Ask for review: SL6 as KIOSK

[Nicram]

I prepared some document about changing SL6 into KIOSK, so user are capable of going thru websites only.
After few days i also prepared shell script that do all things automatic.
I would like if someone check this if there are any errors or thing that are hard to understand.

The tutorial: http://www.marcinwilk.eu/lang/en-us/2014/05/scientific-linux-6-centos-6-kiosk/
The script: http://www.marcinwilk.eu/sl/make-kiosk.sh

Thank you.

[evert]

Pretty clear. Good work. I didn't try myself though, because I don't need a kiosk. Not sure if everything is enough locked down but seems rather usable.

[joka]

Good description and I assume it will work though I have not tried it myself.

Some remarks:
Instead of AutomaticLogin I would prefer TimedLogin to give an administrator the chance to login to his account, e.g (/etc/gdm/custom.conf).:

CODE

[daemon] TimedLoginEnable=true TimedLogin=xguest TimedLoginDelay=10

I don't understand why you recommend Opera instead of Firefox in a public tutorial.
Firefox is maintained by SL/CentOS, while you have to update Opera yourself.

Fedora and EL have a special tool to create a secured kiosk user, based on SELinux: xguest
Similar to a LiveCD, a xguest session creates a temporary home directory as tmp file system in memory. If the guest/kiosk user logs out, all session data (and cookies, super cookies, changes to the browser profiles made by the user etc.) are gone. SELinux rules limit the rights compared to a standard user: internet access is allowed only for standard HTTP(s) ports.**
Execution of binaries in the home directory (downloaded from Internet by the browser, e.g. potential Kernel exploits) is disallowed.

To configure xguest, save the deskop files (e.g. your .xsession to start the browser in full screen mode) to /etc/skel instead of /home/kiosk.*


*) The author of xguest, Dan Walsh, intended and recommended the tool sabayon to configure the xguest deskop. But to my experience this never worked reliably in Fedora 8-14 and SL 6.
**) Limits are configurable by SELinux booleans

[Nicram]

Thanks for reply!

QUOTE

Instead of AutomaticLogin I would prefer TimedLogin

I will think about changing that. I must first ask how they see it going in real life situation.

QUOTE

I don't understand why you recommend Opera instead of Firefox in a public tutorial. Firefox is maintained by SL/CentOS, while you have to update Opera yourself.

Because Opera got built-in kiosk mode and options that helps to achieve my goals, without installing any additional plugins for web browser.

While xguest is some option, i read about it and try it, and it didn't help me at all. I can disable downloading files with Opera, and same time give possibility to browse FTP for example. Using xguest also is prepared for Firefox which isn't my choice.
When using xguest account, and trying it to use my config files, i must put them in /etc/skel like You said. It will make them used for new accounts, which i do not want.

My idea is to prepare script, that will be used by people, who do not really know Linux OS well, so it will be just easy for them, and it will do the work. Xguest need some more advanced knowledge (like what is SELinux, what is /tmp, how this account really work).