2 Ways To Restrict Access To Student Computers in Ubuntu

Published by Stephan on

For more than a year we have been using the free school solution linuxmuster.net in our school. In addition to the computers in the computer lab, we also have computers in some of the classrooms, e. g. in the rooms with a fixed projector or in the primary school classrooms. On some of these computers we wanted to restrict access for the following reasons:

  • Students should not be able to log in to a teacher’s computer.
  • Some rooms are more or less freely accessible to students in the afternoon. In these rooms, students should only be able to log in during class time.

Under Ubuntu (which we only use on the affected computers) you can restrict the access to a computer with PAM modules. In our case, these are the modules pam_access and pam_time.

Restrict Student Access to Teacher Hosts

So that only teachers and staff can log on to a certain computer, the following files have to be adapted. In the file /etc/security/access.conf you define who has access to which services. At the end of the file we have therefore added the following entry:

-:ALL EXCEPT root linuxadmin (teachers) (staff):ALL

This line denies access (the leading "-") from any origin (the trailing ALL) to everyone except root, linuxadmin and the members of the teachers and staff groups.

In order for PAM to check this file at logon, the following line must be entered at the beginning of the file /etc/pam.d/common-auth:

account required pam_access.so

Now only teachers and staff should be able to log in.

Provide access to students only during class hours

Unfortunately, this kind of access restriction was not as easy to implement as the first one. PAM supports time-based login restrictions (pam_time), but only single users and no groups can be specified in this module. Therefore each user must be listed in the module's configuration for the restriction to work. So that you don’t have to enter each user name individually, I wrote a script that extracts the user names and creates a suitable template for the file /etc/security/time.conf.

#!/usr/bin/python3
import csv
from subprocess import call

# class name -> list of user names in that class
classes = {}
out = ""

# creates an updated CSV in /var/lib/sophomorix/print-data/all.csv
call(["sophomorix-print", "-a"])

# the old 'rU' mode no longer exists in Python 3; newline='' is what the csv module expects
with open('/var/lib/sophomorix/print-data/all.csv', newline='') as exemplarfile:
    reader = csv.reader(exemplarfile, delimiter=';')
    # get all classes and put each user in the right class
    # (column 1 holds the class/group, column 2 the user name)
    for row in reader:
        if len(row) < 3 or row[1] == "teachers":
            continue
        classes.setdefault(row[1], []).append(row[2])

# create one line per class for /etc/security/time.conf:
# services ; ttys ; user1|user2|... ; times
for grade in classes:
    users = "|".join(classes[grade])
    out += "\n* ; * ; " + users + " ; Wk0730-1330"

print(out)

The script first generates a list of all user names, then reads it and creates the following line(s):

* ; * ; user1|user2|user3 ; Wk0730-1330

This means that user1, user2 and user3 have access to all services from all terminals (the two “*” at the beginning), but only on weekdays between 7:30 and 13:30 (Wk0730-1330).

You just have to copy the output of the script to /etc/security/time.conf and add this line to /etc/pam.d/common-auth:

account required pam_time.so
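Before pushing such rules to the hosts it is worth checking offline who would still get in. The following is an added example (my code, not part of the original post or of linuxmuster.net) that models the relevant subset of pam_access and pam_time semantics for the two lines used above: the access.conf line with its leading "-" deny field, and a time.conf line of the shape the script emits. It assumes origins, services and ttys are all wildcards, and the user names, group names and timestamps are constructed sample data.

```python
"""Offline evaluator for the pam_access / pam_time rules used on the school hosts.

Added example. Models only what the two rules above need: the user field of
access.conf (ALL, names, (groups), EXCEPT) and the user and time fields of
time.conf. Origins, services and ttys are assumed to be wildcards.
"""
from datetime import datetime

# Line from /etc/security/access.conf on the teacher hosts.
ACCESS_RULE = "-:ALL EXCEPT root linuxadmin (teachers) (staff):ALL"
# Line of the shape the script writes to /etc/security/time.conf (constructed users).
TIME_RULE = "* ; * ; user1|user2|user3 ; Wk0730-1330"

# pam_time day codes -> weekday numbers (Monday = 0, as in datetime.weekday()).
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": {0, 1, 2, 3, 4, 5, 6},
}


def _as_datetime(when):
    """Accept a datetime or an ISO 8601 string such as '2024-01-15T09:00'."""
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def _user_field_matches(tokens, user, groups):
    """access.conf user field: 'ALL', plain user names, or '(group)' entries."""
    for tok in tokens:
        if tok == "ALL":
            return True
        if tok.startswith("(") and tok.endswith(")"):
            if tok[1:-1] in groups:
                return True
        elif tok == user:
            return True
    return False


def access_allows(rule, user, groups):
    """Evaluate one access.conf line 'permission:users:origins'.

    pam_access applies the first matching line; when no line matches, the
    login is permitted. Origins are assumed to be ALL, so only the user field
    decides whether the line applies.
    """
    permission, users, _origins = (f.strip() for f in rule.split(":"))
    tokens = users.split()
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        listed, excepted = tokens[:cut], tokens[cut + 1:]
    else:
        listed, excepted = tokens, []
    applies = (_user_field_matches(listed, user, groups)
               and not _user_field_matches(excepted, user, groups))
    if not applies:
        return True
    return permission == "+"


def _days_from_codes(codes):
    """Expand day codes; a repeated day toggles off again ('AlFr' = all days but Friday)."""
    days = set()
    for i in range(0, len(codes), 2):
        days ^= DAY_CODES[codes[i:i + 2]]
    return days


def _time_range_matches(spec, when):
    """One 'DaysHHMM-HHMM' spec such as 'Wk0730-1330'; the end is exclusive."""
    split = 0
    while split < len(spec) and spec[split].isalpha():
        split += 1
    days = _days_from_codes(spec[:split])
    start, end = spec[split:].split("-")
    now = when.hour * 100 + when.minute
    return when.weekday() in days and int(start) <= now < int(end)


def time_allows(rule, user, when):
    """Evaluate one time.conf line 'services;ttys;users;times'.

    The line applies if its user field names the user ('|' separated, '*' = any);
    an applying line whose time field does not contain `when` denies the login.
    Services and ttys are assumed to be '*'.
    """
    when = _as_datetime(when)
    _services, _ttys, users, times = (f.strip() for f in rule.split(";"))
    if users != "*" and user not in users.split("|"):
        return True  # line does not apply; pam_time falls through to permit
    return any(_time_range_matches(spec, when) for spec in times.split("|"))


def login_allowed(user, groups, when, access_rule=ACCESS_RULE, time_rule=TIME_RULE):
    """Both modules are stacked as 'account required', so both must permit.

    Pass None for a rule the host does not carry (with postsync each host gets
    only its own configuration).
    """
    if access_rule is not None and not access_allows(access_rule, user, groups):
        return False
    if time_rule is not None and not time_allows(time_rule, user, when):
        return False
    return True


if __name__ == "__main__":
    # constructed sample logins: a teacher on a teacher host, a student on a classroom host
    print("teacher, Mon 15:00:", login_allowed("smith", {"teachers"}, "2024-01-15T15:00", time_rule=None))
    print("student, Mon 09:00:", login_allowed("user1", {"7a"}, "2024-01-15T09:00", access_rule=None))
    print("student, Sat 09:00:", login_allowed("user1", {"7a"}, "2024-01-13T09:00", access_rule=None))
```

Run it with the rules you intend to deploy and the accounts you care about (a teacher outside class hours, a student on a weekend, the linuxadmin account) before the files go out via postsync; a rule that silently never applies is the usual failure mode, and the end-exclusive time window means 13:30 itself is already outside Wk0730-1330.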

Conclusion

With PAM you have many possibilities to restrict the access to an Ubuntu computer and to determine exactly who has access to which computer and when. Thanks to postsync (besides LINBO the killer feature of linuxmuster.net) you can specify which computers get this configuration without having to maintain different images.

(CC by Adelson Raimundo Reis Amaral)


Stephan

I'm a teacher and IT system administrator in an international school. I love open source software and I have used it for over a decade in my private and work life. My passion is to solve problems with open source software!
