I help run a medium-sized scientific conference annually. We have an internet cafe / registration room where our attendees may pay for the conference or just surf the web. We used to run WinXP with the hive cleanup tool and a lockdown utility probably created by a Microsoft intern. It worked fairly well. Then Windows released SteadyState, which we tried last year. SteadyState worked as advertised on my test machine, but failed spectacularly at the conference on 80% of the kiosk machines - I'm still not sure why. So on the spot we developed a Kubuntu alternative, which turned out to be better.
You probably want to read my new article on this topic. I will leave this article online for legacy reasons.
The following is how to create a relatively secure internet kiosk using Kubuntu. We assume we are able to relatively trust our users with the computers and the network. If you have to deal with malicious users you may want to add more precautions.
Update 2009-09-21: I can confirm this works in KDE3 and KDE4.
The methodology for this should be to perfect the kiosk as much as possible on one machine (or a VM) first, then clone that machine to all your other computers, changing hostnames where appropriate.
Step 1: PartitionsThe crux of this design is ensuring that any changes to the kiosk user home directory are wiped out after the user logs out. For this we union mount a writable tmpfs on top of a read-only template. This is pretty convenient because anytime you want to change the user template, you simply mount the read-only partition as writable, make your changes, and revert the filesystem scheme. Here is my partition scheme:
Figure 1: Kiosk Partitions
/dev/sda1 is mounted at /, and contains only system files.
/dev/sda2 is swap. Along with RAM, this is the user writable space - increase this for more user space.
/dev/sda3 is the read-only user template. This only needs to be large enough to contain your template files.
The hard drive is small because this is a VM, but you can expand your partitions to any size you like. The good thing about internet kiosks is that they typically need hardly any space. A 6GB drive would suffice for many kiosks. You don't need to use jfs, you can use your fs of choice.
Step 2: Boot from new Kiosk, install required packagesTo create a machine which be compatible with media technologies users are familiar with (certain codecs, flash), edit sources.list and make sure universe, multiverse, and restricted sources are being read. Then do a:
sudo apt-get install firefox unionfs-tools timeoutd openssh-server kubuntu-restricted-extras flashplugin-nonfree
Step 3: Create the Kiosk user
sudo useradd kiosk
Set the password to something long and random, eg: Q5w?47yK&=Asa&mB4g&658tE=BZWZ$KUV2_6c+R#_J9kb462m7v7zNKvNWpe5LWj
Keep this password hidden from the users. This way they don't have access to change their password or remotely log in.
Give kiosk user access to the cdrom, audio, and hot pluggable devices (eg thumbdrives):
sudo usermod -G plugdev,cdrom,audio kiosk
Step 4: Setup your filesystem
sudo mkdir /kiosk-ro sudo mkdir /kiosk-rwSetup your fstab, here is mine:
# /etc/fstab: static file system information. # # <file system> <mount point> <type> <options> <dump> <pass> proc /proc proc defaults 0 0 # /dev/sda1 UUID=d49413fa-a1cb-4677-8ddc-1418a385102d / jfs defaults,errors=remount-ro 0 1 # /dev/sda3 UUID=b50fed0f-15c8-4b02-9faf-21105e2d7acd /kiosk-ro jfs defaults,ro 0 2 # /dev/sda2 UUID=f63af8ab-f085-4a61-b2dc-195366e60e68 none swap sw 0 0 /dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec 0 0When you are creating your template filesystem, do
sudo mount /dev/sda3 /home/kiosk
Make the changes you want (e.g. log into kde as 'kiosk' and set the firefox homepage, install firefox plugins, make desktop shortcuts, etc). When you are done:
sudo umount /home/kiosk
Step 5: Configure KDE to behave as a kioskMake KDE auto-login as user kiosk - when the machine reboots it will already log in as kiosk. Edit /etc/kde4/kdm/kdmrc (/etc/kde3/kdm/kdmrc for kde3) and modify these values:
AutoLoginEnable=true AutoLoginAgain=true AutoLoginUser=kioskNext, edit /etc/kde4/kdm/Xstartup (/etc/kde3/kdm/Xstartup for kde3) and put these lines near the top:
logger "mounting tmpfs at /kiosk-rw" mount -t tmpfs -o mode=777 tmpfs /kiosk-rw logger "mounting unionfs at /home/kiosk" mount -t unionfs -o dirs=/kiosk-rw=rw:/kiosk-ro=ro unionfs /home/kioskAnd /etc/kde4/kdm/Xreset (/etc/kde3/kdm/Xreset for kde3):
logger "unmounting /home/kiosk" umount -t unionfs -fl /home/kiosk logger "unmounting /kiosk-rw" umount -t tmpfs -fl /kiosk-rw
Step 6:Disable crontab for kiosk usercrontab access will allow a maclious kiosk user to exploit accounts of those who use the machine after her. So disable crontab for the kiosk user:
echo 'kiosk' | sudo tee -a /etc/cron.deny
Step 7: Configure an automatic timeout for user kioskBecause of the limitations of timeoutd (installed in step 1), this is the least ideal portion of the kiosk machine. If anyone has a better suggestion, I'd love to hear it.
Put this line in /etc/timeouts:
This line logs the kiosk user out after being idle for 5 minutes. The problem with this package is that, as far as I can tell, there's no way to give a person the warning they will be logged out if they continue to be idle. You can specify a X minute warning, but after X minutes the user is logged out, even if they are no longer idle. Also, there is no way to customize the warning message.
Step 8: Tie the kiosk machine into your infrastructureInstall your ssh-keys into the admin account on the kiosk machine so you have instant ssh access. You could setup syslog-ng for centralized logging, cfengine/puppet for management, or all the plethora of possibilities which are possible with debian/ubuntu packages.
Step 9: Cloning your kiosk machineThis is a full block-by-block copy so it works best if you have a gigabit switch. All you have to do is boot both your master copy and target from a linux boot CD (ubuntu works fine). Turn on the ssh daemon on the target machine. From the master copy type:
sudo dd if=/dev/sda | ssh -t ip.target.machine sudo dd of=/dev/sdaGo read a few chapters of a book or surf the web, after several hours it will be done. You can open up "top" on the target machine to make sure progress is being made.
Step 10: Further Security Considerations
I'm pretty comfortable with how locked down this system is for largely trustable users - but malicious users will be able to find some ways around the safeguards. Perhaps more importantly, you still need to watch out for users physically installing keyloggers to capture information of later users. Keeping the workstation and its connections inside a locked cage/box is a good way to deter keylogging.
Many thanks go to Chris Adams who gave me the initial idea for this project and implementation advice. If anybody has any further suggestions, recommendations, or questions please leave a comment.