[TriLUG] Linux Lab

crimsun at fungus.sh.nu crimsun at fungus.sh.nu
Mon Nov 4 15:49:53 EST 2002


On Mon, Nov 04, 2002 at 01:21:37PM -0500, Jeff Bollinger wrote:
> What are y'alls recommendations for an open-source/Linux computer lab?

My first thought is, "Wow, you're going to do /what?/" [Looks like
something I discussed with Cheryl might finally be seeing the light of
day outside a specialty lab! Hooray!]

Andrew brought up the good point of ONYEN authentication. However, let
us be paranoid for a bit. Anonymous access isn't a good idea. Period.
You'll be better off choosing a type of 'guest' acct and nailing it down
_hard_, restricted interactive shells, ulimits, removing essentially all
suid/sgid root apps (aside from the obvious ones, like X and ones
essential to system function, of which /usr/bin/ping is _not_ essential
;-), etc. You know the drill. On the same token, ONYEN authentication
will require a bit more software infrastructure. In the case of a public
lab (as you noted below), K.I.S.S. works best. I don't recommend using
ONYEN auth.

Have you considered having the systems boot off a CD, like a "live"
install/use setup?

How many computers do you think will comprise this public lab? Just
monitoring and keeping things updated is a full-time job.

> This would be a public lab, which I think we'd want an auto-login rather
> than having people with different accounts.  Of course it would have to
> be secure (the main focus), but also incredibly useful with lots of good
> open-source tools (development, web, imaging, etc.) We're thinking
> strictly RedHat, w/ X Windows running.

"Incredibly useful with lots of good open-source tools" sounds great,
Jeff, but with every additional application and library you add, that's
an extra point of complexity. XFree86 itself is incredibly complicated
to nail down. Yes, it would obviously be required for a lot of those
nice gui development, web, imaging tools. Security often comes at the
cost of breadth of software, however.

I've already stated my opinion (as someone who does security auditing
and as someone who has had his boxes hacked) on anonymous or auto-
logins.

> Anyone know anyone who's successfully done this, or where I can find some
> great info?

I mentioned "live" setups where all the essentials reside on a CD.
Fitting XFree86 on there will be a chore, but it's doable. I _believe_
/. had an article a while back (last week?) concerning such a demo
distribution. It wouldn't be difficult to modify that for your purposes.

-Dan

-- 
Dan Chen                crimsun at fungus.sh.nu
GPG key: www.unc.edu/~crimsun/pubkey.gpg.asc
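
The suid/sgid cleanup recommended in the message above, sketched as an added example that is not part of the original post. The function names and the keep-list file (one absolute path per line for the binaries you decide must stay setuid/setgid) are hypothetical. It flags files of any owner, not only root-owned ones.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against a site keep-list.
# The keep-list contents are an assumption; choose them per system.

# list_suid_sgid ROOT
# Print every regular file under ROOT that has the setuid or setgid bit,
# one path per line, without crossing into other filesystems.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_suid ROOT KEEPFILE
# Print the setuid/setgid files under ROOT that are NOT listed in KEEPFILE.
# These are the candidates for having the bits removed.
audit_suid() {
    list_suid_sgid "$1" | while IFS= read -r path; do
        # -F fixed string, -x whole-line match, -q quiet
        grep -Fxq -- "$path" "$2" 2>/dev/null || printf '%s\n' "$path"
    done
}

# strip_unlisted ROOT KEEPFILE
# Remove the setuid and setgid bits from every candidate reported by
# audit_suid. Files named in KEEPFILE are left untouched.
strip_unlisted() {
    audit_suid "$1" "$2" | while IFS= read -r path; do
        chmod u-s,g-s -- "$path" && printf 'stripped %s\n' "$path"
    done
}

# Report-only when run directly: ./audit.sh / /etc/suid.keep
if [ "$#" -eq 2 ]; then
    audit_suid "$1" "$2"
fi
```

Run the report first and review it before calling strip_unlisted; package updates can restore the bits, so the audit is worth repeating after each update.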


