Linux Kiosk

an Ubuntu / Gnome lockdown scenario


This is part of an exercise to use Linux as a kiosk system. 'Kiosk System' can mean a couple of things. The setup here is based on Ubuntu 6.06 Desktop (a.k.a. Dapper Drake). Ubuntu is a fork of Debian's unstable branch, but with a selection of packages oriented towards the creation of (in this case) a stable, easy to use desktop system. Ubuntu is therefore a reasonable choice : the required packages for our kiosk system are pre-selected by Ubuntu, and Ubuntu's approach towards users and their privileges also suits our kiosk requirements.

A customized Ubuntu Desktop may thus well be a reasonable alternative to the Web only kiosk computer. It is, in concept, quite close to the Multimedia Internet Computer, but takes advantage of the desktop and window manager configuration already present in the Ubuntu Dapper Drake desktop while avoiding the lockdown hassle of the KDE Kiosktool.


Goal

This kiosk setup is aimed towards the creation of public workstations, e.g. in internet cafes, public libraries and so on. We want to allow users internet access (www, chat, multimedia, ...), give them a chance to download files from the internet, and provide applications to open them (word doc, spreadsheets, (PowerPoint) presentations, pdf files, ...). Not all of these can be covered with plug-ins and add-ons. One could argue that information on the web should be in a 'browser-compatible' format - but that's in that ideal world far, far away from here - and probably in a parallel universe anyway. The Web I know is littered with Word documents, Microsoft Excel Spreadsheets, PowerPoint Presentations ... Sure, OpenOffice can handle those no problem - but then the web kiosk pc should have OpenOffice installed.

Also - as our kiosk is an internet pc in a public library, we may want to allow the users to print information, or save it to (usb) disks etc. So we'll have to provide access to printers and to media, to auto-mounted devices, ... So what we're looking for here is a rather complete desktop system, maybe also including games or educational programs, but configured such that the user can not modify the system, and can not abuse the system (e.g. scan, enumerate or access a local network), and so on.

Our solution : a Ubuntu desktop with some modifications, a Gnome desktop lockdown, system lockdown (possibly with the Bastille hardening script), and some alterations to the Linux configuration.


BIOS

Although we'll give access to media such as USB-storage, CD-ROM and DVD, we do not want users to boot from these media, as this would allow them to boot into an operating system (live CD's, setup media, ...) that completely circumvents the lockdown we will describe here. We do not prevent the user from rebooting per se : if we did that, they may be tempted to just pull the plug to shutdown and reboot, possibly damaging the filesystem.

Instead, set the BIOS so that the system can only boot from the hard disk, and protect access to the BIOS with a password.

set up ubuntu

Get an Ubuntu Desktop install CD or iso image and install it. It is best not to use a 'live CD' installation but do a "server" installation (possibly but not necessarily in "expert mode"). This allows you to install Ubuntu Desktop without its default applications that you may not need or want. Better start from a bare desktop and add only the applications you need. This procedure is described in this custom ubuntu 6.06 setup. Add community maintained packages (universe) to the software sources so that you have access to some tools that are not in the core Ubuntu repositories. For some packages, you may need the multiverse or backports repository as well.

If you're going to roll out multiple identical or quasi-identical kiosk systems, an unattended setup may be of interest. Ubuntu unattended setup can be accomplished similar to Debian unattended setup. Your goal is a baseline desktop that you can then 'harden' into a kiosk system. The following is based on Ubuntu Dapper Drake custom setup.

To turn a minimal ubuntu system into a GUI Desktop system with Ubuntu's look and feel, run

	apt-get install x-window-system-core gnome-session gnome-panel gdm metacity ubuntu-artwork

To setup multiple kiosks, using apt-proxy might be a good idea.

Interesting applications, depending on the purpose of your kiosk system, could be

When you take the Edubuntu approach, you may also want to include the educational programs, and turn the kiosks into workstations for students or people who don't have a computer at home.

manage your users

We plan for 3 types of users : the system administrator, the staff (privileged users) and the kiosk users. Users can be edited in System : Administration : Users and Groups.

the sys admin

Ubuntu abandons the concept of a 'root' user and uses 'sudo' for all system administration tasks. During Ubuntu setup, you create 1 user that will have the right to sudo and be able to administer the system. When you setup in expert mode, you can still choose to do your system administration as root.

kiosk user(s)

For the kiosk users, we'll create just 1 account. A customer will be allowed to log in with that account, and should then be able to use those applications we've allowed, and nothing else. The Gnome Desktop Lockdown will thus be applied to this account only. Furthermore, we'll want to prevent this account from elevating its privileges or circumventing the restrictions imposed by the desktop lockdown, e.g. by using alternative methods to start applications (from a shell / terminal, by browsing the filesystem or the internet, opening/executing scripts or commands from the file manager or the browser, by writing OpenOffice macros that might open a shell or another application, etc).

We create 1 user account ('kioskuser') for the customers. In the "Advanced" and "Privileges" tabs we reduce the privileges for the kioskuser and set its shell to '/usr/bin/screen'. This forces the kioskuser to use a graphical login and won't let him open a shell. These are the first steps in our lockdown process.
[screenshot: user properties]

privileged users

These users should not have access to system administration (no sudo), but should be able to run normal user applications without too many restrictions. The 'desktop lockdown' should not apply to them.

We create a group "employees", create accounts for all the staff (the privileged users), and add those accounts to the group.

If you're looking to automate this or just like command lines you can do something like this. You'll need the 'whois' package because it provides 'mkpasswd'.


	# create a kioskuser account
	KIOSKUSER="kioskuser"
	KIOSKPSWD="CHANGE-ME"	# placeholder: the password the customers will log in with
	echo "creating an account for the kioskuser"

	# own group, home directory, and 'screen' as login shell so the account never gets a shell;
	# mkpasswd (from the whois package) turns the clear-text password into the crypted form useradd expects
	groupadd $KIOSKUSER
	useradd --shell /usr/bin/screen -m -g $KIOSKUSER -p $(mkpasswd "$KIOSKPSWD") $KIOSKUSER

	# optionally create user accounts for staff: one username per line in users.list
	echo "creating additional user accounts in group employees, with default password."
	groupadd employees
	for i in $(cat ./users.list); do
		# default password is the username; staff should change it at first login
		useradd -m -G employees -p $(mkpasswd "$i") "$i"
	done

add software

Select what software you need to offer to the user and install it. Also install the tools you may need for the rest of this configuration. You can use command lines like these:

	INST_PKGS="bastille rsync whois"
	INST_TOOLS="gconf-editor gconftool alacarte pessulus sabayon xnest"
	INST_APPS="firefox gimp gaim openoffice.org-writer"

	# install packages
	apt-get -y update
	apt-get -y install $INST_PKGS $INST_TOOLS $INST_APPS
	apt-get -y upgrade

There's a list of packages at Ubuntu Dapper Drake custom setup.

lock down the Gnome desktop

Locking down the desktop means that the system administrator will configure the desktop so that it offers only that functionality to the user that is deemed necessary for the computer's purpose (a kiosk system), then lock it down so users cannot modify the desktop, to prevent them from saving their preferences or re-enabling the features we don't want them to use. Obviously, this will include removing menu items that would allow users to open a shell or start certain applications.

The Gnome desktop configuration is managed by GConf, consisting of a GConf daemon, a GConf client tool, and the GConf database, a collection of configuration settings stored in xml and text files. There are many CLI and GUI front-ends that can be used to edit the gnome configuration : gconftool-2, gconf-editor, pessulus ("LockDown Editor"), AlaCarte (menu editor), Sabayon, ..., and if all else fails, you can even rewrite the xml files with any text editor.

So, we have a highly customisable desktop. On top of that, following the Open Desktop specification, Gnome makes an effort to save configuration settings for applications in GConf. So far, this is supported for Firefox and partially for Open Office. This means that preferences and configuration settings for these applications can be managed as an integrated part of the desktop management (and lockdown). That surely sounds great. The downside is that, for Gnome to handle all that in an organised way that is flexible enough to incorporate other (future) applications, it needs to maintain a heap of configuration files, with, on top of that, a distinction between mandatory settings and preferred (but user-changeable) settings, and multiple locations for configuration sources to distinguish between system-wide settings and (multiple) user preferences. That makes it rather complex.

To get a handle on this configuration task, there are multiple front-ends. Some tools, such as pessulus (lockdown editor) and sabayon (desktop configuration frontend) are not included in a standard ubuntu setup and need to be installed separately. gconftool-2 seems the most complete, but it's a command line tool and requires quite some insight into the structure of the gnome configuration files. Sabayon seems to be a very complete GUI front-end, that also allows the creation of profiles (sets of mandatory and preferred settings) and applying them to specific users. Although clearly not finished (see further), it looks very promising.

sabayon

To handle this complexity, Sabayon seems to have the most suitable approach : In Sabayon, you can create user profiles, then for each profile create a customized desktop (including applications). Sabayon starts a simulation (nested X Window session, xnest) of a desktop that you can configure using the standard Gnome customization, select which of these settings you want to be mandatory (not changeable by the user), then assign users to this profile.

So, we'll use sabayon to create a 'kiosk' profile, customize the desktop, lock it down, and assign the kioskuser to it. For Sabayon to work, it looks like you have to install Pessulus (Lockdown Editor) as well.

Customize applications

To customize application preferences and settings, you can run them inside sabayon, and use each application's edit-preferences option to configure it. These will be saved in the GConf repository and applied to the application next time it starts. You'll probably need an extensive checklist to get this right. Things to look for include :

Modifying the menus

To edit menus, you can run AlaCarte inside Sabayon. We modify the menus so that they only show the applications and tools we want the kioskuser to use. This does not remove (uninstall) applications, it only removes menu entries. You will probably want to hide the following items

gnome lockdown

Next, from the Sabayon Edit menu, you can use 'set mandatory' and 'lock down' to enter lockdown settings for the kiosk profile :

Advanced

For those settings that are not accessible in a GUI front end (Sabayon, Alacarte, Pessulus, ...) you can manually edit configuration files. So it should be possible to modify e.g. the Firefox menus and toolbars and make the changes mandatory, because the firefox configuration gets integrated in the Gnome desktop configuration. The configuration files are highly organised in trees of xml files, and I suppose it is easy to screw this up if you don't know what you're doing ...

The Sabayon profiles are saved in /etc/desktop-profiles and each profile consists of a tarball with a collection of gnome config files in it. They can be implemented on other machines : when applied, the config files are copied to the appropriate user's home directory and serve as a user-specific gnome / gdm configuration. So sabayon profiles can be implemented on other machines by copying the profile and applying it, or by copying the appropriate files into a user home by hand (and setting the correct permissions and ownership for them to work).

Check documentation on the gnome site, Sabayon project

In short: If you're starting from a minimal desktop (i.e. the server converted to desktop scenario), there is not so much to remove or lock down : the user has limited rights already, and the only available software is what you installed. For example, although there's a button for 'browsing windows networks', it won't work because you did not install an smbclient ....
Just run Sabayon, and modify the desktop until it looks the way you want it to look to your kiosk user. Then just save it.

If you are looking to run Sabayon from a script, you can try something like this:


	echo "starting sabayon profile editor"

	# is an X server (Xorg) already running ?
	if test "$(ps -e | grep -o Xorg)nok" = "nok"; then
		# we are not running X so we start it to run sabayon
		startx -e sabayon
	else
		sabayon
	fi

That will run sabayon so you can create profiles.

To apply profiles, it is less clear : a sabayon profile is a collection of (user-specific) gnome settings (GConf xml files) that end up in the user home directory, so if they are there, they constitute the user's gnome profile, whether they're created with sabayon or not. The profile also exists as a tar archive in /etc/desktop-profiles, which, I think, is where profiles are kept to be applied in future. You may have to run /usr/sbin/apply-sabayon for changes / profiles to become effective. Maybe run it as a startup script or a Gnome logon script.

TODO: Here is some additional information on Gnome Lockdown :
Gnome Administrators Manual - Lockdown and preconfiguration
Locking Down the GNOME Desktop - Novell CoolSolutionsWiki.

references

More advanced desktop customization / lockdown features will require some study of the extensive, well organized gnome configuration files : anything and everything is configurable and can be set as a 'mandatory' setting, but it is rather hard to find your way through it.

put away your tools

You've denied the kioskuser access to a shell, you've taken away the menu items that give access to configuration tools, etc. but better safe than sorry : it may be a good idea to clean up after yourself and remove these tools altogether :

downside : you may have to re-install them should you ever need them again yourself ...

lock down the system

A locked down desktop is only a first step. Although 80% of the users may be helpless if they don't have anything to click on, that other 20% might well be capable of circumventing the limitations of the locked down desktop. So the system will have to be hardened at the underlying levels as well.

Bastille is a program that will walk you through a large number of configuration settings to help you harden the system, i.e. change the default general purpose configuration into a configuration specific to the role you've assigned to the computer, in this case a kiosk system. See also the web client kiosk.

To install and setup bastille for the first time :

	
	sudo apt-get install bastille
	sudo bastille -c

Of course you will have to consider exactly how you want to harden your kiosk in order to make the right choices : Bastille is just a handy tool to help you implement these choices (and a very useful checklist). Here are some useful settings and considerations for a Bastille Linux Kiosk. You do need to test if everything still works as expected after you've applied them.

You can undo the changes by running RevertBastille or bastille -r.

With or without Bastille, it makes sense to have a closer look at user (group, world) permissions on the system. The following command lists files that are "world writable" - i.e. any user can change them. If you find any, you may ask yourself if that is actually a good idea.

	find /bin /etc /lib /opt /root /srv /var /boot /sbin /usr /sys -type f -perm -0002 -exec ls -l {} \;

Likewise, this command lists files that are "world readable" - any user can read them :

	# -0004 = the world-readable bit (-0001 would list world-executable files instead)
	find /bin /etc /lib /opt /root /srv /var /boot /sbin /usr /sys -type f -perm -0004 -exec ls -l {} \;

You'd be surprised ...

This is a nice expose on file permissions and ownership on Linux (http://www.linuxsecurity.com/content/view/119415/49/), worth a read if you install nautilus so your kioskuser can browse the filesystem.

Close the backdoors

We've already discussed password-protecting the BIOS to rule out alternative boot media that will circumvent the lockdown. Also consider :

secure the boot menu
GRUB can be used to pass boot parameters that would allow the user to boot into maintenance mode or switch to a runlevel where the GUI lockdown is not active. Setting a password on GRUB prevents this. The password does NOT, however, prevent any user from selecting 'recovery mode' (= root access) from the menu.
modify the boot menu
You could choose to remove the recovery mode from the boot menu or lock all menu items except the default (so a password will be required to choose anything but the default entry), and/or set the time-out to 0 seconds. This prevents any user from booting anything other than the default system.

When locking the boot menu like this, be aware that you can't get to maintenance mode either - not even after a regular GUI login (see further). So your options are :
  1. never troubleshoot; only re-install
  2. boot from a rescue cd, after unlocking the BIOS to allow booting from a CD
  3. provide ssh access so you can get a remote console, either for troubleshooting or for changing the boot menu back to something that will allow you a maintenance console
su
Don't log in as root; log in with a user account and su, or stick with Ubuntu's sudo policy. Nonetheless, set a password for root so you can get into maintenance mode if you ever need to.
force GUI logins
After setting up Gnome, the system will start in GUI mode. (if not, set the default runlevel so that it does). You can further set up AutoLogin or TimedAutoLogin so that 'kioskuser' logs in automatically.
Don't let users drop out of the GUI, and don't provide terminals or shells
When a user logs out, gdm will offer a GUI login again, and possibly log in the kioskuser again, so that there is no way to drop out to a console. We did not install xterm, so the user can't get a terminal inside the GUI either. There is no way to run any command other than the applications from the menus. The user might be able to create a script and make it executable, but there's nothing to run it with. The user can create "Launchers" on the desktop, but has insufficient access to programs to execute anything.

In case you wonder why this is necessary : what would you do when you forgot your root password ? Why would that be different for someone who never knew that password to begin with ?

GRUB passwords, timeouts and menu items can be set in /boot/grub/menu.lst (sometimes /boot/grub/grub.conf), and are documented there. Encrypted passwords can be generated with grub-md5-crypt or inside the grub shell.
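As an added check written for this page (not part of the original write-up), the following script audits a GRUB legacy menu.lst for the three settings discussed above : a global password line, a zero timeout, and a 'lock' on every recovery mode entry. It assumes the legacy menu.lst syntax (global 'timeout' and 'password' lines, 'lock' inside an entry after its 'title' line) and takes the path of the file to check as its argument.

```shell
#!/bin/sh
# Constructed example: audit a GRUB legacy menu.lst for the kiosk boot lockdown.
# Findings are printed one per line; the return value is the number of findings
# (0 means the menu is locked down as described above).
set -e

audit_menu_lst() {
    file="$1"
    findings=0

    # 1. Without a global password line, anyone at the console can edit the
    #    kernel line ("e" in the menu) and boot into single-user mode.
    if ! grep -q '^[[:space:]]*password[[:space:]]' "$file"; then
        echo "no global password line: entries can be edited at the boot menu"
        findings=$((findings + 1))
    fi

    # 2. A zero timeout means the menu is never shown, so only the default boots.
    timeout=$(sed -n 's/^[[:space:]]*timeout[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$file" | head -n 1)
    if [ -z "$timeout" ] || [ "$timeout" -ne 0 ]; then
        echo "timeout is '${timeout:-unset}', not 0: a non-default entry can be chosen"
        findings=$((findings + 1))
    fi

    # 3. The password alone does not stop someone from picking a recovery mode
    #    entry, so every such entry needs a "lock" line after its "title".
    unlocked=$(awk '
        /^[[:space:]]*title/ {
            if (title != "" && rec && !locked) print title
            title = $0; rec = ($0 ~ /recovery/); locked = 0
        }
        /^[[:space:]]*lock[[:space:]]*$/ { locked = 1 }
        END { if (title != "" && rec && !locked) print title }
    ' "$file")
    if [ -n "$unlocked" ]; then
        printf '%s\n' "$unlocked" | sed 's/^/unlocked recovery entry: /'
        findings=$((findings + $(printf '%s\n' "$unlocked" | wc -l)))
    fi

    return "$findings"
}
```

Run it as 'audit_menu_lst /boot/grub/menu.lst' after editing the boot menu; an empty result with exit status 0 means all three settings are in place.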

Setting a runlevel 1 password is done in /etc/inittab, by adding 'su:S:wait:/sbin/sulogin /dev/console' following the line 'si::wait:/etc/rc.d/rc.sysinit' - should you need it : Ubuntu apparently takes care of this when you reset the root password.

Deep Freeze

DeepFreeze is a commercial product to restore a computer's configuration to a predefined state, i.e. you configure a system, 'deep freeze' it, and then at every system startup, that state is restored no matter what happened during the previous session. It's a Windows thing, but a guy named lukeprog found a way to mimic DeepFreeze on Linux.

Basically, what we do is back up a preconfigured /home/$USER directory to a tarball (preserving file permissions !), then restore it so all previous changes (including changes to the user-specific hidden config files) get undone by the clean original.

Linux DeepFreeze emulation
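Here is that idea as a small script written for this page (not lukeprog's code) : freeze_home takes the golden copy of a home directory (the kioskuser's, after the Sabayon profile has been applied) into a tarball with permissions preserved, and thaw_home empties the directory, dotfiles included, and restores the tarball over it. Both take the directory and the tarball path as arguments; run thaw_home as root from a boot or logout script so that ownership is restored as well.

```shell
#!/bin/sh
# Constructed example: DeepFreeze-style reset of the kiosk home directory.
# Take the snapshot once, after the desktop has been configured; restore it at
# every boot (or after every gdm logout) so that whatever the previous session
# changed, hidden config files included, is thrown away.
set -e

# Snapshot the golden home into a tarball. -p keeps permissions; archiving "."
# from inside the directory includes hidden files such as .gconf/ and .mozilla/.
freeze_home() {
    home="$1"; snapshot="$2"
    tar -C "$home" -cpf "$snapshot" .
}

# Empty the home directory (dotfiles too, but not the directory itself, whose
# ownership we want to keep) and extract the snapshot over it. As root, tar
# also restores the original owner; an unprivileged run only restores modes.
thaw_home() {
    home="$1"; snapshot="$2"
    if [ ! -f "$snapshot" ]; then
        echo "thaw_home: snapshot $snapshot not found, refusing to wipe $home" >&2
        return 1
    fi
    find "$home" -mindepth 1 -delete
    tar -C "$home" -xpf "$snapshot"
}
```

The refusal to wipe when the snapshot is missing matters: a reset script that runs unconditionally at boot would otherwise leave the kioskuser with an empty home and no desktop configuration at all.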


Reproduce it ?

Given that we want to create a number of kiosk PCs, we will want to reproduce this configuration without room for human error, so we'll have to look for a way to automate it. To do so, you'd begin by applying the setup described in this page to a clean system that will serve as your "baseline image" or "model". We will not clone the disks, so that we can reproduce the kiosk configuration on different hardware - kind of : a completely different hard disk configuration / partitioning scheme or an incompatible processor architecture may still screw things up. Therefore, this write-up focuses on an i386 type processor and installs everything in 1 partition - and hopefully the hardware detection and recognition will handle the rest. :-)

>> Ubuntu Kiosk - Automatic setup


Koen Noens
July 2006
