
Linux | SystemLockdown

At this point the system will boot by default into runlevel 5, start Firefox and icewm, and go to the page set as its homepage. Firefox will start in fullscreen mode, and the single window extension will cause almost all windows to be opened in tabs. However, without a window manager to catch X events, Firefox's menus do not behave correctly, which is why a window manager is run. This way, if a user manages to open a new window, it will have decorations and they will be able to switch easily back and forth between it and the main window.

Further measures have been taken to improve security. xscreensaver is run and will blank the screen after 5 minutes of inactivity. One minute after the screen has been blanked, the script inactivity.sh will kill X, causing the copy of guest's home directory to be copied over from /usr/share/booth and resetting the kiosk to its original pristine state. This is accomplished with the InactivityScript, which calls xscreensaver-command -watch.
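The following sketch shows one way such a watcher can be written. It is an added example, not the InactivityScript used on this kiosk. The names GRACE, X_SERVER, reset_session, cancel_timer and watch_events are assumptions made for illustration, as is the X server's process name.

```shell
#!/bin/sh
# Added example: idle-reset watcher driven by `xscreensaver-command -watch`.
# Assumed names (not from the kiosk's own script): GRACE, X_SERVER,
# reset_session, cancel_timer, watch_events.

GRACE=${GRACE:-60}        # seconds to wait after the screen blanks
X_SERVER=${X_SERVER:-X}   # assumed process name of the X server

# Ending X is what leads to the guest home directory being restored.
reset_session() {
    pkill -x "$X_SERVER"
}

timer_pid=""

# Stop a pending reset, e.g. because the user came back.
cancel_timer() {
    if [ -n "$timer_pid" ]; then
        kill "$timer_pid" 2>/dev/null || true
        wait "$timer_pid" 2>/dev/null || true
        timer_pid=""
    fi
}

# Reads event lines on stdin. xscreensaver prints lines such as
#   BLANK Thu Sep 30 14:02:11 2004
#   UNBLANK Thu Sep 30 14:02:40 2004
#   RUN 3
watch_events() {
    while read -r event _rest; do
        case "$event" in
            BLANK|LOCK)
                # Screen went dark: arm the reset, replacing any older timer.
                cancel_timer
                ( sleep "$GRACE" && reset_session ) &
                timer_pid=$!
                ;;
            UNBLANK)
                # Activity resumed before the grace period ended.
                cancel_timer
                ;;
        esac
    done
}

# Only start watching when asked to, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    xscreensaver-command -watch | watch_events
fi
```

Run it with --run from the guest's X session startup so that it shares the session's DISPLAY. An UNBLANK within the grace period cancels the pending reset.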

Permissions on the system are of course checked. This is quite simple to do. Basically there should be no unnecessary world-writable files, certain files in /etc, /boot and /root should not be readable, etc. The default setup on the DSL livecd is acceptable.

If a security exploit is used or a user manages to run some code locally, no harm can be done to the system. The worst-case scenario would be that the directory /home/guest is deleted. This is fine because a copy is kept in /usr/share/booth. Whenever the kiosk is rebooted, X is restarted, or the session becomes inactive, the original copy of the home directory will be recreated in the home directory. Thus, if the user has managed to make any changes, they will be erased when either X or the system is restarted. The user can and should initiate a refresh when finished with the system. Pressing CTRL-ALT-Backspace or closing the browser window both cause X to restart. We disable the CTRL-ALT-DEL restart of the system.

-- DavidCollie - 30 Sep 2004