File Access

Restricting write access to the user's home directory

Introduction

When directories on CIFS and NCP servers are accessed, they are mounted in subdirectories of the user's Linux home directory. It is not possible to place the Linux home directory itself on a CIFS or NCP server, since these typically do not support the necessary POSIX file system semantics (such as hard links). In a typical setup, applications such as Mozilla use the Linux home directory for settings (~/.mozilla), while the user saves documents in ~/MyDocuments. In this case, it might be desirable to restrict access to the Linux home directory so that arbitrary files cannot be saved to it. This can be done with a ThinLinc feature called homecreatefilter.

Activation

To activate homecreatefilter, create a symbolic link in the xstartup.d directory:

$ sudo ln -s /opt/thinlinc/libexec/tl-homecreatefilter.sh \
   /opt/thinlinc/etc/xstartup.d/06-tl-homecreatefilter.sh

Configuration

The configuration file /opt/thinlinc/etc/homecreatefilter.conf controls which files and directories are allowed. By default, all files starting with a dot are allowed, as well as the files necessary for KDE to start.

The configuration file is line based. A line not starting with a colon specifies a file object pattern that should be allowed. A line starting with a colon specifies a command line pattern. Processes matching this pattern will also be allowed write access, even if no file object pattern allows access.

Security Considerations and Limitations

The homecreatefilter feature is based on the LD_PRELOAD mechanism, which means it does not support statically linked applications. Since environment variables can be modified by the user, the user can disable the filter at will. homecreatefilter should not be regarded as a security mechanism, but rather a mechanism that prevents the user from saving documents to the Linux home directory by mistake.

In addition to the home directory, homecreatefilter restricts write access to the ~/Desktop directory.
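One way to see where the LD_PRELOAD limitation described above applies in practice, as an added example that is not part of ThinLinc or of the original page: it lists a user's processes whose start-up environment does not carry the filter library. The library name is not given on the page, so it is passed as an argument, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not ThinLinc code). /proc/PID/environ holds the environment a
# process was started with, which is what the dynamic loader read LD_PRELOAD
# from. Reading other users' environ files requires root.

# Print the LD_PRELOAD value from a NUL-separated environment file.
# Newlines are deleted first so that a value with an embedded newline
# cannot pose as a separate LD_PRELOAD entry.
preload_value() {
    tr -d '\n' < "$1" | tr '\000' '\n' | sed -n 's/^LD_PRELOAD=//p' | head -n 1
}

# Succeed if an LD_PRELOAD entry in environment file $1 contains substring $2.
# The loader accepts both colons and spaces as separators.
filter_preloaded() {
    preload_value "$1" | tr ': ' '\n\n' | grep -F -q -- "$2"
}

# Print "PID COMMAND" for each process of user $1 started without library $2.
unfiltered_processes() {
    user=$1
    needle=$2
    for pid in $(pgrep -u "$user"); do
        env_file=/proc/$pid/environ
        [ -r "$env_file" ] || continue   # process exited or not readable
        if filter_preloaded "$env_file" "$needle"; then
            continue
        fi
        printf '%s %s\n' "$pid" "$(tr '\000' ' ' < "/proc/$pid/cmdline")"
    done
}

# Usage: script USER LIBRARY-SUBSTRING (the library name is site-specific).
if [ $# -eq 2 ]; then
    unfiltered_processes "$1" "$2"
fi
```

Statically linked programs never load the library even when LD_PRELOAD is set, so a process absent from this list is not necessarily filtered.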