
Locked Down Gnome


Introduction

Note: This document is barely begun: please don’t expect to read anything useful here yet…

In fact it’s now New Year’s Eve 2005 and nothing has happened here for months. I haven’t entirely forgotten this project though…

Another Note: The project of which this was part has now ceased to exist as of April 2005, so I no longer have the motivation to continue with this at the moment. I may well delete this page at some stage, unless anyone finds a use for it — if so, please add a comment to this page. — ChrisDennis

These notes are being written while setting up two (initially) PCs for use in a communal computer room at a charity-run day centre in July (eeek! it’s September already) 2005. The PCs have previously run Windows, but suffer repeatedly from:

  • Viruses and adware/spyware
  • Careless (or deliberate) changes to settings…
  • Users installing random software downloaded from the Internet, such as dodgy music downloaders.

Debian GNU/Linux was chosen because:

  • It’s free
  • I’m fairly familiar with installing and maintaining this flavour of GNU/Linux
  • Compared with Windows, it’s less prone to viruses and adware/spyware
  • It can be maintained and administered remotely
  • It’s more secure than Windows in terms of limiting what users can do.

And Gnome was chosen over KDE because:

  • I like it.

I’m not going to get into a discussion about why…

Then again, maybe a different window manager would be better: something that is intuitive to use for newcomers and those used to Windows.

The standard Debian Sarge installation, however, is not suitable for the purpose out of the box. Users can still change lots of things that I don’t want them to, such as…

There are various references to ‘kiosk’ versions of Linux (e.g. [2]), but I want more functionality than that.

I’m learning about this as I go along, having failed to find an exact match for what I have in mind on the Internet. Comments and suggestions to mailto:chris@chrisdennis.force9.co.uk will be more than welcome.

The Aim

  • A desktop system that is easy to use for a range of users – some new to computers, some used to Windows, some would-be hackers etc.
  • A system that can be kept in (or easily returned to) a usable state.
  • More than just a ‘kiosk’ for web browsing: users will want to run a variety of applications, including the usual office stuff, and be able to save their work in suitable folders (they won’t be guaranteed that their files will be backed up, nor be secure from other users though, at least not at first).
  • This isn’t about the usual Linux security issues, i.e. keeping the system secure from outside attacks: the PCs are already behind a firewall (although those issues are still relevant)
  • Users will be allowed to:
    • save documents
    • read and write floppy disks
    • read and write CDs
    • store browser bookmarks
  • Users will *not* be allowed to:
    • change Gnome menus and panels
    • change applications’ options and settings (at least not permanently — settings will revert to defaults at every logon)
    • change the way the PC boots (BIOS or Grub settings)

The Plan

  • Start with a standard Debian/Gnome installation
  • Use GConf2 to help manage user settings – see [4] – using GConf2’s concept of ‘mandatory preferences’ (is that an oxymoron?)

    • Create a ‘standard’ user: log on as ‘standard’, adjust settings using Configuration Editor etc., and store these settings for copying across to the real user whenever required.

Summary

  • Start with the target computer on a LAN, behind a firewall, to keep it safe until its own security measures are in place. It doesn’t have to be on the network where it will finally be installed (mine wasn’t).
  • Get hold of a standard Debian Sarge 3.1 installation disk (I used a net install disk).
  • Install Debian…
  • Files and folders to be standardised / restorable:
    • ~/.gconf/apps/gconf/
    • ~/.gconf.path
    • ~/.recently-used
    • ~/.xscreensaver
    • ~/.nautilus/
    • ~/.mozilla/ – some of the files; not the cache
    • ~/.metacity
    • ~/.gnome2/ ?
  • Set up Wake On LAN if required – this is very much hardware-dependent. See below.
  • Set the BIOS to prevent booting from floppy or CD or Ethernet, and password-protect the BIOS.

References

Thanks to all these sources of information, which are listed in no particular order.

Log

This is the blow-by-blow account of what I did. See the summary above for what I should have done.

28 July 2005

  • The target PC has an 800MHz AMD processor, 128MB RAM, 20GB hard drive, CD-ROM and CD-RW.
  • Installed Debian 3.1 from the standard i386 net install CD, as downloaded from http://cdimage.debian.org/debian-cd/3.1_r0a/i386/iso-cd/debian-31r0a-i386-netinst.iso.

  • Used the suggested ‘desktop’ partition scheme on the 20GB hard drive, giving 5.6GB for /, 14.5GB for /home, and 385MB for swap.
  • Created a user called ‘workstation’ to be the standard ‘user’. Password is also ‘workstation’ – it’s not intended to be secure: this is for effectively public access.
  • Chose the ‘manual package selection’ option, and installed the following packages: gnome-desktop-environment, openoffice.bin, gimp, gdm to pull in all the X windows stuff as well.
  • exim4: selected ‘smart host’ – I’ll sort that out later.
  • added packages: mc, sudo, apt-show-versions, mozilla-firefox.
  • installed Real Player 10 via link on bbc.co.uk site.

31 July 2005

  • In the “Configuration Editor” on the main menu (i.e. the GUI to GConf2), choose ‘Lockdown’ and select ‘disable_command_line’ and ‘disable_print_setup’, leaving ‘disable_printing’ and ‘disable_save_to_disk’ unselected. These correspond to entries in .gconf/…
  • Remove unwanted items from the System Tools menu: ‘Configuration Editor’, ‘Login Same Setup’, ‘New Login’, ‘OpenOffice.org Printer Administration’, ‘Run as different user’, ‘System Log’, ‘System Monitor’, ‘Terminal’, leaving just ‘Floppy Formatter’. Which file are these changes stored in?

4 August 2005

  • Gnome set up: enabled assistive technology features;
  • Aha! Should have read this [4] before…

8 August 2005

  • Installed anacron and ntp
  • Looked at Firefox’s ‘Kiosk Browser’ extension — seems a bit unfinished so far. Likewise the AutoReset extension doesn’t work as advertised.

13 August 2005

  • A slight aside: Wake On LAN (WoL). This will be useful for remote management of the PCs. Found various things on the net [5] [6] [7], which in combination made it work. The details depend on the hardware. I’ve got an MSI K7T Pro2 motherboard, with Award Modular BIOS v6.00. The LAN card is an Accton Technology Corporation SMC2-1211TX, which uses the standard RTL8139 chip and 8139too kernel module. I’m using a 2.6.8 standard Debian kernel. The crucial steps seemed to be:

    1. Enable WoL in the BIOS. I set ‘Wake Up On LAN/Ring’ and ‘PowerOn by PCI card’ to ‘Enabled’. Not sure if the second one was needed.

    2. Make sure the APM module is loaded – I added it to /etc/modules. Without it, the PC wouldn’t turn off properly — it stuck after the ‘Power Off’ message after shutdown -h 0.

    3. Tell the LAN module to use WoL. For some that’s a module parameter, e.g. options 3c59x enable_wol=1. Use modinfo to see if your LAN module has such a parameter. 8139too doesn’t, so instead I need the following line in /etc/modutils/actions (or the file of your choice in /etc/modutils) (or the equivalent in a non-Debian system):

{{{
post-install 8139too ethtool -s eth0 wol g
}}}

Replace eth0 by the relevant interface. And see the manpage for ethtool (from Debian package ethtool) for an explanation of the ‘g’ and other options. Don’t forget to run update-modules.

    4. Shut down the computer as normal: it should be as ‘off’ as ever – no fans running, but the LAN card will still have power.

    5. On the remote computer, do something to wake up the target PC. I didn’t want it responding to random network events, just a deliberate request to wake up, hence the ‘g’ option above. Run etherwake with the target PC’s MAC address (etherwake is a Debian package of its own):

{{{
etherwake -i eth1 00:11:22:33:44:55
}}}

It works for me!

3 September 2005

  • Add

{{{
password --md5 PASSWORD
}}}

to menu.lst and add a lock command to each entry except the main one.

  • Write ‘FSCKFIX=yes’ in /etc/default/rcS to prevent the user getting dumped into the root console. Is this safe? See [8].

4 September 2005

  • Created scripts to make (and unmake) Gnome settings mandatory. The following command is all that is needed to remove the mandate:
{{{
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory / --recursive-unset
}}}

and this script takes the current settings for a user (I’ll use ‘standard’ — see tomorrow’s entry) and makes them mandatory. At the moment, the selection of keys to use needs improving: using the ‘/’ key means everything — maybe that will cause problems… Anyway, this is the script:

{{{
#!/bin/bash
# Lock GConf by making certain settings mandatory
#  i.e. copying them from the current settings for a given user

gconftool=/usr/bin/gconftool-2
user=standard

# Private temporary file: a fixed name in /tmp could be pre-created
# or symlinked by another user before this script runs as root
tmpfile=$(mktemp /tmp/lockgconf.XXXXXX) || exit 1
trap 'rm -f "$tmpfile"' EXIT

# keys in this list must NOT end with '/' (unless it's just '/')
#mandatorylist="/apps/gnome-print-manager
#/apps/metacity-default
#/system
#/desktop
#/apps/panel"

# Until I find a reason not to, lock everything
mandatorylist="/"

# $mandatorylist is left unquoted so that a multi-key list is split into separate keys
for key in $mandatorylist
do
        echo "Making $key mandatory:"
        # Store current settings for given user and key in a temporary file
        $gconftool --dump --config-source "xml:readwrite:/home/$user/.gconf" "$key" > "$tmpfile"
        rc=$?
        echo rc=$rc
        if [[ $rc -eq 0 ]]
        then
                # Load those settings into the system-wide mandatory settings store
                $gconftool --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory "$key" --load "$tmpfile"
                echo rc=$?
        fi
done
}}}

5 September 2005

  • Created ‘standard’ user for defining a standard set of gnome settings, and the following rough script for copying settings from the standard user to the real user:
{{{
#!/bin/bash
# standardize - copy various settings files from standard user to real user
# (bash rather than sh: the script uses [[ ]] and ${var:0:1})

standard=standard
realuser=workstation

## [TA] -- it's not a good idea to use "./" as relative path, since the location of this binary
##         could change over time.  Use a location such as /usr/local/etc
stdfiles=./standard-files

while read -r stdfile
do
        # ignore blank lines and lines beginning with '#'
        [[ "x$stdfile" == "x" || "${stdfile:0:1}" = "#" ]] && continue

        # copy the file or folder to the real user, overwriting anything that's already there
        echo "Copying $stdfile"
        src="/home/$standard/$stdfile"
        dest="/home/$realuser"
        if [[ -d "$src" ]]
        then
                # it's a folder - delete it first
                rm -rf "$dest/$stdfile"
        fi
        cp -R --preserve=mode,timestamps "$src" "$dest"
        chown -R "$realuser:$realuser" "$dest/$stdfile"
done < "$stdfiles"

echo All done
}}}

where the standard-files file contains:

{{{
# standard-files - list of standard user's files and folders to copy to real user
#
#.bash_history
#.bash_profile
#.bashrc
Desktop
.dmrc
.gconf
.gconfd/
#.gksu.lock
.gnome
.gnome2
.gnome2_private
.gstreamer-0.8
.gtkrc-1.2-gnome2
#.ICEauthority
.mc
.metacity
.nautilus
#.recently-used
#.xsession-errors
}}}

which may be too much.

  • Automate the process by calling that script from /etc/gdm/PostLogin/Default if the current user is the relevant one (test $LOGNAME).
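
A hardened variant of the copy step above, added here as an example and not the author's script: the job has to run as root for chown to work, so a symlink left in the real user's home must not redirect the copy onto another file. The names restore_profile and make_fixture and the fixture's files are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the page's script. Function names and fixture are hypothetical.

restore_profile() {   # usage: restore_profile SRC_HOME DEST_HOME LIST [OWNER]
    local src="$1" dest="$2" list="$3" owner="${4:-}" entry
    while IFS= read -r entry; do
        entry=${entry%/}                          # ".gconfd/" -> ".gconfd"
        case $entry in
            ''|'#'*) continue ;;                  # blank line or comment
            */*|.|..)                             # top-level names only
                echo "skipping unsafe entry: $entry" >&2
                continue ;;
        esac
        [ -e "$src/$entry" ] || [ -L "$src/$entry" ] || continue
        # Delete whatever is there first: file, folder or symlink.
        # rm unlinks a symlink itself and never touches its target.
        rm -rf -- "${dest:?}/$entry"
        # -P copies symlinks found in the source as symlinks
        cp -RPp -- "$src/$entry" "$dest/$entry"
        # -h changes a symlink's own owner, not its target's
        if [ -n "$owner" ]; then
            chown -Rh -- "$owner:$owner" "$dest/$entry"
        fi
    done < "$list"
}

make_fixture() {      # constructed sample homes; prints the temp directory
    local t
    t=$(mktemp -d) || return 1
    mkdir -p "$t/standard/.gconf/apps" "$t/workstation/.gconf"
    echo "Session=gnome" > "$t/standard/.dmrc"
    echo "panel"         > "$t/standard/.gconf/apps/panel.xml"
    echo "root-owned"    > "$t/victim"            # stands in for a system file
    ln -s "$t/victim" "$t/workstation/.dmrc"      # symlink left by the user
    echo "tweak" > "$t/workstation/.gconf/user-change"
    printf '%s\n' '# list' '' '.dmrc' '.gconf/' '../victim' > "$t/list"
    echo "$t"
}

demo_dir=$(make_fixture)
restore_profile "$demo_dir/standard" "$demo_dir/workstation" "$demo_dir/list"
echo "victim still reads: $(cat "$demo_dir/victim")"
rm -rf -- "$demo_dir"
```

Called from /etc/gdm/PostLogin/Default it would take /home/standard, /home/workstation, the list file and workstation as its four arguments.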

Still to do

  • Trim Gnome menus to remove all ‘administration’ stuff.
  • Automate apt security updates
  • remove boot error messages about shpchp and pciehp
  • BIOS: prevent boot from floppy or CD, and add a password
  • allow SSH only from selected IPs and ? use certificates instead of passwords – how?
  • find out more about where Gnome/gconf settings are stored, and make a ‘standard’ copy that can be reinstated when required
  • prevent access to hidden (.xxx) files and folders (there’s an option for this in Nautilus…)
  • Firefox’s lockdown extension?
  • Firefox’s ‘revert to standard page if idle’ extension?
  • Remove from main menu: Debian Menu; Lock screen. Network servers
  • Set static IP address.
  • Script for wake from lan; cron job to shutdown the PC after hours.
