Can I completely isolate multiple users on different USB drives?

I have a very specific need. I use Mint/MATE 22.4 for work. I want my kids to use the same system during non-work hours. I do not want any trace of them or the apps they use/add left when they log off.

I don’t trust the older ones not to download spyware or porn that can be found by my admin at work. (Yes, I’ve tried blocking installs and so-called “family” settings. No, I do not have the funds to buy them their own laptops!)

So here is what I’m looking for:

  1. A simple way for them to login as if they were the only user.
  2. On logout there is nothing left of their login (including the swap file)
  3. No additional video lag time (I get enough “this is too slow already” from the gamer). (No VMs please.)
  4. Their data on their own drive.
1 Like

Hi, @fa0056 and welcome to the Ubuntu MATE Community!

Create USB drives with child-specific partition names.

Create mount points for those drives.

Define an entry in /etc/fstab which uses the UUID of each USB to mount to that child's assigned mount point (child's name ?) automatically with full privileges for that child.

Then when you create a User ID, define the ${HOME} for each child on their USB, keeping the ${HOME} separate from a ${SHARED} below the USB's root.

Under /home, you will need to create a symlink to the actual HOME on each USB drive.

The tricky part is the need to tell systemd that the drive must be mounted before it allows that user to login.

I don't know the specifics to control that for each user individually.

Maybe a more knowledgeable user can assist with that.

Hope that helps!



Other stuff to come later regarding security and limiting access to the stuff you want protected, which is hopefully "contained" in limited locations. :slight_smile:



Example of my own fstab entry for a USB stick:

UUID=7CB8-B781 		/media/ericthered/SLIP_USB 	vfat 	user,owner,utf8,rw,suid,dev,umask=000,relatime,codepage=347,iocharset=iso8859-1,shortname=mixed,showexec,utf8,errors=remount-ro,uhelper=udisks2,nofail,noauto 	0 	0


I have the following for my own HOME on a non-root partition, but you need something different that is AFTER login, specific to each child. For what it's worth,

system/lightdm.service.d/override.conf:RequiresMountsFor=/DB001_F2
system/lightdm.service.d/override.conf.lightdm.service.OasisMega1:RequiresMountsFor=/DB001_F2

system/sysinit.target.d/override.conf:RequiresMountsFor=/DB001_F2
system/sysinit.target.d/override.conf.sysinit.target.OasisMega1:RequiresMountsFor=/DB001_F2
2 Likes
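The steps in the reply above (an fstab entry keyed by UUID, HOME on the stick, a symlink under /home, and a RequiresMountsFor= drop-in for lightdm) as a script that prints the root commands for one child. This is an added example, not ericthered's code: the child names, UUIDs, uids and the /media/kids prefix are placeholders, and it goes slightly beyond the post by handling an ext4 stick as well as vfat. It also departs from the quoted fstab line by mounting with nosuid,nodev instead of suid,dev, since a child-owned removable drive should not be able to bring setuid binaries or device nodes into the system.

```shell
#!/bin/sh
# Added example, not code from the reply above. It turns that reply's steps into a printed
# plan for one child; nothing here modifies the system. Child name, UUID, uid and the
# /media/kids prefix are placeholders.
set -eu

# fstab line for the child's stick. Unlike the entry quoted in the reply this uses nosuid,nodev
# (no setuid binaries or device nodes from a child-owned drive) and nofail (the machine still
# boots when the stick is absent). vfat has no Unix permissions, so ownership is pinned with
# uid/gid/umask; ext4 keeps its own ownership, so only the hardening options are needed.
fstab_line() {
    uuid=$1 mountpoint=$2 fstype=$3 uid=$4 gid=$5
    case $fstype in
        vfat) opts="uid=$uid,gid=$gid,umask=077,nosuid,nodev,nofail" ;;
        ext4) opts="defaults,nosuid,nodev,nofail" ;;
        *)    echo "fstab_line: unsupported filesystem type '$fstype'" >&2; return 1 ;;
    esac
    printf 'UUID=%s %s %s %s 0 0\n' "$uuid" "$mountpoint" "$fstype" "$opts"
}

# Drop-in of the kind the reply greps for (lightdm.service.d/override.conf): the display
# manager is not started until the child's mount point is mounted.
lightdm_dropin() {
    printf '[Unit]\nRequiresMountsFor=%s\n' "$1"
}

# Print the root commands for one child: <name> <uuid> <fstype> <uid>. The UUID comes from
# "blkid" on the formatted stick. HOME lives on the stick; /home/<name> is a symlink to it.
# Assumes the child's primary group id equals the uid (the usual Debian/Ubuntu default).
plan_child() {
    child=$1 uuid=$2 fstype=$3 uid=$4
    mp=/media/kids/$child
    dropin=/etc/systemd/system/lightdm.service.d/$child.conf
    printf '%s\n' "# --- plan for $child ---"
    printf '%s\n' "mkdir -p $mp"
    printf '%s\n' "echo '$(fstab_line "$uuid" "$mp" "$fstype" "$uid" "$uid")' >> /etc/fstab"
    printf '%s\n' "mount $mp"
    printf '%s\n' "mkdir -p /etc/systemd/system/lightdm.service.d"
    printf '%s\n' "{ echo '[Unit]'; echo 'RequiresMountsFor=$mp'; } > $dropin"
    printf '%s\n' "systemctl daemon-reload"
    printf '%s\n' "mkdir -p $mp/home && cp -rT /etc/skel $mp/home"
    printf '%s\n' "useradd --uid $uid --home-dir $mp/home --no-create-home --shell /bin/bash $child"
    # vfat ignores chown: the uid= mount option already makes the child the owner there
    [ "$fstype" = ext4 ] && printf '%s\n' "chown -R $child:$child $mp/home && chmod 700 $mp/home"
    printf '%s\n' "ln -s $mp/home /home/$child"
}

plan_child alice 1234-ABCD vfat 1001
plan_child bob   0123abcd-0123-4567-89ab-0123456789ab ext4 1002
```

Review the printed plan before running any of it as root. The caveat the reply itself raises still applies: RequiresMountsFor= on lightdm holds back the login screen for everyone whenever that one stick is missing, and a per-user "mount before login" mechanism is exactly what the reply says it does not have.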

IMO, it's virtually impossible. Look, it takes root privileges to install apps, and apps are stored in the system's part of the hard drive, not in the personal home folder. No, it is not possible to give someone unrestricted root access to a system and expect them to leave no trace within the system.

I think the only more or less feasible solution is to create a persistent live USB installation and boot the computer from it. BTW, that system should be configured to

  • prohibit access to the computer's embedded HDD
  • not provide sudo/root access for the kids' accounts

Hopefully that might help.
Good luck!

3 Likes

Thanks. I’ll try that. I recall that Windoze had the ability to run an auto-start script when a CD was inserted. I’ll look for something like that for Linux and USBs. (Anybody know of one?)

As Eugene said, only you can have admin/sudo privilege for the installed OS,

AND

you need to have password protection on your UEFI or BIOS to prevent booting from USB, which could give disk access.

Regarding restricting access, there are various configuration files that limit that. Some of the related files are

  • /etc/security/access.conf.Oasis

  • /etc/pam.d/login.Oasis

In terms of raising privileges in a limited pinpoint fashion, you need to look at detailed customizing of sudo using entries like

  • %groupname ALL=(root) /usr/bin/command       for a shared group (i.e. all children)

  • username ALL=(ALL) /full/path/to/command       for each individual child



One other option is to have each child run in their own virtualized environment. That way, they could do anything and everything within their own "sandbox".

1 Like
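The two sudoers shapes listed above (a %group rule and a per-user rule, each with a full command path) and the access.conf file the reply names, as an added example that is not ericthered's configuration. It stages a sudoers drop-in and checks that every rule is "pinpoint" in the reply's sense: an absolute command path, no bare ALL, no NOPASSWD tag. The group kids, user alice, the command paths and the file name /etc/sudoers.d/kids are placeholders.

```shell
#!/bin/sh
# Added example, not code from the reply above. Writes a sudoers drop-in in the two shapes the
# reply lists and an access.conf rule, then checks that every sudo rule is "pinpoint".
# Group kids, user alice, the command paths and /etc/sudoers.d/kids are placeholders.
set -eu

# The only commands the children may run as root. Each rule names one absolute path, as the
# reply recommends; no "ALL" command and no NOPASSWD tag.
sudoers_fragment() {
    cat <<'EOF'
# hypothetical /etc/sudoers.d/kids
%kids  ALL=(root) /usr/bin/apt-get update
alice  ALL=(ALL)  /usr/bin/systemctl restart cups
EOF
}

# pam_access rule for /etc/security/access.conf (the file the reply names): members of group
# kids may log in only from the local console/display, so their accounts cannot be used for
# ssh or any other remote login. Format is "permission : users/groups : origins".
access_rule() {
    echo '- : kids : ALL EXCEPT LOCAL'
}

# Exit 0 only if every grant in FILE names specific absolute commands. After the "host=" and
# optional "(runas)" parts are stripped, each comma-separated entry must begin with "/", so a
# bare ALL, a NOPASSWD: tag or a relative command name all fail the check.
rules_are_pinpoint() {
    awk '
        /^[ \t]*(#|$)/ { next }   # comments and blank lines
        /^Defaults/    { next }   # option lines are not grants
        {
            rule = $0
            if (!sub(/^[^=]*=[ \t]*/, "", rule)) { bad = 1; next }  # not "who host=" shaped
            sub(/^\([^)]*\)[ \t]*/, "", rule)                         # optional (runas) spec
            n = split(rule, cmds, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", cmds[i])
                if (cmds[i] !~ /^\/[^ \t]+/) bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Stage the fragment in a temp file, check it and report. Installing is left to the admin:
# "visudo -cf FILE" for a syntax check, then copy into /etc/sudoers.d/ with mode 0440.
check_staged_fragment() {
    tmp=$(mktemp)
    sudoers_fragment > "$tmp"
    if rules_are_pinpoint "$tmp"; then
        echo "sudoers fragment accepted: only pinpoint rules"
        rc=0
    else
        echo "sudoers fragment rejected: a rule grants more than a specific command" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

check_staged_fragment
access_rule
```

The awk check is deliberately conservative: it rejects anything it cannot parse as a grant with absolute command paths, so a mistaken `ALL` or `NOPASSWD:` never slips into the children's rules. It is a shape check only; `visudo -cf` remains the authority on sudoers syntax.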