Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Ubuntu Lockdown Options?

Posted by samzenpus on from the no-internet-for-you dept.

First time accepted submitter clava writes "We have a desktop Java testing application that is going to be administering tests to students on lab computers running Ubuntu 10.x. These computers are used by the students for other purposes and we're not allowed to create special users or change the OS configuration. When the testing app is launched, we need to restrict users from exiting the app so they can't do things like search the internet for answers or use other applications. Is there a good way to put an Ubuntu machine in kiosk mode or something via our application and have exiting kiosk mode be password protected? Any ideas are appreciated."

26 of 387 comments (clear)

  1. Depends how locked-down by Anonymous Coward · · Score: 5, Informative

    I'm afraid if you want it actually locked-down, you're pretty screwed. You can't really disable things like switching to a tty with ctrl-alt-f1 without "changing the OS configuration."

    1. Re:Depends how locked-down by adamdoyle · · Score: 5, Insightful

      If you ask me, you don't really need to prevent users from doing those things. You just need to tell they're not allowed to, and then have your java app detect if those things have occurred and then take action from there. By "take action," I mean that you could either (a) make some kind of notation in the database so that you can penalize them, or (b) send an SMS message or email or something to the test administrator to alert them of the situation so that they can walk over and determine if the student is attempting to cheat.

    2. Re:Depends how locked-down by c++0xFF · · Score: 5, Informative

      Disabling TTY switching is a pretty simple change, though, and won't affect the general use of the system.

      In fact, you might as well use this to your advantage: start up a new X server instance, but don't start up the window manager. Run your java app in this server.

      Now all a student can do is take the test -- there's no way to do anything besides take the test unless they can switch using ctrl-alt-F*, which has been disabled.

      That's as near to a "kiosk mode" as I can figure.

    3. Re:Depends how locked-down by adamdoyle · · Score: 4, Informative

      Or if you're feeling extra clever, you could straight up disable the keyboard and rely on the mouse for selecting answers. It would have to be enabled at the beginning for the user to enter his or her credentials, but then you could disable it during the actual test (there's no way to exit fullscreen with only a mouse), and then re-enable it upon completion. The site I linked to explains how to both enable and disable the entire keyboard programmatically. The linked site produces a shell script... In Java, you could run that shell script with: Process.Start(@"./scriptname.sh").

    4. Re:Depends how locked-down by Culture20 · · Score: 4, Informative

      Problem is, Windows' lockdown depends on Windows users being idiots.

      Not true. True kiosk mode exists in Windows world. Do some regedits and gedit.msc foo and you'll have replaced explorer.exe with your choice of program (so it's the only program that can run), auto-logged in your user and disabled most of the ctrl-alt-del functions. Lock the bios, boot only from HDD, and padlock the computer, and the end users will have to bring in a set of lockpicks and a live CD to do anything normal with the computer.

    5. Re:Depends how locked-down by ktappe · · Score: 4, Insightful

      you could straight up disable the keyboard and rely on the mouse for selecting answers.

      Which doesn't help in cases of 1. answers that aren't multiple choice, or 2. having to accommodate people with mobility impairments where limitation to a mouse imposes an undue hardship.

      Be fair, the restrictions on the implementation are severe: No OS mods one can kind of understand but you also can't create even a "testtaker" user account? As an OS deployment engineer I appreciate the former but I can't think of any justification for the latter.

      Anyway, given these handcuffs, a multiple-choice test will just have to do I think. And believe me, you can make some pretty darn hard multiple-choice exams. Go try to get MS or Apple certified some time. 80 adaptive multiple choice questions that nobody is going to do well at unless they studied hard and/or know their stuff.

      --
      "We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
    6. Re:Depends how locked-down by jrumney · · Score: 4, Informative

      True kiosk mode exists in the Linux world too, just not with the restrictions that the submitter placed "no special user accounts or changes to the OS configuration" is a pretty big restriction, no matter what OS you are trying to do this on.

    7. Re:Depends how locked-down by Bert64 · · Score: 4, Informative

      Kiosk mode is actually much easier on Linux...
      Instead of a full blown desktop environment, simply supply a minimal window manager (or none at all) and the desired application. Remove all unnecessary packages from the system, and ensure any area the user can write to is mounted noexec and gets automatically cleared each time the machine is used.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  2. Why? by Anonymous Coward · · Score: 4, Insightful

    Why not let them use resources? Similar to what they will have available to them in the workforce.

    1. Re:Why? by bonch · · Score: 4, Insightful

      Because they're supposed to learn and internalize the concepts, not learn how to type search terms into Google or trade answers via IM.

    2. Re:Why? by pmgarvey · · Score: 5, Insightful

      Firstly the submitter didn't say if this was a programming exam, or what it was. It could be a test on memorising the capitals of African countries.

      But more importantly is that allowing access to the internet doesn't just allow things like documentation, and other resources I might have in the workplace, but might allow me to ask my friend to email the entire solution, or even send the question to a guy in India and get the solution back for a fee. It's a comprimise between testing some memorisation and in the cases of some students, testing nothing at all.

    3. Re:Why? by LurkerXXX · · Score: 4, Insightful

      I guess you want that EMT to show up at your car crash to just google how to patch you up if he didn't pay attention in class. Better hope he doesn't lose signal to his cell phone.

    4. Re:Why? by Mr.+Freeman · · Score: 4, Insightful

      Some of my professors gave open-book exams. This allowed you to look up equations, material properties, etc. If you understood how to do all the work but were unsure of whether the last coefficient in a particular equation was positive or negative, this helped a lot. If you had no idea what you were doing then the book didn't help you at all. Brilliant exam, because in the real world you will have reference materials and you will sometimes forget things like the naiver-stokes equation.

      However, the professors wouldn't in a million years consider making these tests open-internet. The internet allows answers to be shared, which doesn't allow for testing of individual students. In addition, the internet has a lot more information than in a textbook. A student may be able to find problems almost identical to those on the exam and simply copy the answer verbatim.

      There's also a difference between being able to do your work with the assistance of a reference manual, and only being able to do your job if you have access to the internet.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
  3. Boot from USB or CD-ROM? by hawguy · · Score: 5, Informative

    Create your own custom locked down kiosk boot image and require users to boot from that? Keep in mind that users might take the boot media home with them so they'll have a copy of the test app if you store it locally (as opposed to retrieving it from a website)

    Here's an example:

    http://jacob.steelsmith.org/content/ubuntu-kiosk-based-910

    (I'm not vouching for this particular implementation, I just found it through a quick google search).

    1. Re:Boot from USB or CD-ROM? by phoenix_rizzen · · Score: 5, Informative

      That's what we do. All our Linux stations boot off the network and use NFS mounts for everything. For government exams, teachers reboot the stations into "Exam Mode" which disables everything possible, launches a bare-bones X11 session with Firefox as the "WM", with all settings locked in, including an add-on that let's you specify a list of sites that are accessible, blocking access to everything else.

      Took a few iterations to get the configuration locked down completely, but there's really no better way to find the holes than watch a class of students try to break it. :)

      It's not bullet-proof, but we've made it hard enough that it's very obvious when a student is trying to break out of the box that anyone watching the lab will notice. :)

      If you can't change the OS config, you can't lock it down.

  4. LiveCD? by grahamsaa · · Score: 5, Informative

    Not sure how hard this would be to do, but it seems like it would be fairly easy to boot from a livecd/usb key. If you remove packages you don't want the end user to have access to (it's hard to browse the web for test answers if there's no browser installed) that should address at least some of your concerns. An added bonus is that if you need to repurpose the machine, or if it doesn't need to be in test mode all the time, a simple reboot could restore it to a vanilla version of the OS.

    --
    Facts have a liberal bias.
  5. Chortle! by MrBandersnatch · · Score: 5, Insightful

    Pull out the Ethernet connection. TADA!

    1. Re:Chortle! by wierd_w · · Score: 4, Informative

      Or simply don't expose it to the internet.

      Or, if it really needs to talk to the internet for some very special reason, put it behind a very configurable gateway.

      Block all traffic types except port 80 http, and then restrict which ip addresses inbound packets can come from. Tada. Can't use google. Instant 404 error.

      This won't stop them from playing uhrkan masters using the .deb they smuggled in, assuming they have the user rights to install. (Failing that they could smuggle in a binary blob version) but it would help prevent cheating.

      What I had always considered to be ideal for a kiosk system where you don't want users pwning your workstations is to use a minimalist boot kernel on a usb stick, have the workstation tftp a system image to ram, then boot that.

      This would make maintenance as easy as turning the system off, and on again, and would centralize maintenance of the system image.

      Initial bootup network activity would spike with all the clients pulling the ramdisk volumes, but you could make the actual kiosk as naked as you wanted that way. No internal hdd to hide stuff on, no optical drive, and only 1 usb port that needs the key inserted because it is the boot volume.

      If you go a bit further, and make sure the ctrl alt f1 seq can't be pressed at the hardware level from the kiosk, even better.

  6. Google??? by muphin · · Score: 5, Informative

    did you even google your question?
    http://lmgtfy.com/?q=ubuntu+lockdown

    maybe this will help you
    http://ubuntuforums.org/showthread.php?t=456549
    http://users.telenet.be/mydotcom/howto/linuxkiosk/ubuntu01.htm
    http://library.gnome.org/admin/system-admin-guide/stable/menustructure-13.html.en

    --
    It's not a typo if you understood the meaning!
  7. Just use Unity. by Anonymous Coward · · Score: 5, Funny

    Just use the default Unity desktop bundled with recent Ubuntu releases. It's so fucking unusable in every respect that malicious and benign users alike will want nothing to do with it. They'll use only the Java testing application solely to avoid having to deal with Unity.

    You'll never have to worry about them using Facebook, or adding additional users, or installing their own software. Even long-time Unity users have a whole fuck of a lot of trouble doing those things. Many just learn to accept that they never be able to.

    1. Re:Just use Unity. by PixetaledPikachu · · Score: 5, Funny

      Even long-time Unity users have a whole fuck of a lot of trouble doing those things. Many just learn to accept that they never be able to.

      There's no such thing as "long-time unity users"

    2. Re:Just use Unity. by Lumpy · · Score: 5, Funny

      yes there is, Anyone that has used unity for more than 1 hour and has not went on a murderous spree because the interface made them go completely insane.

      --
      Do not look at laser with remaining good eye.
  8. Re:Homework by elsurexiste · · Score: 5, Insightful

    Hey, asshole. Ever occurred to you that, given clava's high UID, he/she isn't a geek and don't know enough of Linux/technology to do this? Look at how this question was redacted: it's obvious that he/she is not in control of the system, and is looking for some info here, where people with knowledge gather. Just answer the question if you can help and don't be pompous.

    --
    I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
  9. Social Solution by RedLeg · · Score: 5, Interesting

    No Technology required:

    1. Announce anyone caught cheating WILL fail the course.

    2. Post exactly ONE proctor at the rear of the room. His job is to catch the FIRST cheat.

    3. The first cheat should be escorted from the room, and given the following choice: become the proctor and catch another cheat, or fail. If you catch a cheat, you may retake the test and the cheat becomes the proctor with the same choice.

    Lather, Rinse, Repeat.

    I recommend you film for future entertainment value.

    Red

  10. Re:MOD PARENT UP by germansausage · · Score: 4, Insightful

    "Why do so many Slashdotters always feel like the best answer to a question is "you're doing it wrong"?"

    This happens everywhere on the internets where you ask a question. Ask a Microsoft support website how to do something that "should" be possible, but isn't. (Can't think of an example now) You'll get 10 answers telling you how to "work around" what you asked, and another 20 answers questioning why you or any one else would want to do this thing. What you will never ever get is even 1 person saying "Our product cannot do this thing".

  11. Re:Requires things he said he couldn't do by jrumney · · Score: 4, Informative

    Furthermore in Ubuntu, you can't just kill the current X session and start a new one from the command line with the application as the window manager.

    Why not?

    sudo service gdm stop; Xorg -sp security.policy & kiosk-mode-test-program

    Probably if you spend more than the two seconds I did thinking about this you can find a more robust version perhaps involving a custom gdm configuration that can restart the X server if the user logs out prematurely etc.