I am working on a small project. I have about 20 computers with Ubuntu 10.04 on them, which will be used in a computer lab for elementary, middle, high school and college kids. Some seniors and new computer-users will be using the computers.
I want to lock down the computers so that children and people who want to play around with PC configuration can use them securely and without breaking them.
I therefore want to restrict user privileges, removing the ability to upgrade, add/install software or otherwise personalize the lab's computers.
The only uses for these computers should be:
access to school websites for access of e-text books (homework assignments)
access to learning-aid websites (such as www.math.com or webster.com)
access/restrictions to applications that are safe and appropriate for the elementary students.
For more senior users only, access to websites for completing applications for re-certifications of, say, food stamps, Medicaid and so on.
Are there any software packages that will let me do this?
I would start by investigating whether using Ubuntu's standard Guest account would suit your needs regarding preventing users from installing stuff/modifying configs etc. So your machines would have a password-protected admin account to install/configure things and a password-less Guest account for your users.
For restricting Internet access I'd use DansGuardian.
It sounds like you want users to share a single account. You should investigate whether you really want this. There is a large number of reasons why this usually is a very bad idea. One is that you really cannot prevent users from spying on each other, obtaining personal information like passwords to webmail. You can try to prevent that by locking down network access, but then you're setting yourself up as a ghostbuster, forever fighting loopholes.
This kind of setup is common in Windows environments because the software to provide a proper multi-user environment is so expensive. But with Ubuntu, you get everything you need without any associated costs. If I were you, I'd really examine that choice. Trying to lock down a computer system is a very time-consuming task, and very, very difficult. On the other hand, setting up a proper environment where users have their own accounts, and you're able to easily revert any bad decisions, is much easier and will give you a much better result in nearly all cases.
For locking down overall operating system access I would run and configure bastille-linux on the host computer. This will walk you through a series of options and will harden the operating system based on your answers. If you're not familiar with the tool you can accept the defaults and that should suffice. I would also recommend consulting the CIS Debian Benchmark document that outlines a number of procedures for locking down the operating system even further.
I'd suggest that you check out the LTSP project.
I recently heard a school tech rep discuss how he uses LTSP thin clients in his school district. By using thin clients no one but administrators actually has physical access to the expensive, maintained system.
The thin clients can be regularly refreshed since they don't store anything. The thin client hardware can likely be old computer chassis destined for the trash (but should have good displays, keyboards, and mice so they remain easy and satisfying to use). The software on the thin clients would normally be maintained from the server, saving travel if there are labs in different buildings.
Of course the servers still have to have privileged and unprivileged accounts.