
Re: EDU Win Lab




I think the main reason I would want to see Linux used in classrooms is
for the increased security it brings, although there are other compelling
reasons. I don't know how familiar you are with Linux, Dan, so don't feel
like I'm trying to patronize you :) A properly configured Linux machine
could easily be set up so that someone could not just go in and change the
settings. For example, if a card catalog program was running in a stock 
Windows 95/98 machine, a user could do anything they wanted, including
wiping the machine. But a Linux machine with a 'guest' account running
the card catalog software without any more set up than that would be
pretty much safe from the regular attacks that plague Windows 95 machines.

(Similarly user accounts on a Linux box are distinct. I can configure
backgrounds, screensavers, etc for my account and in no way affect another
user's account. Thus we eliminate the "background" wars common in Windows
labs, which waste kids' time. Also password-locked screensavers that are a
rather constant annoyance on Windows labs are simple problems to fix in
Linux. Just log into the machine, become root and kill the screensaver or
login process. This is trivially easy to do, and at most requires an
instruction sheet for less computer-savvy teachers.)

But lemme discuss real quick about how Linux could help even in a
situation where you are locked into using Windows. For machines which are
public access, a minimum Windows installation is probably adequate. This
may not be the case in a Windows lab with Office and development programs
for Windows (sigh, some ppl will insist on using Microsoft programs for
writing programs. Best to be prepared, eh?) but this trick may still work
now that hard drive sizes are getting huge. When you first install
Windows and fdisk, split your hard drive into two equally sized partitions
and install Windows on the first partition. Then use your handy Linux on a
floppy (you do have one of these, right?) and `dd` the first partition to
the second, and mark the second unwriteable (it's late I don't remember
the exact term I'm looking for). You can do this easily like this:
`dd if=/dev/hda1 of=/dev/hda2 bs=512`. Then, when the Windows partition
goes completely haywire, just `dd` it back the other way, by swapping hda1
with hda2. [If that seems too complicated, consider the alternative of
reinstalling Windows 95 from scratch :) ]

Now I'm sure ghost will do the same thing, but I'm not familiar with it. I
suspect it's not free and not as trivial as this is. Also this little
trick will work with an image file on a network drive as well (some boot
disks support certain network cards and NFS mounts).

Another possible trick with Windows 95/98 is changing the shell to
something besides the explorer shell. Set the shell to your library
program, or even compile a shell like 'litestep' with limited features.
Windows is inherently insecure, so whenever possible I would recommend
using Linux instead. If I was setting up a card catalog system which would
work under Linux, I think I would set it up like this. Each machine that a
human accesses is a terminal or client, and those machines connect to a
server which cannot be accessed directly except by staff. If we want
machines outside the library to be able to access the library database, we
can set up another network for the client machines. That way you can add
as many new library terminals as you like without wasting IP space, since
they don't need anything more than to connect to the server. Also it
severely limits what someone can do if they do get root access to a
machine.

 (Rest of Network)+ - + Library Server
                        [ PII Server ] + + - Client Machine
                                         + - Client Machine
                                         + - Client Machine
                                         + - Printer
                                         + - and so on...

This doesn't provide for web-surfing machines in the library network,
although if you wanted that it would be possible to set it up. But this
model is very simplistic and serves a very specific purpose. If you wanted
web browsing machines I might still keep them on the library network, but
would use another box for IP Masquerading and move the Library Server off
to the main network, and give it a web-based interface. And when you set
up the machines, make sure that they are physically arranged so that a
teacher or the librarians can see what everyone is doing in a quick
glance.

Enough for me for tonight... :)

On Sat, 8 May 1999, Harry McGregor wrote:

> Unless you absolutely need win9x security (best bet would be a ghost image
> every morning...), fortress is not very good.  It makes a PII 300 with
> 64MB ram perform like a P233MMX with 32MB ram.  That is because it traps
> system calls.  What I am looking for does not necessarily have to prevent
> the student from modifying it during that session (though it would be nice
> to have some options in an rc file to set), but what files I need to give
> the students read access to, but take away write access.
> 
> > Harry,
> > 
> > While I'm new to this and don't know if there's a Linux equiv, a
> > software called "Fortress" is what some libraries use to keep the
> > patrons from changing settings.  The one I've seen runs on Win95/98.
> > Dan McMenamin
> > 
> 
> 

--
Michael Hamblin            http://www.utdallas.edu/~michaelh/
michaelh@utdallas.edu      http://www.ductape.net/
UTD Linux User Group       Engineering and Computer Science Support x2997
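
The `dd` backup-and-restore trick from the message above, as an added example that is not part of the original post: it runs on two regular files standing in for `/dev/hda1` and `/dev/hda2`, and adds a target-size check and a byte-for-byte verification after each copy. The function names, file names and the `chmod` stand-in for marking the golden copy unwriteable are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed stand-ins: regular files play the roles of /dev/hda1 (live
# partition) and /dev/hda2 (golden copy). Nothing here touches a real disk.

# Size in bytes of a regular file. For a real block device, use
# `blockdev --getsize64 DEV` instead.
size_of() { wc -c < "$1" | tr -d ' '; }

# matches SRC DST: true when the first size(SRC) bytes of DST equal SRC.
matches() { head -c "$(size_of "$1")" "$2" | cmp -s - "$1"; }

# clone SRC DST: dd SRC over DST. Refuses a too-small target (on a real
# partition dd would stop at the end of the device and leave a partial image).
clone() {
    if [ "$(size_of "$2")" -lt "$(size_of "$1")" ]; then
        echo "clone: $2 is smaller than $1" >&2
        return 2
    fi
    dd if="$1" of="$2" bs=512 conv=notrunc 2>/dev/null || return 1
    matches "$1" "$2"    # verify the copy byte for byte
}

demo() {
    dir=$(mktemp -d) || return 1
    live="$dir/hda1.img"; golden="$dir/hda2.img"
    # Two 64 KiB "partitions": live holds data, golden starts out zeroed.
    head -c 65536 /dev/zero | tr '\0' 'W' > "$live"
    dd if=/dev/zero of="$golden" bs=512 count=128 2>/dev/null

    clone "$live" "$golden" || { rm -rf "$dir"; return 1; }   # take the image
    chmod a-w "$golden"    # stand-in for marking the second partition unwriteable

    # Constructed damage: a lab user scribbles over the live partition.
    printf 'garbage' | dd of="$live" bs=1 seek=1000 conv=notrunc 2>/dev/null
    matches "$golden" "$live" && { rm -rf "$dir"; return 1; } # must be detected

    clone "$golden" "$live"; rc=$?    # restore: same command, arguments swapped
    rm -rf "$dir"
    return $rc
}

demo && echo "live image restored and verified against golden copy"
```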