I am trying to setup an account for my kid on my Fedora 38 desktop and want to try and lock down her account, disable some applications (or at least access to them). I was wondering if anyone had some good ways of locking down accounts for a kids profile.
Ya but the issue is i dont use flatpacks so i dont have the same level of security as that.
You can hide apps with alacarte, assuming that you don’t need strong restrictions.
Keep in mind that the complexity of the measures taken should be proportional to the level of knowledge of the user and his desire to bypass them, but it is still problematic to restrict a technically advanced user that has physical access to the device.
So the easiest solution really is to install Flatpak apps only, also because even when installing them systemwide, the apps are all in one directory so you dont accidentally deny permissions for curl or anything.
But afaik you could also restrict the new user account from even reading the applications executables, and needing to use Flatpaks for example. This would be easy.
OR, you manually make some apps readable and others not.
Answer in a Forum explaining different methods
If you want to “prevent an installed application from being used by other users” (other than yourself and root), just protect it 700 (or 500), as Jarmund’s answer says. This won’t stop root, but you say, “if root user will [break] it – it doesn’t matter.” I’m not clear on your position regarding “other users”. You say, “I want to prevent other users … from using an application that I have installed.” Does this mean
- You don’t want anybody else to be able to run the program. It’s OK if this is enforced by a password (which nobody but you would know).
- You want selected other users to be able to run the program. You are willing to authorize the selected users by telling them the password.
- You want selected other users to be able to run the program. You specifically want to authorize the selected users by telling them a password.
If it’s the first bullet, it’s probably easiest to just chmod the executable and live with the fact that that root will be able to bypass that protection.
If it’s the second bullet, check whether your system has ACLs. If it does, set up an access control list that allows only your chosen users to execute the file. Of course this won’t stop root either.
If it’s the third bullet — you specifically want to use a password (or if denying access to root is really important to you) — encryption is the way to go. Encrypt your executable with a password, delete the unencrypted program from the system, and tell the password to your friends.
For example, if your program is called myprog, you could do
openssl aes-256-cbc -e -in myprog -out mycode
which will ask you for an encryption password (twice) and then write an encrypted copy of your program to mycode. (You can leave out the -e (encrypt); it’s the default.) You could then write a script like this:
#!/bin/sh
clear_prog=$(mktemp)
chmod 700 "$clear_prog"
openssl aes-256-cbc -d -in /path/to/mycode -out "$clear_prog"
"$clear_prog" "$@"
rm "$clear_prog"
(using -d to decrypt.) There’s still a risk that root could make a copy of your program when somebody decrypts it.
An easy idea, just block some apps:
groupadd parent
usermod -aG parent $USER
sudo chown :parent /usr/bin/firefox /usr/bin/freetube #whatever
sudo chmod 770 /usr/bin/firefox /usr/bin/freetube #whatever
Not sure about the 770 here.
Also be clear that as long as anyone can boot a USB stick on that PC, this is easy to bypass. But maybe you want to teach your kid how to do that? XD Otherwise, lock the BIOS and boot order, prevent booting from USB. But if they cant use a flash app or DD, I dont know if this would make any sense.
you may encrypt the partitions to prevent your kid (or anybody) to access your partition from booting with USB stick, this is the guide.
1 Like
But they could still modify their account, right? Or is that also protected?
Also, tested in a VM, a new unprivileged user can install Flatpaks??? They are not in the flatpak group. Weird, this is the polkit rule:
➤ cat /usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules
polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.Flatpak.app-install" ||
action.id == "org.freedesktop.Flatpak.runtime-install"||
action.id == "org.freedesktop.Flatpak.app-uninstall" ||
action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
action.id == "org.freedesktop.Flatpak.modify-repo") &&
subject.active == true && subject.local == true &&
subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
return polkit.Result.NOT_HANDLED;
});
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.Flatpak.override-parental-controls") {
return polkit.Result.AUTH_ADMIN;
}
return polkit.Result.NOT_HANDLED;
});
no they can’t, they must decrypt the partition to access the system configurations or files in the partition, which is they need the key to decrypt it. Personally I’ve made the full disk encryption (FDE) for my laptops, in case to prevent someone stealing my data.
yes me too, on Setup. But that means they cant turn on the PCs, which is kinda weird. There is a per-user encryption going somewhere, which would fit that better, maybe.
But still, a Bios can use a password and boot order can be locked. USB boot can often be disabled. Thats the best way. Also UEFI can be enforced on many UEFI systems so the number or hacky distros you can boot is lower.
Oh sorry I forget one thing, my laptop is only me can access. When booting the system needs the key to open, means your kids know the key to decrypt the partition). You may activate the TPM to boot the system automatically without the key, I don’t have experience to do that yet.