Thanks for the info, I don't harbor illusions about having some sort of foolproof shield that keeps unsupervised users from using their ingenuity to do as they wish on the workstations.

Any workstation that you don't have physical control of should be assumed to be unsecure, and I limit the amount of "sensitive" information that is kept on the workstations for this very reason (though it is important to have the private half of a key on the teacher workstation, that one should theoretically be better supervised than the student workstations).

I don't think the added complexity of using encrypted filesystems, for example, is worth the effort, but adding a password to the recovery mode seems to have a good Return On Investment.

I fully expect a knowledgeable and bored student to compromise our security at some point. They've been doing it on our Windows XP desktops for years! However, I do want to make sure it's a little more of a challenge than reading the Ubuntu guide ;-)

Hope you're having a beautiful day!

Simón
________________________________
From: Paul O'Malley [mailto:[EMAIL PROTECTED]
Sent: Sun 3/4/2007 7:44 AM
To: Simon Ruiz
Cc: Edubuntu Devel Group
Subject: Re: newby

Simon Ruiz wrote:
[snip]
> So you mean there's a simple way for any user, any student, to get root
> access to our machines?
>
> Can this be helped by MAKING a root password?
>
> Hope this finds you all doing great!
>
> Simon
[snip]

Kind of long reply!

I am sending this to the devel list, but think that perhaps there are better places for it, it raises issues that people may wish to take on board to build better management systems, and for that reason alone I let it go.

Root adds nothing to the process, other than meaning that all machines have a similar logon that can be brute force attacked from the console or remotely; that is another argument, and as strong passwords should be in use anyway.

Computer security is not an action, nor is it a product, but a set of behaviours wrapped up in technology, i.e. a process.

If you want to protect the box a little more then put a password on GRUB and don't forget it.

The whole security aspect is very broad and I give some treatment to the questions involved before you do any more below.

The instructions for doing so are beyond the scope of this mail however:
http://www.ubuntuforums.org/showthread.php?t=7353

WARNING: if you do this you can't really afford to make a mistake if it is your only way onto the internet.

With physical access to the machine a person with the right knowledge can still get in. For instance, if the BIOS has a password on the machine and you want to boot off a CDROM what combinations to bypass that measure are available to you?

Encrypted file systems are an option, costing CPU cycles, thus making the box slower. This is to say nothing of the cost to convenience if your hard drive/RAID crashes and you need new hardware.
This then creates other issues around your backups, are they to be in plain text or encrypted, should they be tied to the machine or something else? Who will document this process so when the person who sets it up goes elsewhere, or is sick and something needs to be done and maybe if they have forgotten how it was done. How are those instructions to be held?

Are the computers available for people to interact with zero supervision?

What are you trying to protect, workstations or servers?

At what point do you trust your users, if you say you don't trust them at all, let me point out they do get to use the boxes.

There is no security system that is foolproof, humans make them, they can be complex, but humans can and will break them.

Perhaps I'll cease before this becomes a full on discussion of IT security, it seems that someone hit one of my buttons. ;-)

Regards,
Paul O'Malley
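
An added example, not part of the thread: a small Python check for the two GRUB measures discussed above (a password on GRUB, and a password on recovery mode). It assumes GRUB legacy's menu.lst syntax, where a global password line stops console editing of boot entries and a lock line after a title makes that entry require the password; the thread names neither the file nor the GRUB version, and the sample config and the audit_menu_lst name are constructed here.

```python
import re

# Constructed sample in GRUB legacy menu.lst syntax (an assumption; not from the thread).
SAMPLE_MENU_LST = """\
default 0
timeout 3
password --md5 $1$CONSTRUCTED$placeholder-not-a-real-hash
title Ubuntu (normal boot)
kernel /boot/vmlinuz root=/dev/sda1 ro quiet splash
title Ubuntu (recovery mode)
kernel /boot/vmlinuz root=/dev/sda1 ro single
"""

def audit_menu_lst(text):
    """Return (code, detail) findings for a GRUB legacy menu.lst."""
    global_pw = None   # None, "md5" or "plaintext"
    entries = []       # one dict per "title" stanza
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # GRUB legacy accepts "cmd arg" and "cmd=arg".
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        cmd, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if cmd == "title":
            entries.append({"title": arg, "protected": False, "single": False})
        elif not entries:
            # Commands before the first title are global.
            if cmd == "password":
                global_pw = "md5" if arg.startswith("--md5") else "plaintext"
        elif cmd in ("lock", "password"):
            entries[-1]["protected"] = True
        elif cmd == "kernel" and re.search(r"\bsingle\b", arg):
            entries[-1]["single"] = True

    findings = []
    if global_pw is None:
        findings.append(("no-global-password", "boot entries can be edited at the console"))
    elif global_pw == "plaintext":
        findings.append(("plaintext-password", "use password --md5 instead"))
    for e in entries:
        # A single-user entry without lock boots to a root shell with no prompt.
        if e["single"] and not e["protected"]:
            findings.append(("recovery-unlocked", e["title"]))
    return findings

if __name__ == "__main__":
    for code, detail in audit_menu_lst(SAMPLE_MENU_LST):
        print(code + ": " + detail)
```

The sample sets a global password but leaves the recovery entry unlocked, so the check reports only that entry; adding a lock line directly under its title clears the finding.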
