Configuring linux bootup and behavior

Post by Key » Wed, 25 Oct 2000 08:57:44



I work for a school that has just installed a big Windows NT Terminal
Server (4.0.) All the computers around the school (including Macs, PCs,
and NetStation (these are TV type cable boxes that are based on Acorn
system)) have been set up to run a program called "Citrix ICA Client"
which basically allows the user to log into the WindowsNT server and have
a session (this is just like logging into a linux box remotely using X
windows etc.)

Now, the problem is the computers in the library are very old and are
currently running the ICA Client on top of Windows 3.x which makes
everything very very sluggish. So we have decided to install linux on all
these machines and run the linux ICA Client on them. However, we need to
configure the system so that:

- When the system boots up it should, if possible without requesting a
login, run the ICA Client (which automatically brings up the WindowsNT
login screen.)

- When the user quits the ICA Client, the program should be restarted
(showing the login screen again) automatically.

- A user should not ever be able to reach the command line. But an
administrator should be able to, say, get access to another run-level
where he/she gets a login prompt and then a shell.

- The linux system should be cut down to the bare essentials, that is,
core system, network, and graphical support for the ICA Client.

I need some help in understanding what needs to be running/loaded for the
graphical interface to be available? In my full installation of RedHat 7.0
if I run the ICA Client from run-level 3, I get a "Can't open display"
error. Running the program from within Gnome (in run-level 5) however runs
the program great. Now how can I avoid Gnome being visible and accessible?
Is it possible to load up the graphical support (X server?) and then just
run the ICA Client from the command line?

I've kind of understood how to control the boot up process using the
symbolic link files in the rc.d folder. But do I need to write a script to
run the ICA Client or just make a link to it?

Any help would be very much appreciated, thank you,
Keyk

 
 
 

Post by Rob Ristro » Sun, 31 Dec 1899 09:00:00


I think you will find it very hard to prevent the students from being
able to reach some kind of prompt.  You can make it a little hard for
them, but the smart ones will figure it out anyway.

I would simply create a user "student", and let the machine boot up
without X windows automatically started.  Post a small sign on the
machine telling the users to login as "student", with whatever
password you give it; the student account can run startx in .login and
then run the citrix client as the last command in .xinitrc, as if it
was your window manager; thus when you exit the citrix client X will
exit.

The students will figure out how to root the machine, and how to
reboot and type "linux single" at the LILO prompt, and other ways of
using the machine.  I would advise not going down the path of patching
the various exploits that the kids will come up with.  Instead, just
acknowledge that it can be done, and take the fun out of it.  

But you should make some attempt at protection against people running
a fake screen that will look like the citrix client and capture
passwords.  A weak way to do this would be to make an easy way to
completely re-install the system (say have a disk image that you can
restore from) and do this automatically on a regular basis.  If you
can make it work, try making a bootable CD out of the linux
installation you settle on, and leave the machines with no harddrive
at all, and have them reboot with each login/logout.  (Do the machines
have enough memory to run X and the citrix client without swapping ?)

Just a few thoughts.

--Rob


 
 
 

Post by Nick Bisho » Fri, 27 Oct 2000 11:52:56




> I think you will find it very hard to prevent the students from being
> able to reach some kind of prompt.  You can make it a little hard for
> them, but the smart ones will figure it out anyway.

> I would simply create a user "student", and let the machine boot up
> without X windows automatically started.  Post a small sign on the
> machine telling the users to login as "student", with whatever
> password you give it; the student account can run startx in .login and
> then run the citrix client as the last command in .xinitrc, as if it
> was your window manager; thus when you exit the citrix client X will
> exit.

Additional protection: run a restricted shell, e.g. /bin/rsh.  In most
decent shells, you just create a symlink to it with a name of r*sh, and
if it is called that way, it will implement a range of restrictions.
Read the man page for sh(1) or bash(1).

> The students will figure out how to root the machine, and how to
> reboot and type "linux single" at the LILO prompt, and other ways of
> using the machine.  I would advise not going down the path of patching
> the various exploits that the kids will come up with.  Instead, just
> acknowledge that it can be done, and take the fun out of it.

You could put in a zero or very small timeout on the boot: prompt.  If a
zero timeout, then you have ready a rescue system that you use to boot
from.

> But you should make some attempt at protection against people running
> a fake screen that will look like the citrix client and capture
> passwords.  A weak way to do this would be to make an easy way to
> completely re-install the system (say have a disk image that you can
> restore from) and do this automatically on a regular basis.  If you
> can make it work, try making a bootable CD out of the linux
> installation you settle on, and leave the machines with no harddrive
> at all, and have them reboot with each login/logout.  (Do the machines
> have enough memory to run X and the citrix client without swapping ?)

You can still have a hard disk, just make it into one giant swap area.
Ensure you can't boot it.

What about write access to /var/log/messages ?????

> Just a few thoughts.

Some more thoughts:
1. Because these machines are on a network, you can have a very small
disk partition that boots, wipes out a 2nd disk partition, mounts an NFS
disk somewhere, and
gunzip -c /network/somewhere/library.tar.gz | tar xvf -
into the second disk partition.

2. I think it's a good idea to HALT (NOT reboot) the system upon exit
from the ICA client, to force the next user to reboot - this will
prevent any fake screen pranks.

3. Is it possible to run the ICA startup from the boot scripts (the
script should /bin/su -c the_citrix_client  student  citrix arguments)?
Then you need a rescue system to do work on it.

--
Nick Bishop
-----
REAL! A newsgroup called alt.os.windows95.crash.crash.crash
-oOo-
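
The thread's concern about parameters typed at the LILO prompt, and the suggestion of a zero or very small timeout, can be checked mechanically. The script below is an added example, not part of any post in this thread; it goes beyond the posts by also checking LILO's `password` and `restricted` options, and `MAX_TIMEOUT`, the function names and the sample configs are assumptions.

```shell
#!/bin/sh
# Added example: audit the global section of a lilo.conf for boot-prompt exposure.
# MAX_TIMEOUT is an assumed site policy; LILO counts timeout in tenths of a second.
MAX_TIMEOUT=${MAX_TIMEOUT:-10}

# Print a global option's value ("set" for bare flags); print nothing if absent.
lilo_global() {  # $1 = file, $2 = option name
    awk -v key="$2" '
        { line = $0; sub(/#.*/, "", line); gsub(/[ \t]/, "", line) }
        line ~ /^(image|other)=/  { exit }
        line == key               { print "set"; exit }
        index(line, key "=") == 1 { print substr(line, length(key) + 2); exit }
    ' "$1"
}

# Print one FINDING line per problem; return 0 when clean, 1 otherwise.
audit_lilo() {  # $1 = path to lilo.conf
    bad=0
    timeout=$(lilo_global "$1" timeout)
    if [ -n "$(lilo_global "$1" prompt)" ] && [ -z "$timeout" ]; then
        echo "FINDING: prompt without timeout waits at boot: indefinitely"; bad=1
    elif [ -n "$timeout" ] && [ "$timeout" -gt "$MAX_TIMEOUT" ]; then
        echo "FINDING: timeout=$timeout is above $MAX_TIMEOUT tenths of a second"; bad=1
    fi
    if [ -z "$(lilo_global "$1" password)" ]; then
        echo "FINDING: no password=, so parameters typed at boot: are accepted from anyone"; bad=1
    elif [ -z "$(lilo_global "$1" restricted)" ]; then
        echo "NOTE: password without restricted is asked on every boot (no unattended start)"
    fi
    return "$bad"
}

# Constructed sample configs, not from the thread; the password is a placeholder.
sample_dir=$(mktemp -d)
cat > "$sample_dir/weak.conf" <<'EOF'
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
EOF
cat > "$sample_dir/hardened.conf" <<'EOF'
prompt
timeout=5
password=PLACEHOLDER
restricted
image=/boot/vmlinuz
    label=linux
EOF
for f in weak hardened; do echo "== $f.conf"; audit_lilo "$sample_dir/$f.conf" || true; done
```

LILO stores the password in clear text, so a lilo.conf that carries one should be readable by root only.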


 
 
 

1. Strange behaviour at bootup

Hi.  I'm currently working on a redhat system that has a couple of strange
errors.  Every time it boots up it displays a whole load of random characters
although it works fine.  Sort of like.

Starting Serice A... ^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~
^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~
^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~

Starting Service B...^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~
^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~^[[6~

And so on.  When it gets to login it displays about 20 lines of the above
characters and the terminal won't accept any input.  However I can do an
Alt-F2 and login fine on TTY2.  After which the system appears to run fine.
The characters I've written above are the exact ones that are printed out.  
Would anyone know what is causing this?

Thanks
--Steve
