Scientific Linux Forum.org



  Reply to this topicStart new topicStart Poll

> Ask for review: SL6 as KIOSK
Nicram
 Posted: May 31 2014, 11:13 AM
Quote Post


SLF Junior
**

Group: Members
Posts: 35
Member No.: 1399
Joined: 23-March 12









I prepared some document about changing SL6 into KIOSK, so user are capable of going thru websites only.
After few days i also prepared shell script that do all things automatic.
I would like if someone check this if there are any errors or thing that are hard to understand.

The tutorial: http://www.marcinwilk.eu/lang/en-us/2014/05/scientific-linux-6-centos-6-kiosk/
The script: http://www.marcinwilk.eu/sl/make-kiosk.sh

Thank you.
PMUsers WebsiteAOLYahoo
^
evert
 Posted: May 31 2014, 09:11 PM
Quote Post


SLF Rookie
*

Group: Members
Posts: 21
Member No.: 2836
Joined: 2-December 13









Pretty clear. Good work. I didn't try myself though, because I don't need a kiosk. Not sure if everything is enough locked down but seems rather usable.
PMUsers Website
^
joka
 Posted: Jun 3 2014, 08:45 PM
Quote Post


SLF Geek
****

Group: Members
Posts: 172
Member No.: 107
Joined: 28-April 11









Good description and I assume it will work though I have not tried it myself.

Some remarks:
Instead of AutomaticLogin I would prefer TimedLogin to give an administrator the chance to login to his account, e.g (/etc/gdm/custom.conf).:
CODE
[daemon]
TimedLoginEnable=true
TimedLogin=xguest
TimedLoginDelay=10


I don't understand why you recommend Opera instead of Firefox in a public tutorial.
Firefox is maintained by SL/CentOS, while you have to update Opera yourself.

Fedora and EL have a special tool to create a secured kiosk user, based on SELinux: xguest
Similar to a LiveCD, a xguest session creates a temporary home directory as tmp file system in memory. If the guest/kiosk user logs out, all session data (and cookies, super cookies, changes to the browser profiles made by the user etc.) are gone. SELinux rules limit the rights compared to a standard user: internet access is allowed only for standard HTTP(s) ports.**
Execution of binaries in the home directory (downloaded from Internet by the browser, e.g. potential Kernel exploits) is disallowed.

To configure xguest, save the deskop files (e.g. your .xsession to start the browser in full screen mode) to /etc/skel instead of /home/kiosk.*


*) The author of xguest, Dan Walsh, intended and recommended the tool sabayon to configure the xguest deskop. But to my experience this never worked reliably in Fedora 8-14 and SL 6.
**) Limits are configurable by SELinux booleans
PM
^
Nicram
 Posted: Jun 6 2014, 12:29 PM
Quote Post


SLF Junior
**

Group: Members
Posts: 35
Member No.: 1399
Joined: 23-March 12









Thanks for reply!

QUOTE
Instead of AutomaticLogin I would prefer TimedLogin

I will think about changing that. I must first ask how they see it going in real life situation.

QUOTE
I don't understand why you recommend Opera instead of Firefox in a public tutorial.
Firefox is maintained by SL/CentOS, while you have to update Opera yourself.

Because Opera got built-in kiosk mode and options that helps to achieve my goals, without installing any additional plugins for web browser.

While xguest is some option, i read about it and try it, and it didn't help me at all. I can disable downloading files with Opera, and same time give possibility to browse FTP for example. Using xguest also is prepared for Firefox which isn't my choice.
When using xguest account, and trying it to use my config files, i must put them in /etc/skel like You said. It will make them used for new accounts, which i do not want.

My idea is to prepare script, that will be used by people, who do not really know Linux OS well, so it will be just easy for them, and it will do the work. Xguest need some more advanced knowledge (like what is SELinux, what is /tmp, how this account really work).
PMUsers WebsiteAOLYahoo
^
0 User(s) are reading this topic (0 Guests and 0 Anonymous Users)
0 Members:

Topic Options Reply to this topicStart new topicStart Poll