
Linux is great to use at home. It can be handy at work. It's a great server operating system. But there's one other place that Linux is really worth its weight in gold: public, or semi-public, computers. There's nothing quite as nerve-wracking as seeing someone on a computer you're responsible for, and wondering what exactly they're up to. Except for maybe seeing someone you're responsible for on a computer, and wondering the same thing.
Public computers are pretty easy to visualize -- in places like internet cafés, libraries, or school computer labs. Semi-public computers are a little more obscure. Semi-public users can be any group from the temp workers in your office to your house guests or kids. The real function you'd want in any of these settings is control of some sort. You want the computer to stay in the condition it was in originally, at least as far as software goes. You might not want the users to have access to certain applications, or maybe they should access the internet through a proxy.
There are a number of ways to achieve this sort of set up. Before you shake your head and start wondering how exactly you're supposed to change login and desktop scripts... Relax. KDE's Kiosk is a pretty simple way to lock down a desktop.
Right now, it appears that Kiosk is still being ported to the KDE4 framework, so you'll have to stick with an older version of KDE for locked down desktops. Since most distros that feature a KDE4 desktop tend to still include KDE 3.5.x alongside it, this shouldn't be an issue.
One nice thing about KDE's Kiosk is how easy it is to install. If you already have a KDE desktop, go to the K Menu, and under Settings see if there is already a menu entry for the Kiosk Admin Tool. Some distributions install it by default.
If it isn't there, fire up your package manager and search for kiosktool. Go ahead and install this package in the usual manner. Feel free to open the application (once again, under the Settings menu), but before we really get configuring we need to set up another user account. We don't want to Kiosk ourselves into a corner.
Open the System Settings panel and click on "User Management." We want to add a new user to our system for each Kiosk Profile we're going to create (just start with one, until you get the hang of it). Click on the Administrator mode button and enter your root password, and we'll add a user.
Click on the new button, and we can create a new user. We creatively called this one "Kiosk" and didn't worry overly about permissions (as Ubuntu seemed restrictive enough by default for a secondary account). Remember to set a password. First log in prompts for a new password via this method, so make sure that you or someone else administering the machine logs in to test the Kiosk set up. If you don't do this, and someone unauthorized changes the password, it can, of course, be reset. But who wants the aggravation?


Now we can get to the locking down bit. We open up the Kiosk Admin Tool and bask in its goodness and light. Really, there isn't too much there, so we don't bask terribly long. Besides, we're allergic to goodness and light.
Here's a hint: It's safer to never mess with the default profile. Just ignore it, and click Add New Profile instead. It's very possible to chalk up previous mistakes to our own idiocy, but Kiosk does seem to associate the user account that is administering the whole thing with "Default." Default is completely unconfigured, which equates of course to a regular old desktop session. If we edit default... We tend to mess with the fabric of the universe, and we find that even as root, or as a regular user, we can't do much of anything.
So here we've named our profile DLS. Yes, we're just bubbling with imagination. Kiosk will then tell us we need to give it permission (root password, again) to make a directory to store this little profile.
Adding the profile dumps us back to the Main Kiosk menu, and we can now set up the profile (make sure you're choosing your new profile).
Here is where the hilarity ensues. If you're a total control freak, like we are (at least when it comes to computers), this is the promised land. There are lists of components, ranging from network proxies and file associations to browser behavior, menus, and desktop backgrounds that can be made to do just about anything. Or absolutely nothing, if you're a total killjoy.
Simply select a component, and click Set Up.
This is the "General" component setup. Doesn't sound too exciting, but for a good locked down environment, you really want to start here and think about what you want your victims, er, users to be able to access. Some things are pretty self-explanatory, some aren't, but Kiosk has done a pretty nice job at giving a run-down of the different functions you can (and should) disable or enable.
When we're done here, we just click finish, and once again are presented with the Kiosk component setup menu. We want to highlight some of the things that are commonly used to secure desktops.
The first is the network proxy. You may want to point your network connection through a proxy server for different reasons. Certainly one of the most common reasons is filtering. If you already have a server running filtering software, you should be able to enter the information here, and filter that Kiosk profile accordingly.
The other option is to run services and applications such as Squid/Squidguard, or DansGuardian on your machine, and direct the Kiosk profile through them.
If you're entering a network proxy, you will almost definitely want to lock down the settings. Trust us. But first, you'll need to click Setup Network Proxy and enter the appropriate network information.
Menus are also a great thing to lock down and trim so that the computer is used just for the tasks you want it used for. Be sure to disable the ability to add and remove menu items for the given profile.
If you've ever edited your own menus in KDE, the following dialog will look pretty familiar. If there are applications you want to encourage people to use, add them here (and, possibly, alternately on the Desktop Icons Component screens). Hate the idea that people will be playing Solitaire when they should be doing data entry, or homework? Remove the temptations here.
See what killjoys we are?
The customization process for a Kiosk profile can take a while, depending on what you're aiming for, but we suggest when you get it looking fairly close to where you'd like, you go ahead and log in, and take a look at the environment you've created.
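Alongside logging in and looking around, the profile's config files can be checked directly for the two lockdowns stressed above: a proxy that is actually locked, and the General restrictions. The script below is an added example, not part of the original article or the Kiosk tool; it relies on the KDE Kiosk framework's `[$i]` immutability marker and the `kioslaverc` and `kdeglobals` file names, which the article does not mention, and its sample file contents and proxy host are constructed.

```python
import re

# Constructed sample files: the proxy was entered but its group was never
# locked, while the action restrictions group carries the [$i] marker.
SAMPLE_KIOSLAVERC = """[Proxy Settings]
ProxyType=1
httpProxy=http://filter.example.lan:3128
"""
SAMPLE_KDEGLOBALS = """[KDE Action Restrictions][$i]
shell_access=false
run_command=false
"""

def parse_kconfig(text):
    """Return {group: {key: (value, immutable)}}, honouring [$i] markers."""
    groups, group, file_lock, group_lock = {}, None, False, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "[$i]" and group is None:       # marker at top: whole file locked
            file_lock = True
        elif line.startswith("["):                 # group header, optionally [$i]
            group_lock = line.endswith("[$i]")
            group = (line[:-4] if group_lock else line).strip("[]")
            groups.setdefault(group, {})
        elif "=" in line and group is not None:
            key, value = line.split("=", 1)
            key_lock = bool(re.search(r"\[\$\w*i\w*\]", key))   # key[$i]=value
            key = re.sub(r"\[\$\w*\]", "", key).strip()
            locked = file_lock or group_lock or key_lock
            groups[group][key] = (value.strip(), locked)
    return groups

def audit(kioslaverc, kdeglobals):
    """List settings a kiosk user could still change or that are not disabled."""
    findings = []
    proxy = parse_kconfig(kioslaverc).get("Proxy Settings", {})
    if proxy.get("ProxyType", ("0", False))[0] == "0":
        findings.append("no proxy configured")
    findings += [f"proxy key {k} is user-changeable"
                 for k, (_, locked) in proxy.items() if not locked]
    restrictions = parse_kconfig(kdeglobals).get("KDE Action Restrictions", {})
    for key in ("shell_access", "run_command"):     # terminal and Alt+F2 runner
        value, locked = restrictions.get(key, ("true", False))
        if value != "false" or not locked:
            findings.append(f"{key} is not disabled and locked")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_KIOSLAVERC, SAMPLE_KDEGLOBALS):
        print("FINDING:", finding)
```

To use it on a real profile, pass in the text of the two files from wherever Kiosk stored the profile on your distribution.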
The KDE Kiosk Admin Tool is useful not only to systems administrators, but also to small in-house IT operations who may or may not have heavy duty Linux skills. It can be especially handy for home users who want to open their computers to their kids or other varieties of co-habitants, but fear the technological havoc that can result.
It's easy to install and set up, and is really only time consuming due to the sheer number of things that can be locked down, opened up, or otherwise fiddled with for maximum security. And look Ma, no scripting!
Reader Comments (Page 1 of 1)
4-21-2008 @ 11:36PM
mtelesha said...
Very good article. I like the fact that this shows an added benefit for using Linux. Also we are going to be replacing our thin clients at my Library and I have been requesting that we use Shuttle KPCs with a locked down Linux.