Posso colocar o Linux no status 'Party / Kiosk-Mode'?

3

Eu quero criar uma conta de usuário linux (no ubuntu ou debian ou qualquer versão que seja mais adequada para isso) que não pode fazer nada além de apenas visualizar uma página web pré-determinada. Tipo de estilo de quiosque para que o usuário possa observar o que está acontecendo a partir dessa página, mas; não pode executar ou escrever (e este bloqueio é feito preferencialmente também via GUI, ou seja, o usuário não pode minimizar ou fechar o navegador, não pode ver qualquer um dos menus iniciais) qualquer coisa na máquina. Como posso fazer isso?

    
por Cihan Keser 12.10.2009 / 10:04

2 respostas

2

Este site tem vários tutoriais sobre como configurar o Linux como você deseja. Note que pode estar um pouco desatualizado ...

Vou citar a versão "somente site" , mas verifique o site para mais informações.

This is part of an experiment to use Linux as a kiosk system. 'Kiosk System' can mean a couple of things, but here we assume that it's a computer that runs just one application - a web browser - and does not allow the user to do anything else but use that browser. That way, the computer can be left unattended, e.g. in public places (public libraries, ... )

One of the appoaches often taken to accomplish this, is to install Windows, then lock it down and present the user with a limited menu-like user interface - often with specilised software (e.g. WinU). But that feels a bit like wasting resources and money : you'd have to buy a Windows License for a computer that will hardly be used (just a browser ...), and on top of that you pay for additional software to make it run nothing but that one browser. So we looked at it from a different angle : is this something Linux could do, without all the overkill ?

What do we need ?

To run just a web browser we don't need a full-blown desktop : a minimal x-windows system will do : all we need is 1 window in which the browser can run. This approach is also used in this "minimal GUI" setup for a Linux server where we provide a web browser to take advantage of the graphical front-ends to configure the system. Building on that approach, we will set up a base Linux system (install nothing but the operating system - e.g. Debian 3) and add some x-window components so that we can run a web browser (firefox).

Assuming this computer will be unattended, we don't want users to go and play with it, and we definitly don't want users to crack it or try to get escalate their privilegues or install their own software so that the machine becomes a zombie or what not - so we deny them all access to the system. For this, we use 'Bastille'. Bastille is a program that takes you trough the motions of locking down the system. (see Bastille home)

Finally, we want everything to work more or less automaticvally, so we'll take advantage of runlevels and startup scripts.

Installing the software and basic configuration

the base setup We install nothing but a base system, then add the packages we need / want. The os used here is Debian 3.0, network installation. We add bastille, firefox, and some components from the x-windows system : just enough to create windows and provide a GUI logon for the user. We also add ssh for remote administration by root and vim to edit text files.

apt-get install x-window-system fvwm vim ssh

System requirements : any pc capable of running (text mode) linux + xwindows. Hard disk space : ... mb (system + software) + swap + room for browser cache /temporary files. Meaning : any old pc will do.

create a user We create 1 user (www) with password www. This account will be used to use the PC as a web client.

useradd -m -s /bin/false -p mkpasswd www SD www

the windows setup Setting up X-windows means you will have to provide some input (monitor, keyboard, mouse, ...). To modify the configuration : dpkg-reconfigure xserver-xfree86 , or edit the configuration file (/etc/X11/X86config-4).

The configuration of the windows environment is found in the user's home directory (~/.xinitrc), and if that is missing, the system default is used :/usr/X11R6/lib/X11/xinit/xinitrc (re. XFree86 HOWTO). (On Debian) all this xinitrc does is call /etc/X11/Xsession, which in turn refers to files in /etc/X11/Xsession.d and ~/.Xsession. In /etc/X11/Xsession.d we find a script 99xfree86-common_start with an exec $STARTUP statemenent. Assuming that this is where we can put the programs we want to run in X, we replace exec $STARTUP with 'exec firefox'. This way, Firefox will start as soon as the xserver is started, and closing Firefox will stop the xwindows session as well.

To do : read Debian documentation on how to configure window managers and find out how all these x11 files relate to each other. find a way to force height and width on Firefox. We want it fullscreen. "firefox -height 600 -width 800" should work ? Workaround : run firefox once, configure preferences and windows - it will use those settings the next time

the runlevels You may now find that your system now offers a graphical login and starts Firefox rightaway which is what we wanted anyway, except that root prefers a command prompt to set up the system firther. So we change the default runlevel to 3 (in /etc/inittab) and disable the X startup scripts in rc2.d (runlevel 2). Now, the system will boot to runlevel 3 (with GUI login for user www and Firefox started immediately) - root can boot init 2 for a command prompt and no worries.

the bonus While you have now have a GUI, why not include a screensaver ? 'The Matrix' is a nice one.

the Bastille Bastille is a program that will walk you through a large number of configuration settings to make your system more secure. Some have to do with networking, e.g. it sets up a firewall which - in the case of a web kiosk - should only allow outgoing http, and accept only replies to outgoing traffic. Another set of settings secures the system as such, by means of 'chroot', modyfing some file system permissions, and tightening the use of SUID. One feature is extremely useful for an unattended PC : setting a (root) password to runlevel 1 ('single user mode', 'root mode', 'recovery mode'; 'maintenance mode'). In single user mode, one could reset the root password and consequently log on as root - clearly a threath for an unattended computer : just pull the plug or hit the power button and you bypass all security, even with ctrl+alt+del disabled and shutdown/reboot only available to the root user.

Another point is the disabling of printers and /or give the ability to manage print jobs to root only. You'll have to figure this out depending on what this PC will be used for and whether the www user needs printing or not. In this locked down Ubunto/Gnome desktop kiosk system are some details about appropriate settings.

    
por 12.10.2009 / 10:30
1

Isso pode ser feito usando o SELinux. A política do Fedora SElinux suporta um usuário convidado especial chamado xguest

The xguest package provides a kiosk user account. This account is used to secure machines that people walk up to and use, such as those at libraries, banks, airports, information kiosks, and coffee shops. The kiosk user account is very locked down: essentially, it only allows users to log in and use Firefox to browse Internet websites. Any changes made while logged in with his account, such as creating files or changing settings, are lost when you log out.

Veja o Guia do Usuário do Fedora 11 Security Enhanced Linux.

    
por 12.10.2009 / 15:10

Tags