Building a secure Gentoo Linux kiosk system - part 2
This is part 2 of 2 in building and setting up a secure Gentoo Linux kiosk system. Here I will configure the X system, extras and lock the system down. Part one can be followed here.
Installing and configuring the X system:
emerge xorg-server
# (if you get "A file is not listed in the Manifest", edit /etc/make.conf with vi and set FEATURES=-strict)
env-update
source /etc/profile
/etc/init.d/hald start
rc-update add hald default
Xorg -configure
cp /root/xorg.conf.new /etc/X11/xorg.conf
rm -rf /root/xorg.conf.new
vi /etc/X11/xorg.conf
In the Section “Screen” add the following under Monitor:
DefaultDepth 24
Then in SubSection “Display”, add the following under Depth 24:
Modes "1024x768" "800x600"
Under Section “InputDevice”, replace:
Driver "kbd"
with
Driver "evdev"
and
Driver "mouse"
with
Driver "evdev"
Adding the client user:
useradd -m -G users,audio,wheel clientsales
Automatic login for the client user:
vi /etc/inittab
and replace
c1:12345:respawn:/sbin/agetty 38400 tty1 linux
with
c1:12345:respawn:/sbin/mingetty --autologin clientsales --noclear tty1

# Disable ctrl+alt+delete key combination
# What to do at the "Three Finger Salute".
#ca:12345:ctrlaltdel:/sbin/shutdown -r now
vi /etc/sudoers
Under the “# User privilege specification” section add the following:
clientsales ALL=(ALL) NOPASSWD: ALL
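As an added example that is not part of the original post, here is a small POSIX shell script that makes the inittab edits above with sed on a copy of the file and then checks the result before the copy is installed as /etc/inittab. It assumes the Gentoo inittab layout shown above (a c1 line for tty1 and a ca ctrlaltdel line) and that mingetty is installed; the file path and user name are parameters so it can be exercised on a scratch copy first. It leaves /etc/sudoers alone.

```shell
#!/bin/sh
# Added example (not from the post): make the inittab changes from the post with
# sed on a copy of /etc/inittab and verify the result before installing it.
# Assumes the Gentoo inittab layout shown above (a c1 line for tty1 and a
# ca ctrlaltdel line) and that mingetty is installed.
set -u

# kiosk_inittab FILE USER
# Rewrites the tty1 getty entry to a mingetty autologin for USER and comments
# out the ctrlaltdel action. Safe to run twice: converted lines no longer match.
kiosk_inittab() {
    file=$1; user=$2
    sed -e "s|^c1:\([0-9]*\):respawn:/sbin/agetty .*tty1.*\$|c1:\1:respawn:/sbin/mingetty --autologin $user --noclear tty1|" \
        -e 's|^ca:\([0-9]*\):ctrlaltdel:|#ca:\1:ctrlaltdel:|' \
        "$file" > "$file.new"
    mv "$file.new" "$file"
}

# check_inittab FILE USER
# Prints "ok" when exactly one active tty1 entry exists, it autologs USER,
# and no active ctrlaltdel action remains; otherwise prints the counts found.
check_inittab() {
    file=$1; user=$2
    tty1=$(grep -c '^c1:[0-9]*:respawn:' "$file" || true)
    autologin=$(grep -c "^c1:[0-9]*:respawn:/sbin/mingetty --autologin $user " "$file" || true)
    cad=$(grep -c '^ca:[0-9]*:ctrlaltdel:' "$file" || true)
    if [ "$tty1" = 1 ] && [ "$autologin" = 1 ] && [ "$cad" = 0 ]; then
        echo ok
    else
        echo "tty1=$tty1 autologin=$autologin ctrlaltdel=$cad"
    fi
}

# usage: cp /etc/inittab /tmp/inittab && sh kiosk-inittab.sh /tmp/inittab clientsales
if [ $# -ge 2 ]; then
    kiosk_inittab "$1" "$2"
    check_inittab "$1" "$2"
fi
```

Run it against a copy first and only install the copy over /etc/inittab when check_inittab prints ok; init re-reads the file after `telinit q` or the next reboot.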
Installing a VNC server:
emerge net-misc/tigervnc
vncpasswd
su clientsales
vncpasswd
exit
The startx script (normally /usr/bin/startx) and the system xinitrc (/etc/X11/xinit/xinitrc), which starts Firefox as the X client:

# --- startx ---
userclientrc=$HOME/.xinitrc
sysclientrc=/etc/X11/xinit/xinitrc

userserverrc=$HOME/.xserverrc
sysserverrc=/etc/X11/xinit/xserverrc
defaultclientargs=""
defaultserverargs="-nolisten tcp -br"
clientargs=""
serverargs=""

if [ -f $userclientrc ]; then
    defaultclientargs=$userclientrc
elif [ -f $sysclientrc ]; then
    defaultclientargs=$sysclientrc
fi

if [ -f $userserverrc ]; then
    defaultserverargs=$userserverrc
elif [ -f $sysserverrc ]; then
    defaultserverargs=$sysserverrc
fi

whoseargs="client"
while [ x"$1" != x ]; do
    case "$1" in
    /''*|\.*)
        if [ "$whoseargs" = "client" ]; then
            if [ x"$clientargs" = x ]; then
                clientargs="$1"
            else
                clientargs="$clientargs $1"
            fi
        else
            if [ x"$serverargs" = x ]; then
                serverargs="$1"
            else
                serverargs="$serverargs $1"
            fi
        fi
        ;;
    --)
        whoseargs="server"
        ;;
    *)
        if [ "$whoseargs" = "client" ]; then
            if [ x"$clientargs" = x ]; then
                clientargs="$defaultclientargs $1"
            else
                clientargs="$clientargs $1"
            fi
        else
            case "$1" in
            :[0-9]*)
                display="$1"
                serverargs="$serverargs $1"
                ;;
            *)
                serverargs="$serverargs $1"
                ;;
            esac
        fi
        ;;
    esac
    shift
done

if [ x"$clientargs" = x ]; then
    clientargs="$defaultclientargs"
fi

if [ x"$serverargs" = x ]; then
    serverargs="$defaultserverargs"
fi

if [ x"$XAUTHORITY" = x ]; then
    XAUTHORITY=$HOME/.Xauthority
    export XAUTHORITY
fi

removelist=

# set up default Xauth info for this machine
case `uname` in
Linux*)
    if [ -z "`hostname --version 2>&1 | grep GNU`" ]; then
        hostname=`hostname -f`
    else
        hostname=`hostname`
    fi
    ;;
*)
    hostname=`hostname`
    ;;
esac

authdisplay=${display:-:0}
mcookie=`/usr/bin/mcookie`
dummy=0

# create a file with auth information for the server. ':0' is a dummy.
xserverauthfile=$HOME/.serverauth.$$
xauth -q -f $xserverauthfile << EOF
add :$dummy . $mcookie
EOF
serverargs=${serverargs}" -auth "${xserverauthfile}

# now add the same credentials to the client authority file
# if '$displayname' already exists don't overwrite it as another
# server man need it. Add them to the '$xserverauthfile' instead.
for displayname in $authdisplay $hostname$authdisplay; do
    authcookie=`xauth list "$displayname" \
        | sed -n "s/.*$displayname[[:space:]*].*[[:space:]*]//p"` 2>/dev/null;
    if [ "z${authcookie}" = "z" ] ; then
        xauth -q << EOF
add $displayname . $mcookie
EOF
        removelist="$displayname $removelist"
    else
        dummy=$(($dummy+1));
        xauth -q -f $xserverauthfile << EOF
add :$dummy . $authcookie
EOF
    fi
done

cleanup() {
    [ -n "$PID" ] && kill $PID > /dev/null 2>&1
    if [ x"$removelist" != x ]; then
        xauth remove $removelist
    fi
    if [ x"$xserverauthfile" != x ]; then
        rm -f $xserverauthfile
    fi
    if command -v deallocvt > /dev/null 2>&1; then
        deallocvt
    fi
}
trap cleanup 0

xinit $clientargs -- $serverargs -deferglyphs 16 &
PID=$!
wait $PID
unset PID

# --- /etc/X11/xinit/xinitrc ---
userresources=$HOME/.Xresources
usermodmap=$HOME/.Xmodmap
xinitdir=/etc/X11
sysresources=$xinitdir/Xresources
sysmodmap=$xinitdir/Xmodmap

# merge in defaults and keymaps
if [ -f $sysresources ]; then
    xrdb -merge $sysresources
fi

if [ -f $sysmodmap ]; then
    xmodmap $sysmodmap
fi

if [ -f $userresources ]; then
    xrdb -merge $userresources
fi

if [ -f $usermodmap ]; then
    xmodmap $usermodmap
fi

# First try ~/.xinitrc
if [ -f "$HOME/.xinitrc" ]; then
    XINITRC="$HOME/.xinitrc"
    if [ -x $XINITRC ]; then
        # if the x bit is set on .xinitrc
        # it means the xinitrc is not a
        # shell script but something else
        exec $XINITRC
    else
        exec /bin/sh "$HOME/.xinitrc"
    fi
# If not present, try the system default
elif [ -n "`/etc/X11/chooser.sh`" ]; then
    exec "`/etc/X11/chooser.sh`"
# Failsafe
else
    # start some nice programs
    #twm &
    #xclock -geometry 50x50-1+1 &
    #xterm -geometry 80x50+494+51 &
    #xterm -geometry 80x20+494-0 &
    #exec xterm -geometry 80x66+0+0 -name login
    exec /opt/firefox/firefox
fi
When the system comes back from the reboot, first set all Firefox preferences: do not save passwords, do not use cookies, etc. Set the following URL as the default homepage: file:///home/clientsales/index.html
vi /home/clientsales/.mozilla/firefox/THIS_WILL_BE_DIFFERENT.default/localstore.rdf

sizemode="maximized"
width="1024"
height="768"
vi /home/clientsales/.mozilla/firefox/THIS_WILL_BE_DIFFERENT.default/prefs.js
The default homepage, /home/clientsales/index.html:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><title>Unconfigured System!</title></head>
<body bgcolor="#000000" text="#FFFFFF" link="#FFFFFF" vlink="#FFFFFF">
<br><br><br><br><br><br>
<center><img src="./.startpage/images/stop.png" /></center>
<br><br>
<center><font size="3"><b>This system needs to be configured.
<br><br><font size="8"> Network problem detected!
</font><br><br> Please contact the HELPDESK for support!</b></font></center>
</body></html>
Save the two images below to /home/clientsales/.startpage/images/ with the names exclam.png and stop.png.
The following will remove features that are not needed and free up space:
NOTE: After these commands have run, the kernel sources, portage, man pages, etc. will be removed. You will not be able to add more software to this system via emerge anymore.
This can now be packaged into a nice self-installer CD for rapid deployment to similar hardware.
HINT: The default homepage URL can be changed in batch with scripting. The URL and all other Firefox-specific settings can be altered inside /home/clientsales/.mozilla/firefox/-somenumber-/prefs.js
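The batch change this hint describes, as an added example that is not from the original post: a POSIX shell script that sets user_pref() entries in every profile's prefs.js, replacing an existing entry or appending a new one, so it can be run repeatedly. It covers the homepage and the no-saved-passwords / no-cookies settings mentioned earlier. The profile root directory is a parameter (the post's is /home/clientsales/.mozilla/firefox); the preference names browser.startup.homepage, signon.rememberSignons and network.cookie.cookieBehavior are standard Firefox preferences that do not appear on the page.

```shell
#!/bin/sh
# Added example (not from the post): batch-set Firefox preferences in every
# profile's prefs.js. Assumes the profile layout used in the post,
# PROFILE_ROOT/*.default/prefs.js (PROFILE_ROOT = /home/clientsales/.mozilla/firefox).
# Run it while Firefox is not running: Firefox rewrites prefs.js on exit.
set -u

# set_pref PREFS_FILE NAME VALUE
# VALUE is a JavaScript literal as it appears in prefs.js: "\"text\"", true, false, 2.
# An existing entry for NAME is replaced; otherwise the entry is appended.
set_pref() {
    prefs=$1; name=$2; value=$3
    if grep -qF "user_pref(\"$name\"," "$prefs"; then
        grep -vF "user_pref(\"$name\"," "$prefs" > "$prefs.tmp" || true
        mv "$prefs.tmp" "$prefs"
    fi
    printf 'user_pref("%s", %s);\n' "$name" "$value" >> "$prefs"
}

# get_pref PREFS_FILE NAME -> prints the stored literal, or nothing if unset
get_pref() {
    sed -n "s/^user_pref(\"$2\", \(.*\));\$/\1/p" "$1"
}

# configure_kiosk_profiles PROFILE_ROOT HOMEPAGE
# Applies the kiosk settings from the post to every *.default profile and
# prints how many profiles were updated.
configure_kiosk_profiles() {
    root=$1; homepage=$2; count=0
    for prefs in "$root"/*.default/prefs.js; do
        [ -f "$prefs" ] || continue          # glob did not match anything
        set_pref "$prefs" browser.startup.homepage "\"$homepage\""   # default homepage
        set_pref "$prefs" signon.rememberSignons false               # do not save passwords
        set_pref "$prefs" network.cookie.cookieBehavior 2            # do not accept cookies
        count=$((count + 1))
    done
    echo "$count"
}

# usage: sh kiosk-prefs.sh /home/clientsales/.mozilla/firefox file:///home/clientsales/index.html
if [ $# -ge 2 ]; then
    configure_kiosk_profiles "$1" "$2"
fi
```

Because Firefox rewrites prefs.js when it exits, run this only while the browser is closed (for example from the installer before the first autologin), and point it at a copy of the profile directory first to see what it changes.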