| Comments

Building a secure Gentoo Linux kiosk system - part 2

This is part 2 of 2 in building and setting up a secure Gentoo Linux kiosk system. Here I will configure the X system, extras and lock the system down. Part one can be followed here.




Installing and configuring the X system:

1
2
3
4
5
6
7
8
9
10
11
12

emerge xorg-server (if you get "A file is not listed in the Manifest"... do, vi /etc/make.conf and FEATURES=-strict)

env-update
source /etc/profile

/etc/init.d/hald start
rc-update add hald default

Xorg -configure

cp /root/xorg.conf.new /etc/X11/xorg.conf
rm -rf /root/xorg.conf.new

1

vi /etc/X11/xorg.conf

In the Section “Screen” add the following under Monitor:

1

DefaultDepth 24

Then in SubSection “Display”, Depth 24 add the following under Depth 24:

1

Modes "1024x768" "800x600"

Under Section “InputDevice”, replace:

1

Driver "kbd"

with

1

Driver "evdev"

and

1

Driver "mouse"

with

1

Driver "evdev"

Adding the client user:

1

useradd -m -G users,audio,wheel clientsales

Automatic login the client user:

1

vi /etc/inittab

and replace

1

c1:12345:respawn:/sbin/agetty 38400 tty1 linux

with

1
2
3
4
5

c1:12345:respawn:/sbin/mingetty --autologin clientsales --noclear tty1

#Disable ctrl+alt+delete key combination
# What to do at the "Three Finger Salute".
#ca:12345:ctrlaltdel:/sbin/shutdown -r now

1

vi /etc/sudoers

Under the “# User privilege specification” section add the following:

1

clientsales ALL=(ALL) NOPASSWD: ALL

Installaing a VNC server:

1
2
3
4
5

emerge net-misc/tigervnc
vncpasswd
su clientsales
vncpasswd
exit

1

vi /etc/X11/xorg.conf

Add the following to Section “Module”

1

        Load  "vnc"

Add the following to Section “Screen”

1

        Option     "PasswordFile"    "/home/clientsales/.vnc/passwd"

Installing sound:

1
2
3
4

emerge alsa-utils
alsamixer to configure sound levels
alsaconf
rc-update add alsasound boot

Note: Firefox 3.6 and newer does NOT work as below with the Java plugin.

Installing the Firefox browser with all dependencies:

1
2
3
4
5

emerge mozilla-firefox
emerge -C mozilla-firefox
cd /opt
wget http://mirror.atratoip.net/mozilla/firefox/releases/3.5.7/linux-i686/is/firefox-3.5.7.tar.bz2
bzip2 firefox-3.5.7.tar.bz2

Installing Adobe Flash plugin:

Download the tar.gz version from Adobe and copy the gz file to /opt/.

1

tar -zxvf install_flash_player_10_linux.tar

move the .so file to /opt/firefox/plugins/

Installing Sun Java Runtime Environment:

1

emerge -C dev-java/icedtea6-bin

Download Sun JRE bin file and install in /opt/

1
2
3

chmod +x jre-6u20-linux-i586.bin
./jre-6u20-linux-i586.bin
ln -s /opt/jre1.6.0_18/plugin/i386/ns7/libjavaplugin_oji.so /opt/firefox/plugins/libjavaplugin_oji.so

Adding environment variables for JAVA, lockdown and make X automatically start at boot for the clientsales user profile.

1

su clientsales

1

vi /home/clientsales/.bashrc (Add the following:)

1
2
3
4
5
6
7

export J2RE_HOME=/opt/jre1.6.0_18
export PATH=$J2RE_HOME/bin:$PATH
sudo /bin/stty intr undef
sudo /bin/stty kill undef
sudo /bin/stty quit undef
sudo /bin/stty susp undef
sudo startx &>/dev/null
1

exit

1

vi startx

Paste the following code and save:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

userclientrc=$HOME/.xinitrc
sysclientrc=/etc/X11/xinit/xinitrc

userserverrc=$HOME/.xserverrc
sysserverrc=/etc/X11/xinit/xserverrc
defaultclientargs=""
defaultserverargs="-nolisten tcp -br"
clientargs=""
serverargs=""

if [ -f $userclientrc ]; then
    defaultclientargs=$userclientrc
elif [ -f $sysclientrc ]; then
    defaultclientargs=$sysclientrc

fi
if [ -f $userserverrc ]; then
    defaultserverargs=$userserverrc
elif [ -f $sysserverrc ]; then
    defaultserverargs=$sysserverrc
fi

whoseargs="client"
while [ x"$1" != x ]; do
    case "$1" in
      /''*|\.*) if [ "$whoseargs" = "client" ]; then
                  if [ "x$clientargs" = x ]; then
                      clientargs="$1"
                  else
                      clientargs="$clientargs $1"
                  fi
              else
                  if [ "x$serverargs" = x ]; then
                      serverargs="$1"
                  else
                      serverargs="$serverargs $1"
                  fi
              fi ;;
      --) whoseargs="server" ;;
      *) if [ "$whoseargs" = "client" ]; then
                  if [ "x$clientargs" = x ]; then
                      clientargs="$defaultclientargs $1"
                  else
                      clientargs="$clientargs $1"
                  fi
              else
                  case "$1" in
                      :[0-9]*) display="$1"; serverargs="$serverargs $1";;
                      *) serverargs="$serverargs $1" ;;
                  esac
              fi ;;
    esac
    shift
done

if [ x"$clientargs" = x ]; then
 clientargs="$defaultclientargs"
fi
if [ x"$serverargs" = x ]; then
 serverargs="$defaultserverargs"
fi

if [ x"$XAUTHORITY" = x ]; then
    XAUTHORITY=$HOME/.Xauthority
    export XAUTHORITY
fi

removelist=

# set up default Xauth info for this machine
case `uname` in
Linux*)
 if [ -z "`hostname --version 2>&1 | grep GNU`" ]; then
  hostname=`hostname -f`
 else
  hostname=`hostname`
 fi
 ;;
*)
 hostname=`hostname`
 ;;
esac

authdisplay=${display:-:0}
mcookie=`/usr/bin/mcookie`
dummy=0

# create a file with auth information for the server. ':0' is a dummy.
xserverauthfile=$HOME/.serverauth.$$
xauth -q -f $xserverauthfile << EOF
add :$dummy . $mcookie
EOF
serverargs=${serverargs}" -auth "${xserverauthfile}

# now add the same credentials to the client authority file
# if '$displayname' already exists don't overwrite it as another
# server man need it. Add them to the '$xserverauthfile' instead.
for displayname in $authdisplay $hostname$authdisplay; do
     authcookie=`xauth list "$displayname" \
       | sed -n "s/.*$displayname[[:space:]*].*[[:space:]*]//p"` 2>/dev/null;
    if [ "z${authcookie}" = "z" ] ; then
        xauth -q << EOF
add $displayname . $mcookie
EOF
 removelist="$displayname $removelist"
    else
        dummy=$(($dummy+1));
        xauth -q -f $xserverauthfile << EOF
add :$dummy . $authcookie
EOF
    fi
done

cleanup() {
    [ -n "$PID" ] && kill $PID > /dev/null 2>&1

if [ x"$removelist" != x ]; then
    xauth remove $removelist
fi
if [ x"$xserverauthfile" != x ]; then
    rm -f $xserverauthfile
fi

if command -v deallocvt > /dev/null 2>&1; then
    deallocvt
fi
}

trap cleanup 0

xinit $clientargs -- $serverargs -deferglyphs 16 &

PID=$!

wait $PID

unset PID

1
2

chmod +x startx
cp startx /usr/bin/startx

1

vi xinitrc

Paste the following code and save:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

userresources=$HOME/.Xresources
usermodmap=$HOME/.Xmodmap
xinitdir=/etc/X11
sysresources=$xinitdir/Xresources
sysmodmap=$xinitdir/Xmodmap

# merge in defaults and keymaps

if [ -f $sysresources ]; then
    xrdb -merge $sysresources
fi

if [ -f $sysmodmap ]; then
    xmodmap $sysmodmap
fi

if [ -f $userresources ]; then
    xrdb -merge $userresources
fi

if [ -f $usermodmap ]; then
    xmodmap $usermodmap
fi

# First try ~/.xinitrc
if [ -f "$HOME/.xinitrc" ]; then
 XINITRC="$HOME/.xinitrc"
 if [ -x $XINITRC ]; then
  # if the x bit is set on .xinitrc
  # it means the xinitrc is not a
  # shell script but something else
  exec $XINITRC
 else
  exec /bin/sh "$HOME/.xinitrc"
 fi
# If not present, try the system default
elif [ -n "`/etc/X11/chooser.sh`" ]; then
 exec "`/etc/X11/chooser.sh`"
# Failsafe
else
 # start some nice programs
        #twm &
        #xclock -geometry 50x50-1+1 &
        #xterm -geometry 80x50+494+51 &
        #xterm -geometry 80x20+494-0 &
        #exec xterm -geometry 80x66+0+0 -name login
        exec /opt/firefox/firefox
fi

1
2

chmod +x xinitrc
cp xinitrc /etc/X11/xinit/xinitrc

Adding some cron entries if needed:

1

crontab -e

Reboot the system:

1

init 6

When the system returns from boot, first set all Firefox preferences. Not saving passwords, not using cookies, exc. Set the following URL as the default homepage: file:///home/clientsales/index.html

1

vi /home/clientsales/.mozilla/firefox/THIS_WILL_BE_DIFFERENT.default/localstore.rdf

1
2
3

sizemode="maximized"
width="1024"
height="768"
1

vi /home/clientsales/.mozilla/firefox/THIS_WILL_BE_DIFFERENT.default/prefs.js

Add the following 3 lines and save:

1
2
3

user_pref("accessibility.browsewithcaret", false);
user_pref("accessibility.warn_on_browsewithcaret", false);
user_pref("browser.startup.homepage", "file:///home/clientsales/index.html");
1
2

mkdir /home/clientsales/.startpage
mkdir /home/clientsales/.startpage/images

1

vi /home/clientsales/.startpage/defaulthtml

Paste the following code and save:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
  <title>Unconfigured System!</title>
  </head>
  <body bgcolor="#000000" text="#FFFFFF" link="#FFFFFF" vlink="#FFFFFF">
    <br>
    <br>
    <br>
    <br>
    <br>
    <br>
    <center><img src="./.startpage/images/stop.png" /></center>
    <br>
    <br>
    <center><font size="3"><b>This system needs to be configured.
    <br>
    <br>
    <font size="8">
    Network problem detected!
    </font>
    <br>
    <br>
    Please contact the HELPDESK for support!</b></b></font></center>
  </body>
</html>

Save the 2 images below to /home/clientsales/.startpage/images/ with names exclam.png and stop.png

1

chown -R clientsales:clientsales /home/clientsales/

1

vi /etc/prep_default_page.sh

And paste the following code:

1
2
3
4
5
6
7
8
9
10
11

#!/bin/bash

##URL in prefs.js must be pointing to: file:////home/clientsales/index.html

ipaddr=`ifconfig |grep Bcast |sed 's/Bcast.*//' |sed 's/          inet addr://'`
if [ "$ipaddr" == "" ]
   then
      cat /home/clientsales/.startpage/defaulthtml > /home/clientsales/index.html
   else
      cat /home/clientsales/.startpage/defaulthtml |sed "s/Network problem detected!/IP Address: $ipaddr/" |sed 's/stop.png/exclam.png/' > /home/clientsales/index.html
fi

1
2

chmod +x /etc/prep_default_page.sh
chown root:root /etc/prep_default_page.sh

1

vi /etc/conf.d/local.start

Add the following line:

1

/etc/prep_default_page.sh

1

vi /etc/conf.d/rc

Make the following two changes:

1
2

RC_PARALLEL_STARTUP="yes"
RC_INTERACTIVE="no"

Cleaning up the system and make it smaller:

Purge unused locales:

1

vi /etc/locale.gen

Uncomment the following entries:

1
2

en_US ISO-8859-1
en_US.UTF-8 UTF-8
1

locale-gen

The following will remove features not needed and gain space:

NOTE: After these commands ran, kernel source, portage, man pages, exc will be removed. You will not be able to add more software to this system via emerge anymore.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

rm -rf /home/clientsales/.serverauth.*
rm -rf /usr/portage/*
rm -rf /var/tmp/portage/*
rm -rf /usr/share/man/*
rm -rf /usr/src/linux-*
rm -rf /usr/share/portage/*
rm -rf /usr/share/man/*
rm -rf /var/tmp/*
rm -rf /usr/share/doc
rm -rf /var/log/*
rm -rf /var/db/pkg/*
rm -rf /root/.mozilla
rm -rf /usr/share/locale/a*
rm -rf /usr/share/locale/b*
rm -rf /usr/share/locale/c*
rm -rf /usr/share/locale/d*
rm -rf /usr/share/locale/f*
rm -rf /usr/share/locale/g*
rm -rf /usr/share/locale/h*
rm -rf /usr/share/locale/i*
rm -rf /usr/share/locale/j*
rm -rf /usr/share/locale/k*
rm -rf /usr/share/locale/m*
rm -rf /usr/share/locale/n*
rm -rf /usr/share/locale/o*
rm -rf /usr/share/locale/p*
rm -rf /usr/share/locale/q*
rm -rf /usr/share/locale/r*
rm -rf /usr/share/locale/s*
rm -rf /usr/share/locale/t*
rm -rf /usr/share/locale/v*
rm -rf /usr/share/locale/w*
rm -rf /usr/share/locale/x*
rm -rf /usr/share/locale/y*
rm -rf /usr/share/locale/z*
rm -rf /usr/share/locale/el*
rm -rf /usr/share/locale/eo*
rm -rf /usr/share/locale/es*
rm -rf /usr/share/locale/et*
rm -rf /usr/share/locale/lg*
rm -rf /usr/share/locale/li*
rm -rf /usr/share/locale/lt*
rm -rf /usr/share/locale/lv*
rm -rf /usr/share/locale/ug*
rm -rf /usr/share/locale/ur*
rm -rf /usr/share/locale/uz*
find / \( -iname ".serverauth.*" \) -delete

Give this build a version number:

1

echo "1.000-2.6.31r6-i686" > /etc/build

Install Firefox kiosk mode plugin:

Install the Firefox r-kiosk plugin from here.

Reboot your system!

This can now be packaged into a nice self-installer CD for rapid deployment to similar hardware.

HINT: The default homepage URL can be changed in batch with scripting. The URL and all other Firefox specific settings can be altered inside /home/clientsales/.mozilla/firefox/-somenumber-/prefs.js

Comments