From b851107ffa8467bc21a0053b47aef822712e3ffd Mon Sep 17 00:00:00 2001 From: gferg <> Date: Thu, 19 Oct 2000 22:45:02 +0000 Subject: [PATCH] new entry/from updated content --- LDP/howto/linuxdoc/Public-Web-Browser.sgml | 1082 ++++++++++++++++++++ 1 file changed, 1082 insertions(+) create mode 100644 LDP/howto/linuxdoc/Public-Web-Browser.sgml diff --git a/LDP/howto/linuxdoc/Public-Web-Browser.sgml b/LDP/howto/linuxdoc/Public-Web-Browser.sgml new file mode 100644 index 00000000..c4e4d443 --- /dev/null +++ b/LDP/howto/linuxdoc/Public-Web-Browser.sgml @@ -0,0 +1,1082 @@ + +
+Linux web browser station (formerly "The Linux Public Web Browser mini-HOWTO") +<author>Anton Chuvakin, <tt> <htmlurl url="mailto:anton@chuvakin.org" name="anton@chuvakin.org"></tt> +<date>v0.0.5 10 October 2000 +<abstract> +Describes the setup of Internet kiosk-type system based on Linux to be +deployed to provide public Internet/webmail access. +</abstract> + +<!-- Table of contents --> +<toc> + +<!-- Begin the document --> +<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - --> +<sect>Introduction +<p> +The directions below will produce the RedHat (currently version 6.2 is used, +7.0 is in development) Linux system that boots into the bare (=no window +manager, like gnome, kde or fvwm2) X server and starts Netscape Navigator (not +Communicator, which includes Main and News clients). Upon exiting the browser +the X server is restarted and the new Netscape process is launched as +needed. The system is intended for Internet Kiosks and similar applications. +Security is emphasized at all the stages of the setup. +<p> +This HOWTO will be updated (maybe significantly) as long as more reports about the deployment of +such boxes will arrive. +<p> + +<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - --> +<sect1>Disclaimer +<p> + +Use the information in this document at your own risk. I disavow any +potential liability for the contents of this document. Use of the +concepts, examples, and/or other content of this document is entirely +at your own risk. + +All copyrights are owned by their owners, unless specifically noted +otherwise. Use of a term in this document should not be regarded as +affecting the validity of any trademark or service mark. + +Naming of particular products or brands should not be seen as endorsements. + +You are strongly recommended to take a backup of your system before +major installation and backups at regular intervals. + +<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - --> +<sect1>Credits +<p> + +In this version I have the pleasure of acknowledging the previous maintainer +of this HOWTO who nicely agreed to transfer it to me + +<tscreen><verb> +dmarti@????.com +</verb></tscreen> + +<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - --> + +<sect1> New versions of this document +<p> +New versions of this document can be found at + +<tt> +<htmlurl url="http://www.chuvakin.org/kiodoc" name="http://www.chuvakin.org/kiodoc"> +</tt> + +<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - --> + <sect1>Changes Fri Sep 22 14:32:32 EDT 2000 +<p> +<bf>from 0.0.4 to 0.0.3</bf> +<itemize> +<item> +Merged with old HOWTO +</itemize> +<p> +<bf>from 0.0.2 to 0.0.3</bf> +<itemize> +<item> +references added +<item> +abstract finished +</itemize> +<p> + +<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - --> + <sect1> TODO +<p> +<itemize> +<item> +Write abstract +<item> +Suggested hardware +<item> +<tt>.Xdefaults</tt> disable some keys (Alt-Ctrl-F1) +<item> +X server port 6000 attacks, do something about them +<item> +X server under root, bad +<item> +Eliminate more unneeded RPMs +<item> +Implement <bf>/etc/pam.d/limits.conf</bf> to prevent netscape bloat and system +crash (well, by causing it to crash before bloat ;-) ), see +<htmlurl url="http://linuxdoc.org/HOWTO/Security-HOWTO-5.html" name="Security HOWTO"> +<item> +Protect some files with <bf>chattr</bf> is nice +<item> +Provided CDROM booting considerations +<item> +Redo everything for RedHat 7.0 +</itemize> +<p> + +<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - --> +<sect1> Feedback +<p> +All comments, error reports, additional information (very much appreciated!!!) +and criticism of all sorts should be directed to: +<tt> +<htmlurl url="mailto:anton@chuvakin.org" name="anton@chuvakin.org"> +</tt> +<p> +<tt> +<htmlurl url="http://www.chuvakin.org/" name="http://www.chuvakin.org/"> +</tt> +<p> +My PGP key is located at <tt> +<htmlurl url="http://www.chuvakin.org/pgpkey" name="http://www.chuvakin.org/pgpkey"></tt> +<p> +<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - --> +<sect1> Copyright information +<p> +This document is copyrighted (c) 2000 Anton Chuvakin, and parts of it are +Copyright 1997 Donald B. Marti Jr. where marked as such +<p> + +<!-- +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% OLD %%%%%%%%%%%%%%%%%%%%%%%%% + --> +<sect>OLD GUIDE: The Linux Public Web Browser mini-HOWTO by Donald B. Marti Jr., +<tt>dmarti@best.com</tt> +<p> +v0.3, 5 January 1998 + +The basic idea here is to give web access to people who wander by, +while limiting their ability to mess anything up. + + +<!-- Begin the document --> + + +<sect1>Copyright and Disclaimer + +<p> +Copyright 1997 Donald B. Marti Jr. +This document may be redistributed under the terms of +the Linux Documentation Project license. +</p> + +<p> +This document currently contains information for Netscape Navigator +only, but I plan to add notes for other browsers too as I get the +necessary information. If you try this with a different browser, +please let me know. +</p> + + +<sect1>Introduction + +<p> +The basic idea here is to give web access to people who wander by, +while limiting their ability to mess anything up. +</p> + +<p> +This setup was originally intended for trade shows, but it might be +applicable other places you want to have a web browser going without +having to babysit a computer. +</p> + +<p> +Following these instructions +does <bf>not</bf> make your system bulletproof or idiot-proof. +</p> + + +<sect1>Before you begin + +<sect2>You need a graphical browser + +<p> +This document assumes that you already have a running graphical web browser, +such as Netscape Navigator, on your system. +You should have permission to use your graphical web browser. +If you want to use Netscape Navigator in a commercial setting, +you can buy a copy with appropriate license through Caldera. +</p> + + +<sect2>You need to be able to add an account + +<p> +If you don't have the right to be <bf>root</bf>, +get the system administrator to add the ``<tt>guest</tt>'' account +and give you ownership of <tt>guest</tt>'s home directory. +Skip to the ``Create or edit the following files'' step +(<ref id="CreateEditHomeGuestFiles" + name="Create or edit the following files in /home/guest">) +when he or she is done. +</p> + + +<sect2>You need <tt>httpd</tt> for a stand-alone web browsing station + +<p> +If you are setting up a web browsing station to run stand-alone, +without a network connection, +you should have <tt>httpd</tt> working and the web documents installed. +To tell if this is the case, enter: +<tscreen> +<verb> +lynx -dump http://localhost/ +</verb> +</tscreen> +You should get the text of the home page on your system. +</p> + + +<sect1>Add the guest account<label id="AddGuestAccount"> + +<p> +As <bf>root</bf>, run <tt>adduser</tt> to add a user named <tt>guest</tt>. +Then enter +<tscreen> +<verb> +passwd guest +</verb> +</tscreen> +to set the password for the <tt>guest</tt> account. +This should be something easy to remember, like ``<tt>guest</tt>''. +You will be telling people this password. +Don't make it the same as your own password. +</p> + +<p> +Then make <tt>guest</tt>'s home directory owned by you. +Enter +<tscreen> +<verb> +chown me.mygroup /home/guest +</verb> +</tscreen> +Replace ``<tt>me</tt>'' with your regular username and ``<tt>mygroup</tt>'' +with your group name. +(On Red Hat Linux, these will be the same, + since every user has his or her own group.) +</p> + +<p> +You should now exit and do the rest of the steps as yourself, +not <bf>root</bf>. +</p> + + +<sect1>Create or edit the following files in <tt>/home/guest</tt><label id="CreateEditHomeGuestFiles"> + +<sect2>File name: <tt>.bash_login</tt> + +<p> +<tscreen> +<code> +exec startx +</code> +</tscreen> +This means that when <tt>guest</tt> logs in, +the login shell will start up the X Window System right away. +</p> + + +<sect2>File name: <tt>.Xclients</tt> + +<p> +<tscreen> +<code> +netscape +</code> +</tscreen> +This means that when X starts, <tt>guest</tt> just gets the web browser, +no window manager. If you prefer another web browser, do something else. +</p> + +<p> +The file <tt>.Xclients</tt> should be executable by <tt>guest</tt>. +Enter +<tscreen> +<verb> +chmod 755 /home/guest/.Xclients +</verb> +</tscreen> +to make it so. +</p> + + +<sect2>File name: <tt>.xsession</tt> + +<p> +<tscreen> +<code> +#!/bin/sh +netscape +</code> +</tscreen> +If you use <tt>xdm</tt>(1) to log people in, +this file should make guest get the web browser +as if he or she had logged in normally. +The file <tt>.xsession</tt> should be executable by <tt>guest</tt>. +Enter +<tscreen> +<verb> +chmod 755 /home/guest/.xsession +</verb> +</tscreen> +to make it so. +</p> + + +<sect2>File name: <tt>.Xdefaults</tt> + +<p> +<tscreen> +<code> +! Disable drag-to-select. +*hysteresis: 3000 + +! Make visited and unvisited links the same color by default +*linkForeground: #0000EE +*vlinkForeground: #0000EE + +Netscape.Navigator.geometry: =NETSCAPE_GEOMETRY + +! Disable some of the keyboard commands. +*globalTranslations: + +! Mouse bindings: make all mouse buttons do the same thing. +*drawingArea.translations: #replace \ +<Btn1Down>: ArmLink() \n\ +<Btn2Down>: ArmLink() \n\ +<Btn3Down>: ArmLink() \n\ +~Shift<Btn1Up>: ActivateLink() \ + DisarmLink() \n\ +~Shift<Btn2Up>: ActivateLink() \ + DisarmLink() \n\ +~Shift<Btn3Up>: ActivateLink() \ + DisarmLink() \n\ +Shift<Btn1Up>: ActivateLink() \ + DisarmLink() \n\ +Shift<Btn2Up>: ActivateLink() \ + DisarmLink() \n\ +Shift<Btn3Up>: ActivateLink() \ + DisarmLink() \n\ +<Btn1Motion>: DisarmLinkIfMoved() \n\ +<Btn2Motion>: DisarmLinkIfMoved() \n\ +<Btn3Motion>: DisarmLinkIfMoved() \n\ +<Motion>: DescribeLink() \n\ +</code> +</tscreen> +This file disables blink tags, drag-to-select, +and some of the keyboard commands. +It also makes all mouse buttons do the same thing, +hides the menu bar, and makes visited and unvisited links the same color, +so each visitor gets nice clean blue links, +not ones that other people have been thumbing through and staining purple. +</p> + +<p> +You should replace the <tt>NETSCAPE_GEOMETRY</tt> in this file +with an X geometry that looks like this: <tt>XxY+0-0</tt>, +where <tt>X</tt> is the width of your screen and <tt>Y</tt> is the height +of your screen <tt>+ 32</tt>. +This will position the Netscape menu bar off the top of the screen, +so the user won't be distracted. +For example, if your screen is 800x600, +the geometry should be <tt>800x632+0-0</tt>. +</p> + + +<sect1>Make a <tt>.netscape</tt> directory for <tt>guest</tt> + +<p> +Enter +<tscreen> +<verb> +mkdir /home/guest/.netscape +chmod 777 /home/guest/.netscape +</verb> +</tscreen> + +to create <tt>guest</tt>'s <tt>.netscape</tt> directory and make it +world-writable. + +</p> + + +<sect1>Try it + +<p> +Log out, then log in as <tt>guest</tt>. +</p> + + +<sect1>Changing preferences + +<p> +Since you won't be able to use the menu bar as <tt>guest</tt>, +you should edit guest's preferences manually if you need to change them, +or change your own preferences to what you want <tt>guest</tt>'s to be +and copy the preferences file. +</p> + + +<!-- +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + --> +<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - --> +<sect>NEW GUIDE: Step-by-step guide +<p> +<sect1>Install RH +<p> +Install RedHat (further just RH) Linux on the box. Make sure shadow and MD5 +passwords are enabled. And have a nice long root password! Refer to +corresponding installation guides. +<sect1>Clean-up packages +<p> +<p>RH Linux was and is *really* buggy out of the box (both local and remote exploits are +discovered every day, see <htmlurl url="http://www.securityfocus.com" +name="BugTRAQ database">), and many software packages installed by default can +be used to obtain root shell from non-privileged account or in the worst cases +across the network (or just mess up the box). Thus special attention should be given to package +selection on the browser workstation. + +<itemize> +Use workstation or custom installation mode. The latter is recommended, when +selecting groups of packages, only choose <it>base-system</it>, <it>networked workstation</it>, +<it>mail/www services</it> (make sure you later replace Communicator with +Navigator) and +<it>X packages</it> and then +erase the unneeded RPMs. If using workstation mode you will have to (possibly +manually) remove about 300 packages. +<item> +When partitioning the disk follow the scheme below. The sizes are appropriate +for the 3 GB disk, scale the sizes accordingly for bigger drive but this is really +not needed for this setup as the whole Linux system is squeezed to under 200MB. +Make sure those partitions (<bf>/,/home,/var and /tmp</bf>) are present! Separate /usr +is not necessary! Remember to create a generous swap partition (at least the +size of RAM). + +<p> +Partitions mount points and sizes used for a test system: +<tscreen><verb> + +Filesystem 1k-blocks Used Available Use% Mounted on +/dev/hda1 1571528 184184 1307512 12% / +/dev/hda7 300603 309 284773 0% /home +/dev/hda6 300603 20 285062 0% /tmp +/dev/hda5 809556 4640 763792 1% /var + +</verb></tscreen> +<item> +Remove all RPMs but those (list might be shortened later and automatic RPM-removal +shell script might be written as well) + +<tscreen><verb> + +MAKEDEV-2.5.2-1 +SysVinit-2.78-5 +X11R6-contrib-3.3.2-11 +XFree86-100dpi-fonts-3.3.6-20 +XFree86-3.3.6-20 +XFree86-75dpi-fonts-3.3.6-20 +XFree86-S3-3.3.6-20 +XFree86-SVGA-3.3.6-20 +XFree86-VGA16-3.3.6-20 +XFree86-libs-3.3.6-20 +XFree86-xfs-3.3.6-20 +Xconfigurator-4.3.5-1 +apmd-3.0final-2 +ash-0.2-20 +at-3.1.7-14 +audiofile-0.1.9-3 +authconfig-3.0.3-1 +basesystem-6.0-4 +bash-1.14.7-22 +bc-1.05a-5 +bdflush-1.5-11 +binutils-2.9.5.0.22-6 +bzip2-0.9.5d-2 +chkconfig-1.1.2-1 +chkfontpath-1.7-2 +console-tools-19990829-10 +cracklib-2.7-5 +cracklib-dicts-2.7-5 +crontabs-1.7-7 +dev-2.7.18-3 +diffutils-2.7-17 +e2fsprogs-1.18-5 +ed-0.2-13 +eject-2.0.2-4 +etcskel-2.3-1 +file-3.28-2 +filesystem-1.3.5-1 +fileutils-4.0-21 +findutils-4.1-34 +freetype-1.3.1-5 +gawk-3.0.4-2 +gd-1.3-6 +gdbm-1.8.0-3 +getty_ps-2.0.7j-9 +glib-1.2.6-3 +glib10-1.0.6-6 +glibc-2.1.3-15 +gmp-2.0.2-13 +gpm-1.18.1-7 +grep-2.4-3 +groff-1.15-8 +gtk+-1.2.6-7 +gzip-1.2.4a-2 +hdparm-3.6-4 +imlib-1.9.7-3 +indexhtml-6.2-1 +info-4.0-5 +initscripts-5.00-1 +iputils-20000121-2 +isapnptools-1.21b-1 +kbdconfig-1.9.2.4-1 +kernel-2.2.14-5.0 +kernel-utils-2.2.14-5.0 +krb5-configs-1.1.1-9 +krb5-libs-1.1.1-9 +kudzu-0.36-2 +ld.so-1.9.5-13 +ldconfig-1.9.5-16 +less-346-2 +libc-5.3.12-31 +libgr-2.0.13-23 +libgr-progs-2.0.13-23 +libjpeg-6b-10 +libpng-1.0.5-3 +libstdc++-2.9.0-30 +libtermcap-2.0.8-20 +libtiff-3.5.4-5 +libungif-4.1.0-4 +libxml-1.8.6-2 +lilo-0.21-15 +logrotate-3.3.2-1 +losetup-2.10f-1 +mailcap-2.0.6-1 +man-1.5h1-1 +mingetty-0.9.4-11 +mkbootdisk-1.2.5-3 +mkinitrd-2.4.1-2 +mktemp-1.5-2 +modutils-2.3.9-6 +mount-2.10f-1 +mouseconfig-4.4-1 +ncompress-4.2.4-15 +ncurses-5.0-11 +net-tools-1.54-4 +netscape-common-4.72-6 +netscape-navigator-4.72-6 +newt-0.50.8-2 +ntsysv-1.1.2-1 +pam-0.72-6 +passwd-0.64.1-1 +pciutils-2.1.5-2 +popt-1.5-0.48 +procps-2.0.6-5 +psmisc-19-2 +pwdb-0.61-0 +raidtools-0.90-6 +rdate-1.0-1 +readline-2.2.1-6 +redhat-logos-1.1.0-2 +redhat-release-6.2-1 +rootfiles-5.2-5 +rpm-3.0.4-0.48 +rpmfind-1.4-3 +rxvt-2.6.1-8 +sash-3.4-2 +sed-3.02-6 +setup-2.1.8-1 +setuptool-1.2-5 +sh-utils-2.0-5 +shadow-utils-19990827-10 +slang-1.2.2-5 +slocate-2.1-2 +stat-1.5-12 +sysklogd-1.3.31-16 +tar-1.13.17-3 +tcl-8.0.5-35 +tcp_wrappers-7.6-10 +termcap-10.2.7-9 +textutils-2.0a-2 +time-1.7-9 +timeconfig-3.0.3-2 +tmpwatch-2.2-1 +utempter-0.5.2-2 +util-linux-2.10f-7 +vixie-cron-3.0.1-40 +which-2.9-2 +words-2-12 +xinitrc-2.9-1 +xpm-3.4k-2 +zlib-1.1.3-6 +</verb></tscreen> + +Unfortunately, some of the packages above might also be redundant and +potentially unsafe (even glibc, the main runtime Linux library, was recently +found to have locally exploitable bugs! And so was PAM module library). +More candidates for elimination +include gpm (console mouse services, had some exploit history last year) and +many others. +Xlib has a buffer overflow but can't be eliminated. Make sure the latest +version is used. +</itemize> + +<sect1>Install ssh +<p> +Install ssh-server RPM for remote administration. Do NOT use inetd daemon +mode, make sshd run standalone and use <bf>/etc/hosts.allow</bf> for access +control (ssh daemon will read the file upon startup) + +<sect1>Make a boot floppy +<p> +Make sure you create a boot floppy using a <bf>mkbootdisk</bf> command as errors +in LILO configuration might render the system unbootable. + +<sect1>Modify configs +<p> +Make the following modifications to configuration files +<itemize> +<item> +<bf>/etc/inittab</bf> +<tscreen><verb> +# +# inittab This file describes how the INIT process should set up +# the system in a certain run-level. +# +# Author: Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org> +# Modified for RHS Linux by Marc Ewing and Donnie Barnes +#--fixed by anton for browser station + +# Default runlevel. The runlevels used by RHS are: +# 0 - halt (Do NOT set initdefault to this) +# 1 - Single user mode +# 2 - Multiuser, without NFS (The same as 3, if you do not have networking) +# 3 - Full multiuser mode +# 4 - unused +# --anton-- +# 4 - browser X +# 5 - X11 +# 6 - reboot (Do NOT set initdefault to this) +# +#id:3:initdefault: +#--anton: default runlevel now 4! other levels protected by LILO password +id:4:initdefault: + +# System initialization. +si::sysinit:/etc/rc.d/rc.sysinit + +l0:0:wait:/etc/rc.d/rc 0 +l1:1:wait:/etc/rc.d/rc 1 +l2:2:wait:/etc/rc.d/rc 2 +l3:3:wait:/etc/rc.d/rc 3 +l4:4:wait:/etc/rc.d/rc 4 +l5:5:wait:/etc/rc.d/rc 5 +l6:6:wait:/etc/rc.d/rc 6 + +# Things to run in every runlevel. +ud::once:/sbin/update + +# Trap CTRL-ALT-DELETE +#anton -- not here, disable +#ca::ctrlaltdel:/sbin/shutdown -t3 -r now + +# When our UPS tells us power has failed, assume we have a few minutes +# of power left. Schedule a shutdown for 2 minutes from now. +# This does, of course, assume you have powerd installed and your +# UPS connected and working correctly. +pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down" + +# If power was restored before the shutdown kicked in, cancel it. +pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled" + +# Run gettys in standard runlevels +1:2345:respawn:/sbin/mingetty tty1 +#--anton -- only one is needed! comment out the rest +#2:2345:respawn:/sbin/mingetty tty2 +#3:2345:respawn:/sbin/mingetty tty3 +#4:2345:respawn:/sbin/mingetty tty4 +#5:2345:respawn:/sbin/mingetty tty5 +#6:2345:respawn:/sbin/mingetty tty6 + +# Run xdm in runlevel 5 +# xdm is now a separate service +x:5:respawn:/etc/X11/prefdm -nodaemon +</verb></tscreen> + +The file above disables Ctrl-Alt-Del combination and makes new runlevel 4 a default +runlevel. It also eliminates virtual consoles (all but 1). + +<item> +<bf>/etc/fstab</bf> +<tscreen><verb> +#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +/dev/hda1 / ext2 defaults,ro 1 1 +/dev/hda7 /home ext2 defaults,nodev,noexec,nosuid 1 2 +/dev/hda6 /tmp ext2 defaults,nodev,noexec,nosuid 1 2 +/dev/hda5 /var ext2 defaults,nodev,noexec,nosuid 1 2 + +#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +#/dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0 +#/dev/fd0 /mnt/floppy auto noauto,owner 0 0 +#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +none /proc proc defaults 0 0 +none /dev/pts devpts gid=5,mode=620 0 0 +/dev/hda8 swap swap defaults 0 0 + +#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +</verb></tscreen> +Brief explanation for the options (see <it>man mount</it> for more) +<itemize> +<item> +For / : mounted read-only (<bf>ro</bf>), just to make it a little bit harder to do Bad Things +<item> +For <bf>/home, /tmp</bf> and <bf> /var</bf> : <bf>nodev,noexec,nosuid</bf> will prevent (a) +starting executable from them (download and run through netscape attack), +(b)running suid executables (well, redundant in presence of the above but nice +to have too) (c)creating devices by makedev (no faked /dev/mem for kernel +module attack) +<p> +Making <bf>/home</bf> read-only might be good idea too as no netscape is not supposed +to write anything while running. + +<item> +Remember to REMOVE floppy and CDROM physically and disable partitions +(commented out)! +</itemize> +<p> + +<item> +<bf>/etc/rc.d/</bf> directory +<p> +Create file <bf>xbrowser</bf> in <bf>/etc/rc.d/init.d</bf> and symlink + (<tt>cd /etc/rc.d/rc4.d ; ln -s /etc/rc.d/init.d/xbrowser S99xbrowser</tt>)it as +<bf>S99xbrowser</bf> in <bf>/etc/rc.d/rc4.d</bf> +so that directory <bf>/etc/rc.d/rc4.d</bf> looks like this +<tscreen><verb> + drwxrwxrwx 2 root root 4096 Sep 10 15:30 . + drwxrwxrwx 10 root root 4096 Sep 10 15:30 .. + lrwxrwxrwx 1 root root 1179 Sep 10 15:30 S05kudzu-> ../init.d/kudzu + lrwxrwxrwx 1 root root 5094 Sep 10 15:30 S10network-> ../init.d/network + lrwxrwxrwx 1 root root 1367 Sep 10 15:30 S16apmd-> ../init.d/apmd + lrwxrwxrwx 1 root root 1542 Sep 10 15:30 S20random-> ../init.d/random + lrwxrwxrwx 1 root root 3217 Sep 10 15:30 S25netfs-> ../init.d/netfs + lrwxrwxrwx 1 root root 1024 Sep 10 15:30 S30syslog-> ../init.d/syslog + lrwxrwxrwx 1 root root 989 Sep 10 15:30 S40atd-> ../init.d/atd + lrwxrwxrwx 1 root root 1031 Sep 10 15:30 S40crond-> ../init.d/crond + lrwxrwxrwx 1 root root 1203 Sep 10 15:30 S75keytable-> ../init.d/keytable + lrwxrwxrwx 1 root root 1261 Sep 10 15:30 S85gpm-> ../init.d/gpm + lrwxrwxrwx 1 root root 1956 Sep 10 15:30 S90xfs-> ../init.d/xfs + lrwxrwxrwx 1 root root 650 Sep 10 15:30 S99xbrowser-> ../init.d/xbrowser +</verb></tscreen> +This init files are run upon entering runlevel 4 (either at reboot or when +typing <bf>init 4</bf> from root prompt). Files are run in order of increasing +numbers so that our <bf>xbrowser</bf> runs in the end. +<p> +<bf>xbrowser</bf> file looks like this +<tscreen><verb> +#!/bin/bash +# --anton: Init the box into X with browser, no login script +echo "Starting standalone browser....." + +#put a mark into log +echo %%%%%%Reboot%%%%% >> /var/log/xlog + +#this file marks X startrup using out xinitrc +touch /tmp/startOK + +#--main loop, indefinite with the presence of /tmp/startOK file ------------------ +while [ -f /tmp/startOK ] ; do + +#put a mark into log +echo %%%%%%Restart%%%%% >> /var/log/xlog + +#kill stuck netscape if any (this doesnt help if it turn zombie) +killall -9 netscape >& /dev/null + +#clear netscape lock +if [ -f ~netscape/.netscape/lock ]; then + /bin/rm ~netscape/.netscape/lock +fi + +#start X windows, no winman, using the config that starts only netscape +#config is in root home dir!! +#X server runs as root, sort of BAD +/usr/X11R6/bin/xinit /root/.xinitrc -- /usr/X11R6/bin/X bc + +done +#main loop end------------------------------- +</verb></tscreen> +This file will start X server upon boot up with no prompting (after LILO +prompt). The X server will follow the directions in <it>/root/.xinitrc</it>, +below. X server config is shown below too. +<item> +Make sure <bf>/etc/sysctl.conf</bf> looks like this +<tscreen><verb> +# Disables packet forwarding +net.ipv4.ip_forward = 0 +# Enables source route verification +net.ipv4.conf.all.rp_filter = 1 +# Disables automatic defragmentation (needed for masquerading, LVS) +net.ipv4.ip_always_defrag = 0 +# Disables the magic-sysrq key +#--anton: this IS important +kernel.sysrq = 0 +</verb></tscreen> +This disable kernel interaction keys (aka Magic SysRQ keys) on startup. +<item> +<bf>/etc/X11/XF86Config</bf> +<p> +Make changes to <bf>/etc/X11/XF86Config</bf> that was automatically created +during install to look have those in: + +<tscreen><verb> +# File generated by XConfigurator. + +...whatever... + +# ********************************************************************** +# Server flags section. +# ********************************************************************** + +Section "ServerFlags" + + # Uncomment this to cause a core dump at the spot where a signal is + # received. This may leave the console in an unusable state, but may + # provide a better stack trace in the core dump to aid in debugging + #NoTrapSignals + + # Uncomment this to disable the <Ctrl><Alt><BS> server abort sequence + # This allows clients to receive this key event. +#--anton -- no X server kill +#--another option is to have a kill as a means to fight broken/stuck netscape, +#--restart will bring it back after cleanup + DontZap + + # Uncomment this to disable the <Crtl><Alt><KP_+>/<KP_-> mode switching + # sequences. This allows clients to receive these key events. +#--anton -- kinda bad too + DontZoom + +EndSection + +...whatever... + +</verb></tscreen> +Now, the <bf>DontZap</bf> is a questionable choice. The Crtl-Alt-Backspace +sequence might be the only way to kill stuck netscape or the one with some +window overlapping netscape controls (like, View Source or View Page Info) as +no automatic netscape fixing is implemented. Disabling Java and JavaScript +will decrease the likelihood of it crashing, but will not eliminate this +miserable occurrence altogether. In the current setup pressing +Crtl-Alt-Backspace if <bf>DontZap</bf> is commented out will cause X server to +restart, killing netscape and doing a lock file cleanup. + +<item> +<bf>/root/.xinitrc</bf> +<p> +Make sure that <bf>/root/.xinitrc</bf> +looks like +<tscreen><verb> + +/bin/rm -f ~netscape/.netscape/lock >& /dev/null + +#--anton: otherwise non-root netscape cant run +#--anton only allow local but from all users +#--anton the name of test box was "afc" thus the line below +xhost +afc +#--anton:starts netscape as user "netscape" and full screen!! +#make sure 1024x768 matches your monitor +su netscape -c "netscape -no-about-splash -geometry 1024x768+0+0" + +#---------------TESTING--------------------------- +#these commands were used in testing to set netscpae preferences +#same as having "netscape" uiser home dir writable for this user +#export HOME=/home/netscape +#netscape -no-about-splash -geometry 1024x768+0+0 >& /tmp/LOG +#---------------TESTING--------------------------- + +#also needed: X as user "guest" eventually + +</verb></tscreen> +See comments in file for explanation +</itemize> + +<sect1>Create user +<p> +Create user <it>netscape</it>, his home directory will be <bf>/home/netscape</bf>. +<sect1>Change Netscape settings +<p> +Start netscape and apply a restricted settings as: +<itemize> +<item>no Java (known big risks, +recently really big holes discovered in Netscape Java implementation), +<item>no +JavaScript (some risks with password stealing and web mail hijacking), +<item>no +cache (some Java bugs will access cache objects and then bypass JVM +restrictions), +<item>no cookies (might not be possible though, low risk), +<item>remove all launches of nonstandard applications (ideally-all applications) with +file types (by going to Netscape->Edit->Preferences->Navigator->Applications), +<item>history length set to 0 (next user can't see what previous was doing, +the risk is in seeing URL-encoded passwords sometimes) +</itemize> +<sect1>Chown the home directory +<p> +Do chown to root on <bf>/home/netscape</bf> (by <tt>chown -R root.root /home/netscape</tt>). +Make sure that his home directory belongs to root, there are no world-writable +files and subdirectories there and permission are at least +<tscreen><verb> +/home/netscape/: +total 9 +drwxr-xr-x 4 root root 1024 Sep 7 18:29 . +drwxr-xr-x 4 root root 1024 Sep 7 18:30 .. +-rw-r--r-- 1 root root 16 Sep 7 18:29 .bash_history +-rw-r--r-- 1 root root 24 Sep 5 08:21 .bash_logout +-rw-r--r-- 1 root root 230 Sep 5 08:21 .bash_profile +-rw-r--r-- 1 root root 124 Sep 5 08:21 .bashrc +-rw-r--r-- 1 root root 93 Sep 7 18:25 .mailcap +-rw-r--r-- 1 root root 0 Sep 7 18:25 .mime.types +drwxr-xr-x 4 root root 1024 Sep 10 08:38 .netscape +drwxr--r-- 2 root root 1024 Sep 6 00:04 .xauth + +/home/netscape/.netscape: +total 264 +drwxr-xr-x 4 root root 1024 Sep 10 08:38 . +drwxr-xr-x 4 root root 1024 Sep 7 18:29 .. +drwxr--r-- 2 root root 1024 Sep 6 00:04 archive +-rw------- 1 root root 14757 Sep 7 18:38 bookmarks.html +drwxr--r-- 3 root root 1024 Sep 7 18:24 cache +-rw-r--r-- 1 root root 188416 Sep 6 00:05 cert7.db +-rw-r--r-- 1 root root 16384 Sep 7 18:30 history.dat +-rw-r--r-- 1 root root 111 Sep 7 16:20 history.list +-rw-r--r-- 1 root root 16384 Sep 6 00:05 key3.db +-rw-r--r-- 1 root root 0 Sep 6 00:04 nswrapper.copy_defs +-rw-r--r-- 1 root root 279 Sep 10 08:38 plugin-list +-rw-r--r-- 1 root root 3398 Sep 7 18:29 preferences.js +-rw-r--r-- 1 root root 741 Sep 7 18:29 registry +-rw-r--r-- 1 root root 16384 Sep 7 18:29 secmodule.db +</verb></tscreen> + +Carefully test netscape functionality upon doing the chown to root! +At present, I have not found a way to avoid periodic Netscape complaints about +"Can't write preferences". +<p> +Another note is appropriate. Netscape is VERY buggy (last example is +<htmlurl url="http://www.redhat.com/support/errata/RHSA-2000-046-02.html" name="Red Hat Linux Security Advisory"> +presents a way to crash and exploit netscape using a specially crafted JPEG +image) +and is likely to crash periodically, +possibly producing a buffer overflow with shell access for the intruder. This +shell will have the netscape user as owner. Thus the absence of xterm and rxvt +on the system is absolutely crucial as it provides another line of defense. +Permission on the system should also be set very conservatively (no +world-writable files). Ideally, NO files should be owned by user "netscape" on +the system AT ALL (do a <bf>find / -user netscape </bf> command to confirm +this, also check for world writable files with <bf>find / -perm -2 ! -type l -ls</bf>). +<p> +<sect1>Config lilo +<p> +Modify <bf>/etc/lilo.conf</bf> +<p> +<tscreen><verb> + +boot=/dev/hda +map=/boot/map +install=/boot/boot.b +prompt +timeout=50 +default=linux + +image=/boot/vmlinuz-2.2.14-5.0 + label=linux + read-only + root=/dev/hda1 + restricted + +</verb></tscreen> +The word <it>restricted</it> will cause password prompting in order to +enter non-standard runlevel (e.g. <bf>linux init 0</bf> from LILO: prompt). +<p> +That implies using stock RH 6.2 kernel. Kernel upgrade to 2.2.16 might be a +good idea as some bugs were found in early 2.2.14 kernels (low risk). +<p> +<sect1>REMOVE binaries +<p> +<bf>REMOVE /usr/X11R6/bin/xterm xterm executable COMPLETELY!</bf> This is REALLY IMPORTANT +as shell will be much harder to obtain in this case. Make sure its clone, +rxvt, is not installed! Ideally, all programs that can spawn a shell should be +removed. +<p> +<sect1>Physical security +<p> +Some physical security +<itemize> +<item> +Secure reset button +<item> +Remove CDROM and floppy disk drive +<item> +Prevent access to the box to avoid hard drive replacement +</itemize> +<p> +<sect1>Some final touches +<p> +Some final touches (nice but not essential for system functionality) +<itemize> +<item> +Implement free disk space monitor top avoid partition overflows +<item> +Enable remote logging (preferably to some dedicated box with host-based IDS +that analyzes the logs) +</itemize> +<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - --> + <sect>Conclusion +<p> +It just might work ;-) +<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - --> + <sect>References +<p> +<enum> +<item> +<htmlurl url="http://linuxdoc.org/HOWTO/Kiosk-HOWTO.html" name="Web Kiosk +HOWTO"> + + Similar HOWTO, main differences: no keyboard, uses fvwm2 +<item> +<htmlurl url="http://linuxdoc.org/HOWTO/mini/Public-Web-Browser.html" +name="Public Web Browser HOWTO"> + + Similar HOWTO, older and less security oriented +<item> +<htmlurl url="http://linuxdoc.org/HOWTO/Security-HOWTO.html" name="Security +HOWTO"> + + Linux Security HOWTO +<item> +<htmlurl url="http://www.thinknic.com" name="NIC Site"> + +You can buy something +similar to what is described in the HOWTO for $199 (I am not affiliated with +the company in any way) +<item> +<htmlurl url="http://www.chuvakin.org/ispdoc" +name="http://www.chuvakin.org/ispdoc"> + + I also maintain a Linux ISP HOWTO. +<item> +<htmlurl url="http://www.chuvakin.org/books" +name="http://www.chuvakin.org/books"> + + I also maintain a list of computer/network security related books with +(where available) reviews and online availability. If you have a book that I don't list please use the form on the page and I will add it to the list and maybe review +it later. + +</enum> + + +</article>