I need help with skel. I have a default profile saved for users that log in with MS AD, but when a new user logs in (MS AD) I want to create a folder “Doc” on the desktop, and he should only be able to write to that folder “Doc” on the desktop.
And the Desktop folder must be locked (he can't create or delete on the desktop).
Long story short: disable desktop write except for that folder “Doc” on the desktop.
My first Q would be whether you really need a “Doc” folder on the Desktop.
Whenever a specified User Account is used to log in (including a network security account like AD), a /home directory is created for that specific User, not shared with others.
If you want the $USER/Documents folder accessible from the Desktop, you can create a shortcut to the ready-made directory.
Ordinarily the User has full rw permissions for everything in /home but I guess it might be possible to remove write permissions from most of the directories.
By default, a non-root User is supposed to see all files on the system, but without sudo or su would find it generally hard to access more than what is in the User’s /home directory. If you want to lock the system down further, one way might be to deploy the system in “kiosk” mode (I haven’t looked at this recently).
I’m not sure what you mean by an AD Profile, AFAIK unless you implement a Linux extension to AD I don’t think that AD User Profiles will do anything on a Linux box (AD Profiles enable a User to maintain a common setup and preferences across Windows Hosts).
Skel is new to me (learn something new once in a while).
Looks like Skel was created long ago, and I haven’t found any references for use with network security (like AD) but a few describing how it can be used to set up machines in a consistent way.
So, Skel is only a <method> for applying whatever you want, and primarily copying files.
Instead of concentrating on the <method> you should instead define your <objective> and then concentrate on what might be done to achieve that objective.
As I described,
By default in today’s Linux systems the logged-in User has access to more than just the Desktop; the entire /home directory is rw.
Do you want to restrict all of /home or only the specified User folder?
And, what applications will you allow since some/many of them write some data to /home as well?
After you’ve clearly defined the above, then you can think about how to achieve your objective.
You will want to create the special User folder.
You will want to think about how best to apply security; since you’re talking about file security, a likely candidate is either Access Control Lists (ACL) or simply scripting your changes.
Keep in mind running a LiveCD automatically won’t allow a User to “write to disk”.
You might be able to create a custom LiveCD using SUSE Studio or Kiwi that also mounts a network share (i.e. your User folder).
Might be the fastest way to do what you want.
From what I read, I doubt Skel is necessary or could even provide a complete solution to what you want.
But, if you more or less follow the approach I outlined, you should be able to achieve your objective.
Locking entails changing the ownership and group of the folder to something for which the user does not have write permission, only read access. Note that some programs may need write access and might fail if the user does not have permissions to write. But those should be mostly edge cases. Don’t know if that can be set in skel or you need to run a script to mod the permissions.
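
The ownership-based locking described in the last reply, sketched as a script. This is an added example and not part of any post in the thread; the function names `lock_desktop` and `mode_of` are hypothetical, and it assumes something runs it as root for each new user's home directory.

```shell
#!/bin/sh
# Added example (hypothetical helper names): lock Desktop, keep Desktop/Doc writable.
# Intended to run as root, e.g.: lock_desktop /home/alice alice   (constructed values)

lock_desktop() {
    home_dir=$1
    user=$2
    desktop="$home_dir/Desktop"
    doc="$desktop/Doc"

    if [ ! -d "$home_dir" ]; then
        echo "no such home directory: $home_dir" >&2
        return 1
    fi
    # The user controls $home_dir, so never follow a link they may have planted.
    if [ -L "$desktop" ] || [ -L "$doc" ]; then
        echo "refusing: Desktop or Doc is a symlink" >&2
        return 1
    fi

    mkdir -p "$doc" || return 1

    if [ "$(id -u)" -eq 0 ]; then
        # Root (uid 0, gid 0) owns Desktop, so the user cannot chmod it back.
        chown -h 0:0 "$desktop" || return 1
        chown -h "$user" "$doc" || return 1
    else
        echo "warning: not root; the owner can undo the chmod below" >&2
    fi

    chmod 555 "$desktop" || return 1   # r-x for everyone: list and enter, no create/delete
    chmod 700 "$doc" || return 1       # rwx for the owner only
}

# Print the type and permission bits of a path, e.g. dr-xr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}
```

Because the user still owns the home directory itself, they can rename the root-owned Desktop and create a fresh one in its place; mode bits on Desktop alone do not prevent that. Check the result with `mode_of` after the first login and test the desktop environment, since some programs expect to write to Desktop.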