6

This is a theoretical scenario that has come up as part of another question:

  • I have x Ubuntu desktops with x users.
  • Users don't have sudo privs
  • I can let them install things through the software center by editing the Policy Kit rules
  • But that would let them install anything (inc games) which is not desirable.

I'm wondering if there's a hack that would be able to limit what sorts of things a user can install.

Packages have a "section" (eg games) so I was wondering if it would be possible to force apt to ignore a whole section of packages. Or perhaps a way of setting up an Apt proxy that does this filtering. Changes can be global (eg even somebody with sudo privs won't be able to install games).

Any ideas welcome.


Before you leave a comment telling me people could just bring their own debs with them, or download tars from the Internet and run them that way, please remember this is a theoretical situation.

If it means you'll focus on the question, pretend that my users aren't allowed USB mounts, can't execute things in ~/ and don't have write permissions outside their home. It's locked down. And yes, all of that can be done.

Oli
  • 293,335
  • 11.10 I assume? Also have a look at /etc/apt/preferences and /etc/apt/preferences.d/. You can pin packages here (but cannot use wildcards or sections... so you would need to add them all...). http://manpages.ubuntu.com/manpages/oneiric/man5/apt_preferences.5.html – Rinzwind Dec 16 '11 at 12:58
  • 2
    Finally, a user could use much software without installing by simply downloading the tarball and compiling it. So if you want the user not to USE a specific software this won't help you finally. – Michael K Dec 16 '11 at 13:36
  • To my knowledge, unless you use custom sources, there is no way to do this. – RolandiXor Dec 16 '11 at 13:49
  • @MichaelK Play along! Let's imagine that there's a super-harsh web filter in place that stops people downloading anything that isn't a straight webpage or comes from apt. And disallows USB media. – Oli Dec 16 '11 at 14:52
  • Which makes the computer very useful as the guests of your internet cafe or whatever can only surf web pages and not use their own data / usb sticks etc. A good user will always find a way to fool that. As soon as you allow me to open a secured connection I can set up a tunnel to my home computer and bypass your web filter. And if you disallow that access many websites become unusable if they require https. A friend of mine had such a problem once and we tunneled data through port 80 via my server, but as a secure connection. It worked. – Michael K Dec 16 '11 at 15:04
  • It's definitely possible - somehow. At our university, we were able to install stuff from a list of available software, but I don't know any details and it was all command line (like install --list-all, install <stuff>). It probably didn't use any repositories, though. – htorque Dec 17 '11 at 01:52
  • Does it matter the method of installation, can a different package manager be suggested? – Bruno Pereira Dec 21 '11 at 11:48
  • @BrunoPereira I would prefer this to be about apt and making standard tools behave the way you want. – Oli Dec 23 '11 at 11:36

1 Answer

1

I think you should consider the following:

  1. Create your own custom APT Repository using info from here for example but there are a few more out there.
  2. Sync only what you want users to see
  3. Change your users' desktop source lists to this repository

At this point your users should only see what you want them to see. You might also have to do some fancy footwork with firewalls to disable access to default Ubuntu sources so that your users don't add them as custom sources and start downloading stuff on their own.

Karlson
  • 1,619
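
The "sync only what you want" step, combined with the question's idea of filtering on the package "section", as an added example that is not part of the original answer: Python that drops every stanza in a blocked section from a repository `Packages` index. The sample index, the `BLOCKED_SECTIONS` denylist and all function names are assumptions made for this example.

```python
"""Drop blocked sections from a Debian 'Packages' index (added example)."""

BLOCKED_SECTIONS = {"games"}  # assumption: denylist chosen for this example

# Constructed sample in the stanza format APT uses for 'Packages' files.
SAMPLE_INDEX = """\
Package: vim
Version: 2:7.3.154
Section: editors
Description: Vi IMproved - enhanced vi editor
 Continuation lines of a field are indented.

Package: supertux
Section: universe/games
Description: Classic 2D jump 'n run sidescroller

Package: gnome-sudoku
Section: games

Package: nosection
Version: 1.0
"""

def parse_stanzas(text):
    """Yield (fields, raw_stanza) for each blank-line-separated stanza."""
    for raw in text.strip().split("\n\n"):
        fields, key = {}, None
        for line in raw.splitlines():
            if line[:1] in (" ", "\t") and key:  # continuation of previous field
                fields[key] += "\n" + line
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if fields:
            yield fields, raw

def section_name(fields):
    """Strip a component prefix: 'universe/games' -> 'games'."""
    return fields.get("Section", "").rsplit("/", 1)[-1].lower()

def filter_index(text, blocked=BLOCKED_SECTIONS, allow_missing=False):
    """Return (filtered_index_text, dropped_package_names); fails closed."""
    kept, dropped = [], []
    for fields, raw in parse_stanzas(text):
        sec = section_name(fields)
        if sec in blocked or (not sec and not allow_missing):
            dropped.append(fields.get("Package", "?"))
        else:
            kept.append(raw)
    return "\n\n".join(kept) + "\n", dropped
```

Clients verify `Packages` against the signed `Release` file, so a filtered index has to be re-hashed into `Release` and signed with the repository's own key. The corresponding .deb files should also be left out of the mirror so the blocked packages cannot be fetched by direct URL.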