kioskFluxbox

Differences between revisions 10 and 11
Revision 10 as of 2009-12-10 19:57:53
Size: 962
Editor: a91-152-167-106
Comment:
Revision 11 as of 2009-12-10 21:03:38
Size: 15043
Editor: a91-152-167-106
Comment:
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
= Here is a full list of instuructions to install and setup Fluxbox to kiosk-mode =
Old and slow laptops are suitable to be used more or less public kiosk-computers. Old computers are best with suited with lightweight window manager to make user experience more pleasant. This guide is aimed to users with some experience installing and managing linux, but may be enough for less experienced users as well. 
= Ubuntu Fluxbox to kiosk-mode on old laptop =
Old and slow laptops are usually fast enough to be used as more or less public kiosk-computers. Older computers are best with suited with lightweight window manager to make user experience more pleasant. This guide is aimed to users with some experience installing and managing linux, but may be enough for less experienced users as well.

It consist of installing light Ubuntu, Fluxbox desktop environment, Firefox, OpenOffice.org and VLC for users to use.
Line 6: Line 8:
Download Ubuntu Dapper server edition [http://archive.ubuntu.com/ubuntu/dists/dapper/main/installer-i386/current/images/netboot/mini.iso] and burn it to CD.  Download Ubuntu Dapper server edition http://archive.ubuntu.com/ubuntu/dists/dapper/main/installer-i386/current/images/netboot/mini.iso and burn it to CD.
Line 8: Line 10:
== Install miniman Ubuntu ==
Install mini-Dapper and do not install graphical user interface or any x-window-manager. 
== Install basic Ubuntu ==
Install mini-Dapper and without desktop environment (per these instructions) or any x-window-manager.
Line 11: Line 13:
=== Minimal installation ===
You may install Dapper through wizard by starting boot with (it should be the first thing you type in):
||boot: server-expert debian-installer/framebuffer=false||;
You may install Dapper through wizard by starting boot with (it should be the first thing you type in):<<BR>>
'''''boot:'' server-expert debian-installer/framebuffer=false'''

If you have problems with display size, you may also add ''screen=800x600'' at the end (use your own display dimensions).<<BR>>
'''''boot:'' server-expert debian-installer/framebuffer=false screen=800x600'''

With debian-installer -option installer asks lots of questions which means you have control over installation process. Basically it just gives you lighter system, you may leave it out here if you like. Here are some instructions how to pass through all the multiple phases of installation.

After a few seconds after starting installation you'll see an installer menu. Basically you just go through it from top to bottom. Menu gets longer on the way, so go from top top bottom all parts in order. There are also a couple of important security settings here (bold text), please make note of them.

=== Installation menu ===

'''Choose language''' - switch language if you like and select your location (country) also. Locale is based on your language, but you may choose more locales to install here.<<BR>>
'''Select a keyboard layout''' -&gt; choose correct keyboard layout<<BR>>
'''Detect network hardware''' -&gt; automatic detection should be fine (you perhaps do not need PCMCIA-services - no to that question).<<BR>>
'''Configure the network''' -&gt; use DHCP if possible<<BR>>
'''Choose mirror of the Ubuntu archive''' -&gt; choose protocol (http is fine), and country to get packages near you. Repository-url should be XX.archive.ubuntu.org (XX=your country). If it is not - no worries. Basically any suggested country-prefix should be fine, server is just a bit further away.<<BR>>
'''Download installer components''' -&gt; you should not need to choose any of these, but you may wish to go through that list. Accept defaults and installer downloads some more packages - and, magically, new stuff appears in installer menu.<<BR>>
'''Detect discs''' -&gt; choose to detected your hardware. You would probably want to choose all offered modules to make sure system works in all cases. Do not touch module parameters unless you really know what you're doing.<<BR>>
'''Partition disks''' -&gt; Options "Erase entire disk" -&gt; "All files in one partition" -&gt; "Yes" should be fine unless you have other OS on board - which is unlikely on kiosk-laptop. This is the point where your previous OS or data on hard-drive will be destroyed.<<BR>>
'''Configure timezone''' -&gt; choose correct one<<BR>>
'''Configure the clock''' -&gt; UTC is probably fine if you do not have Windows beside the kiosk-installation on board.<<BR>>
'''Set up users and passwords''' -&gt; use shadow passwords for security. '''SECURITY NOTE: Do not allow to login as root''' (login as your other administrative, usually your first created user and do root-stuff with sudo). Setup your admin-user. '''SECURITY NOTE: the more unexpected username and longer password you use, the better'''. Password should be at least 10 characters long and be "complex". We create "''dude''" as our admin-user, you better use another (more complex) string instead.<<BR>>
'''Install base system''' -&gt; installs system and takes some or some more time according to your network capability. Packets ie. pieces of software are downloaded during this phase. '''NOTE''': During this period you need to choose kernel to install. If in doubt, simply choose the one installer chose for you. You may upgrade it later, though, so you may to choose a bit older (lesser in version number) if in doubt. Also do not add any software here - you may add software later. Installer asks you what kind of repos you'd like to use, only truly free software and a like. You may choose all of the repositories if in doubt - no harm done.<<BR>>
'''Build LTSP chroot''' -&gt; go through this as well<<BR>>
'''Configure the package manager''' -&gt; choose YES to all suggested repositories so you do not need to alter repo's list later
Select and install software -&gt; select and wait for a moment...<<BR>>
'''Copy remaining packages to hard disk''' -&gt; choose this<<BR>>
'''Install the GRUB boot loader on a hard disk''' -&gt; install boot loader to the master boot record -&gt; Yes (unless you know what to do). GRUB is usually a must, since this is the first thing your computer loads to get directions how to start OS(OS'es). Use default. DO NOT SKIP.<<BR>>
'''SECURITY NOTE: Do give GRUB a password''' to prevent kiosk-users to override GRUB-settings (security).<<BR>>
'''Finish installation''' -&gt; system will reboot.

Remove your CD and login as ''dude'' (your admin-user).

=== Login and setup system ===

Login with you admin-user account (''dude''). Now, there is no graphical environment - good. We install light desktop environment (graphical front-end) instead of typical ones in Ubuntu. Take a deep breath and go. If you did allow login as root you may leave all sudo-strings away (instead "sudo apt-get update" use "apt-get update").

==== 1. Update your repositories cache and upgrade your distro to the latest ====

'''''dude@flux:$'' sudo apt-get update'''<<BR>>
'''''dude@flux:$'' sudo apt-get upgrade'''<<BR>>
'''''dude@flux:$'' sudo apt-get clean'''<<BR>>
'''''dude@flux:$'' sudo apt-get update'''

==== 2. Install fluxbox-desktop-environment (and some requirements) ====

'''''dude@flux:$'' sudo apt-get -y install xserver-xorg x-window-system-core xterm xdm fluxbox '''

==== 3. Install software you need ====

Here we install OpenOffice, Firefox, Flash-plugin, Java and VLC-mediaplayer.<<BR>>
'''''dude@flux:$'' sudo apt-get -y install openoffice.org vlc firefox flashplugin-nonfree sun-java5-jre sun-java5-plugin'''

It may take some time, especially openoffice.org and java have huge packages. And wait for some time for these packages (and lots of dependencies) to get installed.<<BR>>
Reboot.

==== 4. Lock down kiosk-account ====

Login into GUI-fluxbox as ''dude''! Nice! Then just reconfigure your system to prevent users altering configurations.<<BR>>
'''''dude@flux:$'' sudo reboot'''<<BR>>
to reboot and login as ''dude''. You should see only small bar on bottom and no applications -menu. This menu appears by clicking second mouse button.

Run shell from the menu: '''Apps''' -&gt; '''Shells''' -&gt; '''Bash''' to get to shell.

In bash, add a new user, which will be the kiosk-mode user (we create here account user called fellow):<<BR>>
'''''dude@flux:$'' sudo adduser fellow'''

and answer some questions (fullname, password and some others). Exit (through menu) and login as your new user ''fellow''.

Open again '''shell''' and switch back to your main user.<<BR>>
'''''fellow@flux:$'' su dude'''<<BR>>
'''''dude@flux:$'''''

Now you do have two proper and functioning user accounts, one for maintain (''dude'') and other for kiosk-usage (''fellow''). Next we restrict fellow enough to keep the system and configurations safe and at the same time give access to whatever software we choose to.

You may also restrict options to all new accounts if you create directory '''/etc/skel''' and create all needed (modified) configuration files there. Contents of '''/etc/skel''' is copied to new user account during adduser-process.

First open '''Xresources''' to modify login-window slightly.<<BR>>
'''''dude@flux:$'' sudo nano /etc/X11/xdm/Xresources '''

Modify these lines ('''xlogin*greeting''' and '''xlogin*logiFileName''') as you like:<<BR>>
'''xlogin*greeting: Kiosk netbook for fellow - Fluxbox on Ubuntu (GNU/Linux)'''<<BR>>
'''xlogin*logoFileName: /etc/kiosk/UbuntuLogo.xpm #login image if you wish to use another'''

Edit fluxbox configuration and strip user menu as you like. I did install beforehand some apps (firefox etc) since I wanted kiosk-user to be able to use those programs. Therefore there are some more apps in the menu than you may wisht to do. I also stripped down most of other stuff to make usage of kiosk-computer simpler.<<BR>>
'''''dude@flux:$'' sudo cp /home/fellow/.fluxbox/menu /home/fellow/.fluxbox/menu.orig'''<<BR>>
'''''dude@flux:$'' sudo nano /home/fellow/.fluxbox/menu'''

Change as necessary, I use a special menu-file for kiosk-use. If you add more users and wish to keep same settings for them, this is a easy way to do it.<<BR>>
'''[begin] (Fluxbox) <<BR>>
[include] (/etc/X11/fluxbox/fluxbox-menu-kiosk)<<BR>>
[end]'''

Save (ctrl+o) and exit (ctrl+x).

Change number of workspaces down to one:<<BR>>
dude@flux:$ sudo nano /home/fellow/.fluxbox/init

Find a line with "session.screen().worskpaces" and change the number after it:<<BR>>
'''''session.screen().workspaces: 1'''''

Save (ctrl+o) and exit (ctrl+x).

Protect contents changing ownership and file access permission (fellow may still read contents of file)<<BR>>
'''''dude@flux:$'' sudo chown -R dude:dude /home/fellow/.fluxbox/'''
'''''dude@flux:$'' sudo chmod 0644 /home/fellow/.fluxbox/*'''
'''''dude@flux:$'' sudo chmod 0755 /home/fellow/.fluxbox'''

If you loose user-menu, make sure your user has read permissions on files and execute -permission on directories all the way from root. And re-login if necessary, I noticed sometimes fluxbox menu-system does not re-read permissions if you remove them by mistake.

Now fellow may not make any permanent changes to theme, bar size or position or alike. User may still change any settings after login for that session, but altered settings will not be saved (due to settings-file can't be written).

Next copy original fluxbox-menu -file <<BR>>
'''''dude@flux:$'' sudo cp /etc/X11/fluxbox/fluxbox-menu /etc/X11/fluxbox/fluxbox-menu-kiosk'''
'''''dude@flux:$'' sudo nano /etc/X11/fluxbox/fluxbox-menu-kiosk'''

Alter this new kiosk-menu-file as needed. Here is a short example (which I use) with previously mentioned apps (very short list). Do not ADD anything, just remove extra lines. <<BR>>
'''[begin] (Fluxbox)<<BR>>
    [exec] (Firefox web browser) {firefox} &lt;&gt;<<BR>>
    [exec] (OpenOffice.org Writer) {/usr/bin/oowriter} &lt;&gt;<<BR>>
    [exec] (OpenOffice.org Calc {/usr/bin/oocalc} &lt;&gt;<<BR>>
    [exec] (OpenOffice.org Impress) {/usr/bin/ooimpress} &lt;&gt;<<BR>>
    [exec] (VLC videoplayer) {vlc} &lt;&gt;<<BR>>
    [restart] (Restart computer)<<BR>>
    [exit] (Logout)<<BR>>
[end]
'''

You may delete line you're on with ctrl + k, there are probably quite a few lines to delete. Again, save changes and exit editor.

Then, just in case fellow could somehow drop into shell, we disable account shell-access from fellow. Edit '''/etc/passwd'''-file:<<BR>>
'''''dude@flux:$'' sudo nano /etc/passwd'''

Now, '''be very careful'''. Messing up this file locks you out. There are one user-accout each row. Find your ''fellow'' user-account (probably at the end of file), and alter the end of line from <<BR>>
'''/bin/bash''' --&gt; '''/bin/false''', my example here:

'''fellow:x:1001:1001:Kiosk user,,,:/home/fellow:''/bin/bash'''''<<BR>>
to <<BR>>
'''fellow:x:1001:1001:Kiosk user,,,:/home/fellow:''/bin/false'''''<<BR>>

This way there is no shell access and user can not do any shell modifications. Do not alter it any other way. Save and exit editor.

Now your computer should be quite safe. Our user may logout and reboot computer. User may shutdown computer using power-button. GRUB is safe (behind password).

== Prevent user from killing X-window ==

There is a couple of more things you ''may'' wish to do. Preventing users from killing X-window with key-combination ''Ctrl'' + ''Alt'' + ''Backspace'' reduces rebooting and hassle.

Edit ''xorg.conf''-file (first backup original):<<BR>>
'''''dude@flux:$'' sudo cp -p /etc/X11/xorg.conf /etc/X11/xorg.conf.orig '''<<BR>>
'''''dude@flux:$'' sudo nano /etc/X11/xorg.conf'''

Add this at the end:<<BR>>
'''Section "ServerFlags"<<BR>>
    Option "DontZap" "true"<<BR>>
EndSection'''

Save and exit editor. Now ''Ctrl'' + ''Alt'' + ''Backspace'' won't restart x-window and user does not get locked out (especially good since user can not login into shell).

Note, that user may still wonder around file-system, but as usually in *nix -systems he/she can not make any harm. Every *nix system should be pretty safe even when user could ''see'' the filesystem and not ''write'' anywhere but only in certain places outside homedir ''~/''. If you really need to stop ''kiosk-user'' to read filesystem you may alter file permissions on top of user home-dir (/ and /home) and remove world-readable permission - this way user can not simply explore around filesystem with OpenOffice.org Writer or VLC. This is '''not''' a complete method limiting user access around system, though.

== Protect computer boot-order ==

You probably had to change boot-order through BIOS before linux-install on computer to make it boot from CD. Did or did not, find your to BIOS setup. How - it varies, but usually you can do this with selecting F10/Esc/Delete-button right after boot-up (before OS boot or even GRUB to show up).

Fix boot-order and setup adminstrator password to BIOS. If you do not, anybody can stick a live-cd into your kiosk-computer and do whatever he/she likes (ie. break your system or wipe it away). There are some old laptops though, which can not be fully locked against altering boot order.


== Privacy and other settings on public computer ==

Login into your ''fellow'' -account and start Firefox. Open ''Edit'' -&gt; ''Preferences'' -&gt; ''Privacy'' -&gt; ''Settings''-button and tick all boxes including ''"Clear private data when closing Firefox"''. Firefox will as every time it is closed if user wants to delete private data.

Also I tweked '''Google Docs -link''' to make sure our users may use it. GoogleDocs rejects old Firefox by default but you may use it anyway (in case of trouble you're on your own, though). In URL there is an option to pass browser-validity-check: http://docs.google.com/?browserok=true. GoogleDocs seems to function on Firefox 2 without problems.

Ubuntu Fluxbox to kiosk-mode on old laptop

Old and slow laptops are usually fast enough to be used as more or less public kiosk-computers. Older computers are best with suited with lightweight window manager to make user experience more pleasant. This guide is aimed to users with some experience installing and managing linux, but may be enough for less experienced users as well.

It consist of installing light Ubuntu, Fluxbox desktop environment, Firefox, OpenOffice.org and VLC for users to use.

Download and burn distro

Download Ubuntu Dapper server edition http://archive.ubuntu.com/ubuntu/dists/dapper/main/installer-i386/current/images/netboot/mini.iso and burn it to CD.

Install basic Ubuntu

Install mini-Dapper and without desktop environment (per these instructions) or any x-window-manager.

You may install Dapper through wizard by starting boot with (it should be the first thing you type in):
boot: server-expert debian-installer/framebuffer=false

If you have problems with display size, you may also add screen=800x600 at the end (use your own display dimensions).
boot: server-expert debian-installer/framebuffer=false screen=800x600

With debian-installer -option installer asks lots of questions which means you have control over installation process. Basically it just gives you lighter system, you may leave it out here if you like. Here are some instructions how to pass through all the multiple phases of installation.

After a few seconds after starting installation you'll see an installer menu. Basically you just go through it from top to bottom. Menu gets longer on the way, so go from top top bottom all parts in order. There are also a couple of important security settings here (bold text), please make note of them.

Installation menu

Choose language - switch language if you like and select your location (country) also. Locale is based on your language, but you may choose more locales to install here.
Select a keyboard layout -> choose correct keyboard layout
Detect network hardware -> automatic detection should be fine (you perhaps do not need PCMCIA-services - no to that question).
Configure the network -> use DHCP if possible
Choose mirror of the Ubuntu archive -> choose protocol (http is fine), and country to get packages near you. Repository-url should be XX.archive.ubuntu.org (XX=your country). If it is not - no worries. Basically any suggested country-prefix should be fine, server is just a bit further away.
Download installer components -> you should not need to choose any of these, but you may wish to go through that list. Accept defaults and installer downloads some more packages - and, magically, new stuff appears in installer menu.
Detect discs -> choose to detected your hardware. You would probably want to choose all offered modules to make sure system works in all cases. Do not touch module parameters unless you really know what you're doing.
Partition disks -> Options "Erase entire disk" -> "All files in one partition" -> "Yes" should be fine unless you have other OS on board - which is unlikely on kiosk-laptop. This is the point where your previous OS or data on hard-drive will be destroyed.
Configure timezone -> choose correct one
Configure the clock -> UTC is probably fine if you do not have Windows beside the kiosk-installation on board.
Set up users and passwords -> use shadow passwords for security. SECURITY NOTE: Do not allow to login as root (login as your other administrative, usually your first created user and do root-stuff with sudo). Setup your admin-user. SECURITY NOTE: the more unexpected username and longer password you use, the better. Password should be at least 10 characters long and be "complex". We create "dude" as our admin-user, you better use another (more complex) string instead.
Install base system -> installs system and takes some or some more time according to your network capability. Packets ie. pieces of software are downloaded during this phase. NOTE: During this period you need to choose kernel to install. If in doubt, simply choose the one installer chose for you. You may upgrade it later, though, so you may to choose a bit older (lesser in version number) if in doubt. Also do not add any software here - you may add software later. Installer asks you what kind of repos you'd like to use, only truly free software and a like. You may choose all of the repositories if in doubt - no harm done.
Build LTSP chroot -> go through this as well
Configure the package manager -> choose YES to all suggested repositories so you do not need to alter repo's list later Select and install software -> select and wait for a moment...
Copy remaining packages to hard disk -> choose this
Install the GRUB boot loader on a hard disk -> install boot loader to the master boot record -> Yes (unless you know what to do). GRUB is usually a must, since this is the first thing your computer loads to get directions how to start OS(OS'es). Use default. DO NOT SKIP.
SECURITY NOTE: Do give GRUB a password to prevent kiosk-users to override GRUB-settings (security).
Finish installation -> system will reboot.

Remove your CD and login as dude (your admin-user).

Login and setup system

Login with you admin-user account (dude). Now, there is no graphical environment - good. We install light desktop environment (graphical front-end) instead of typical ones in Ubuntu. Take a deep breath and go. If you did allow login as root you may leave all sudo-strings away (instead "sudo apt-get update" use "apt-get update").

1. Update your repositories cache and upgrade your distro to the latest

dude@flux:$ sudo apt-get update
dude@flux:$ sudo apt-get upgrade
dude@flux:$ sudo apt-get clean
dude@flux:$ sudo apt-get update

2. Install fluxbox-desktop-environment (and some requirements)

dude@flux:$ sudo apt-get -y install xserver-xorg x-window-system-core xterm xdm fluxbox

3. Install software you need

Here we install OpenOffice, Firefox, Flash-plugin, Java and VLC-mediaplayer.
dude@flux:$ sudo apt-get -y install openoffice.org vlc firefox flashplugin-nonfree sun-java5-jre sun-java5-plugin

It may take some time, especially openoffice.org and java have huge packages. And wait for some time for these packages (and lots of dependencies) to get installed.
Reboot.

4. Lock down kiosk-account

Login into GUI-fluxbox as dude! Nice! Then just reconfigure your system to prevent users altering configurations.
dude@flux:$ sudo reboot
to reboot and login as dude. You should see only small bar on bottom and no applications -menu. This menu appears by clicking second mouse button.

Run shell from the menu: Apps -> Shells -> Bash to get to shell.

In bash, add a new user, which will be the kiosk-mode user (we create here account user called fellow):
dude@flux:$ sudo adduser fellow

and answer some questions (fullname, password and some others). Exit (through menu) and login as your new user fellow.

Open again shell and switch back to your main user.
fellow@flux:$ su dude
dude@flux:$

Now you do have two proper and functioning user accounts, one for maintain (dude) and other for kiosk-usage (fellow). Next we restrict fellow enough to keep the system and configurations safe and at the same time give access to whatever software we choose to.

You may also restrict options to all new accounts if you create directory /etc/skel and create all needed (modified) configuration files there. Contents of /etc/skel is copied to new user account during adduser-process.

First open Xresources to modify login-window slightly.
dude@flux:$ sudo nano /etc/X11/xdm/Xresources

Modify these lines (xlogin*greeting and xlogin*logiFileName) as you like:
xlogin*greeting: Kiosk netbook for fellow - Fluxbox on Ubuntu (GNU/Linux)
xlogin*logoFileName: /etc/kiosk/UbuntuLogo.xpm #login image if you wish to use another

Edit fluxbox configuration and strip user menu as you like. I did install beforehand some apps (firefox etc) since I wanted kiosk-user to be able to use those programs. Therefore there are some more apps in the menu than you may wisht to do. I also stripped down most of other stuff to make usage of kiosk-computer simpler.
dude@flux:$ sudo cp /home/fellow/.fluxbox/menu /home/fellow/.fluxbox/menu.orig
dude@flux:$ sudo nano /home/fellow/.fluxbox/menu

Change as necessary, I use a special menu-file for kiosk-use. If you add more users and wish to keep same settings for them, this is a easy way to do it.
[begin] (Fluxbox)
[include] (/etc/X11/fluxbox/fluxbox-menu-kiosk)
[end]

Save (ctrl+o) and exit (ctrl+x).

Change number of workspaces down to one:
dude@flux:$ sudo nano /home/fellow/.fluxbox/init

Find a line with "session.screen().worskpaces" and change the number after it:
session.screen().workspaces: 1

Save (ctrl+o) and exit (ctrl+x).

Protect contents changing ownership and file access permission (fellow may still read contents of file)
dude@flux:$ sudo chown -R dude:dude /home/fellow/.fluxbox/ dude@flux:$ sudo chmod 0644 /home/fellow/.fluxbox/* dude@flux:$ sudo chmod 0755 /home/fellow/.fluxbox

If you loose user-menu, make sure your user has read permissions on files and execute -permission on directories all the way from root. And re-login if necessary, I noticed sometimes fluxbox menu-system does not re-read permissions if you remove them by mistake.

Now fellow may not make any permanent changes to theme, bar size or position or alike. User may still change any settings after login for that session, but altered settings will not be saved (due to settings-file can't be written).

Next copy original fluxbox-menu -file
dude@flux:$ sudo cp /etc/X11/fluxbox/fluxbox-menu /etc/X11/fluxbox/fluxbox-menu-kiosk dude@flux:$ sudo nano /etc/X11/fluxbox/fluxbox-menu-kiosk

Alter this new kiosk-menu-file as needed. Here is a short example (which I use) with previously mentioned apps (very short list). Do not ADD anything, just remove extra lines.
[begin] (Fluxbox)

  • [exec] (Firefox web browser) {firefox} <>
    [exec] (OpenOffice.org Writer) {/usr/bin/oowriter} <>
    [exec] (OpenOffice.org Calc {/usr/bin/oocalc} <>
    [exec] (OpenOffice.org Impress) {/usr/bin/ooimpress} <>
    [exec] (VLC videoplayer) {vlc} <>
    [restart] (Restart computer)
    [exit] (Logout)

[end]

You may delete line you're on with ctrl + k, there are probably quite a few lines to delete. Again, save changes and exit editor.

Then, just in case fellow could somehow drop into shell, we disable account shell-access from fellow. Edit /etc/passwd-file:<<BR>> dude@flux:$ sudo nano /etc/passwd

Now, be very careful. Messing up this file locks you out. There are one user-accout each row. Find your fellow user-account (probably at the end of file), and alter the end of line from
/bin/bash --> /bin/false, my example here:

fellow:x:1001:1001:Kiosk user,,,:/home/fellow:/bin/bash
to
fellow:x:1001:1001:Kiosk user,,,:/home/fellow:/bin/false

This way there is no shell access and user can not do any shell modifications. Do not alter it any other way. Save and exit editor.

Now your computer should be quite safe. Our user may logout and reboot computer. User may shutdown computer using power-button. GRUB is safe (behind password).

Prevent user from killing X-window

There is a couple of more things you may wish to do. Preventing users from killing X-window with key-combination Ctrl + Alt + Backspace reduces rebooting and hassle.

Edit xorg.conf-file (first backup original):
dude@flux:$ sudo cp -p /etc/X11/xorg.conf /etc/X11/xorg.conf.orig
dude@flux:$ sudo nano /etc/X11/xorg.conf

Add this at the end:
Section "ServerFlags"

EndSection

Save and exit editor. Now Ctrl + Alt + Backspace won't restart x-window and user does not get locked out (especially good since user can not login into shell).

Note, that user may still wonder around file-system, but as usually in *nix -systems he/she can not make any harm. Every *nix system should be pretty safe even when user could see the filesystem and not write anywhere but only in certain places outside homedir ~/. If you really need to stop kiosk-user to read filesystem you may alter file permissions on top of user home-dir (/ and /home) and remove world-readable permission - this way user can not simply explore around filesystem with OpenOffice.org Writer or VLC. This is not a complete method limiting user access around system, though.

Protect computer boot-order

You probably had to change boot-order through BIOS before linux-install on computer to make it boot from CD. Did or did not, find your to BIOS setup. How - it varies, but usually you can do this with selecting F10/Esc/Delete-button right after boot-up (before OS boot or even GRUB to show up).

Fix boot-order and setup adminstrator password to BIOS. If you do not, anybody can stick a live-cd into your kiosk-computer and do whatever he/she likes (ie. break your system or wipe it away). There are some old laptops though, which can not be fully locked against altering boot order.

Privacy and other settings on public computer

Login into your fellow -account and start Firefox. Open Edit -> Preferences -> Privacy -> Settings-button and tick all boxes including "Clear private data when closing Firefox". Firefox will as every time it is closed if user wants to delete private data.

Also I tweked Google Docs -link to make sure our users may use it. GoogleDocs rejects old Firefox by default but you may use it anyway (in case of trouble you're on your own, though). In URL there is an option to pass browser-validity-check: http://docs.google.com/?browserok=true. GoogleDocs seems to function on Firefox 2 without problems.

kioskFluxbox (last edited 2009-12-10 21:07:15 by a91-152-167-106)