James Barrett on 24 Oct 2009 05:56:41 -0700
Adam,

A few questions first: Is the kiosk going to be restricted to a single URL, or a single domain? Is it going to be placed into a public, high-traffic area? Is this for work, or a favor for some personal group? Is this machine going to be used exclusively as a kiosk, or will it also have other purposes?

Restricting the machine to a single domain is simple. Set the machine's iptables outbound policy to drop all communications. Allow outbound connections to the desired domains. Allow outbound connections to network services (DHCP, DNS, and so on) only when necessary. You could even forget DNS entirely and rely solely on /etc/hosts. Or, you could put a firewall in front of the kiosk to ensure that these services will always be locked down.

(Just had an idea... is there any squid magic that will work with ebtables to serve only one web page when any request is siphoned to squid? I'm thinking that, no matter what is passed through a transparent bridge on :80, ebtables will redirect it to "localhost:squid", which will then serve only one page, being the requested domain... Has anyone ever tried that!?)

The name of the game is restriction. Think of all possible avenues for a user to get a shell and remove them. If a person gets a shell, they can cause some damage even though they might not be able to get root. Every Linux system I've ever touched has perl. Who needs a compiler when there's perl?

Install the bare minimum number of packages you can get away with. No compilers, no window managers. No ssh, no sshd. Seriously consider running this entire system from a LiveCD. If it must be run from a hard drive, then consider removing all upgrade capabilities (remove wget, apt-get, et al) and do upgrades via a LiveCD or LiveUSB.

Forget GNOME and KDE. Assuming that this is a standalone single-purpose kiosk, you won't even need a window manager. You could add firefox to ~/.xinitrc and ensure that it opens full-screen.

I made a ton of hacks to a firefox configuration (firefox 2) years ago, and I still have them somewhere. I can dig them up if you would like. IIRC, I added a "while true ; do ..." endless loop to ~/.xinitrc to make sure that firefox would restart if it ever exited.

OTOH, if the machine is just going to display the weather, or news headlines or something, and not have a public keyboard or mouse, then you'll most likely be okay as long as you don't expose any USB ports... :)

--
James Barrett

On Fri, Oct 23, 2009 at 2:42 PM, Adam Zion <azion1995@gmail.com> wrote:
> I have been asked to set up a linux workstation as a Web kiosk of
> sorts, restricted to a single URL. How would I go about doing this?
>
> Thx,
> -Z
>
> --
> Adam+Zion, MCSE+I, Registered Linux User #471910
>
> Don't look back. Something might be gaining on you. * Satchel Paige
> ___________________________________________________________________________
> Philadelphia Linux Users Group -- http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
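The recipe in James's reply (outbound DROP policy, hosts-file pinning instead of DNS, DHCP only when needed, no window manager, a "while true" loop around the browser in ~/.xinitrc) as one runnable script. This is an added example, not James's saved configuration and not code from the list. It assumes the kiosk is a DHCP client, that the allowed site's addresses are pinned in /etc/hosts (so DNS is off unless KIOSK_DNS names a single resolver), an iptables with the conntrack match, and a Firefox new enough to have --kiosk (71 or later; the 2009 setup used a full-screen hack instead). The addresses in the usage note are RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Kiosk lockdown helper (added example). Generates the firewall rules and the
# ~/.xinitrc described in the thread; nothing is applied unless you ask for it.

# kiosk_rules IP [IP ...]
# Print the firewall commands, one per line, without running anything.
# Policy: drop everything, then allow loopback, reply traffic, DHCP in both
# directions (some DHCP clients use packet sockets that bypass netfilter, others
# do not, so be explicit), optionally DNS to ONE resolver, and HTTP/HTTPS to the
# listed addresses only. The ip6tables lines matter: a v4-only lockdown is
# bypassed over IPv6 if the LAN offers it.
kiosk_rules() {
    cat <<'EOF'
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
EOF
    # KIOSK_DNS is an assumed knob: leave it unset to rely on /etc/hosts only.
    if [ -n "${KIOSK_DNS:-}" ]; then
        printf 'iptables -A OUTPUT -p udp -d %s --dport 53 -j ACCEPT\n' "$KIOSK_DNS"
    fi
    for ip in "$@"; do
        printf 'iptables -A OUTPUT -p tcp -d %s --dport 80 -j ACCEPT\n' "$ip"
        printf 'iptables -A OUTPUT -p tcp -d %s --dport 443 -j ACCEPT\n' "$ip"
    done
}

# apply_rules IP [IP ...]
# Run the generated commands as root, aborting on the first failure so a
# half-applied ruleset is obvious rather than silent.
apply_rules() {
    kiosk_rules "$@" | sh -e
}

# xinitrc_content URL
# Print a ~/.xinitrc that starts the browser full-screen with no window manager
# and restarts it whenever it exits or is killed (the "while true ; do" trick).
xinitrc_content() {
    printf '#!/bin/sh\n'
    printf 'xset s off -dpms\n'      # keep the display from blanking
    printf 'while true; do\n'
    printf "    firefox --kiosk '%s'\n" "$1"
    printf '    sleep 1\n'           # avoid a tight loop if firefox dies instantly
    printf 'done\n'
}

# Command-line entry point; does nothing when sourced or run without arguments.
case "${1:-}" in
    show)    shift; kiosk_rules "$@" ;;
    apply)   shift; apply_rules "$@" ;;
    xinitrc) xinitrc_content "${2:?usage: $0 xinitrc URL}" ;;
esac
```

Usage: `./kiosk.sh show 203.0.113.10` prints the rules for review, `sudo ./kiosk.sh apply 203.0.113.10` installs them, and `./kiosk.sh xinitrc http://kiosk.example.org/ > ~/.xinitrc` writes the session file. Pin the same address in /etc/hosts so the browser never needs DNS; the firewall then rejects everything the hosts file does not name, which is the "forget DNS entirely" variant James describes.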