How can I limit or restrict access to an application?

From my own experience restricting access to computer games is one of the most challenging tasks in educating our kids. Of course we parents want them to use their computers mainly for school but this heavily conflicts with the kid's intentions. They will hate us for giving them hardware usable for school only.

And of course we also want them to learn how to use their computer in a sensible way, including how to use it not only for work but also for leisure. This includes gaming and watching videos.

Unfortunately, well maintained and working parental controls to restrict the kid's computing is almost non-available for Ubuntu. Another major issue is that as soon as they are smart kids all measures we took become in vain. They will always find ways to overcome our restrictions, in case they are really smart without us even being able to notice.

Any blocking software or PAM-restrictions running on the kid's computer will be temporary only, and may sooner or later be overcome very easily. Therefore we decided to let the password-protected router do the job, where physical access can be controlled much easier.

So what we do here to somewhat limit gaming at the moment is a combination of all of the following:

• Talk to them to educate them how and when to use computers for leisure, and when to use them for school. This is a constantly ongoing, rather tedious process leading to endless discussions and arguments. But it is what we feel is the only thing that will last in the long term.
• No administrator permissions on their account. This is a temporary thing. We do know that they will be able to put themselves in the sudo group sooner or later. The plan is that they will ask us for that rather than making this in hiding.
• Make a contract for clearly defined computing times. They need to know what for and how long they are allowed to use their machines. They need to learn how to split up this time for school and for leisure.
• Hard-block all internet during sleep hours.

To ease fulfilling the contract on computer usage for both, the kids, and us we installed the following restrictions:

• Use a password-protected router that allows restriction of internet access on a combination of a hardware (MAC) and a time-table basis. As long as they don't know about MAC-spoofing this will work quite well. It will also restrict access through their smart phones and tablets. This of course won't work if there was an open wireless network in your neighbourhood.
• Install an SSH server on the kid's computers to pull the plug in case they got lost in their own intentions. This is for emergency cases we are glad we had not needed much.
• Installed a DNS blacklist (through the router, not the computer!) which should block access to the worst.

Blocking internet access will effectively disable gaming if that game needs internet access such as Steam, Minecraft, or other gamig servers. It will however be of no effect for games running off line.

Set a time- limit on a process or application

With a small background script, you can set a time- limit on a process or application.
As long as your user does not know the administrator's password, it is not surpassed too easily.

The solution below

Is such a small background script. It limits the usage per day to a defined number of minutes, to set in the head of the script. Once set up (which is not too difficult) it runs very easy, and no additional action is needed afterwards.

The script

#!/usr/bin/python3
import subprocess
import os
import sys
import time

#--- set the time limit below (minutes)
minutes = 1
#--- set the process name to limit below
app = "gedit"

uselog = "/opt/limit/uselog"
datefile = "/opt/limit/currdate"

def read(f):
    try:
        return int(open(f).read().strip())
    except FileNotFoundError:
        pass

currday1 = read(datefile)

while True:
    time.sleep(10)
    currday2 = int(time.strftime("%d"))

    # check if the day has changed, to reset the used quantum
    if currday1 != currday2:
        open(datefile, "wt").write(str(currday2))
        try:
            os.remove(uselog)  
        except FileNotFoundError:
            pass

    try:
        # if the pid of the targeted process exists, add a "tick" to the used quantum
        pid = subprocess.check_output(["pgrep", app]).decode("utf-8").strip()
        n = read(uselog)
        n = n + 1 if n != None else 0
        # when time exceeds the permitted amount, kill the process
        if n > minutes*6: 
            subprocess.Popen(["kill", pid])
        open(uselog, "wt").write(str(n))
    except subprocess.CalledProcessError:
        pass

    currday1 = currday2

How to use

1. On your desktop (or anywhere else), create a folder named: limit
2. Copy the script into an empty file, save it as limit_use (no extension) inside the folder and make it executable

3. Edit in the head of the script the process name to limit, and the maximum number of allowed minutes. In the example:

   #--- set the time limit below (minutes)
   minutes = 1
   #--- set the process name to limit below
   app = "gedit"
   

4. Copy the folder to the directory /opt:

   cp -r /path/to/limit /opt
   

5. Now edit /etc/rc.local to make the script run it as root on startup:

   sudo -i gedit /etc/rc.local
   

   Just before the line

   exit 0
   

   another line:

   /opt/limit/limit_use &
   

That's it

When someone tries to kill the background script:

(action not allowed)

Explanation; how it works

• Once per 10 seconds, the script looks if the targeted process is running. If so, it "adds" one "point" to a total usage, to be recorded in a file (/opt/limit/uselog). If the dayly limit is reached, the script no longer allows the process to run, killing it if it exists.
• On the day change (the date is recorded in a file, so reboot won't help), the log file is deleted, allowing a new amount of usage time to build up.
• Since the script runs on boot up, from rc.local only user(s) with sudo privileges can stop the script, even then only if the user knows the process name.

Stop the script

In case you'd like to stop the script, use the command:

sudo kill "$(pgrep limit_use)"

But again, you'd need the sudo password to do so.

EDIT

Although the script above should provide a reasonably secure way of limiting an application's usage, as mentioned by @Bytecommander, it can be surpassed, although not very easily. The combination with the measure below will make it very unlikely that this will happen, unless your son knows the setup, and is quite experienced with Linux/Ubuntu.

Additional measure

A bit further from a "simple solution", but still not too difficult to set up is the additional measure below. If our suspected delinquent would find out the script is called from /etc/rc.local, would manage to become root, and remove the line in /etc/rc.local, or would be able to stop the script that way, we can confront him with the next problem: the screen blacks out after log in. Additionally, the solution checks if the background script is running after 5 minutes after restart, blacking out if not.

The extra measure is a startup- check if the line /opt/limit/limit_use & is present in /etc/rc.local, and a check after 5 minutes if the script still runs. Since the script runs from a (hidden from Startup Applications) launcher in /etc/xdg/autostart it will be quite difficult to find out what is happening, unless you know how it is done. The combination of these two measures makes it unlikely your son will find out, and if he does, probably nothing will stop him.

How to set up

Two simple steps are involved:

1. Copy the code below into an empty file, save it as blackout.desktop on your desktop:

   [Desktop Entry]
   Name=not allowed
   Exec=/bin/bash -c "sleep 15 && /usr/local/bin/blackout.py"
   Type=Application
   Terminal=false
   NoDisplay=true
   

   Copy the file to /etc/xdg/autostart:

   sudo cp /path/to/blackout.desktop /etc/xdg/autostart
   

2. Copy the script below into an empty file, save it as blackout.py on your desktop, make it executable and copy it to /usr/local/bin:

   cp /path/to/blackout.py /usr/local/bin
   

   The script

   #!/usr/bin/env python3
   import subprocess
   import time
   
   def dim_screen():
       screen = [
           l.split()[0] for l in subprocess.check_output(["xrandr"]).decode("utf-8").splitlines()\
           if " connected" in l
           ]
       for scr in screen:
           subprocess.Popen(["xrandr", "--output", scr, "--brightness", "0"])
   
   if not "/opt/limit/limit_use &" in open("/etc/rc.local").read():
       dim_screen()
   
   time.sleep(300)
   
   try:
       pid = subprocess.check_output(["pgrep", "limit_use"]).decode("utf-8").strip()
   except subprocess.CalledProcessError:
       dim_screen()
   

Explanation

Launchers in /etc/xdg/autostart will launch an application (in this case the extra security check- up) for all users. This could be overwritten locally, but you have to know the check up runs. By putting the line NoDisplay=true into our launcher, it will not appear locally in Startup Applications, so without knowing it exists, it is unlikely to be discovered.

Furthermore, your son has only 15 seconds to find out (then the screen is blacked out) so he would have a serious problem, unless he is a genious, has a lot of experience with Ubuntu and a creative mind.

This can be achieved by using shell scripts.

First script is to kill Steam as soon as it is run:

#!/bin/bash

while true
do
    pkill steam
    sleep 1
done

exit 0

Save it as /path/to/anyname.sh and add it to the list of start-up applications.

What this script will do is that it will check any open process named steam every second and if it finds any then it will kill it.

But, you need a solution where steam can be run at a specific time right so that your son can play games during that interval. To do that you have to write another script:

#!/bin/bash

    echo "pkill anyname.sh" | at 10:00

exit 0

Save it as /path/to/anyname2.sh and also add this to your list of start-up applications.

This script will kill the first script at 10:00 hrs. So, when your son runs Steam at 10:00 hrs. He will be able to play it now.

The third script is to re-initiate the first script at another point of time so that it kills Steam after a time interval and your son won't be able to play games through Steam anymore.

#!/bin/bash

    echo "bash /path/to/anyname.sh" | at 12:00

exit 0

Save it as /path/to/anyname3.sh and add it to your list of startup-applications.

Make sure to keep those paths hidden, so that your son doesn't find out.

Why not use new User Account (via System Settings). This is the only one method on Linux for "permissions".

1. New user "SteamUser" should not be in sudoers (just a limited account).
2. Then create second account called "SuperAdmin" and make it sudoers account (root access). But keep its password only with you.
3. Then remove your son's account from sudoers. (sudo group). Then this account will not have root access, it will not be able to install or remove software, change system-wide settings.
4. Login to your "SuperAdmin" account and change ownership of steam binaries and steam games folder to prevent them from running by anyone except "SteamUser". This includes removing read+write+execute access from anyone except "SteamUser"

Few notes..

• There is no abillity to leave a root access with your son's account, otherwise permissions control is bypassed easily with chown/chmod.
• Other suggestions based on background scripts are just unstable mess. This means they are not promising. However, they're easy to set up maybe.
• Folder paths to transfer to "SteamAccount" are: /home/son/.steam and of course the binary file /usr/games/steam
• To play steam, "SteamUser" password is required (you will need to login with "SteamUser" and them run steam. You can try looking for methods to expire session after some time with locking it, to prevent playing too long time. I am not sure if there are tools like that, but it's technically possible to set time limits, but for sessions, not programs.