This article is an udpated version of my previous article on the same topic. The reason being because Ubuntu/Kubuntu changed enough recently, the old configuration no longer worked and this warranted a new write-up. This howto was tested in Kubuntu 10.04 (lucid).
The following are the major cause for changes from the previous article.
The following is how to create a relatively secure internet kiosk using Kubuntu. We assume we are able to relatively trust our users with the computers and the network. If you have to deal with malicious users you may want to add more precautions. I am not a security expert so likely have not considered all the avenues for abuse.
The methodology should be to perfect the kiosk as much as possible on one machine (or a VM) first, then clone that machine to all your other computers, changing hostnames where appropriate.
The hard drive is small because this is a VM, but you can expand your partitions to any size you like. The good thing about internet kiosks is that they typically need hardly any space. A 10GB drive would suffice for many kiosks. You don't need to use jfs; you can use your fs of choice.
To create a machine which is compatible with media technologies users are familiar with (certain codecs, flash), edit sources.list and make sure universe, multiverse, and restricted sources are being read. Then do a:
sudo apt-get install firefox openssh-server kubuntu-restricted-extras flashplugin-nonfree ntp openoffice.org unionfs-fuse xautolock
I'd also recommend installing Google Chrome. Install any other applications you or your users want.
sudo useradd kiosk
Set the password to something long and random, eg:
Keep this password hidden from the users. This way they don't have access to change their password or remotely log in.
Give kiosk user access to the cdrom, audio, and hot pluggable devices (eg thumbdrives):
sudo usermod -G plugdev,cdrom,audio kiosk
sudo mkdir /kiosk-ro sudo mkdir /kiosk-rw
Setup your fstab, here is mine:
# /etc/fstab: static file system information. # # <file system> <mount point> <type> <options> <dump> <pass> proc /proc proc defaults 0 0 # /dev/sda1 UUID=d49413fa-a1cb-4677-8ddc-1418a385102d / jfs defaults,errors=remount-ro 0 1 # /dev/sda2 UUID=b50fed0f-15c8-4b02-9faf-21105e2d7acd /kiosk-ro jfs defaults,ro 0 2 # /dev/sda3 UUID=f63af8ab-f085-4a61-b2dc-195366e60e68 none swap sw 0 0 /dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec 0 0
sudo umount /kiosk-ro sudo mount /dev/sda2 /home/kiosk
Login as the kiosk user. Setup the menu, wallpaper, screen saver, auto-start programs, install firefox add-ons, make desktop shortcuts, etc. When the kiosk user logs out, the settings will always revert to how you've set them in this step.
When you are done
sudo umount /home/kiosk sudo mount /kiosk-ro
You can always return to this step later if you want to make changes to your read-only template. You might have to temporarily disable some of the configuration in step 6 if you do, though.
AutoLoginEnable=true AutoLoginAgain=true AutoLoginUser=kioskNext, edit /etc/kde4/kdm/Xstartup and put these lines near the top:
logger "mounting tmpfs at /kiosk-rw" mount -t tmpfs -o uid=kiosk,mode=755 tmpfs /kiosk-rw logger "mounting unionfs at /home/kiosk" unionfs-fuse -o default_permissions,cow,max_files=32768,allow_other,use_ino,nonempty /kiosk-rw=RW:/kiosk-ro=RO /home/kioskAnd this near the bottom, where in this example there is a 5 minute idle logout, and a 1 minute warning before logout:
xautolock -secure -time 5 -locker "logger \"Idle auto-logout triggered\" && killall -u kiosk" -notify 60 -notifier "logger \"Notifying user of impending auto-logout\" && xmessage -center -timeout 60 'IDLE WARNING: Auto logout in 1 minute. Do anything to cancel auto-logout.'" &And /etc/kde4/kdm/Xreset:
logger "unmounting /home/kiosk" fusermount -uz /home/kiosk logger "unmounting /kiosk-rw" umount -fl /kiosk-rw killall xautolock find /tmp -user kiosk -deleteTowards the top of /etc/kde4/kdm/Xsession:
xhost +local:rootThis allows root to attach X programs to the kiosk user's display without worrying about X authentication. This is important for how we are using xautolock and xmessage.
Users will be able to exploit alternative logins (ie anything that spawns new processes) to exploit accounts of following users. Two of which will be vulnerable by default are crontab and ssh. Leave a comment if I've forgotten any. Remember, if you're installing additional packages you may have to secure those too.
crontab access will allow a malicious kiosk user to exploit accounts of those who use the machine after her. So disable crontab for the kiosk user:
echo 'kiosk' | sudo tee -a /etc/cron.deny
Disallow the user to ssh in with a public key they've set or any other authentication method by disabling logins from them entirely
Edit /etc/ssh/sshd_config and add this line:
While you're in there, disable root logins too:
sudo dd if=/dev/sda | ssh -t $destinationIp sudo dd of=/dev/sda
Go read a few chapters of a book or surf the web, after several hours it will be done. You can open up "top" on the target machine to make sure progress is being made.
If you don't need ssh encryption you can use a much faster option to bypass ssh encryption overhead. Run linux boot CDs on both your source (original kiosk) and target (destination kiosk) machines.
On the target machine run:
sudo su #become root
nc -l 9999 > /dev/sda
On the source machine run:
sudo dd if=/dev/sda | nc $destinationIp 9999
I'm pretty comfortable with how locked down this system is for largely trustable users - but malicious users will be able to find some ways around the safeguards. Perhaps more importantly, you still need to watch out for users physically installing keyloggers to capture information of later users. Keeping the workstation and its connections inside a locked cage/box is a good way to deter keylogging.
As with any system, keep your software up-to-date. I recommend unattended upgrades.
Update: 10-14-2010 SANS ISC has a great diary entry about securing kiosk machines