Can I require a user to enter password to open terminal?

xpacker · September 21, 2010, 4:38pm

I’m in the process of configuring a “guest” account for houseguests to use my computer. I’ve got the file permissions set, but I’d also like to restrict their access to the terminal. It seems to me that most of the damage that can be done to a computer goes through the terminal.

I downloaded Pessulus (I use Gnome), but it doesn’t require a password. So the profiled user can just open Pessulus and alter their profile – what’s the point?

Is there a way I can require a user to enter a password, either for any terminal or Pessulus? I like Pessulus – it’s concise and easy to use. But it doesn’t seem very secure as I understand it.

Thanks in advance for any suggestions.

xpacker · September 21, 2010, 5:11pm

Oh, I’ve just read that I can run Pessulus as root. However, when I type $ sudo pessulus
I get this message. Sorry for the long post – I couldn’t figure out how to place the text in a scroll box.

/usr/lib/python2.6/site-packages/gtk-2.0/gtk/init.py:57: GtkWarning: could not open display
warnings.warn(str(e), _gtk.Warning)
/usr/lib/python2.6/site-packages/Pessulus/main.py:49: Warning: invalid (NULL) pointer instance
message_format = _(“Cannot contact the GConf server”))
/usr/lib/python2.6/site-packages/Pessulus/main.py:49: Warning: g_signal_connect_data: assertion G_TYPE_CHECK_INSTANCE (instance)' failed message_format = _("Cannot contact the GConf server")) /usr/lib/python2.6/site-packages/Pessulus/main.py:49: GtkWarning: gtk_settings_get_for_screen: assertion GDK_IS_SCREEN (screen)’ failed
message_format = _(“Cannot contact the GConf server”))
/usr/lib/python2.6/site-packages/Pessulus/main.py:49: Warning: g_object_get: assertion G_IS_OBJECT (object)' failed message_format = _("Cannot contact the GConf server")) /usr/lib/python2.6/site-packages/Pessulus/main.py:49: Warning: value "TRUE" of type gboolean’ is invalid or out of range for property visible' of type gboolean’
message_format = _(“Cannot contact the GConf server”))
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: GtkWarning: Screen for GtkWindow not set; you must always set
a screen for a GtkWindow before using the window
dialog.run ()
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: GtkWarning: gdk_pango_context_get_for_screen: assertion GDK_IS_SCREEN (screen)' failed dialog.run () /usr/lib/python2.6/site-packages/Pessulus/main.py:55: PangoWarning: pango_context_set_font_description: assertion context != NULL’ failed
dialog.run ()
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: PangoWarning: pango_context_set_base_dir: assertion context != NULL' failed dialog.run () /usr/lib/python2.6/site-packages/Pessulus/main.py:55: PangoWarning: pango_context_set_language: assertion context != NULL’ failed
dialog.run ()
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: PangoWarning: pango_layout_new: assertion context != NULL' failed dialog.run () /usr/lib/python2.6/site-packages/Pessulus/main.py:55: PangoWarning: pango_layout_set_text: assertion layout != NULL’ failed
dialog.run ()
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: PangoWarning: pango_layout_set_attributes: assertion layout != NULL' failed dialog.run () /usr/lib/python2.6/site-packages/Pessulus/main.py:55: PangoWarning: pango_layout_set_alignment: assertion layout != NULL’ failed
dialog.run ()
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: PangoWarning: pango_layout_set_ellipsize: assertion PANGO_IS_LAYOUT (layout)' failed dialog.run () /usr/lib/python2.6/site-packages/Pessulus/main.py:55: PangoWarning: pango_layout_set_single_paragraph_mode: assertion PANGO_IS_LAYOUT (layout)’ failed
dialog.run ()
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: PangoWarning: pango_layout_set_width: assertion layout != NULL' failed dialog.run () /usr/lib/python2.6/site-packages/Pessulus/main.py:55: PangoWarning: pango_layout_get_extents: assertion layout != NULL’ failed
dialog.run ()
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: GtkWarning: gtk_icon_theme_get_for_screen: assertion GDK_IS_SCREEN (screen)' failed dialog.run () /usr/lib/python2.6/site-packages/Pessulus/main.py:55: GtkWarning: gtk_settings_get_for_screen: assertion GDK_IS_SCREEN (screen)’ failed
dialog.run ()
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: GtkWarning: gtk_icon_size_lookup_for_settings: assertion `GTK_IS_SETTINGS (settings)’ failed
dialog.run ()
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: GtkWarning: Invalid icon size 6

dialog.run ()
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: GtkWarning: gtk_icon_theme_load_icon: assertion GTK_IS_ICON_THEME (icon_theme)' failed dialog.run () /usr/lib/python2.6/site-packages/Pessulus/main.py:55: GtkWarning: Error loading theme icon 'gtk-dialog-error' for stock: dialog.run () /usr/lib/python2.6/site-packages/Pessulus/main.py:55: GtkWarning: gtkstyle.c:2355: invalid icon size '6' dialog.run () /usr/lib/python2.6/site-packages/Pessulus/main.py:55: GtkWarning: gtk_style_render_icon: assertion pixbuf != NULL’ failed
dialog.run ()
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: Warning: g_object_ref: assertion G_IS_OBJECT (object)' failed dialog.run () /usr/lib/python2.6/site-packages/Pessulus/main.py:55: PangoWarning: pango_layout_set_wrap: assertion PANGO_IS_LAYOUT (layout)’ failed
dialog.run ()
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: Warning: g_object_unref: assertion G_IS_OBJECT (object)' failed dialog.run () /usr/lib/python2.6/site-packages/Pessulus/main.py:55: GtkWarning: gdk_screen_get_width: assertion GDK_IS_SCREEN (screen)’ failed
dialog.run ()
/usr/lib/python2.6/site-packages/Pessulus/main.py:55: PangoWarning: pango_layout_get_line_count: assertion `layout != NULL’ failed
dialog.run ()
Floating point exception

DenverD · September 21, 2010, 6:09pm

xpacker wrote:
> Thanks in advance for any suggestions.

using this google search string:
prevent user “terminal access” SUSE

i found several likely candidates to solve your problem (i’ve not
faced it myself so don’t know the best answer for you)…

–
DenverD
CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

ab · September 21, 2010, 7:03pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I’m skeptical about the feasibility of what you’re after. The terminal is
not evil… inappropriate rights assignments are evil. Even if you were
to delete all shells a user could throw in a thumb drive or download a new
one from the Internet. If you do not make a shell obvious chances are
guest users won’t use one. Even if you do hide it, though, somebody
wanting to do something nasty will not be in inhibited by your attempts
(imo). If you restrict permissions properly the most malicious of
commands will have no real effect.

Good luck.

On 09/21/2010 08:46 AM, xpacker wrote:
>
> I’m in the process of configuring a “guest” account for houseguests to
> use my computer. I’ve got the file permissions set, but I’d also like
> to restrict their access to the terminal. It seems to me that most of
> the damage that can be done to a computer goes through the terminal.
>
> I downloaded Pessulus (I use Gnome), but it doesn’t require a password.
> So the profiled user can just open Pessulus and alter their profile –
> what’s the point?
>
> Is there a way I can require a user to enter a password, either for any
> terminal or Pessulus? I like Pessulus – it’s concise and easy to use.
> But it doesn’t seem very secure as I understand it.
>
> Thanks in advance for any suggestions.
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJMmOVjAAoJEF+XTK08PnB58B4P/10DnHpAkh/q8oiqCx/dMgrn
BG01K7Sw5nh2fWmyP0Hc6Lj/STbw+zy2U7bk3XMzkFnrB6A3HHwfjGU2Wrpadu2N
u27yAu2eJc9Q7mKHLBLqePRBljmbjMKKqfxSWYIcVcNy4HEN1z8y1fFCdJp8mxgu
iV9IJJwueyvIeXe1d5JuK8d5l7ZsjnEXX6xnjzyomJk5RGMduv6cRsCRDlZ4xXpF
J8ElUdp6kT89NTZuir02hlzpDzQFJbevnj8gH3uaoSfkV5uL3FlhDxDGZ9ZehHMr
OlsWG4I5QFiAVCSefv+AKJiN3CxuB2b/4iwx0c+sqJMvyxuUUPUxngOKgsWW32DI
AcIQkbykdwCkgnn3HphXgRdJKx2cygjjk4Hap6K9St8a6jQePrsKbubJy6xRK/L5
Wk133B5vzL5aLsMx6D1vFWHlY84apgF8KvRlNqXJXs47C6MrJUWS6TIzWoX2yEPM
WG4pAD53HpUQaLbJ2bni7tHdyFsc7eX3CBVZFsqHeoLuV112H1DGiNC+ZmlHdML3
UKlaLrJsFlOlVJ7UP5OSq+9tBolSSn260+ZVruHJH68nKYItTNdzVpyOL/QV3NZG
rWGq4KQD8fLV9H/lTmAi3pe+IzEG0FTvLxobs9sfV7SwzPCSUDdCPoapAmrCFM5z
sp0enc7Mkhsuj6MHll2U
=aqZk
-----END PGP SIGNATURE-----

gogalthorp · September 21, 2010, 7:53pm

If someone with knowledge and bad intent has physical access to your machine the can do just about anything they want.

ab · September 21, 2010, 9:58pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Exactly, and regardless of the presence of a terminal. The power button
along with a USB stick or bit of optical media can mean doom for your data
either by destruction or theft.

Good luck.

On 09/21/2010 12:06 PM, gogalthorp wrote:
>
> If someone with knowledge and bad intent has physical access to your
> machine the can do just about anything they want.
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJMmQ54AAoJEF+XTK08PnB5tSYP/2ws6BG1vwJOl9Sv8Gz285NJ
gejvJiDH/GVzFGCNMxVXzEq6DYBPRAfa8PiNte7IbAgaP9qrpFX4pT1B/V7KnC71
c008DJUPV8PM/wYf2ExUwyjFuasml1x6RCj54eiHUn5qcgAY52twM3BuAEL0gGOh
ABODCkNQJHVG6dXGDysrfRHqIII2jOHxvvlxr/4y15URRlUqCHx2DySuuyHR/yf6
F4E9fPLV8DtZvXRSIuHcH9+re42KgPLQyoQPmzg/8S/MDi4T2/6NmBPr7hynX007
Tibp6WEXCfCQbveY7jOKZ9yczvDfs8AXromCXnhkxNHknJubtLoAkOkWIBdOyQ3g
SEj90HjHNnPliervNHwiM71eUkxpVGD5MI26lFEfFc7J6KDkmsiyWDTLRv1UsWvy
U4fgra6U9wVAPOcHb4HjLkoG7omMUHwIeYH+24MYekBzwK1ABXGZuD4civ65FkAy
4HYkdGGbQZcuZ9pOT/Hq/Bc2uNgtGSE899ah0Z7UH6OLr61fijbUfRSeqrOw461l
uN5o9Tw0ovOFDuJjDVwMd2UlnlOXNma+6UK7Rbv6cd7HqXbFkKTNUs3PeY9xKuHV
l2Yd7nOO8aNnd8XuJ7mhMVkeaRW8jqsBvZRxZxXsmK46ThzmPAjYYf/5kRY/9L9X
jgnB2REkbMmCrB1S28ct
=CX3A
-----END PGP SIGNATURE-----