Saturday, 28 May 2011

Can primary school children use Linux?

Long story abbreviated:

I have two children, 5 and 7 years old. The primary school would like them to have ready access to the school's VLE website. I happened to have two old laptops, both semi-broken and underpowered - but fine with a light OS and sitting on a table plugged into the wall. One laptop is a 6-year-old HP, the other an Asus eeePC.

I decided on Xubuntu (Ubuntu but with the less hungry XFCE window manager), version 10.04, a Long Term Support release, maintained for 3 years.

Two base installations later, I then integrated the laptops with my home systems and locked the WIFI to my base station (ie removed NetworkManager).

Then a cursory configuration of each of their desktops - fix the fonts to be a bit bigger for small kids, clean up the "gnome style" twin task panels into a more Windows like single panel (the aim here is to allow them to feel comfortable going between my systems and the school computers). Added some media players and Flash so that the school VLE website worked correctly and defaulted Firefox to the school VLE.

The last jobs included installing the ubuntu-edu-primary metapackage, which adds lots of great education stuff like a fractions quiz, hangman, kiddie friendly paint program and lots of other stuff. Added GoogleEarth too.

My daughter (7) had a chance to further customise her desktop with verbal guidance and I fixed my son's (5) up by asking him what background colour he'd like.

It is quick and responsive, uncluttered and has a rich environment perfect for kids their age. My daughter is even learning perl programming. They know about logging out, saving files, hibernating and remembering to turn the power off.

They have few problems with the differences between Linux and MS Windows - the "Start" menu is in the same place and does similar things. Most apps have a similar menu layout (eg "File/Save", "Edit", "Help") and the more common keystrokes such as CTRL-C/V/X copy/paste/cut and CTRL-S save are the same anyway.

So overall this has proven a great success. Total cost of legitimate software: £0

So you can't run GUI tools on your MySQL server?

GUI tools bring in a lot of dependent packages, which is usually undesirable on a tight Linux server. MySQL server is usually configured to listen on a local UNIX domain socket, and by default the MySQL root user is usually only allowed to connect through this socket. If you have your security right, this socket should have restricted permissions and not allow everyone to connect.

So when you want to run a GUI such as MySQL Administrator as root on your server, how do you manage this?

Fortunately, the answer comes via socat, which is a more modern version of netcat, along with our old friend, SSH tunnels. socat and OpenSSH are core packages in Debian and Ubuntu, although socat may need sourcing from a third party repository for some Linux distros.

Here's the magic:

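# On the MySQL server, as whichever Linux user can access the MySQL socket.
# bind=127.0.0.1 (loopback) is an assumed value: it keeps the listener reachable only from the server itself.
socat tcp-listen:13306,reuseaddr,fork,bind=127.0.0.1 unix:/var/run/mysqld/mysqld.sock
# On your PC (user@mysql-server is a placeholder for your own login and MySQL server host):
ssh -L3306:localhost:13306 user@mysql-server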

The socat command will need the path adjusted for the location of mysqld.sock (check /etc/mysql/my.cnf - it may be in /var/lib, /var/run or /tmp). socat creates a tcp server on port 13306 accessible from only.

The ssh command needs the host to be your MySQL server, and you may log in with any account that is permitted. What happens now is that ssh creates a tcp server on your PC on port 3306 bound to only and wired through to socat on the MySQL server, which is wired to the MySQL unix domain socket.

So your PC's tcp listener is now effectively wired to the heart of your remote MySQL server - clever eh?

Now run MySQL Administrator or whatever tool from the comfort of your machine! Remember to connect to, standard port of 3306. Don't try to use "localhost" as, for some reason, probably due to bad mushrooms, the MySQL developers decided that "localhost" meant "unix domain socket". Sigh...

Security implications

On the MySQL server, be aware that any other local user may now connect to the 13306 port, and thus gain root access to your databases, depending on whether root has a password configured. The same applies to your PC on port 3306 - so if your "PC" happens to be a *nix multiuser server with loads of other people logged in, this would classify as a Bad Idea (TM).

Close down your ssh tunnel and socat as soon as you have finished.
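
A quick way to check the two listeners described above, on either machine, is to classify what is bound to ports 13306 and 3306. This is an added example, not part of the original post: it assumes the iproute2 `ss` tool is installed, `listener_scope` is a hypothetical helper name, and the sample `ss` output is constructed.

```shell
#!/bin/sh
# Classify the TCP listeners on one port from `ss -ltnH` output read on stdin.
# Prints one word: absent | loopback | exposed
listener_scope() {
    awk -v port="$1" '
        {
            local_addr = $4                       # e.g. 127.0.0.1:13306 or [::1]:3306
            n = match(local_addr, /:[0-9]+$/)     # position of the final ":port"
            if (n == 0 || substr(local_addr, n + 1) != port) next
            addr = substr(local_addr, 1, n - 1)
            gsub(/\[|\]/, "", addr)               # drop IPv6 brackets
            sub(/%.*$/, "", addr)                 # drop an interface suffix such as %lo
            found = 1
            # Anything other than 127.0.0.0/8 or ::1 is reachable from off the host.
            if (addr !~ /^127\./ && addr != "::1") exposed = 1
        }
        END { print (!found ? "absent" : (exposed ? "exposed" : "loopback")) }
    '
}

# Constructed sample of `ss -ltnH` output (not captured from a real host):
# the socat relay is loopback-only, but port 3306 is bound to every interface.
SAMPLE_SS='LISTEN 0 5 127.0.0.1:13306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 [::1]:8080 [::]:*'

for port in 13306 3306; do
    printf '%s: %s\n' "$port" "$(printf '%s\n' "$SAMPLE_SS" | listener_scope "$port")"
done

# Live use while the tunnel is up:      ss -ltnH | listener_scope 13306
# After closing socat and ssh, both ports should report "absent".
```

"loopback" still means every local user on that machine can reach the port, as the security note above says; "exposed" means other hosts can too.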