Forgot your password?
typodupeerror
Java Ubuntu Linux

Ask Slashdot: Ubuntu Lockdown Options? 387

Posted by samzenpus
from the no-internet-for-you dept.
First time accepted submitter clava writes "We have a desktop Java testing application that is going to be administering tests to students on lab computers running Ubuntu 10.x. These computers are used by the students for other purposes and we're not allowed to create special users or change the OS configuration. When the testing app is launched, we need to restrict users from exiting the app so they can't do things like search the internet for answers or use other applications. Is there a good way to put an Ubuntu machine in kiosk mode or something via our application and have exiting kiosk mode be password protected? Any ideas are appreciated."
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Ubuntu Lockdown Options?

Comments Filter:
  • by Anonymous Coward on Wednesday December 07, 2011 @07:29PM (#38297014)

    I'm afraid if you want it actually locked-down, you're pretty screwed. You can't really disable things like switching to a tty with ctrl-alt-f1 without "changing the OS configuration."

    • by Anonymous Coward on Wednesday December 07, 2011 @07:38PM (#38297134)

      Just use the default Unity desktop bundled with recent Ubuntu releases. It's so fucking unusable in every respect that malicious and benign users alike will want nothing to do with it. They'll use only the Java testing application solely to avoid having to deal with Unity.

      You'll never have to worry about them using Facebook, or adding additional users, or installing their own software. Even long-time Unity users have a whole fuck of a lot of trouble doing those things. Many just learn to accept that they never be able to.

    • by adamdoyle (1665063) on Wednesday December 07, 2011 @08:10PM (#38297514)

      If you ask me, you don't really need to prevent users from doing those things. You just need to tell they're not allowed to, and then have your java app detect if those things have occurred and then take action from there. By "take action," I mean that you could either (a) make some kind of notation in the database so that you can penalize them, or (b) send an SMS message or email or something to the test administrator to alert them of the situation so that they can walk over and determine if the student is attempting to cheat.

      • oops, left out a word:

        *You just need to tell them they're not allowed to.

      • by adamdoyle (1665063) on Wednesday December 07, 2011 @09:45PM (#38298428)

        Or if you're feeling extra clever, you could straight up disable the keyboard [stackexchange.com] and rely on the mouse for selecting answers. It would have to be enabled at the beginning for the user to enter his or her credentials, but then you could disable it during the actual test (there's no way to exit fullscreen with only a mouse), and then re-enable it upon completion. The site I linked to explains how to both enable and disable the entire keyboard programmatically. The linked site produces a shell script... In Java, you could run that shell script with: Process.Start(@"./scriptname.sh").

        • by tepples (727027) <tepples AT gmail DOT com> on Wednesday December 07, 2011 @11:37PM (#38299218) Homepage Journal

          you could straight up disable the keyboard and rely on the mouse for selecting answers.

          Which doesn't help in cases of 1. answers that aren't multiple choice, or 2. having to accommodate people with mobility impairments where limitation to a mouse imposes an undue hardship.

          • by ktappe (747125) on Thursday December 08, 2011 @01:17AM (#38299792)

            you could straight up disable the keyboard and rely on the mouse for selecting answers.

            Which doesn't help in cases of 1. answers that aren't multiple choice, or 2. having to accommodate people with mobility impairments where limitation to a mouse imposes an undue hardship.

            Be fair, the restrictions on the implementation are severe: No OS mods one can kind of understand but you also can't create even a "testtaker" user account? As an OS deployment engineer I appreciate the former but I can't think of any justification for the latter.

            Anyway, given these handcuffs, a multiple-choice test will just have to do I think. And believe me, you can make some pretty darn hard multiple-choice exams. Go try to get MS or Apple certified some time. 80 adaptive multiple choice questions that nobody is going to do well at unless they studied hard and/or know their stuff.

      • here's another ridiculous idea:
        watch them..
        from behind!

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      This can be done.

      1. Insert a Windows 7 CD, format the drive, install the Windows 7 operating system. Via group policies and TweakUI, disable all settings and applications that you don't want users to access.

      2. Take the Ubuntu CD and place it on the desk next the computer.

      3. Place hot beverage of choice on Ubuntu CD, which will now be reffered to as the "coaster".

      4. Proceed with Java tests.

      • Hmmm... installing a whole 'nother OS is a neat way of sidestepping the 'not changing OS configuration.' Oh, wait! Troll sensor peaking.
      • by mirix (1649853)

        That would violate the 'no new user accounts or OS configuration' rule. troll harder.

    • by lorenlal (164133)

      I can think of one way without changing the OS configuration, setup the DNS for those systems to only return the addresses you want, and remove the root hints during the exam.

    • by c++0xFF (1758032) on Wednesday December 07, 2011 @08:47PM (#38297954)

      Disabling TTY switching is a pretty simple change, though, and won't affect the general use of the system.

      In fact, you might as well use this to your advantage: start up a new X server instance, but don't start up the window manager. Run your java app in this server.

      Now all a student can do is take the test -- there's no way to do anything besides take the test unless they can switch using ctrl-alt-F*, which has been disabled.

      That's as near to a "kiosk mode" as I can figure.

      • Seriously, this is the best answer I have read here so far. It is simple and elegant. No booting custom images, whitelisting sites, or any of that.

        Also, gotta love that half of the answers are: just give a different test, who cares about cheating, just install a different operating system, just fail anyone who cheats, yada yada yada. Why do so many Slashdotters always feel like the best answer to a question is "you're doing it wrong"? Sheesh.

        • by pavon (30274) on Wednesday December 07, 2011 @10:20PM (#38298684)

          This is exactly the solution I would have proposed, except it goes against the users requirements.

          Disabling TTY access requires changes to the OS configuration which he is not allowed to make. Furthermore in Ubuntu, you can't just kill the current X session and start a new one from the command line with the application as the window manager, because it will helpfully restart X when it crashes (or is intentionally killed). You would either need to create a special user whose default WM is the application you want to run, or you would need to reconfigure the OS graphical login settings, neither of which he is allowed to do.

          User applications are intentionally prevented from locking down a machine, otherwise any old piece of malware could do so. The only way to really lock it down to modify the OS configuration. That is why all the other answers are suggesting round-about ways to achieve the same goal. IMHO adamdoyle [slashdot.org]'s is the best.

          • by jrumney (197329) on Thursday December 08, 2011 @01:42AM (#38299890) Homepage

            Furthermore in Ubuntu, you can't just kill the current X session and start a new one from the command line with the application as the window manager.

            Why not?

            sudo service gdm stop; Xorg -sp security.policy & kiosk-mode-test-program

            Probably if you spend more than the two seconds I did thinking about this you can find a more robust version perhaps involving a custom gdm configuration that can restart the X server if the user logs out prematurely etc.

        • Re:MOD PARENT UP (Score:5, Insightful)

          by germansausage (682057) on Wednesday December 07, 2011 @10:29PM (#38298740)
          "Why do so many Slashdotters always feel like the best answer to a question is "you're doing it wrong"?"

          This happens everywhere on the internets where you ask a question. Ask a Microsoft support website how to do something that "should" be possible, but isn't. (Can't think of an example now) You'll get 10 answers telling you how to "work around" what you asked, and another 20 answers questioning why you or any one else would want to do this thing. What you will never ever get is even 1 person saying "Our product cannot do this thing".
      • by Vairon (17314)

        On most distributions, for security reasons, an unprivileged user cannot run an X server that uses video hardware. For example X servers that use nvidia drivers need to read and write to /dev/nvidia0 which is usually only readable and writable by root and users in the video group. He would need to place his users in the video group (not allowed) or make the X binary suid (not allowed) in order to do what you describe.

        When you install distro X at home it probably installed your 1 local non-root user in the a

      • by Windowser (191974) on Wednesday December 07, 2011 @11:26PM (#38299116)
        Not sure about Ubuntu, but this is the way to do it in Debian :
        Disable gdm
        # update-rc.d -f gdm remove

        modify /etc/rc.local, add these lines just before "exit 0"
        ** rc.local - BEGIN
        su - username -c startx
        reboot
        ** rc.local - END

        add the file /home/username/.xsession
        ** .xsession - BEGIN
        #!/bin/sh
        /path/to/script/that/start/yourapp
        ** .xsession - END

        make the .xsession executable
        # chmod u+x /home/username/.xsession
    • by ksd1337 (1029386) on Thursday December 08, 2011 @12:30AM (#38299570)
      Why not just edit the initrc and remove all the geTTYs that aren't for X?
  • Why? (Score:4, Insightful)

    by Anonymous Coward on Wednesday December 07, 2011 @07:30PM (#38297032)

    Why not let them use resources? Similar to what they will have available to them in the workforce.

    • Re:Why? (Score:4, Insightful)

      by bonch (38532) on Wednesday December 07, 2011 @07:32PM (#38297046)

      Because they're supposed to learn and internalize the concepts, not learn how to type search terms into Google or trade answers via IM.

      • Yes but why are they supposed to do that, what value does that give. Knowing how to get the information you need to accurately understand and answer the question is a very important skill to learn. If you use it regularly then you will remember it, if you don't use it regularly then you can't being able to quickly research and understand things is a very important skill.
        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Because somebody needs to provide those answers you find via Google. They don't just appear out of nowhere.

      • can pass the test and have no idea on how to use the concepts?

        • Yep, that's the idea. That's how you get so many idiot grads of top-tier schools who cram (or cheat) through ultra-hard tests but still can't use apostrophes correctly while experienced tech-level (Associate's or Military/trade school) employees are cadding complex drawings, using layout software to design and build boards, breadboarding, running Matlab simulations, writing software, and otherwise finding all of the problems that engineering should have found in the design phase.

          And from what I've seen,
    • Re:Why? (Score:5, Insightful)

      by pmgarvey (2497652) on Wednesday December 07, 2011 @07:40PM (#38297140)

      Firstly the submitter didn't say if this was a programming exam, or what it was. It could be a test on memorising the capitals of African countries.

      But more importantly is that allowing access to the internet doesn't just allow things like documentation, and other resources I might have in the workplace, but might allow me to ask my friend to email the entire solution, or even send the question to a guy in India and get the solution back for a fee. It's a comprimise between testing some memorisation and in the cases of some students, testing nothing at all.

    • Re:Why? (Score:5, Insightful)

      by LurkerXXX (667952) on Wednesday December 07, 2011 @08:13PM (#38297560)

      I guess you want that EMT to show up at your car crash to just google how to patch you up if he didn't pay attention in class. Better hope he doesn't lose signal to his cell phone.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        As an EMT, it's rarely the "patching up" that requires reference - after all, cardiology can be explained thusly - "air goes in and out; blood goes round and round; variations are bad."

        The trickier aspect is typically pharmacology - drugs people have been prescribed, known toxicity manifestations, drug interactions (polypharmacy and drug potentiation are a crapshoot when most of the public fails to understand that "diabetes" and "the sugar" are the same disorder and that, no, you cannot double a dose to mak

    • by cupantae (1304123)

      As a student with a test tomorrow, I would love if my lecturers would do this, because my tech skills would mean I'd get an advantage over most of my peers, so my score would be better.

      But really, I'm not sure if it's all its cracked up to be. I certainly don't think 60 minutes, heads down, writing furiously (which I'll have tomorrow) is the best. Especially for a maths exam. However, I know that there is a lot to be said for the ability to easily recall a lot, and to know concepts and definitions back-to-f

    • Re:Why? (Score:5, Insightful)

      by Mr. Freeman (933986) on Wednesday December 07, 2011 @10:43PM (#38298832)
      Some of my professors gave open-book exams. This allowed you to look up equations, material properties, etc. If you understood how to do all the work but were unsure of whether the last coefficient in a particular equation was positive or negative, this helped a lot. If you had no idea what you were doing then the book didn't help you at all. Brilliant exam, because in the real world you will have reference materials and you will sometimes forget things like the naiver-stokes equation.

      However, the professors wouldn't in a million years consider making these tests open-internet. The internet allows answers to be shared, which doesn't allow for testing of individual students. In addition, the internet has a lot more information than in a textbook. A student may be able to find problems almost identical to those on the exam and simply copy the answer verbatim.

      There's also a difference between being able to do your work with the assistance of a reference manual, and only being able to do your job if you have access to the internet.
  • by hawguy (1600213) on Wednesday December 07, 2011 @07:30PM (#38297034)

    Create your own custom locked down kiosk boot image and require users to boot from that? Keep in mind that users might take the boot media home with them so they'll have a copy of the test app if you store it locally (as opposed to retrieving it from a website)

    Here's an example:

    http://jacob.steelsmith.org/content/ubuntu-kiosk-based-910 [steelsmith.org]

    (I'm not vouching for this particular implementation, I just found it through a quick google search).

    • by phoenix_rizzen (256998) on Wednesday December 07, 2011 @08:23PM (#38297692)

      That's what we do. All our Linux stations boot off the network and use NFS mounts for everything. For government exams, teachers reboot the stations into "Exam Mode" which disables everything possible, launches a bare-bones X11 session with Firefox as the "WM", with all settings locked in, including an add-on that let's you specify a list of sites that are accessible, blocking access to everything else.

      Took a few iterations to get the configuration locked down completely, but there's really no better way to find the holes than watch a class of students try to break it. :)

      It's not bullet-proof, but we've made it hard enough that it's very obvious when a student is trying to break out of the box that anyone watching the lab will notice. :)

      If you can't change the OS config, you can't lock it down.

    • by qeraser (587974)
      I have this installed on 20 laptops which are locked down to only my companies web sites for credit card payments. Jacob did a great job on this.
  • LiveCD? (Score:5, Informative)

    by grahamsaa (1287732) on Wednesday December 07, 2011 @07:32PM (#38297050)
    Not sure how hard this would be to do, but it seems like it would be fairly easy to boot from a livecd/usb key. If you remove packages you don't want the end user to have access to (it's hard to browse the web for test answers if there's no browser installed) that should address at least some of your concerns. An added bonus is that if you need to repurpose the machine, or if it doesn't need to be in test mode all the time, a simple reboot could restore it to a vanilla version of the OS.
  • Chortle! (Score:5, Insightful)

    by MrBandersnatch (544818) on Wednesday December 07, 2011 @07:34PM (#38297068)

    Pull out the Ethernet connection. TADA!

    • or turn the power off to the switch. turn it back on when the test is over to upload the results. or lock down the users accounts via the internet proxy for the time the test is running. You'll then be able to see who tried to cheat by looking at the proxy logs
    • Re:Chortle! (Score:5, Informative)

      by wierd_w (1375923) on Wednesday December 07, 2011 @07:48PM (#38297248)

      Or simply don't expose it to the internet.

      Or, if it really needs to talk to the internet for some very special reason, put it behind a very configurable gateway.

      Block all traffic types except port 80 http, and then restrict which ip addresses inbound packets can come from. Tada. Can't use google. Instant 404 error.

      This won't stop them from playing uhrkan masters using the .deb they smuggled in, assuming they have the user rights to install. (Failing that they could smuggle in a binary blob version) but it would help prevent cheating.

      What I had always considered to be ideal for a kiosk system where you don't want users pwning your workstations is to use a minimalist boot kernel on a usb stick, have the workstation tftp a system image to ram, then boot that.

      This would make maintenance as easy as turning the system off, and on again, and would centralize maintenance of the system image.

      Initial bootup network activity would spike with all the clients pulling the ramdisk volumes, but you could make the actual kiosk as naked as you wanted that way. No internal hdd to hide stuff on, no optical drive, and only 1 usb port that needs the key inserted because it is the boot volume.

      If you go a bit further, and make sure the ctrl alt f1 seq can't be pressed at the hardware level from the kiosk, even better.

    • by syousef (465911)

      Pull out the Ethernet connection. TADA!

      Yep first thing I thought of was disconnect the Internet connection. Pulling each ethernet cable won't do it especially if you have LAN logins, but making the Internet unreachable should be trivial.

    • 1st result is for Ubuntu 7.4, might be irrelevant by now.
      2nd rseults starts with "modify the BIOS? then install from scratch", which he/she cleary rules out
      3rd results is about tweaking menus in gnome, which is not even Ubuntu's desktop anymore.

      Unluckily, the exams in question will probably not all be about Linux, so Google might actually be able to find relevant info ^^

  • by alsuren (947167) on Wednesday December 07, 2011 @07:44PM (#38297184)
    I'd suggest having a whitelist of allowed process names that are allowed to be running during the test as that user. If any other programs are running when the program starts, it should not allow the test to be started until those programs are shut down (add a "kill all" button for newbie users). It should also have a watchdog that polls to make sure that the system is still clean. If it finds any unwanted programs, it should give the user 10 seconds to kill them or fail the test (or require a password to ignore this process). If you can do this in the same thread as the testing program, and in such a way that you can't just attach gdb and pause execution while you google the answers, you're onto a winner.
  • Dont try to stay in one application and prevent access by this . Use iptables and apparmor to prevent everything you dont want the pupils to do. If they find a way to crash the app they are using, it will be no problem.

  • Don't try to block internet access at the local level, they'll work around it. At the firewall level whitelist specific sites and block everything else. Then even if they fire up a web browser it'll be useless.

    And simply uninstall or use user permissions to block access to unwanted applications.

    • Whoops, never mind.

      Best to inform whoever gave you the restrictions that with those restrictions you would fully expect students to work around any solutions you put in place. The restrictions themselves will give the students loopholes.

      • by muphin (842524)
        you need a tiered security structure.
        disable UI elements
        restrict permissions
        internet through proxy
        logging
  • Social Solution (Score:5, Interesting)

    by RedLeg (22564) on Wednesday December 07, 2011 @07:50PM (#38297264) Journal

    No Technology required:

    1. Announce anyone caught cheating WILL fail the course.

    2. Post exactly ONE proctor at the rear of the room. His job is to catch the FIRST cheat.

    3. The first cheat should be escorted from the room, and given the following choice: become the proctor and catch another cheat, or fail. If you catch a cheat, you may retake the test and the cheat becomes the proctor with the same choice.

    Lather, Rinse, Repeat.

    I recommend you film for future entertainment value.

    Red

    • by geekoid (135745)

      that cost more money and time. It also relies on a person being able to detect any cheat.

    • This post is full of WIN!

      • Finally - PROFIT. (Score:4, Insightful)

        by tomhudson (43916) <barbara.hudson@D ... com minus painte> on Wednesday December 07, 2011 @08:16PM (#38297590) Journal
        1. Take bribes from other students to be the first one to cheat.
        2. Blatantly cheat and get caught.
        3. Become the proctor, and ignore everyone now cheating.
        • I'm sure it was satirical. ;)

          OTOH, if you really want to pull this off, I'm sure it will work only the first time. You can also profit by giving your customers the info they need on the exam.

          Btw, is it Tom, Barbara, or both?

          • by RedLeg (22564)

            I'm sure it was satirical. ;)

            Actually, it was not.

            It's a modified version of a time honored traditional technique I learned while serving in the US Army.

            If an instructor caught you nodding off in a class, he would wake you up, put a tear gas grenade in your hand and pull the pin. Your primary mission at that point became catching another troop going to sleep so you could pass the grenade.

            Amazing what a live grenade in your hand will do to to keep you alert and focused......

            Red

    • Each person caught cheating would have incentive to dob someone else in whether or not they cheat. You would HAVE to tape it just to prove the person actually cheated. It would also be a huge distraction to have people pulled out of the test. If the lab is designed correctly, it should be trivial to make the Internet unreachable. If not, fix it and you're good to go for all future exams.

      However all this is a waste of time - all you're testing here is memorisation skills. If that's what you need to test, fin

  • by Krishnoid (984597) * on Wednesday December 07, 2011 @07:51PM (#38297270) Journal
    KDE has had a kiosk mode [kde.org] for quite a while, leading me to believe it's quite mature by now. It even has a GUI setup tool.
  • by drinkypoo (153816) <martin.espinoza@gmail.com> on Wednesday December 07, 2011 @07:52PM (#38297288) Homepage Journal

    LTSP has support for some lockdown options, and Ubuntu has support for LTSP. It's meant for running classrooms. You can netboot the clients into LTSP when you want to do an exam, and they can run their own install the rest of the time.

  • "Lockdown" or "Kiosk" or any of the other terms are simply shorthand ways of referring to sets of system modifications. If you can't modify the OS configuration, or even create new limited users, about the worst you can do is have your application do something annoying like constantly re-grabbing focus if it detects that it has lost focus, or other horrid little WM-nuisance tricks...

    You pretty much have two options:

    1. Lean on/buy beer for/be real nice to/go over the heads of/whatever it takes the IT s
  • the network drivers.
    disable the network in the bios.
    log everything moving through the network.

    I mean, really.

    • Remove the network cables, or remove access at the firewall.

      That is the ONLY way to remove their internet access without changing the OS configuration that will work. By the way, have I said that it is a stupid requirement to change the way the OS works without changing the OS configuration?

  • If you're not going to supervise them, then it doesn't matter how tightly you lock down their computers since they'll just use google/IM from their phones instead.

    If you're supervising them closely enough to know that they aren't typing on a phone on their lap, then you should be able to see if they are running a web browser.

  • by Red Storm (4772) on Wednesday December 07, 2011 @08:10PM (#38297518)

    If you're worried about a user jumping out of your app and then searching the Internet, and you're in a a testing setting, you should be looking at a wholistic approach.

    Your students will break your application, it's only a matter of time. Use other approaches to make this a useless option.

    1) Don't allow any Internet access from the network layer, at all, this includes DNS servers. Ideally your systems should be on a completely disconnected network, meaning there are absolutely no external network connections.

    2) Use SELinux to lock down your system. SELinux uses a mandatory permissions model, meaning you *must* be granted permission to be able to do anything.

    3) Lock down alternative means of cheating. Cell phones, paper notes and so forth.

    4) Follow through with punishing cheating in an appropriate manner.

    5) Listen to the feedback of your users (Instructors and Students). This may seem counter intuitive, but it can help you build a better system.

  • Why don't you setup a VM on each machine that is locked down?

    • by hawguy (1600213)

      Why don't you setup a VM on each machine that is locked down?

      Even if the VM itself is perfectly locked down, what's to stop the test taker from escaping back to the host operating system and running a browser there?

      • by c++0xFF (1758032)

        You run the VM in another VM, of course.

        VMception, it's VM's all the way down, and all that.

  • Fundamentally, you're trying for the impossible: you are trying to use the app to control the window manager.
    This is a bit like google trying to stop you closing a browser window!

    BUT: If your test happens to be multiple-choice, you could consider making the app run full-screen maximised (windowless), and then unplugging the keyboard. That would work.

    [My dept has some computer systems designed for tracking who is present in the buidling; they solve the lockdown problem with a special keyboard that has only a

    • Actually, an easier way to fix this (that will go away on reboot) is:
      1. Student logs in as normal, opens the test app.
      2. You SSH in and kill -9 the window-manager.
      3. Result: your test app is running full-screen, and there is no way to exit.

      To restart the WM, you would need a shell, or Alt-F2 [and the latter is usually a feature of the WM]. There is a neater way to make this all happen if you write a shell-script. Create a desktop startup script that does something like:
      #!/bin/bash

  • by Cobble (1116971) on Wednesday December 07, 2011 @08:24PM (#38297706)
    You're looking for a technological solution to a pedagogical problem. Redesign the questions and let them have all the Internet access they want.
  • I had to take a drivers ed course a while back.. I decided to do it online.. what they did that worked pretty well.. they allowed 3 warnings..warnings went off when the window lost focus and between that and random questions like what was the color of the car in the last section(another warning) they pretty much locked down the test.

    You could maximize the window and tell them if they lose focus on the window (do anything else, open any other programs, surf the web, etc..) they fail the test. Have the app
  • keep track of the window and the time and tell the students it's being tracked. If they switch tasks or change the windows size during the test at any time, it will be logged and they'll lose 10% for each minute of the infraction.

    Another option is to disable the network(ipdown?) for the duration of the test and test for it during the exam. if it comes up at any time, shut it down and log it and the processes running to see if a browser or some user action caused it.

    LoB
  • by B5_geek (638928) on Wednesday December 07, 2011 @08:45PM (#38297932)

    0) install Fluxbox
    1) edit the keys file and remove the right-click option (disable the other hotkeys too)
    2) have firefox set to launch at startup
    3) use the firefox addon 'Kiosk mode' and edit settings

    That should protect you against most undesired activity.

  • by SJ2000 (1128057)
    This Ask Slashdot is a good illustration of what I said later on in this comment [slashdot.org]
  • Install the KDE Desktop (Kubuntu) then use the Kiosk Admin Tool [kde.org].

  • by KeithIrwin (243301) on Thursday December 08, 2011 @12:47AM (#38299656)

    Someone asked a very similar question on Stack Overflow. It's here [stackoverflow.com]. The short version is: if you're running KDE and can change the window manager configuration, no problem. If you can change which window manager, then sure. (Also, the previous "yank the ethernet cable" or "boot off of live CD/USB" suggestions are quite reasonable. However, it is possible to handle most of it in the application using JNI to write X-Windows code which will capture most all keystrokes. It doesn't get ctrl-alt-backspace, but it appears to get prevent most of the rest.

  • by PhilipJLewis (104782) on Thursday December 08, 2011 @05:15AM (#38300702)

    I worked on this project for a Primary school. It's worked well for >2 years for 120 pupils.
    http://linuxcentre.net/wiki/ [linuxcentre.net]
    The parts about automatically resetting the homedir after reboot is probably of interest to you.
    http://linuxcentre.net/wiki/index.php/Detailed_Maverick_Meerkat_OS_Netbook_Customisation [linuxcentre.net] below Home_Directory_Synchronisation

To err is human -- to blame it on a computer is even more so.

Working...