Linux Desktop Security for New Users? 80
theblkadder asks: "Our company is currently undergoing a company-wide transition to Linux on the desktop. While there are numerous excellent guides and tutorials for the admin crowd, I haven't been able to turn up much for the non-technical user. I'm looking for something that would cover such topics as basic desktop do's and don'ts, like 'do choose a non-dictionary password' and 'don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email,' etc. Anyone seen a guide like this?"
oo! oo! I know this one ! (Score:1, Offtopic)
I'm guessing the ??? is "Microsoft" ?
Sure I've read that guide (Score:3, Insightful)
You don't give anyone root and let them do whatever they want.
Re:Sure I've read that guide (Score:2)
Re:Congratulations (Score:3, Funny)
So, moderators, how does a first post become 'Redundant' again?
You'll probably end up writing your own... (Score:4, Insightful)
When you say non-technical and 'basic dos and don'ts,' that example seems pretty technical. You might just as easily say "don't double-click unverified email attachments."
IMO you will probably be in the best position to write this documentation because you know your typical user and probably know what they are and aren't allowed to do already on their new desktop. I'd be interested in seeing what something like this looks like if it does exist...
Todd
FP-First Point. (Score:2, Informative)
and
"I'm looking for something that would cover such topics as basic desktop do's and don'ts, like 'do choose a non-dictionary password' and 'don't blindly drop to root and install an unverified/unauthenticated RPM that you receive via email,' etc."
Um...excuse me. Why do your desktop users have the root password?
Besides Linux can be set up to reject inappropriate passwords.
root (Score:5, Insightful)
That would be nice to say to a home user.
But on a work environment, why give the root password to the (non-linux-experienced) users in the first place?
Re:root (Score:3, Funny)
rootie toot (Score:2)
OK, now for a SU war story. I used to work at Sun, and shortly before I was hired they instituted a policy that nobody got their machines root password unless they could convince IT they really needed it. This was
Dropping to root? (Score:5, Insightful)
Why would non technical users have root access in a commercial environment. Not even management should have such access, beyond being able to get the password from a sealed package in a safe in an emergency, and then only with checks to ensure that no one can withdraw it without authority. No system is secure unless the root password is restricted to the admin that needs to use it, and ideally that should be a single person.
Re:Dropping to root? (Score:1, Informative)
Re:Dropping to root? (Score:3, Insightful)
Yes, but they don't hand out root access to the universities machines, and if they're wise they minimise the number of people with root access to any given machine. For example a computer lab will have a small team responsible for it but the people in that team won't have root access to the machines in the library. The central records database will have a dedicated admin and so on.
Re:Dropping to root? (Score:2)
Alice's Adventures in Wonderland (Score:3, Funny)
Re:Alice's Adventures in Wonderland (Score:2)
Re:Alice's Adventures in Wonderland (Score:2)
Why? (Score:5, Insightful)
Why?
Do you expect anyone to actually read this document?
Oh, I wish I were being sarcastic.
Either enforce things (your password policy), or wait for people to have trouble so you know what to document (every installation is unique, and you're wasting time trying to predict how your users will react when you could just wait and see).
The only purpose of such a document, in the end, is CYA anyhow. And again, I wish I were being sarcastic. If you can't enforce it, people are going to do it.
The only possible exception is if this is a technical group of users who will be daily and strongly held accountable for violations. Basically, the only group of people who meet these two criteria are Computer Science (or related disciplines) students.
Otherwise, don't bother. Not sarcasm.
Re:Why? (Score:1)
Re:Why? (Score:1)
Let me get this straight... (Score:3, Interesting)
Password policy will already be determined by the IT department. Users will never have to worry about unauthenticated packages, because users will never be able to install them. Yada, yada, yada. This is so damned obvious I must be missing something in the question...
A couple of thoughts (Score:5, Informative)
Others have pointed out that root for an end-user is a bad idea, so here's a couple of other ideas off the top of my head.
When I try to come up with a list of Don'ts for computers, I think of my dad. He's the living embodiment of the phrase, "A little bit of knowledge can be a dangerous thing" (No, Dad, you can't save disk space by getting rid of that .dll). Most users won't ever bring up an xterm, but people get bored at work, and then they start looking for interesting ways to entertain themselves.
Re:A couple of thoughts (Score:2)
Don't hit ctrl-alt-anything, in fact disable all of them if you can.
"Copy and paste" can be as easy as "highlight and middle-click."
But frequently it isn't. The most *consistent* way to get copy/paste to work, especially between vastly different apps (wine/openoffice/mozilla/kde) is just to use the old hilight+right-click way and don't even tell them about the other way(s) unless they ask.
Otherwise, good suggestions a
Wrong - copy and paste (Score:2)
Historically you are correct, but an office should select which apps users run. One thing to select on is conformance with Freedesktop.org [freedesktop.org] standards. KDE and GNOME both follow this, as do most other modern X apps (which is a minority I grant)
Turning of Ctrl-Alt-foo in XFree86 (Score:2, Informative)
Read the manual page for XF86Config for details. There are probably several things in here that you want to setup if you are trying to create a linux desktop for normal users.
-- Ecks
Re:A couple of thoughts (Score:3, Informative)
Bah! Users will never figure out that 'rm' will very much eat their files. Personally, though, I find a misplaced shell redirect '> pron.txt' (Crap, I meant to overwrite plan.txt!) is even more trouble than that. Insta-wipe with no left-over data on the disk.
I'd recommend looking into libtrash [m-arriaga.net]. Very handy, saves stretch on your tapes -- we are keeping regular backups, right?
Another good tip that gets me sometimes is, when you use the paste buffer (explicit Ctrl-C), the originating program has to st
Re: shell redirects (Score:2, Interesting)
As long as we're on the topic...
sed s/foo/bar/g < in.txt > in.txt
Whoops! (had a coworker do this just yesterday)
Also, I don't know if any distributions still do this, but I used to have an old version of RedHat that defaulted to aliasing rm to rm -i; ditto for cp and mv. It seems newbie-friendly, but it really just encourages carelessness in the event they find themselves on a different system.
Re:A couple of thoughts (Score:3, Informative)
Avoid putting . or ~/bin in your PATH if possible.
Huh? I can understand not putting . in your PATH-- icky nasty security issues abound-- but what's wrong with ~/bin?
Don't hit Ctrl-Alt-Backspace.
Again, why not? I've seen labs with notices to hit Ctrl-Alt-Backspace before leaving. (That's the only way to logout that works across WMs.)
I also would expect that it's a good idea to hit it before logging in, to make sure you're really looking at XDM. This is why you hit Ctrl-Alt-Delete to log into NT: ap
Re:A couple of thoughts (Score:3, Informative)
Except it doesn't log out. It just kills everything very nastily. Unless you're trying to kick someone off, log out normally. All modern, and most ancient, window managers have a way to log out.
Re:A couple of thoughts (Score:4, Insightful)
Except it doesn't log out. It just kills everything very nastily.
Not too nastily. Less nastily than a kill -9, for sure. The apps still can do whatever shutdown operations they need to.
But let me paint you a picture. A lab where most of the occupants aren't Unix people. Some of them aren't really computer people. They're hardware designers, or embedded systems programmers, or {domain} experts, or other such things. All of them are good at what they're hired for, but may not be good at other stuff. Like using a PC.
Most of these people got their .profile and .xsession by copying somebody else's, if they're not just using the system default. They didn't pick their WM, because they don't really care much about their WM. They've never taken time to learn anything. They have their xterm start up when they log in, and a row of CDE-style buttons to launch other xterms, a web browser, and maybe Citrix. No easy button to log out.
So they'll often log into a box, do what they need, then wander over to some piece of equipment they need to work on, without logging out. There's only six general-purpose PCs in the lab, so it doesn't take long before they run out if people stay logged in when they're not using them There's a new threat: people hitting the Reset switch when they come across a logged-in but unoccupied machine.
Now, the lab manager needs to make a notice to log out. If there aren't concise, clear instructions on lab notices, they don't get followed. So that's the notice.
Now the other end. What's the harm? Apps still get their notice to shut down. They can save user configs, send termination notices to network peers, whatever they need to do as long as it doesn't involve interaction with the X server.
Sure, it'd be nice if everybody knew all about the tools they used. Hell, it'd be nice if they had basic understanding of their WMs. But they don't, and we don't expect most of them to any more than we expect them to play a trumpet. It's just not what they need to do for their job.
Re:A couple of thoughts (Score:1)
Re:A couple of thoughts (Score:2)
It's like saying hitting reset is a good way to log out, It's not.
Re:A couple of thoughts (Score:2)
If your user account is compromised, you can be tricked into running a different program than you intend. Alternately, if you mess up the permissions on your ~, you can be made to run a different program, compromising the account.
While I don't think it's a huge risk, it's not exactly good practice, and should definitely be disabled in a corp. desktop/multiuser environment.
"I also would e
Re:A couple of thoughts (Score:2)
What's the difference? If someone is writing to ~/bin, my account has already been compromised. They can trick me into doing what? Deleting all my files? But they could have just done that themselves if they had write access to my home directory.
Re:A couple of thoughts (Score:3, Insightful)
If your user account is compromised, you can be tricked into running a different program than you intend.
If my user account is compromised, then I don't really need to be tricked; the attacker can just run the programs directly. Or if he's trying to spoof a password prompt, he can edit my .profile and set my PATH to whatever he wants anyway.
Alternately, if you mess up the permissions on your ~, you can be made to run a different program, compromising the account.
Again, if ~ has bad perms, then the att
Re:A couple of thoughts (Score:2)
Re:A couple of thoughts (Score:2, Funny)
When you find a machine that is unlocked, open up the e-mail program and send a short mail to everyone in the company saying "Hi my name is [owner of unlocked machine] and I left my machine unlocked. Just thought you should know. Come laugh at me later, will you". Then you helpfully lock the machine for the person.
The other employees will soon start policing themselves in an effort to embarass their colleagues.
No private bin? (Score:2)
I can't think of any reason you'd have to have . in your PATH. It's not that hard to type "./" before a command. (Though I admit, having learned Unix back in more innocent days, I still usually forget.) But I'd really balk at not being able to have a private bin directory, especially on a machine where I didn't have root access. Nor do I see the point. If you're sophisticated enough to write your own prog
Re:No private bin? (Score:2)
some of the boxes I work on at school add it atomatically. I would just manually set the path, but that is annoying for two reasons.
The first being that occasionally they add something, which would break things and I would have to then go and fix it manually.
the second being that their script is all nicely machine independant and replicating that would take actual work
it seems as though one sed line should do it, but I couldn't figure it out (hardware person, not so
Re:A couple of thoughts (Score:1)
Also, rm doesn't stand for rename. (oops)
Don't Choose a Dictionary Password (Score:2, Insightful)
Re:Don't Choose a Dictionary Password (Score:2)
You mean like John the Ripper [openwall.com]?
Re:Don't Choose a Dictionary Password (Score:3, Insightful)
A properly secure Linux (even SE Linux) requires a good system administrator. Ditto for any other Unix like system.
Re:Don't Choose a Dictionary Password (Score:1, Informative)
I think pam_cracklib can do that, plus it automatically runs a quick dictionary attack before storing the chosen password. There's also pam_passwdqc [openwall.com], but I've never used it.
The other half of... (Score:4, Informative)
Some examples;
dialup networking; use modemlights, kppp, or set up dial-on-demand.
shutting down; some distros require the root password to shutdown. If yours does, reconfigure this.
The end user shouldn't need root _ever_ for day-to-day computer use. If they want anything more than the basic 'look and feel' desktop settings changed, they should call tech support.
You might also want to make the machine console-secure as far as possible. Boot only from HDD, set a password on the bootloader and BIOS, replace the case screws with torx screws, etc. It depends who has physical access, and how secure you need to be.
Re:The other half of... (Score:1)
Re:The other half of... (Score:2)
(cause linux init=/bin/bash is tons of fun, but not something you want someone else to do
Re:The other half of... (Score:2)
Think carefully about putting automount on the floppy and CD. Most users won't need it. Writable media opens up the possibility that a spy is selling your secrets. (Of course they still can sell them without write access, but it is harder) Other users will use the floppy/CD to install non-work related things (games, or pirated software because they have decided foo is better than what the company legally has).
There are a few other arguments against having user accessable media drives on the desktop, w
Re:The other half of... (Score:2)
These are end users. Configure your systems to shut down cleanly when they press the off switch. Have a look in /etc/acpi to find out how to do this.
Re:The other half of... (Score:1)
(Yeah, I'm an idiot, I should have known it was possible but I've got used to crap like my TV-out being unsupported, so I never thought about it. Why isn't this the default on major distro's already?)
Re:The other half of... (Score:1)
Re:Here's what you do... (Score:4, Informative)
Clicking Internet Explorer launches Mozilla.
Clicking Outlook launches KMail.
Clicking My Documents launches Nautilus or Konqueror.
Changing the name of the Mozilla icon to 'Web Browser', and home to 'Home Folder' wouldn't be a bad idea, but giving them the names of Microsoft products is very misleading. Why not just rename Linux to 'Microsoft Windows' while your at it?
Non-techy people have been able to successfuly using word processors since long before Word version 1.0. People can easily learn the name of a new application, as they did with MS Word, Claris Works, and Word Perfect.
Even in the default Windows XP start menu, Internet Explorer's title is 'Internet', and Outlook's is 'Email'.
Are you a Windows administrator? (Score:4, Insightful)
You can set up desktop as basically a terminal using X. I know, what a waste of a desktop right? But, that's how Unix is built. You can setup a server (or multiple servers of necessary) to act as your main server and each desktop is really logging into the server using XDMCP [tldp.org]. Or look at the Linux Terminal Server Project [ltsp.org]You lock out logging into the local machine and poof! All user files are forced onto the server so there's no pesky phone calls like "Well I saved the file onto c:\pron\pron\pron\pron2\pron2 but the hard disk just went bad! YOU need to get it back for my board meeting in five minutes!" I realize this is a lot of overhead, but you can gain alot of control this way like upgrading OO.org for everyone without having to update every single desktop.
Perhaps XDMCP is too insecure for you or you have so many users that XDMCP would be too difficult. That doesn't mean you can't set it up like I've described. It just gets complicated, which means its beyond my meager expertise, but I've seen it set up that way at school.
Re:Are you a Windows administrator? (Score:1)
Re:Are you a Windows administrator? (Score:1)
All good Unix installations I've used have had thin clients - either just enough disk to boot and NFS mount everything, or (more rarely) set up as X terminals.
Any Windows install where all software is installed separately on hundreds of desktops looks stoneage compared to that.
Linux Terminal Server project (Score:1)
As many people have suggested you will probably have to write this on your own. Users will not have access to root... is probably a good place to start.
The Linux terminal server project [ltsp.org] would be a good place to look for ideas on how to build this. In my opinion the real bang for the buck from Linux on the desktop would come from leveraging X11, NFS, and NIS or the "thin client model", to create a graphical computing environment analogous to the VAX/VMS environment for vt-220 terminals from the mid 1980s.
Re:Are you a Windows administrator? (Score:1)
With regards to your suggestion, I appre
Re:Are you a Windows administrator? (Score:2)
I was just responding to seeing a mix of technical(but non-Linux experienced) & non-technical people in the organization doing Bad Things(TM). When said things were pointed out to them, they requested a do's&don't document, which I was elated to see them ask for.
I think I now understand why your users have root, at least for their own machines. It's still a mistake, at least for the non technical users. One of the great things about Linux is that a machine with a broadband connection can be admi
Re:Are you a Windows administrator? (Score:3, Interesting)
There's enough tools out there (such as cfengine) to handle updating the desktops that, if you have decent desktops, I can't see why you'd want to make them all dumb terminals.
I suspect you'll have to write it. (Score:2, Insightful)
You also might want to consider making people pass a quiz in order to get an account
Good password, changed frequently, never shared (Score:3, Insightful)
You can hire network administrators to tell you which protocols are safe and which are not, and where you should use them and how. You can hire system administrators to watch your main systems and harden them as well. You can even get some internal tech support people to help out the users and make sure all the machines are up and secure.
But it always comes down to the individual users: Get a good password, change it frequently, and never share it with anyone, period.
Re:Good password, changed frequently, never shared (Score:2)
While I agree in principle, those two are almost mutally exclusive. Unless you have a super memory, it's going to be difficult to have genuinely good that change frequently. By good, I mean randomly generated, containing characters from different sets (uppercase, lowercase, numbers, symbols) and of sufficient length (6-8 characters).
At the company I work, there is a password policy in effect that mandates password rotation every 90 days. When I first
You are trolling, right? (Score:2)
Common practices for desktops change very little from platform to platform and have more to do with your environment.
Use the previous policies you surely had, addapt them to Linux, and add the bits that pertain only to Linux.
Simple Question (Score:2, Interesting)
I have never recieved one personally. It's always nasty window crap I get, and laugh at because I don't run windows.
The only time I get ebuilds are from portage. And from the official websites of programs I am seeking, never in email attachments.
This raises another question though. If linux takes off, will we see a huge influx of linux worms and general crap that are proliferating windows right now?