Date

kubuntu.pngI help run a medium-sized scientific conference annually. We have an internet cafe / registration room where our attendees may pay for the conference or just surf the web. We used to run WinXP with the hive cleanup tool and a lockdown utility probably created by a Microsoft intern. It worked fairly well. Then Windows released SteadyState, which we tried last year. SteadyState worked as advertised on my test machine, but failed spectacularly at the conference on 80% of the kiosk machines - I’m still not sure why. So on the spot we developed a Kubuntu alternative, which turned out to be better.

STOP!

You probably want to read my new article on this topic. I will leave this article online for legacy reasons.


The following is how to create a relatively secure internet kiosk using Kubuntu. We assume we are able to relatively trust our users with the computers and the network. If you have to deal with malicious users you may want to add more precautions.

Update 2009-09-21: I can confirm this works in KDE3 and KDE4.

The methodology for this should be to perfect the kiosk as much as possible on one machine (or a VM) first, then clone that machine to all your other computers, changing hostnames where appropriate.

Step 1: Partitions

The crux of this design is ensuring that any changes to the kiosk user home directory are wiped out after the user logs out. For this we union mount a writable tmpfs on top of a read-only template. This is pretty convenient because anytime you want to change the user template, you simply mount the read-only partition as writable, make your changes, and revert the filesystem scheme. Here is my partition scheme:
Kiosk-Partitions.png
Figure 1: Kiosk Partitions
/dev/sda1 is mounted at /, and contains only system files.
/dev/sda2 is swap. Along with RAM, this is the user writable space - increase this for more user space.
/dev/sda3 is the read-only user template. This only needs to be large enough to contain your template files.

The hard drive is small because this is a VM, but you can expand your partitions to any size you like. The good thing about internet kiosks is that they typically need hardly any space. A 6GB drive would suffice for many kiosks. You don’t need to use jfs, you can use your fs of choice.

Step 2: Boot from new Kiosk, install required packages

To create a machine which be compatible with media technologies users are familiar with (certain codecs, flash), edit sources.list and make sure universe, multiverse, and restricted sources are being read. Then do a: sudo apt-get install firefox unionfs-tools timeoutd openssh-server kubuntu-restricted-extras flashplugin-nonfree

Step 3: Create the Kiosk user

sudo useradd kiosk
Set the password to something long and random, eg: Q5w?47yK&=Asa&mB4g&658tE=BZWZ$KUV2_6c+R#_J9kb462m7v7zNKvNWpe5LWj
Keep this password hidden from the users. This way they don’t have access to change their password or remotely log in.

Give kiosk user access to the cdrom, audio, and hot pluggable devices (eg thumbdrives):
sudo usermod -G plugdev,cdrom,audio kiosk

Step 4: Setup your filesystem

sudo mkdir /kiosk-ro sudo mkdir /kiosk-rw Setup your fstab, here is mine:
# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# /dev/sda1
UUID=d49413fa-a1cb-4677-8ddc-1418a385102d /               jfs     defaults,errors=remount-ro 0       1
# /dev/sda3
UUID=b50fed0f-15c8-4b02-9faf-21105e2d7acd /kiosk-ro        jfs     defaults,ro        0       2
# /dev/sda2
UUID=f63af8ab-f085-4a61-b2dc-195366e60e68 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec 0       0
When you are creating your template filesystem, do
sudo mount /dev/sda3 /home/kiosk
Make the changes you want (e.g. log into kde as ‘kiosk’ and set the firefox homepage, install firefox plugins, make desktop shortcuts, etc). When you are done: sudo umount /home/kiosk

Step 5: Configure KDE to behave as a kiosk

Make KDE auto-login as user kiosk - when the machine reboots it will already log in as kiosk. Edit /etc/kde4/kdm/kdmrc (/etc/kde3/kdm/kdmrc for kde3) and modify these values: AutoLoginEnable=true AutoLoginAgain=true AutoLoginUser=kiosk Next, edit /etc/kde4/kdm/Xstartup (/etc/kde3/kdm/Xstartup for kde3) and put these lines near the top: logger "mounting tmpfs at /kiosk-rw" mount -t tmpfs -o mode=777 tmpfs /kiosk-rw logger "mounting unionfs at /home/kiosk" mount -t unionfs -o dirs=/kiosk-rw=rw:/kiosk-ro=ro unionfs /home/kiosk And /etc/kde4/kdm/Xreset (/etc/kde3/kdm/Xreset for kde3): logger "unmounting /home/kiosk" umount -t unionfs -fl /home/kiosk logger "unmounting /kiosk-rw" umount -t tmpfs -fl /kiosk-rw

Step 6:Disable crontab for kiosk user

crontab access will allow a maclious kiosk user to exploit accounts of those who use the machine after her. So disable crontab for the kiosk user: echo 'kiosk' | sudo tee -a /etc/cron.deny

Step 7: Configure an automatic timeout for user kiosk

Because of the limitations of timeoutd (installed in step 1), this is the least ideal portion of the kiosk machine. If anyone has a better suggestion, I’d love to hear it.

Put this line in /etc/timeouts: Al:*:kiosk:kiosk:5:*:*:0
This line logs the kiosk user out after being idle for 5 minutes. The problem with this package is that, as far as I can tell, there’s no way to give a person the warning they will be logged out if they continue to be idle. You can specify a X minute warning, but after X minutes the user is logged out, even if they are no longer idle. Also, there is no way to customize the warning message.

Step 8: Tie the kiosk machine into your infrastructure

Install your ssh-keys into the admin account on the kiosk machine so you have instant ssh access. You could setup syslog-ng for centralized logging, cfengine/puppet for management, or all the plethora of possibilities which are possible with debian/ubuntu packages.

Step 9: Cloning your kiosk machine

This is a full block-by-block copy so it works best if you have a gigabit switch. All you have to do is boot both your master copy and target from a linux boot CD (ubuntu works fine). Turn on the ssh daemon on the target machine. From the master copy type: sudo dd if=/dev/sda | ssh -t ip.target.machine sudo dd of=/dev/sda Go read a few chapters of a book or surf the web, after several hours it will be done. You can open up “top” on the target machine to make sure progress is being made.

Step 10: Further Security Considerations

I’m pretty comfortable with how locked down this system is for largely trustable users - but malicious users will be able to find some ways around the safeguards. Perhaps more importantly, you still need to watch out for users physically installing keyloggers to capture information of later users. Keeping the workstation and its connections inside a locked cage/box is a good way to deter keylogging.

Many thanks go to Chris Adams who gave me the initial idea for this project and implementation advice. If anybody has any further suggestions, recommendations, or questions please leave a comment.


Comments

comments powered by Disqus