Help with Skel

Hello,

I need help with skel. I have a default profile saved for users that log in with MS AD, but when a new user logs in (to MS AD) I want a folder “Doc” to be created on the desktop, and he should only be able to write to that folder “Doc” on the desktop.

And the Desktop folder must be locked (he can't create or delete on the desktop).

Long story short: disable desktop write except for that folder “Doc” on the desktop.

Thanks

So,
My first Q would be whether you really need a “Doc” folder on the Desktop.
Whenever a specified User Account is used to login (including a network security account like AD) a /home directory is created for that specific User, not shared with others.

If you want the $USER/Documents folder accessible from the Desktop, you can create a shortcut to the ready-made directory.
Ordinarily the User has full rw permissions for everything in /home but I guess it might be possible to remove write permissions from most of the directories.

By default, a non-root User is supposed to see all files on the system, but without sudo or su would find it generally hard to access more than what is in the User’s /home directory. If you want to lock the system down further, one way might be to deploy the system in “kiosk” mode (I haven’t looked at this recently).

I’m not sure what you mean by an AD Profile, AFAIK unless you implement a Linux extension to AD I don’t think that AD User Profiles will do anything on a Linux box (AD Profiles enable a User to maintain a common setup and preferences across Windows Hosts).

TSU

  1. I have a Windows domain with Windows PCs, and now I need to replace 100 PCs running Windows with 100 PCs running Linux.
  2. I managed to connect the Linux users to the Windows domain. And in the Skel folder I put the profile as it should look for the users.
  3. Users are stupid, they keep the documents on the desktop rather than in the folder I created.
  4. I need one folder on the Desktop to be rw and the Desktop itself to be locked for writing.
  5. I then need to put it in Skel so that it can be replicated to all new users.

Hello,

Does anyone have a solution?

Restrict new users that log in from writing to the Desktop.

tnx

Skel is new to me (learn something new once in a while).
Looks like Skel was created long ago, and I haven’t found any references for use with network security (like AD), but a few describing how it can be used to set up machines in a consistent way.

So, Skel is only a <method> for applying whatever you want, and primarily copying files.
Instead of concentrating on the <method> you should instead define your <objective> and then concentrate on what might be done to achieve that objective.

As I described,
By default in today’s Linux systems the logged in User has access to more than just the Desktop, the entire /home directory is rw.
Do you want to restrict all of /home or only the specified User folder?
And, what applications will you allow since some/many of them write some data to /home as well?

After you’ve clearly defined the above, then you can think about how to achieve your objective.

  • You will want to create the special User folder
  • You will want to think about how best to apply security. Since you’re talking about file security, a likely candidate is either Access Control Lists (ACL) or simply scripting your changes.

Keep in mind that running a LiveCD automatically won’t allow a User to “write to disk”.
You might be able to create a custom LiveCD using SUSE Studio or Kiwi that also mounts a network share (i.e. your User folder).
Might be the fastest way to do what you want.

From what I read, I doubt Skel is necessary or could even provide a complete solution to what you want.
But, if you more or less follow the approach I outlined, you should be able to achieve your objective.

Thanks for your answer.

On the desktop I have the email client, Chrome, the office tools and one folder that I created for saving data. I erased all other folders and then I put it in the Skel folder.

So when a new user signs in via MSAD, the folder is created on the system: user\mydomain\username

And my wish is to lock the folder user\mydomain\username\desktop for all new users when they log in.

Thanks.

Locking entails changing the ownership and group of the folder to something for which the user does not have write permission, only read access. Note that some programs may need write access and might fail if the user does not have permission to write. But those should be mostly edge cases. Don’t know if that can be set in skel or if you need to run a script to modify the permissions.
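
The ownership change described in the last reply, as an added shell example that is not part of the original thread. The function name `lock_desktop`, the `Desktop/Doc` layout and the example user are assumptions; it is meant to be run as root after the home directory has been created, because files copied from skel end up owned by the new user and the user could simply change their mode back.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: <home>/Desktop/Doc.
# Usage (as root, once the home directory exists): lock_desktop /home/alice alice

lock_desktop() {
    home_dir=$1
    owner=$2                      # user name or numeric UID
    desktop="$home_dir/Desktop"
    doc="$desktop/Doc"

    if [ ! -d "$home_dir" ]; then
        echo "lock_desktop: no such home directory: $home_dir" >&2
        return 1
    fi

    # The path is user-controlled once the account is in use. Refuse
    # symlinks so a root-run chown/chmod cannot be redirected elsewhere.
    for p in "$desktop" "$doc"; do
        if [ -L "$p" ]; then
            echo "lock_desktop: refusing symlink: $p" >&2
            return 1
        fi
    done

    mkdir -p "$desktop" || return 1
    chmod 755 "$desktop" || return 1     # writable while Doc is created
    mkdir -p "$doc" || return 1

    if [ "$(id -u)" -eq 0 ]; then
        # Real lock: Desktop belongs to root, only Doc belongs to the user.
        chown root:root "$desktop" || return 1
        chown "$owner" "$doc" || return 1
    else
        # Without root the user still owns Desktop and could chmod it back.
        echo "lock_desktop: not root, ownership left unchanged" >&2
    fi

    chmod 555 "$desktop" || return 1     # list and enter, no create/delete/rename
    chmod 700 "$doc" || return 1         # only the owner reads and writes here
}
```

Launchers already copied to the Desktop from skel stay readable and usable; only creating, deleting and renaming entries directly on the Desktop is blocked.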