The following pages outline the process taken to create a secure web kiosk installation of Linux. The kiosk runs a minimal installation of Linux and immediately starts a web browser.
The booth packages and a live CD can be found at the SourceForge website.
This kiosk is essentially a web browsing appliance. The beauty of Linux is
that the OS can be customized to do that one task, leaving out all
unnecessary network services and software. The system can also be locked
down very tightly to prevent a regular user from running anything else or
making any modifications. Physical security (BIOS password and locked
enclosure) is the final defense protecting the software configuration.
The kiosk boots up into a full-screen browser (Mozilla Firefox) started by
the unprivileged "guest" account. The guest account has no shell access,
and no log-in password. No other account exists, except the root account,
which is password-protected, even in single-user mode. Firefox is
configured so as not to allow the guest user access to the file system,
nor to store passwords, nor to cache anything, etc. If the user closes the
browser, X is restarted and a fresh guest home directory is recreated. The
kiosk also resets itself using the same procedure one minute after the
screen saver kicks in, following 5 minutes of inactivity.
Details of the boot process are these. System logging and a two-way
firewall (netfilter) are activated on boot-up. The system auto-boots into
run level 5, then inittab runs a script that cleans up the guest account
and starts X as the guest user. Guest's xsession file launches the screen
saver and the inactivity monitoring script, followed by the Metacity
window manager (required to allow Firefox's menus to work properly), then
finally Firefox itself. If X is killed, it is re-spawned by inittab as just
described. The user cannot initiate a reboot, but can manually restart X
by closing the browser or by the Ctrl-Alt-Backspace key sequence.
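One way to write the script that inittab respawns, as an added example that is not the project's own code. The paths, the `SKEL` template directory, the inittab entry and the use of `su -s` to start X are all assumptions.

```shell
#!/bin/sh
# Added example, not the project's script. Assumed names: GUEST, GUEST_HOME,
# SKEL (a root-owned template holding the locked-down Firefox profile).
# Assumed inittab entry:  x:5:respawn:/usr/local/sbin/kiosk-session start
GUEST="${GUEST:-guest}"
GUEST_HOME="${GUEST_HOME:-/home/guest}"
SKEL="${SKEL:-/etc/kiosk/skel}"

# reset_guest_home SKEL HOME [OWNER]
# Throw away everything the previous session left behind and rebuild HOME
# from the template. Non-zero return means HOME is not in a known-good state.
reset_guest_home() {
    skel=$1; home=$2; owner=${3:-}
    [ -d "$skel" ] || return 1
    # A symlink here would redirect the wipe and the copy somewhere else.
    [ ! -L "$home" ] || return 2
    rm -rf -- "$home" || return 3
    mkdir -m 0700 "$home" || return 3
    cp -R "$skel/." "$home/" || return 3      # "/." also copies dotfiles
    chmod -R go-rwx "$home" || return 3
    if [ -n "$owner" ]; then
        chown -R "$owner" "$home" || return 3
    fi
    return 0
}

# Called by init on every (re)spawn: first boot, browser closed, X killed,
# or the inactivity monitor ending the session.
start_kiosk() {
    # Fail closed: never start X on a stale or half-built home.
    reset_guest_home "$SKEL" "$GUEST_HOME" "$GUEST" || exit 1
    # guest has no login shell, so root names one explicitly for this command.
    exec su -s /bin/sh "$GUEST" -c 'exec startx'
}

case "${1:-}" in
    start) start_kiosk ;;
esac
```

Because the reset runs before X on every respawn, cookies, history and downloads from one session never reach the next, whichever way the session ended.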
David Collie, a co-op student with Engineering Computing, developed the
kiosk under the supervision of Stephen Carr, IST. It is based on the
Damn Small Linux (DSL) distribution (which is based on the Knoppix live CD
distribution, which is based on Debian GNU/Linux). It is open-source software
released through www.sourceforge.net. This project is a fairly
straightforward modification of the well-supported and actively developed
DSL project. DSL was modified and re-mastered. The "dsl" user was removed, and several scripts
were added to control the boot and cleanup functions. The Firefox browser
was configured for security and user privacy. The modifications involved
are documented here.
The kiosk may be built and run in several modes. It may be run as a "live
CD", that is, booted and run from a CD, so that the OS cannot be tampered
with at all. In that case, changes and updates must be done by re-mastering
the live CD image. It may also be installed onto the hard disk, then
managed from there using Debian's update tool (apt-get). In this case the
kiosk may be configured as required with a default home page and white
list of accessible sites. Finally, it may be PXE-booted and run diskless
(an option if many such devices are to be managed conveniently). The SSH
service is running on the machine in its current configuration (the only
exposed service) to allow remote monitoring and maintenance. We plan to
enable logging to a remote server, at which point we will be able to
remove SSH.
We believe that the web kiosk is sufficiently secure to allow users to
access the Internet anonymously (without authenticating via a Network
Authentication Appliance, as is done on UW's
wireless subnet). This Linux-based kiosk is not vulnerable to Windows
exploits and malware, and the user has no permissions to download or run
applications in any case. In its final version it will expose no services
to the network. It is running the last version of the stable 2.4 kernel
for which there are no known exploits. The kernel and Firefox browser will
be updated as required. All deployed kiosks will be monitored to ensure
that they remain secure.
-- Stephen Carr - 13 Mar 2006
-- DavidCollie - 27 Sep 2004