Difference between revisions of "Kiosk"
(→Notes) |
|||
(23 intermediate revisions by the same user not shown) | |||
Line 12: | Line 12: | ||
After a quick search it seems that Ubuntu has been used alot for the Kiosk OS. Their are numerous lockdown guides to securing the OS for a Kiosk. It looks like Chrome, Firefox, and Opera can all be used for the browsing. | After a quick search it seems that Ubuntu has been used alot for the Kiosk OS. Their are numerous lockdown guides to securing the OS for a Kiosk. It looks like Chrome, Firefox, and Opera can all be used for the browsing. | ||
− | =Process= | + | =Manual Process= |
*Install a LTS version of Ubuntu | *Install a LTS version of Ubuntu | ||
*Update System | *Update System | ||
Line 22: | Line 22: | ||
*Install R-kiosk | *Install R-kiosk | ||
**Disable Plug-in | **Disable Plug-in | ||
+ | *Install dansguardian | ||
+ | *Install tinyproxy | ||
+ | *Install firehol | ||
+ | |||
+ | =Automated Process= | ||
+ | |||
+ | http://jacob.steelsmith.org/content/ubuntu-kiosk-based-10041 | ||
+ | |||
+ | It looks like someone has a LiveCD/InstallCD/Release of Ubuntu LTS out that has alot of the kiosk things done for you. The individual has the scripts available but not the configuration files for download on his website. But he is missing documentation/examples of what he did to the install so the scripts will run well. For example the creator distributes the scripts but not the config file directory where the scripts source from. He does not show how he editied the .xsession file to make ff start as the kiosk user. Etc. I may or may not document what I did but I am going to provide some files for downloading that have the config files and copies of the kiosk users home dir from the boot cd for the future. | ||
+ | |||
+ | It also looks like the creator has specific versions of software installed. An older but working version of firefox, etc. I tried doing an apt-get update/upgrade and it messed with system. I think one of the plugins does not work with ff. This can be easily fixed but I do not have the time. It could have been something bigger though. Something he customized that when upgraded borked the system. | ||
+ | |||
+ | |||
+ | Default itadmin password is 'changeme' | ||
+ | |||
+ | |||
+ | To edit Firefox settings edit /home/kiosk/.xsession and make FF go into safe mode. | ||
+ | |||
+ | ==Other things I did== | ||
+ | *Installed/Upgraded Java and the flashplugin: aptitude install openjdk-6-jre flashplugin-nonfree | ||
+ | *Disabled tabbed browsing in FF (Options, Tabs, Always Show Tabs): http://www22.verizon.com/residentialhelp/fiosinternet/general+support/top+questions/questionsone/121582.htm | ||
+ | *I added the Firefox extensions R-kiosk and Reset Kiosk | ||
+ | *After turning on dansguardian I could not ssh into the box. I allowed ping and ssh by editing the firehol config: | ||
+ | |||
+ | {{File|firehol.conf|<nowiki> | ||
+ | iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP | ||
+ | |||
+ | transparent_squid 8080 "root root" | ||
+ | |||
+ | server_ssh_ports="tcp/22022" | ||
+ | |||
+ | interface any world | ||
+ | policy drop | ||
+ | protection strong | ||
+ | client all accept | ||
+ | server cups accept | ||
+ | server ssh accept | ||
+ | server ping accept | ||
+ | </nowiki> | ||
+ | }} | ||
+ | |||
+ | I disabled Caret Browsing | ||
+ | **about:config - accessibility.browsewithcaret_shortcut.enabled - false | ||
+ | **about:config - accessibility.warn_on_browsewithcaret - false | ||
+ | *I disabled the printscreen feature in gnome but putting ' xmodmap -e "keysym Print = BackSpace" ' in /home/kiosk/.xsession | ||
+ | *ctrl+alt+f4 was logging the user out or closing the window or switching sessions or something I disabled with ' xmodmap -pke | sed -n 's/ = .*VT_4.*/ = /p' | xmodmap - ' | ||
+ | |||
+ | *I wanted to be able to VNC in to a system because I was sending it out. If their where any problems I wanted to be able to see them. I can already ssh in. I want to VNC in. | ||
+ | |||
+ | aptitude install x11vnc | ||
+ | |||
+ | Ubuntu Wiki has a nice script: | ||
+ | |||
+ | #!/bin/sh | ||
+ | ssh -f -L 5900:localhost:5900 rebecca@rebeccas-pc.dyndns.org \ | ||
+ | x11vnc -safer -localhost -nopw -once -display :0 \ | ||
+ | && sleep 5 \ | ||
+ | && vncviewer localhost:0 | ||
+ | |||
+ | Seems to work fine if a user is logged in. | ||
+ | |||
+ | I want vnc to start before login just in case. | ||
+ | |||
+ | Edit /etc/gdm/Init/Default and put: | ||
+ | # Start the x11vnc Server | ||
+ | sudo /usr/bin/x11vnc -safer -localhost -once -nopw -auth /var/lib/gdm/:0.Xauth -display :0 -bg -forever | ||
+ | |||
+ | Right before exit 0 at the end of the file. You have to have -bg. If the process does not background then gdm will be stuck until that proccess exits | ||
+ | |||
+ | *I want the kiosk to save cookies. | ||
+ | **I modded the kioskfox plugin /defaults/preferences/kiosk_prefs.js and changed pref("browser.privatebrowsing.autostart",false); to true. | ||
+ | **I had to reinstall the new plugin | ||
+ | **I had to go to privacy and disable remember search and form history (we are using this for form email signups) | ||
+ | **I had to go to security and disable remember passwords for sites | ||
+ | **Though I have the locations bar hidden: privacy, location bar, nothing | ||
+ | **security, warning messages, uncheck all | ||
+ | **advanced, general, unchecked check spelling | ||
+ | **advanced, general, uncheck submit crash reports | ||
+ | **advanced, network, uncheck tell me when website wants to store offline | ||
+ | **advanced, update, unchecked add-ons, search-engines | ||
+ | **about:config | ||
+ | ***browser:session | ||
+ | ****store.max_resumed_crashes 0 | ||
+ | ****store.max_tabs_undo 0 | ||
+ | ****store.max_windows_undo 0 | ||
+ | ****history.max_entries 0 | ||
+ | ****store.resume_from_crash false | ||
+ | ****store.privacy_level 2 | ||
+ | ***I could have done a prefs.js with browser.sessionstore.resume_session_once set false on every startup I think | ||
+ | *This prolly saves cookies but it did not solve my problem :p (I am trying to get past an age block prompt) | ||
+ | **I had to add a cookie to the code | ||
+ | *Change the hostname: nano /etc/hostname | ||
+ | *Change the hostname again: nano /etc/resolv.conf | ||
+ | *./toggle-auto-shutdown disable for me | ||
+ | *I made my own /etc/gdm/custom.conf to lock the kiosk @ http://library.gnome.org/admin/gdm/stable/configuration.html.en | ||
+ | [daemon] | ||
+ | AutomaticLoginEnable=true | ||
+ | AutomaticLogin=kiosk | ||
+ | |||
+ | ==Disable Screen Blanking== | ||
+ | |||
+ | {{Note|After some testing...I think the xorg.conf is the one that really works}} | ||
+ | |||
+ | Add to: | ||
+ | {{File|xorg.conf|<nowiki> | ||
+ | Section "ServerFlags" | ||
+ | Option "blanktime" "0" | ||
+ | Option "standbytime" "0" | ||
+ | Option "suspendtime" "0" | ||
+ | Option "offtime" "0" | ||
+ | EndSection | ||
+ | </nowiki> | ||
+ | }} | ||
+ | |||
+ | Add to: | ||
+ | {{File|/home/kiosk/.gconf/apps/gnome-screenshot/%gconf.xml|<nowiki> | ||
+ | <?xml version="1.0"?> | ||
+ | <gconf> | ||
+ | <entry name="idle_activation_enabled" mtime="1312940115" type="bool" value="false"> | ||
+ | </entry> | ||
+ | <entry name="lock_enabled" mtime="1312940100" type="bool" value="true"> | ||
+ | </entry> | ||
+ | <entry name="themes" mtime="1312940023" type="list" ltype="string"> | ||
+ | </entry> | ||
+ | <entry name="mode" mtime="1312940023" type="string"> | ||
+ | <stringvalue>blank-only</stringvalue> | ||
+ | </entry> | ||
+ | <entry name="power_management_delay" mtime="1270069736" type="int" value="240"> | ||
+ | </entry> | ||
+ | </gconf> | ||
+ | </nowiki> | ||
+ | }} | ||
+ | |||
+ | Add to: | ||
+ | {{File|/home/kiosk/.xinitrc|<nowiki> | ||
+ | /home/kiosk/.xinitrc | ||
+ | </nowiki> | ||
+ | }} | ||
+ | |||
+ | ==May mess up your system== | ||
+ | |||
+ | {{Note|This below code fucks things up!}} | ||
+ | |||
+ | Other things: | ||
+ | add | ||
+ | # Disables the magic SysRq key | ||
+ | kernel.sysrq = 0 | ||
+ | to /etc/sysctl.conf | ||
+ | |||
+ | To disable SHIFT access to grub, edit /etc/grub.d/30_os-prober replace the adjust_timeout() function with: | ||
+ | |||
+ | adjust_timeout () { | ||
+ | return 0 | ||
+ | } | ||
+ | |||
+ | Edit /etc/default/grub and add: | ||
+ | |||
+ | GRUB_DISABLE_OS_PROBER=true | ||
+ | GRUB_DISABLE_LINUX_RECOVERY="true" | ||
+ | |||
+ | Run update-grub | ||
+ | |||
+ | ==Notes== | ||
+ | *http://lists.debian.org/debian-firewall/2004/11/msg00006.html | ||
+ | *http://firehol.sourceforge.net/services.html#vnc | ||
+ | *https://help.ubuntu.com/community/VNC#accessing-your-pc | ||
+ | *https://help.ubuntu.com/community/VNC?action=show&redirect=VNCOverSSH | ||
+ | *https://help.ubuntu.com/community/VNC/Servers#x11vnc-before-login | ||
+ | *http://users.telenet.be/mydotcom/howto/linuxkiosk/ubuntu01.htm | ||
+ | *http://www.perturb.org/display/812_GDM_AutoLogin.html | ||
+ | *http://upstart.ubuntu.com/getting-started.html | ||
+ | *http://superuser.com/questions/133595/running-a-script-on-startup-before-x-starts-in-ubuntu-9-10 | ||
+ | |||
+ | =Notes= | ||
+ | *Windows KIOSK | ||
+ | *http://www.horizondatasys.com/en/products_and_solutions.aspx?ProductId=18 | ||
+ | *http://www.wioski.com/index.php/productsdownloads/ | ||
+ | *http://www.steadierstate.com/ | ||
+ | *https://www.microsoft.com/en-us/download/details.aspx?id=35821 | ||
+ | |||
+ | =Bypassing Autologin= | ||
+ | Hold Shift to get Grub up | ||
+ | change the nospash and such to text | ||
+ | Boot! |
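Review bot: The added line "Default itadmin password is 'changeme'" records a default credential on the same page whose firehol.conf accepts ssh on "interface any world"; state that the password must be changed before the box ships, or drop the value from the page. In the /etc/gdm/Init/Default line, x11vnc is given both -once and -forever, which are opposite options, so keep only the one intended. The new "Bypassing Autologin" section shows the Shift-at-GRUB path still works, while the GRUB changes sit under "May mess up your system"; the page should say which of the two is the deployed state.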
Latest revision as of 11:40, 12 March 2016
The concept is to build a Kiosk that will only allow a user to browse one website. The goal is to get the user to sign up for the newsletter.
Requirements
- Can be fixed by an admin over the internet
- User can only browse one website
- User cannot change the settings or edit other parts of the computer
Hardware
- ASUS Eee Box EB1021-B028E Desktop PC AMD Dual-Core Processor E-450(1.65GHz) 2GB DDR3 320GB HDD Capacity AMD Radeon HD 6320 Windows 7 Home Premium 64-Bit
Software
After a quick search it seems that Ubuntu has been used a lot for the Kiosk OS. There are numerous lockdown guides for securing the OS for a Kiosk. It looks like Chrome, Firefox, and Opera can all be used for the browsing.
Manual Process
- Install a LTS version of Ubuntu
- Update System
- Install ubuntu-restricted-extras
- Create kiosk user account via gui
- Remove all user privileges via gui tool
- Install Firefox
- Install Reset Kiosk 0.4
- Install R-kiosk
  - Disable Plug-in
- Install dansguardian
- Install tinyproxy
- Install firehol
Automated Process
http://jacob.steelsmith.org/content/ubuntu-kiosk-based-10041
It looks like someone has a LiveCD/InstallCD/Release of Ubuntu LTS out that has a lot of the kiosk things done for you. The individual has the scripts available but not the configuration files for download on his website. But he is missing documentation/examples of what he did to the install so the scripts will run well. For example the creator distributes the scripts but not the config file directory where the scripts source from. He does not show how he edited the .xsession file to make ff start as the kiosk user. Etc. I may or may not document what I did but I am going to provide some files for downloading that have the config files and copies of the kiosk user's home dir from the boot cd for the future.
It also looks like the creator has specific versions of software installed. An older but working version of Firefox, etc. I tried doing an apt-get update/upgrade and it messed with the system. I think one of the plugins does not work with ff. This can be easily fixed but I do not have the time. It could have been something bigger though. Something he customized that when upgraded borked the system.
Default itadmin password is 'changeme'
To edit Firefox settings edit /home/kiosk/.xsession and make FF go into safe mode.
Other things I did
- Installed/Upgraded Java and the flashplugin: aptitude install openjdk-6-jre flashplugin-nonfree
- Disabled tabbed browsing in FF (Options, Tabs, Always Show Tabs): http://www22.verizon.com/residentialhelp/fiosinternet/general+support/top+questions/questionsone/121582.htm
- I added the Firefox extensions R-kiosk and Reset Kiosk
- After turning on dansguardian I could not ssh into the box. I allowed ping and ssh by editing the firehol config:
firehol.conf
    iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP

    transparent_squid 8080 "root root"

    server_ssh_ports="tcp/22022"

    interface any world
        policy drop
        protection strong
        client all accept
        server cups accept
        server ssh accept
        server ping accept
I disabled Caret Browsing
- about:config - accessibility.browsewithcaret_shortcut.enabled - false
- about:config - accessibility.warn_on_browsewithcaret - false
- I disabled the printscreen feature in GNOME by putting ' xmodmap -e "keysym Print = BackSpace" ' in /home/kiosk/.xsession
- ctrl+alt+f4 was logging the user out or closing the window or switching sessions or something. I disabled it with ' xmodmap -pke | sed -n 's/ = .*VT_4.*/ = /p' | xmodmap - '
- I wanted to be able to VNC in to a system because I was sending it out. If there were any problems I wanted to be able to see them. I can already ssh in. I want to VNC in.
aptitude install x11vnc
Ubuntu Wiki has a nice script:
    #!/bin/sh
    ssh -f -L 5900:localhost:5900 rebecca@rebeccas-pc.dyndns.org \
        x11vnc -safer -localhost -nopw -once -display :0 \
        && sleep 5 \
        && vncviewer localhost:0
Seems to work fine if a user is logged in.
I want vnc to start before login just in case.
Edit /etc/gdm/Init/Default and put:
    # Start the x11vnc Server
    sudo /usr/bin/x11vnc -safer -localhost -once -nopw -auth /var/lib/gdm/:0.Xauth -display :0 -bg -forever
Right before exit 0 at the end of the file. You have to have -bg. If the process does not background then gdm will be stuck until that process exits.
- I want the kiosk to save cookies.
  - I modded the kioskfox plugin /defaults/preferences/kiosk_prefs.js and changed pref("browser.privatebrowsing.autostart",false); to true.
  - I had to reinstall the new plugin
  - I had to go to privacy and disable remember search and form history (we are using this for form email signups)
  - I had to go to security and disable remember passwords for sites
  - Though I have the locations bar hidden: privacy, location bar, nothing
  - security, warning messages, uncheck all
  - advanced, general, unchecked check spelling
  - advanced, general, uncheck submit crash reports
  - advanced, network, uncheck tell me when website wants to store offline
  - advanced, update, unchecked add-ons, search-engines
  - about:config
    - browser:session
      - store.max_resumed_crashes 0
      - store.max_tabs_undo 0
      - store.max_windows_undo 0
      - history.max_entries 0
      - store.resume_from_crash false
      - store.privacy_level 2
    - I could have done a prefs.js with browser.sessionstore.resume_session_once set false on every startup I think
- This prolly saves cookies but it did not solve my problem :p (I am trying to get past an age block prompt)
  - I had to add a cookie to the code
- Change the hostname: nano /etc/hostname
- Change the hostname again: nano /etc/resolv.conf
- ./toggle-auto-shutdown disable for me
- I made my own /etc/gdm/custom.conf to lock the kiosk @ http://library.gnome.org/admin/gdm/stable/configuration.html.en
    [daemon]
    AutomaticLoginEnable=true
    AutomaticLogin=kiosk
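The remote-access pieces above (firehol.conf, the x11vnc start line, GDM autologin) can be checked mechanically after each change. This is an added example, not part of the original notes: the function names, the /etc/firehol/firehol.conf location and the ssh/ping/cups allowlist are assumptions, and make_sample writes constructed files that mirror the settings on this page.

```shell
#!/bin/sh
# Added example; paths, allowlist and one service per firehol "server" line are assumptions.

# Flag an accept policy and any accepted service outside the allowlist.
check_firehol() {   # $1 = firehol.conf, $2 = allowed services
    [ -r "$1" ] || { echo "firehol: cannot read $1"; return 0; }
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ { next }
        $1 == "policy" && $2 == "accept" { print "firehol: policy is accept" }
        $1 == "server" && $3 == "accept" && !($2 in ok) {
            print "firehol: unexpected service accepted: " $2
        }' "$1"
}

# Flag passwordless x11vnc not bound to loopback, and contradictory flags.
check_x11vnc() {    # $1 = script that starts x11vnc
    [ -r "$1" ] || { echo "x11vnc: cannot read $1"; return 0; }
    awk '
        /^[ \t]*#/ || !/x11vnc/ { next }
        {
            nopw = lo = once = forever = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-nopw") nopw = 1
                if ($i == "-localhost") lo = 1
                if ($i == "-once") once = 1
                if ($i == "-forever") forever = 1
            }
            if (nopw && !lo) print "x11vnc: -nopw without -localhost"
            if (once && forever) print "x11vnc: both -once and -forever given"
        }' "$1"
}

# Flag automatic login as anyone other than the unprivileged kiosk account.
check_gdm() {       # $1 = custom.conf, $2 = expected user
    user=$(sed -n 's/^[[:space:]]*AutomaticLogin[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null | tail -n 1)
    [ "$user" = "$2" ] || echo "gdm: AutomaticLogin is '${user:-unset}', expected '$2'"
}

# Run every check; prints one finding per line, nothing when all pass.
audit_kiosk() {     # $1 = root directory, e.g. / for the live system
    check_firehol "$1/etc/firehol/firehol.conf" "ssh ping cups"
    check_x11vnc "$1/etc/gdm/Init/Default"
    check_gdm "$1/etc/gdm/custom.conf" kiosk
}

# Constructed sample tree mirroring the settings on this page.
make_sample() {     # $1 = scratch directory
    mkdir -p "$1/etc/firehol" "$1/etc/gdm/Init"
    printf 'interface any world\n policy drop\n server cups accept\n server ssh accept\n server ping accept\n' > "$1/etc/firehol/firehol.conf"
    printf 'sudo /usr/bin/x11vnc -safer -localhost -once -nopw -display :0 -bg -forever\nexit 0\n' > "$1/etc/gdm/Init/Default"
    printf '[daemon]\nAutomaticLoginEnable=true\nAutomaticLogin=kiosk\n' > "$1/etc/gdm/custom.conf"
}
if [ "$#" -gt 0 ]; then audit_kiosk "$1"; fi
```

On the sample tree the only finding is the -once/-forever pair, which x11vnc documents as opposite options.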
Disable Screen Blanking
Add to:
xorg.conf
    Section "ServerFlags"
        Option "blanktime" "0"
        Option "standbytime" "0"
        Option "suspendtime" "0"
        Option "offtime" "0"
    EndSection
Add to:
/home/kiosk/.gconf/apps/gnome-screenshot/%gconf.xml
    <?xml version="1.0"?>
    <gconf>
        <entry name="idle_activation_enabled" mtime="1312940115" type="bool" value="false">
        </entry>
        <entry name="lock_enabled" mtime="1312940100" type="bool" value="true">
        </entry>
        <entry name="themes" mtime="1312940023" type="list" ltype="string">
        </entry>
        <entry name="mode" mtime="1312940023" type="string">
            <stringvalue>blank-only</stringvalue>
        </entry>
        <entry name="power_management_delay" mtime="1270069736" type="int" value="240">
        </entry>
    </gconf>
Add to:
/home/kiosk/.xinitrc
/home/kiosk/.xinitrc
May mess up your system
Other things: add
    # Disables the magic SysRq key
    kernel.sysrq = 0
to /etc/sysctl.conf
To disable SHIFT access to grub, edit /etc/grub.d/30_os-prober replace the adjust_timeout() function with:
    adjust_timeout () {
        return 0
    }
Edit /etc/default/grub and add:
    GRUB_DISABLE_OS_PROBER=true
    GRUB_DISABLE_LINUX_RECOVERY="true"
Run update-grub
Notes
- http://lists.debian.org/debian-firewall/2004/11/msg00006.html
- http://firehol.sourceforge.net/services.html#vnc
- https://help.ubuntu.com/community/VNC#accessing-your-pc
- https://help.ubuntu.com/community/VNC?action=show&redirect=VNCOverSSH
- https://help.ubuntu.com/community/VNC/Servers#x11vnc-before-login
- http://users.telenet.be/mydotcom/howto/linuxkiosk/ubuntu01.htm
- http://www.perturb.org/display/812_GDM_AutoLogin.html
- http://upstart.ubuntu.com/getting-started.html
- http://superuser.com/questions/133595/running-a-script-on-startup-before-x-starts-in-ubuntu-9-10
Notes
- Windows KIOSK
- http://www.horizondatasys.com/en/products_and_solutions.aspx?ProductId=18
- http://www.wioski.com/index.php/productsdownloads/
- http://www.steadierstate.com/
- https://www.microsoft.com/en-us/download/details.aspx?id=35821
Bypassing Autologin
Hold Shift to get Grub up
Change the nosplash and such to text
Boot!