Lee Marzke on 24 Oct 2009 19:49:01 -0700



Re: [PLUG] Locking down a Web browser on Ubuntu


In addition to locking things down, what I did recently for a Kiosk
on Ubuntu was:

- Auto login to guest on startup
- guest is severely restricted, so most sysadmin functions don't
   work from the GUI,  and you don't have to lock them out.
- each night I delete /home/guest,  and replace it from a tarred archive
  and reboot.

So any config settings to the desktop, etc. that a user did make would
be refreshed the next day.   And any cookies, browsing history, etc. are
wiped out each night.

The machine has no CD drive so Knoppix attacks are out as well.

This Kiosk is for public Internet Weather access,  and I don't care if
other sites are visited, just as long as the unit is back to original
configuration each day.

Lee


James Barrett wrote:
> Adam,
>
> A few questions first,
>
> Is the kiosk going to be restricted to a single URL, or a single domain?
> Is it going to be placed into a public, high-traffic area?
> Is this for work, or a favor for some personal group?
> Is this machine going to be used exclusively as a kiosk, or will it
> also have other purposes?
>
> Restricting the machine to a single domain is simple.  Set the
> machine's iptables outbound policy to drop all communications.  Allow
> outbound connections to the desired domains.  Allow outbound
> connections to network services (dhcp, DNS, and so on) only when
> necessary.  You could even forget DNS entirely and rely solely on
> /etc/hosts.  Or, you could put a firewall in front of the kiosk to
> ensure that these services will always be locked down.  (Just had an
> idea... is there any squid magic that will work with ebtables to
> serve only one web page when any request is siphoned to squid?   I'm
> thinking, that for no matter what is passed through a transparent
> bridge on :80, ebtables will redirect it to "localhost:squid", which
> will then serve only one page, being the requested domain... Has
> anyone ever tried that!?)
>
> The name of the game is restriction.  Think of all possible avenues
> for a user to get a shell and remove them.  If a person gets a shell,
> they can cause some damage even though they might not be able to get
> root.  Every Linux system I've ever touched has perl.  Who needs a
> compiler when there's perl?
>
> Install the bare minimum number of packages as you can get away with.
> No compilers, no window managers.  No ssh, no sshd.  Seriously
> consider running this entire system from a LiveCD.  If it must be run
> from a hard drive, then consider removing all upgrade capabilities
> (remove wget, apt-get, et al) and do upgrades via a LiveCD or LiveUSB.
>  Forget gnome and KDE.  Assuming that this is a standalone
> single-purpose kiosk, you won't even need a window manager.  You could
> add firefox to ~/.xinitrc and ensure that it opens full-screen.  I
> made a ton of hacks to a firefox configuration (firefox 2) years ago,
> and I still have them somewhere.  I can dig them up if you would like.
>  IIRC, I added a "while true ; do ..." endless loop to ~/.xinitrc to
> make sure that firefox would restart if it ever exited.
>
> OTOH, if the machine is just going to display the weather, or news
> headlines or something, and not have a public keyboard or mouse, then
> you'll most likely be okay as long as you don't expose any USB
> ports... :)
>
> --
> James Barrett
>
> On Fri, Oct 23, 2009 at 2:42 PM, Adam Zion <azion1995@gmail.com> wrote:
>   
>> I have been asked to set up a linux workstation as a Web kiosk of
>> sorts, restricted to a single URL. How would I go about doing this?
>>
>> Thx,
>> -Z
>>
>> --
>> Adam+Zion, MCSE+I, Registered Linux User #471910
>>
>>     
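Lee's nightly reset of /home/guest, written out as an added shell example (this is not Lee's own script). It assumes the pristine home was archived once with `tar -C /home -czf /var/lib/kiosk/guest-home.tgz guest` and that the archive lives outside /home/guest, where the guest account cannot touch it; the function refuses to wipe anything if the archive is missing, so a bad night never leaves the kiosk without a home directory.

```shell
#!/bin/sh
# Nightly kiosk reset: replace the guest home with a pristine archived copy.
# Added example; paths and archive name are assumptions, not from the thread.
set -e

# reset_guest_home HOME_DIR ARCHIVE
# Deletes HOME_DIR and re-extracts it from ARCHIVE (a tarball whose top-level
# entry is the directory's basename, e.g. "guest/"). Checks the archive first
# so that a missing or corrupt archive leaves the current home untouched.
reset_guest_home() {
    home_dir=$1
    archive=$2
    parent=$(dirname "$home_dir")
    name=$(basename "$home_dir")

    [ -r "$archive" ] || { echo "archive $archive not readable" >&2; return 1; }
    # The archive must actually contain the directory we are about to remove.
    tar -tzf "$archive" | grep -q "^$name/" \
        || { echo "archive does not contain $name/" >&2; return 1; }

    # Wipe whatever the user left behind: cookies, history, desktop tweaks, downloads.
    rm -rf -- "$home_dir"
    # Restore the pristine copy; -p keeps the archived permission bits, and
    # when run as root tar also restores the archived owner (guest).
    tar -C "$parent" -xzpf "$archive"
}

# Typical root cron entry (assumed paths): reset, then reboot so no running
# process keeps a handle on the old files.
#   reset_guest_home /home/guest /var/lib/kiosk/guest-home.tgz && /sbin/reboot
```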

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug