File Access
Restricting write access to user's home directory
Introduction
When directories on CIFS and NCP servers are accessed, they are mounted
in subdirectories of the user's Linux home directory. It is not possible
to place the Linux home directory on a CIFS or NCP server, since these
typically do not support the necessary POSIX file system semantics
(such as hard links). In a typical setup, applications such as Mozilla
use the Linux home directory for settings (~/.mozilla), while
the user saves documents in ~/MyDocuments. In this case, it
might be desirable to restrict access to the Linux home directory, that
is, to forbid saving arbitrary files to it. This can be solved by using a
feature of ThinLinc called homecreatefilter.
Activation
To activate homecreatefilter, create a symbolic link in the
xstartup.d directory:
$ sudo ln -s /opt/thinlinc/libexec/tl-homecreatefilter.sh \
/opt/thinlinc/etc/xstartup.d/06-tl-homecreatefilter.sh
Configuration
The configuration file /opt/thinlinc/etc/homecreatefilter.conf
controls which files and directories are allowed. By default, all files
starting with a dot are allowed, as well as the files necessary for KDE
to start.
The configuration file is line based. A line not starting with a colon specifies a file object pattern that should be allowed. A line starting with a colon specifies a command line pattern. Processes matching this pattern will also be allowed write access, even if no file object pattern allows access.
Security Considerations and Limitations
The homecreatefilter feature is based on the LD_PRELOAD mechanism, which means it does not support statically linked applications. Since environment variables can be modified by the user, the user can disable the filter at will. homecreatefilter should not be regarded as a security mechanism, but rather a mechanism that prevents the user from saving documents to the Linux home directory by mistake.
In addition to the home directory, homecreatefilter restricts write
access to the ~/Desktop directory.
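An administrator-side check for the limitations described above, as an added example that is not part of ThinLinc: it confirms that the activation symlink exists and lists a user's processes that were started without the preload entry. The function names are hypothetical, and the library-name pattern is an argument because this page does not name the preloaded library.

```shell
#!/bin/sh
# Added example, not ThinLinc code. Function names are hypothetical.

# Return 0 if some symlink in the xstartup.d directory ($1) points at
# tl-homecreatefilter.sh, i.e. the filter has been activated.
filter_activated() {
    for link in "$1"/*; do
        [ -L "$link" ] || continue
        case "$(readlink "$link")" in
            */tl-homecreatefilter.sh) return 0 ;;
        esac
    done
    return 1
}

# Return 0 if the NUL-separated environment file ($1, same layout as
# /proc/PID/environ) has an LD_PRELOAD entry matching the pattern ($2).
# $2 is a placeholder: supply the library name used by your installation.
preload_present() {
    tr '\0' '\n' < "$1" | grep -q "^LD_PRELOAD=.*$2"
}

# Print the PIDs of user $1 whose start-up environment lacks the preload
# entry. Such processes are not covered by the filter. Reading another
# user's /proc/PID/environ requires root.
unfiltered_pids() {
    for pid in $(pgrep -u "$1"); do
        env_file=/proc/$pid/environ
        [ -r "$env_file" ] || continue
        preload_present "$env_file" "$2" || echo "$pid"
    done
}

# Usage: audit.sh USER LIBRARY_PATTERN
if [ "$#" -eq 2 ]; then
    if filter_activated /opt/thinlinc/etc/xstartup.d; then
        echo "homecreatefilter is activated"
    else
        echo "homecreatefilter is NOT activated"
    fi
    echo "Processes of $1 started without the preload entry:"
    unfiltered_pids "$1" "$2"
fi
```

/proc/PID/environ shows the environment a process was started with, which is what the dynamic loader saw; statically linked programs are unaffected by the filter even when the entry is present.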