) have firefox set to launch at startup
3) use the firefox addon 'Kiosk mode' and edit settings
That should protect you against most undesired activity.
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
This Ask Slashdot is a good illustration of what I said later on in this comment
Install the KDE Desktop (Kubuntu) then use the Kiosk Admin Tool.
Learning HOW to think is more important than learning WHAT to think.
Why reimage? just boot from a Live Image on a usb stick.
Making a custom live ubuntu is brain dead easy.
Do not look at laser with remaining good eye.
I've had such a test. The trick is, there was something like 15 seconds for each question, so there was no time to do anything.
Of course if you saved time on some questions, you could spend it on other, skip/go back, etc.
Is this supposed to be a dedicated testing setup, or are these computers being used during the class and the students take the test at the end? Reason I ask is that the first scenario gives you time to boot to a CD or lock down the machines. The second scenario means your Java program must monitor for losing focus, or you have some other quick means of dropping internet access.
Personally, I vote for disconnecting the switch unless you need the local network to run the Java App.
Seriously, this is the best answer I have read here so far. It is simple and elegant. No booting custom images, whitelisting sites, or any of that.
Also, gotta love that half of the answers are: just give a different test, who cares about cheating, just install a different operating system, just fail anyone who cheats, yada yada yada. Why do so many Slashdotters always feel like the best answer to a question is "you're doing it wrong"? Sheesh.
dingdingding. Don't want access to internet? UNPLUG the internet (hosted question server can be done on private lan). Don't want access to shell? Pop off all the keyboard keys that the applet doesn't need. In fact, knowing most applets, it's probably multiple choice, so just unplug the damn keyboard altogether and make the question system a fullscreen application.
Program it so that it runs fullscreen, and that if the app loses focus (the user opens other windows) then he automatically fails the test. Students will be notified of this at the beginning of the test by the app itself.
Seems like the only option to me, as you don't have control on the user or the OS configuration.
ctrl+alt+F1 $ lynx
Snowden and Manning are heroes.
If you're really worried, put firefox/links/curl/wget/etc to a particular group, set the permissions to 550, and remove any test takers from that group.
If your java app requires a browser, setup some iptables rules that only allow the bare minimum outgoing connections (dns, central test server if it exists, etc), or just block them at the firewall. Most schools I know have a proxy, so you could simply have them blocked at the proxy when doing tests.
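The "bare minimum outgoing connections" rule set from the comment above, as an added example that is not part of the original thread: it validates its inputs, prints iptables rules that allow egress only to one resolver and one test server, and keeps them in their own chain so they can be removed after the exam. The addresses, port, chain name and the `apply`/`remove`/`print` sub-commands are constructed placeholders; applying the rules requires root.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Usage (apply/remove need root):
#   ./exam-egress.sh print  192.0.2.53 192.0.2.10 8443   # show the rules
#   ./exam-egress.sh apply  192.0.2.53 192.0.2.10 8443   # load them
#   ./exam-egress.sh remove                              # undo after the exam
# 192.0.2.x is the RFC 5737 documentation range: constructed sample values.
CHAIN=EXAM_OUT   # assumed chain name; a dedicated chain makes removal clean

# Accept only a dotted-quad IPv4 address, so nothing else reaches a root shell.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# egress_rules DNS_IPV4 SERVER_IPV4 PORT
# Prints the commands; the jump from OUTPUT is inserted last so the chain is
# complete before any traffic is sent through it. REJECT makes blocked
# connections fail at once instead of hanging the test application.
egress_rules() {
    dns=$1 server=$2 port=$3
    is_ipv4 "$dns" && is_ipv4 "$server" && is_port "$port" || {
        echo "usage: egress_rules DNS_IPV4 SERVER_IPV4 PORT" >&2
        return 2
    }
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -o lo -j ACCEPT
iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -p udp -d $dns --dport 53 -j ACCEPT
iptables -A $CHAIN -p tcp -d $dns --dport 53 -j ACCEPT
iptables -A $CHAIN -p tcp -d $server --dport $port -j ACCEPT
iptables -A $CHAIN -j REJECT
iptables -I OUTPUT 1 -j $CHAIN
ip6tables -N $CHAIN
ip6tables -A $CHAIN -o lo -j ACCEPT
ip6tables -A $CHAIN -j REJECT
ip6tables -I OUTPUT 1 -j $CHAIN
EOF
}

# Commands that undo egress_rules: unhook the chain, empty it, delete it.
teardown_rules() {
    for tool in iptables ip6tables; do
        printf '%s -D OUTPUT -j %s\n' "$tool" "$CHAIN"
        printf '%s -F %s\n' "$tool" "$CHAIN"
        printf '%s -X %s\n' "$tool" "$CHAIN"
    done
}

case "${1:-}" in
    print)  egress_rules "$2" "$3" "$4" ;;
    apply)  egress_rules "$2" "$3" "$4" | sh -e ;;
    remove) teardown_rules | sh ;;
esac
```

The IPv6 rules matter as much as the IPv4 ones: a host with a working IPv6 route would otherwise bypass the allowlist entirely.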
Don't people Google and trade answers in the workforce?
Yeah, like "how do connect to db, have client that need us for implement the general CRRSK[1] general ledger application, please provide code sample to do the needful, kindest regards."
Tests like this that forbid people from going to teh googlez do so to avoid this kind of retarded, google-copy-paste cheating. There is a reason why there is an increase of in-person coding tests taking place in code interviews (specially for senior positions.)
Yes, in the workforce we all rely on google and stackoverflow and what not. But those are tools of the trade that are supposed to be used by people with 1) the sufficient training and analytical skills to 2) know what to look for and apply as appropriate. You want to test for #1 without #2 because #2 can be done by even the most craptacular of Shakespeare-typing code monkeys.
This should be, I dunno, fucking obvious to anyone who is in IT/software for a living, that 1) is not a google-copy-paste code monkey, and 2) that has been subjected to cleaning the turds said "professionals" leave behind.
[1] Replace with any random, business-specific acronym that no one outside of said company knows what the fuck it stands for.
This is exactly the solution I would have proposed, except it goes against the user's requirements.
Disabling TTY access requires changes to the OS configuration which he is not allowed to make. Furthermore in Ubuntu, you can't just kill the current X session and start a new one from the command line with the application as the window manager, because it will helpfully restart X when it crashes (or is intentionally killed). You would either need to create a special user whose default WM is the application you want to run, or you would need to reconfigure the OS graphical login settings, neither of which he is allowed to do.
User applications are intentionally prevented from locking down a machine, otherwise any old piece of malware could do so. The only way to really lock it down is to modify the OS configuration. That is why all the other answers are suggesting round-about ways to achieve the same goal. IMHO adamdoyle's is the best.
I do not carry such information in my mind since it is readily available in books. ...The value of a college education is not the learning of many facts but the training of the mind to think.
-- Albert Einstein
Was he a slacker too?
Time spent memorizing stuff is time that could be better used understanding it. Having no access to reference material is a ridiculous limitation.
Dilbert RSS feed
Launch the testing app inside a standalone X11 instance - no window manager, just itself.
Look up Bentham's Panopticon on wikipedia or google it. Basically it is a well known principle in security (anti-shoplifting devices for example) that so long as the prisoner believes himself to be constantly under the surveillance of the authorities then he will conform to the rules. So, you simply post a stern notice that says something like "All keystrokes are logged by a security application and any student that attempts to search online for answers to any of the test questions will be immediately dismissed from the examination and their test will be marked with a failing grade." Essentially, all you have to do is create a believable regime of Security Theater that will deter deviation from your desires and 99.99 per cent of the students will conform. It's a proven sociological fact.
if your life is such a big joke then why should I care?
The options depend on if you just need to lock them out of Internet access or need to actually restrict access to load other programs.
Options to lock-out Internet access:
- Unplug the trunk/uplink from the switch
- Use a firewall rule on the router to block access
- Configure a sudo script to bring down the network interface or set iptables rules accordingly
Options to lock down application access:
- Create a boot CD/USB thumb drive with just the applications they should have access to
- Create a chroot environment with just X and the application they should have access to
- Use setfacl to block the user used for running the test application from having access to the other applications
- Create a SELinux template that limits access to just the files and system calls that the user requires for the test application
- Set an ulimit -u so that launching any additional applications would exceed the maximum number of processes permitted for the test user
How to avoid virtual console switching:
- Remove the additional gettys from spawning in the /etc/inittab and restart
Put an actual human being in the room. They can make sure nobody cheats. It's low-tech, but it works.
Look at this photograph. It depicts Einstein working with various equations.
Do you suppose he knew what the operators did? That he knew differentiation and integration rules? That he knew algebra? Or are you suggesting that he went back to his 101 textbooks at every step.
It is the most absurd thing to use Einstein to defend willful ignorance.
Yes, you do actually have to know stuff to learn how to think, guide your intuition, solve problems efficiently, and discuss topics intelligently. Get over it. Learning and understanding takes work beyond typing your query into Google or Alpha.
I have done this with Ubuntu 10.04 (Gnome 2). Create a new user which will be used for this test. Make sure you have keyboard shortcuts for password protected scripts to launch gconf-editor, logout, and perhaps the keyboard shortcut editor. Disable all other keyboard shortcuts, remove menu bars, disable the desktop. Now set the user's profile to launch the desired application upon startup. They can close the application at their own risk, or you can control this too. Once the profile is satisfactory, replicate as needed.
I am supposing the machines log on to the network using DHCP?
Just make sure the server is set to block port 80 or disable any internet connection to the server during the tests.
Also since they are using Ubuntu, does it have a "guest" account with limited rights already?? If so get them to log into that account to run the tests.
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
Opera in Kiosk mode (opera.com/support/mastering/kiosk) plus app running on system w/ Guacamole remote desktop software (guacamole.sourceforge.net/)
How about teacher supervision? How about talking to the students about honor, self respect, and honesty. How about respecting them. No. let's just assume they are a bunch of cheaters. This mentality is awful.
you could have listeners for when the app [jframe] loses focus and so on.. there is quite a lot you can do with java, and you wouldn't need any lockdown..
Why do so many Slashdotters always feel like the best answer to a question is "you're doing it wrong"?
In my opinion, it relates to a point in ESR's essay "How To Ask Questions The Smart Way" titled "Describe the goal, not the step".
Just make the app the shell for your desktop, no WM or anything.
This isn't really hard.
The users don't login to gnome or unity or kde or whatever, when they login the .xinitrc (I'm assuming GUI app) or whatever it is these days starts your java app instead of the normal desktop shell. No window manager, you don't need/want one, so no menus to start other apps or browsers unless you build one into your app.
If they close your app, they just get logged out, you'll need to build something in if you're not going to run a window manager though so they can logout.
Have you guys used Google before? I realize there are umpteen posts on here with crazy ass ways to install weird shit and tweak configs and all sorts of stuff, but there really isn't any point. You make it so their login only runs the app and nothing else, so switching to another console or tty doesn't matter.
This would be a trivial per user change, or system wide, but there's nothing you can do in your app itself, the whole system is designed so a rogue app CAN'T take over the system like you are designing, so you have to change the system to allow for your design.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
> cat /etc/issue
Ubuntu 10.04.1 LTS \n \l
> sudo aptitude search kubuntu-desktop
i kubuntu-desktop - Kubuntu Plasma Desktop system
lol 2 grand for a computer, must be an apple user ....
Someone asked a very similar question on Stack Overflow. It's here. The short version is: if you're running KDE and can change the window manager configuration, no problem. If you can change which window manager, then sure. (Also, the previous "yank the ethernet cable" or "boot off of live CD/USB" suggestions are quite reasonable.) However, it is possible to handle most of it in the application using JNI to write X-Windows code which will capture most all keystrokes. It doesn't get ctrl-alt-backspace, but it appears to prevent most of the rest.
I do not carry such information in my mind since it is readily available in books. ...The value of a college education is not the learning of many facts but the training of the mind to think.
-- Albert Einstein
Was he a slacker too?
Time spent memorizing stuff is time that could be better used understanding it. Having no access to reference material is a ridiculous limitation.
How did this quote come to you? From memory?
You want the taste of dried leaves boiled in water?
Don't load X at startup. Have a bare-bones console login account with an "xinit /path/to/app" in .bashrc (don't & the command, let it hold .bashrc open waiting for the app to close). Last command in .bashrc should be "exit". If the user closes the app, .bashrc finishes and logs the user out. Add some authentication and user database to the java app to authenticate different students. I'd like to see supermarket auto-tellers do something like this instead of that windows xp login prompt after the app has crashed/puked/rebooted badly.
I've done this no X, .bashrc foo in debian, not ubuntu though.
Webconverger is a locked down Debian, that only allows access to a Web browser. Conceivably the Java testing app could be deployed through the browser via their Java browser plugin.
By default Webconverger does not ship with Java, though you can order a customised version from http://webconverger.com/buy with it included.
This is a great version of the Communist nightmare.
"If you're not passionate about your operating system, you're married to the wrong one."
Leave them without internet access. Only LAN access for stuff related to your desktop Java App.
Most people these days consider a computer useless without internet.
If you care about them messing with the settings, perhaps an app to 'freeze' Ubuntu might come in handy. I can only think of the Windows equivalent (DeepFreeze) but I bet there must be a Linux equivalent.
Use a live CD. 10 years ago when I was a Freshman at RPI, everyone taking Calculus 1 or 2 had to take this online Gateway exam which then set the ceiling on your course grade. (A C on Gateway meant you could not earn better than a C in the course, but an A would not change your C average one bit).
To administer the exam, the CS department sysadmin made a FreeBSD 4.x live CD that had Netscape 4.x as the sole application launched via Xinit with no window manager. Quitting Netscape triggered the shutdown process and ejected the CD. I don't remember the rest of the details about how they prevented Internet usage, I have a sneaky suspicion they messed with the DNS servers and routing tables so it was nearly impossible to go to a site other than the browser home page.
Given the advancements in Live CD technology in last 11-12 years, it should not be hard to make an Ubuntu or Knoppix or Gentoo LiveCD that boots and has your app as the only app on the CD, thus satisfying the rules of no modifications to the testing computers and not allowing outside resources to the test takers.
we're not allowed to create special users or change the OS configuration
You're pretty much screwed as far as that OS is concerned. If you're really lucky there might be a copy of KDE installed with its kiosk mode, or perhaps you can kill enough of the window manager to get it stuck (but that's supposed to result in the window manager restarting itself).
If you can't change the disk your only option is to replace it. I don't mean physically, though that may be an option, I mean with live CD, usb or netboot
The Debian Live project allows you to easily create a live CD (or the other media) with your choice of packages; so easily in fact that there used to be an automatic service for it, upload the package list, download the ISO.
So install a minimal Debian with ONLY the bits you need, turn it into a live image and boot it off the network.
I wonder if there could be a custom window manager installed for which students could log out, then switch to ManacledWM when the time comes for testing? This would allow the overall configuration of each user account and system to remain intact: when done testing, they switch back to FVWM or Gnome or whatever they normally use. IT may be willing to install additional packages. This would be much quicker than rebooting from a Live CD, as some have proposed, and would allow test-takers to use their own accounts, if that is somehow important to the collecting of the test results. And if this sort of solution to the problem is amenable (and available in a nice package), IT may be able to carry the day with their savvy.
Doesn't solve the Virtual TTY problem, though.
Bah, only humans need such petty things, such as problem solving and origination. Any intelligent being would know it, before it was ever needed, without ever bothering with recorded nonsense. It is absolutely comical to assume Einstein was even human. He was born at the peak of Baden-Württemberg, in a blizzard, and when he arrived--the snow melted and the adolescent Winter abruptly screeched to a halt. I learned this on Ask.com.
Or, if you don't have a bunch of USB sticks, NetBoot! I promise, netboot is your friend in any situation involving running a common system on more than 3 computers.
I worked on this project for a Primary school. It's worked well for >2 years for 120 pupils.
http://linuxcentre.net/wiki/
The parts about automatically resetting the homedir after reboot are probably of interest to you.
http://linuxcentre.net/wiki/index.php/Detailed_Maverick_Meerkat_OS_Netbook_Customisation below Home_Directory_Synchronisation
Did you use Google? To find ways to make sieves water tight? I suspect you should need to plug many holes. Alternatively you could just buy a pot or a sealed vessel if that's what you need.
Seriously though, restrictions will make students work around your efforts. Maybe a small, isolated network for your lab would suit you. Protect BIOS, use decent root passwords and maintain a cache for updates.
And ban smart phones.
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
We have a somewhat similar setting to administer tests to our students (not using a java app but a web app developed in house and moodle with its quiz module, according to the type of test)
If you are not allowed to make changes to the computers' configuration, I cannot give specific advice on "computer locking" to disable the launch of other applications.
As far as the internet access is concerned we have all of our computers (~ 40) behind a linux nat/firewall and we simply "tune" the nat configuration in order to avoid internet access during the tests.
Anyway, in every room, there is always at least one proctor.
Read about the chroot command.
You set up a directory tree that contains only the java runtime system and the application.
To start the app you have a shell script that "changes the root" and starts the Java App.
The shell script should remove the key bindings to alt-Fx combinations and then you are done.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
There are two ways in which a user can "escape" from your application, namely through the windowmanager and through keyboard shortcuts handled by X or the operating system. Since everybody can choose their own windowmanager, the only solution is to replace it with your application which will then run fullscreen. Exiting the application should logout the user in order to revive their own windowmanager. Many windowmanagers have a --replace option; you should mimic that.
The other escape is VT switching using the CTRL+ALT+Fx keys. This thread provides some starting points on how to achieve that:
http://old.nabble.com/How-to-disable-ctrl-alt-Fn--td14994350.html
Hope that helps. You'll never get it totally secure as long as the users are using their own accounts; as long as they can run other processes than yours, they can do whatever they want.
0x or or snor perron?!
I studied computing at Imperial College London and there was such a setup for lab exams. It would lock down the Linux machine so you couldn't communicate with the Internet or with other computers in the lab, but it would communicate with a central server so you could submit your work. You could contact the Department of Computing to ask if they still have this system and if they would share it.
-- Ed Avis ed@membled.com
I find the concept of netboot to be way above the abilities of most educational IT staff. I love netboot as well, it's a great way to really manage workstations. And if you are 1000bt it is as fast as booting from a 5200rpm hard drive.
Do not look at laser with remaining good eye.
If you can't change the OS configuration, you're screwed.
What I'd suggest for something like this is to set up a locked-down OS image for the testing app, and make that image do what you want (which should probably include some kind of heartbeat script that notifies a proctor if a machine goes down, for example if someone is trying to reboot it).
When the time comes to test, netboot the machines using that image. When testing is over, boot the machines back up normally.
I know you're not allowed to change the OS configuration, but what if you wrote some kind of boot script that booted only certain services and then launched X and started the java terminal? You could cut off dhcp from running this way and at the same time leave the students with a very stripped down graphical interface if they did exit the application. When the job is done just revert back to the old settings, it would be as easy as appending an option to the grub boot-loader.
You said "learning and understanding beyond typing a query", not memorization. That's not work at all.
hard memorization work needs to be done.
But why? What values does it provide compared to studying with reference material available to refresh your memory?
Tell me, are you fluent more than one spoken language?
You accidentally a word.
To answer your question, no, not really. I'd say I'm on level 3 and 2 of the ILR scale in English and Spanish*, respectively. I'm only really fluent in my native language.
* Well, Castellano. I can keep a simple conversation in Galego, but I end up mixing in words from other languages.
Dilbert RSS feed
In the file /etc/X11/Xwrapper.config make the line
allowed_users=console
into
allowed_users=anybody
Create a file /etc/X11/kiosk.conf which contains
Section "ServerFlags"
Option "DontVTSwitch" "true"
EndSection
Now you can start your kiosk (no system access needed):
X -config kiosk.conf :1 & metacity --display=:1 & DISPLAY=:1 your_program
To kill the session: alt-sysrq-k alt-f7
or use the power button
one issue to solve: the "print screen" button brings up a dialog which can be used to browse the filesystem. But you can't read files or access the internet with that.
Atari rules... ermm... ruled.
Why not just create a special "test" user with limited privileges?
Then switch all machines to this user when the students have to do the test, and switch them back to a user account with more privileges for normal use. Or am I missing something?
Whatever you do, make sure to run it against the batter at http://ikat.ha.cked.net/Windows/. They are dedicated to breaking through hardened internet kiosks. If you can handle what Paul can throw at you, you should be good.
I do security
Don't worry about browsers or any specific applications; just use iptables to not allow networking except to a small set of IP addresses that are whitelisted (the site to submit results, for example, and anything else you want to allow). Make sure that no sites that allow pass-throughs are on that list (e.g. no SSH servers).
This still doesn't prevent having a parallel machine with network access (a laptop, tablet, or smartphone), but kiosk mode wouldn't prevent that anyway.
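The allowlist idea from the comment above, as an added example that is not part of the original post: a POSIX shell function that emits an iptables-restore ruleset permitting traffic only to listed IPv4 addresses. The port, the 192.0.2.x addresses (RFC 5737 documentation range) and the function names are assumptions; loading the rules needs root.

```shell
#!/bin/sh
# Added example (not from the thread). Addresses are constructed samples
# from the RFC 5737 documentation range; the port is an assumption.

# valid_ipv4 ADDR: succeed only for a literal dotted-quad address.
# Hostnames are refused on purpose: the ruleset allows no DNS traffic.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac   # no leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# exam_ruleset PORT ADDR...: print an iptables-restore ruleset that drops
# everything except loopback, replies to our own connections, and new TCP
# connections to the allowlisted servers. Nothing is printed on bad input.
exam_ruleset() {
    port=$1
    case "$port" in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad port" >&2; return 1; }
    shift
    [ "$#" -ge 1 ] || { echo "empty allowlist" >&2; return 1; }
    for addr in "$@"; do
        valid_ipv4 "$addr" || { echo "not IPv4: $addr" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT'
    for addr in "$@"; do
        echo "-A OUTPUT -d $addr/32 -p tcp --dport $port -j ACCEPT"
    done
    echo 'COMMIT'
}

# Print the ruleset for two constructed servers. To load it (root only):
#   iptables-save > before.rules; exam_ruleset 443 ... | iptables-restore
exam_ruleset 443 192.0.2.10 192.0.2.11
```

iptables filters IPv4 only, so a matching ip6tables policy is needed as well or IPv6 traffic bypasses the allowlist.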
What about disabling internet access?
Coder's Stone: The programming language quick ref for iPad
Gotta have duct tape in there somewhere. Over the ethernet port for a start. And then over the corner of the monitor so they can't click that minimise button.
If it sees them run other applications, then you can fail them for cheating. Or kill the other applications on them.
You could "freeze" the ability of the desktop application from running....the user owns the PID after all. Then when your app is done, you could SIGCONTINUE it.
Both of these could be done with a simple killall command before and after your app runs.
Except for yours. It should be relatively simple. Then continue them when you are done. I think you can do it in about 5 lines of shell.
You might have to settle for a live CD if booting the machines for the test is acceptable. That way, whatever special configurations you use will just disappear once the machine is booted without the CD.
Otherwise, you're pretty stuck. There's several ways to make a Linux kiosk app, but all of them require that you configure the system appropriately.
Creating a netboot image is as simple as starting a preconfigured machine via netboot and saving a copy of its local drive as an image on whatever fileserver.
All of this is automated with a GUI using DeployStudio. Not hard stuff, should be IT 101, but yeah, I get it.