[Fedora-livecd-list] Preventing access to /mnt/live (inter alia)
Mads Kiilerich
mads at kiilerich.com
Fri Mar 5 11:31:32 UTC 2010
On 03/05/2010 11:11 AM, James Heather wrote:
> Hi all,
>
> What I'm trying to do is to create a bunch of Fedora USB sticks for use
> in practical examinations at uni. The existing Windows setup in the labs
> is pretty woeful, and the only way I can be in control of the
> environment is to boot up off something else.
>
> I have it working pretty nicely, but I have a few issues I'm not sure
> how to resolve.
> (1) I want to stop non-root users from being able to mount other drives,
> e.g., other USB sticks. How do I do that? (It's not enough to kill off
> the auto-mounting if people will still be able to mount from the command
> line.)
You probably want to configure polkit (PolicyKit in F11) to not allow
local users to do such administrative tasks.
I would start looking at
/etc/polkit-1/localauthority.conf.d/60-desktop-policy.conf (perhaps
/etc/PolicyKit in F11).
Or perhaps it could be solved at DeviceKit-disks level ...
But how will you prevent the users from booting another USB stick where
they have full root access and from which they can open, run and hack
your usb stick?
I think you should focus on creating an USB stick where you can
guarantee that it works unless they shoot them self in their foot.
> (2) On a more relevant point for this list, I've noticed that all users
> have access to the base FAT32 filesystem of the bootable USB stick,
> on /mnt/live. How do I get this mounted so that only root can
> read /mnt/live? I don't want someone to be able to write code to unpick
> the squashfs image, etc. These are programming exams, so they have a
> compiler available, and a few of them can probably use it...
I assume that everything in the squashfs already is mounted on / , so
what are you trying to avoid?
> (I don't know if it's relevant, but currently I have to build this as
> Fedora 11, because my first go is a 3D graphics exam, and they need the
> proprietary ATI driver.)
That is almost the same as giving them root access.
(Just kidding. I really don't know. But neither do you. ;-) )
/Mads
More information about the livecd
mailing list