Thanks,...
What I've decided is that the setup script needs to create a single user on each MD (named for the Moon[n] of that MD,... Like; Moon[n]_xtermuser), and give that user rights on the sudoers list on each MD so as not to interfere with any accounts currently used by the system.
I might have some prelim test script work done by the end of this weekend. Just a "hard-coded" launcher script, maybe a "hard-coded" user setup script as well... Full scripts will have to include sql queries to the database to get the necessary system information to do an automated setup. So, I have to learn that.
I don't know what to do about the tty terminals,... I think, though, that it should be a separate, optional piece to secure them... It doesn't make sense to limit user authority on a windowed xterm, and leave the the ability to get a tty as root (by default) hanging in the wind with a simple Alt-Ctrl-F[n]. It should be theoretically possible to limit local access to tty's while allowing access through ssh from the server. From what I've read, ssh-ing into a machine that's had its local tty access restricted is not affected, since authentication happens before hand, and that mechanism bypasses the normal restrictions imposed in the /etc/securetty file... but that'll be something to experiment with. If it's a separate piece to secure the tty's, it gives the admin the decision on how much to restrict the system, based on their own requirements. It would be a simple process to "undo" the tty access restriction by replacing the /etc/securetty file with the original, should someone need to reverse it. Future refinements could allow the admin to decide WHICH MDs to restrict in this way...
Otherwise, it should be simple to cause xterm to launch as a particular user. All that's left is to create a script that sets up the users on each MD (including a hybrid Core's on-screen Orbiter), sets the limited user environment, xterm configuration, sudo permissions for them, create a device profile for the "app" (script really) that launches xterm -ls, and make some sort of change to the main menu to assign/reserve it a hotkey. ... Oh, and eventually, to create a mechanism for turning this on (& configuring?!) it in the Web Admin,... Turns out getting xterm to launch in a more secure way is the easy part,... Devil's in the details...
There are two paths for user configuration that I can take,... the easier one being to require the user to set the password for the Moon[n]_xtermuser for each MD on first login with xterm... The second is to pre-define it,... but that would (eventually) require a Web Admin config screen... I think I'll take the easy road for now. If pre-configuration is desirable, that could be a ver. 2.0 thing.
One question remains,... I have a net installed 1004 system...
By default, if I drop to a tty on my Core, I'm presented with a login prompt that allows me to logins as the original user I created with the Kubuntu install. Does the DVD install create such a user,... or does it default to a password-less root like the MDs have??
Oops,... I realized I have a second question,... It came up while I was researching xterm use with ssh, and might (though unlikely) impact some aspect of how this would work...
Is ssh forwarding allowed on the LinuxMCE system by default?
