The unbreakable Linux Desktop

A common need I find myself fulling is setting up a desktop that lasts forever without maintenance.  Ubuntu Linux doesn’t suffer from outside attacks generally (virus’s and such) but a 6 year old user is another story.  What we need is a desktop that limits user access while still allowing users to save documents and get work done.  The following things need done

  • Lock display appearance (theme, fonts, shortcuts, etc)
  • Filter Internet
  • Fully automatic updates

OK so obviously don’t give them root access, duh.  I’ve made a script to lock down the gnome’s appearance menu, gnome panel, desktop icons.
# Don't allow gnome appearance properties
sudo chmod 744 /usr/bin/gnome-appearance-properties
# Don't let users mess with the desktop
chmod -R -w Desktop/
# Don't let users mess with the panel
gconftool-2 --type bool --set /apps/panel/global/locked_down true

No more children changing the font size to 96pt!!  For filtering the Internet, I use Procon Latte, a firefox addon.  Procon works by looking at websites for bad words and blocking offending sites.  Now many computers need to access job sites which sometimes say something like Must be 18 years old to…  Yes that’s the same phrase used in many porn sites so it’s best to edit procon’s blacklist and remove phrases like that.  Also giving the administrator the password to procon and showing them out to put web sites on a whitelist is a must.  I try to stay away from installing wine too because of all the garbage users might attempt to install.

Ok locked down, now for updates.  Since the user doesn’t have admin rights they can run updates themselves.  The admin is too busy so forget that.  Ubuntu has an option for automatic updates, but it really means only security updates.  So I put this into cron.  At a terminal type sudo crontab -e  If you don’t know what vi or emacs are just press 3 for nano.  Now enter

0 3 * * * aptitude -y update && aptitude -y upgrade && aptitude -y dist-upgrade && aptitude -y autoclean

This runs truly automatic updates at 3am every night.  I would just disable automatic updates in software sources to keep it from annoying the user now.  Of course this only works while your ubuntu version is supported.  I suggest using LTS versions that are supported longer.  Usually an out of date configuration is the norm anyways so if you can’t come back to update, it’s probably fine.

By David

I am a supporter of free software and run Burke Software and Consulting LLC. I am always looking for contract work especially for non-profits and open source projects. Open Source Contributions I maintain a number of Django related projects including GlitchTip, Passit, and django-report-builder. You can view my work on gitlab. Academic papers Incorporating Gaming in Software Engineering Projects: Case of RMU Monopoly in the Journal of Systemics, Cybernetics and Informatics (2008)


  1. 2 quick questions:

    What’s to stop the Firefox user from running the browser in Safe Mode and thus simply uninstalling the addon?

    What’s to stop the user from simply running sudo “commandxxx+arguments etc” to modify permissions? Alternatively, it’s as simply as running “adduser username admin” to gain sudo rights in the first place since it modifies the /etc/group file.


  2. Also, gksudo kinds of defeats the purpose of locking down the user’s rights to modify, well, anything with a GUI if they don’t feel like changing the permissions. What kinds of users are you running these scripts on?


    1. That’s a good point about running firefox in safe mode, didn’t think about that. Any of those sudo commands aren’t an issue since the end user won’t know sudo password. I generally deploy machines for non profits where only the owner knows the sudo password. We could also have 2 users, one limited, but I just have one with auto-login. Adding a user also requires root access.

      My biggest fear would be that someone rm -rf’s the home folder. I’m still looking for an easy way to get around this. So far it’s never happened probably because no user I deal with knows terminal commands nor is malicious enough. Kids generally just do things they think are funny. I would be concerned however if say this was deployed in a high school.


Leave a comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: