LDP
/
LDP
mirror of https://github.com/tLDP/LDP
0
1
Fork 0
Code Releases Activity
LDP/LDP/howto/linuxdoc/Public-Web-Browser.sgml

1083 lines
34 KiB
Plaintext
Raw Permalink Blame History

<!doctype linuxdoc system>
<article>
<title>Linux web browser station (formerly "The Linux Public Web Browser mini-HOWTO")
<author>Anton Chuvakin, <tt> <htmlurl url="mailto:anton@chuvakin.org" name="anton@chuvakin.org"></tt>
<date>v0.0.5 10 October 2000
<abstract>
Describes the setup of Internet kiosk-type system based on Linux to be
deployed to provide public Internet/webmail access.
</abstract>
<!-- Table of contents -->
<toc>
<!-- Begin the document -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect>Introduction
<p>
The directions below will produce the RedHat (currently version 6.2 is used,
7.0 is in development) Linux system that boots into the bare (=no window
manager, like gnome, kde or fvwm2) X server and starts Netscape Navigator (not
Communicator, which includes Main and News clients). Upon exiting the browser
the X server is restarted and the new Netscape process is launched as
needed. The system is intended for Internet Kiosks and similar applications.
Security is emphasized at all the stages of the setup.
<p>
This HOWTO will be updated (maybe significantly) as long as more reports about the deployment of
such boxes will arrive.
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Disclaimer
<p>
Use the information in this document at your own risk. I disavow any
potential liability for the contents of this document. Use of the
concepts, examples, and/or other content of this document is entirely
at your own risk.
All copyrights are owned by their owners, unless specifically noted
otherwise. Use of a term in this document should not be regarded as
affecting the validity of any trademark or service mark.
Naming of particular products or brands should not be seen as endorsements.
You are strongly recommended to take a backup of your system before
major installation and backups at regular intervals.
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Credits
<p>
In this version I have the pleasure of acknowledging the previous maintainer
of this HOWTO who nicely agreed to transfer it to me
<tscreen><verb>
dmarti@????.com
</verb></tscreen>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> New versions of this document
<p>
New versions of this document can be found at
<tt>
<htmlurl url="http://www.chuvakin.org/kiodoc" name="http://www.chuvakin.org/kiodoc">
</tt>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Changes Fri Sep 22 14:32:32 EDT 2000
<p>
<bf>from 0.0.4 to 0.0.3</bf>
<itemize>
<item>
Merged with old HOWTO
</itemize>
<p>
<bf>from 0.0.2 to 0.0.3</bf>
<itemize>
<item>
references added
<item>
abstract finished
</itemize>
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> TODO
<p>
<itemize>
<item>
Write abstract
<item>
Suggested hardware
<item>
<tt>.Xdefaults</tt> disable some keys (Alt-Ctrl-F1)
<item>
X server port 6000 attacks, do something about them
<item>
X server under root, bad
<item>
Eliminate more unneeded RPMs
<item>
Implement <bf>/etc/pam.d/limits.conf</bf> to prevent netscape bloat and system
crash (well, by causing it to crash before bloat ;-) ), see
<htmlurl url="http://linuxdoc.org/HOWTO/Security-HOWTO-5.html" name="Security HOWTO">
<item>
Protect some files with <bf>chattr</bf> is nice
<item>
Provided CDROM booting considerations
<item>
Redo everything for RedHat 7.0
</itemize>
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> Feedback
<p>
All comments, error reports, additional information (very much appreciated!!!)
and criticism of all sorts should be directed to:
<tt>
<htmlurl url="mailto:anton@chuvakin.org" name="anton@chuvakin.org">
</tt>
<p>
<tt>
<htmlurl url="http://www.chuvakin.org/" name="http://www.chuvakin.org/">
</tt>
<p>
My PGP key is located at <tt>
<htmlurl url="http://www.chuvakin.org/pgpkey" name="http://www.chuvakin.org/pgpkey"></tt>
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> Copyright information
<p>
This document is copyrighted (c) 2000 Anton Chuvakin, and parts of it are
Copyright 1997 Donald B. Marti Jr. where marked as such
<p>
<!--
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% OLD %%%%%%%%%%%%%%%%%%%%%%%%%
-->
<sect>OLD GUIDE: The Linux Public Web Browser mini-HOWTO by Donald B. Marti Jr.,
<tt>dmarti@best.com</tt>
<p>
v0.3, 5 January 1998
The basic idea here is to give web access to people who wander by,
while limiting their ability to mess anything up.
<!-- Begin the document -->
<sect1>Copyright and Disclaimer
<p>
Copyright 1997 Donald B. Marti Jr.
This document may be redistributed under the terms of
the Linux Documentation Project license.
</p>
<p>
This document currently contains information for Netscape Navigator
only, but I plan to add notes for other browsers too as I get the
necessary information. If you try this with a different browser,
please let me know.
</p>
<sect1>Introduction
<p>
The basic idea here is to give web access to people who wander by,
while limiting their ability to mess anything up.
</p>
<p>
This setup was originally intended for trade shows, but it might be
applicable other places you want to have a web browser going without
having to babysit a computer.
</p>
<p>
Following these instructions
does <bf>not</bf> make your system bulletproof or idiot-proof.
</p>
<sect1>Before you begin
<sect2>You need a graphical browser
<p>
This document assumes that you already have a running graphical web browser,
such as Netscape Navigator, on your system.
You should have permission to use your graphical web browser.
If you want to use Netscape Navigator in a commercial setting,
you can buy a copy with appropriate license through Caldera.
</p>
<sect2>You need to be able to add an account
<p>
If you don't have the right to be <bf>root</bf>,
get the system administrator to add the ``<tt>guest</tt>'' account
and give you ownership of <tt>guest</tt>'s home directory.
Skip to the ``Create or edit the following files'' step
(<ref id="CreateEditHomeGuestFiles"
name="Create or edit the following files in /home/guest">)
when he or she is done.
</p>
<sect2>You need <tt>httpd</tt> for a stand-alone web browsing station
<p>
If you are setting up a web browsing station to run stand-alone,
without a network connection,
you should have <tt>httpd</tt> working and the web documents installed.
To tell if this is the case, enter:
<tscreen>
<verb>
lynx -dump http://localhost/
</verb>
</tscreen>
You should get the text of the home page on your system.
</p>
<sect1>Add the guest account<label id="AddGuestAccount">
<p>
As <bf>root</bf>, run <tt>adduser</tt> to add a user named <tt>guest</tt>.
Then enter
<tscreen>
<verb>
passwd guest
</verb>
</tscreen>
to set the password for the <tt>guest</tt> account.
This should be something easy to remember, like ``<tt>guest</tt>''.
You will be telling people this password.
Don't make it the same as your own password.
</p>
<p>
Then make <tt>guest</tt>'s home directory owned by you.
Enter
<tscreen>
<verb>
chown me.mygroup /home/guest
</verb>
</tscreen>
Replace ``<tt>me</tt>'' with your regular username and ``<tt>mygroup</tt>''
with your group name.
(On Red Hat Linux, these will be the same,
since every user has his or her own group.)
</p>
<p>
You should now exit and do the rest of the steps as yourself,
not <bf>root</bf>.
</p>
<sect1>Create or edit the following files in <tt>/home/guest</tt><label id="CreateEditHomeGuestFiles">
<sect2>File name: <tt>.bash&lowbar;login</tt>
<p>
<tscreen>
<code>
exec startx
</code>
</tscreen>
This means that when <tt>guest</tt> logs in,
the login shell will start up the X Window System right away.
</p>
<sect2>File name: <tt>.Xclients</tt>
<p>
<tscreen>
<code>
netscape
</code>
</tscreen>
This means that when X starts, <tt>guest</tt> just gets the web browser,
no window manager. If you prefer another web browser, do something else.
</p>
<p>
The file <tt>.Xclients</tt> should be executable by <tt>guest</tt>.
Enter
<tscreen>
<verb>
chmod 755 /home/guest/.Xclients
</verb>
</tscreen>
to make it so.
</p>
<sect2>File name: <tt>.xsession</tt>
<p>
<tscreen>
<code>
#!/bin/sh
netscape
</code>
</tscreen>
If you use <tt>xdm</tt>(1) to log people in,
this file should make guest get the web browser
as if he or she had logged in normally.
The file <tt>.xsession</tt> should be executable by <tt>guest</tt>.
Enter
<tscreen>
<verb>
chmod 755 /home/guest/.xsession
</verb>
</tscreen>
to make it so.
</p>
<sect2>File name: <tt>.Xdefaults</tt>
<p>
<tscreen>
<code>
! Disable drag-to-select.
*hysteresis: 3000
! Make visited and unvisited links the same color by default
*linkForeground: #0000EE
*vlinkForeground: #0000EE
Netscape.Navigator.geometry: =NETSCAPE_GEOMETRY
! Disable some of the keyboard commands.
*globalTranslations:
! Mouse bindings: make all mouse buttons do the same thing.
*drawingArea.translations: #replace \
<Btn1Down>: ArmLink() \n\
<Btn2Down>: ArmLink() \n\
<Btn3Down>: ArmLink() \n\
~Shift<Btn1Up>: ActivateLink() \
DisarmLink() \n\
~Shift<Btn2Up>: ActivateLink() \
DisarmLink() \n\
~Shift<Btn3Up>: ActivateLink() \
DisarmLink() \n\
Shift<Btn1Up>: ActivateLink() \
DisarmLink() \n\
Shift<Btn2Up>: ActivateLink() \
DisarmLink() \n\
Shift<Btn3Up>: ActivateLink() \
DisarmLink() \n\
<Btn1Motion>: DisarmLinkIfMoved() \n\
<Btn2Motion>: DisarmLinkIfMoved() \n\
<Btn3Motion>: DisarmLinkIfMoved() \n\
<Motion>: DescribeLink() \n\
</code>
</tscreen>
This file disables blink tags, drag-to-select,
and some of the keyboard commands.
It also makes all mouse buttons do the same thing,
hides the menu bar, and makes visited and unvisited links the same color,
so each visitor gets nice clean blue links,
not ones that other people have been thumbing through and staining purple.
</p>
<p>
You should replace the <tt>NETSCAPE&lowbar;GEOMETRY</tt> in this file
with an X geometry that looks like this: <tt>XxY+0-0</tt>,
where <tt>X</tt> is the width of your screen and <tt>Y</tt> is the height
of your screen <tt>+ 32</tt>.
This will position the Netscape menu bar off the top of the screen,
so the user won't be distracted.
For example, if your screen is 800x600,
the geometry should be <tt>800x632+0-0</tt>.
</p>
<sect1>Make a <tt>.netscape</tt> directory for <tt>guest</tt>
<p>
Enter
<tscreen>
<verb>
mkdir /home/guest/.netscape
chmod 777 /home/guest/.netscape
</verb>
</tscreen>
to create <tt>guest</tt>'s <tt>.netscape</tt> directory and make it
world-writable.
</p>
<sect1>Try it
<p>
Log out, then log in as <tt>guest</tt>.
</p>
<sect1>Changing preferences
<p>
Since you won't be able to use the menu bar as <tt>guest</tt>,
you should edit guest's preferences manually if you need to change them,
or change your own preferences to what you want <tt>guest</tt>'s to be
and copy the preferences file.
</p>
<!--
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect>NEW GUIDE: Step-by-step guide
<p>
<sect1>Install RH
<p>
Install RedHat (further just RH) Linux on the box. Make sure shadow and MD5
passwords are enabled. And have a nice long root password! Refer to
corresponding installation guides.
<sect1>Clean-up packages
<p>
<p>RH Linux was and is *really* buggy out of the box (both local and remote exploits are
discovered every day, see <htmlurl url="http://www.securityfocus.com"
name="BugTRAQ database">), and many software packages installed by default can
be used to obtain root shell from non-privileged account or in the worst cases
across the network (or just mess up the box). Thus special attention should be given to package
selection on the browser workstation.
<itemize>
Use workstation or custom installation mode. The latter is recommended, when
selecting groups of packages, only choose <it>base-system</it>, <it>networked workstation</it>,
<it>mail/www services</it> (make sure you later replace Communicator with
Navigator) and
<it>X packages</it> and then
erase the unneeded RPMs. If using workstation mode you will have to (possibly
manually) remove about 300 packages.
<item>
When partitioning the disk follow the scheme below. The sizes are appropriate
for the 3 GB disk, scale the sizes accordingly for bigger drive but this is really
not needed for this setup as the whole Linux system is squeezed to under 200MB.
Make sure those partitions (<bf>/,/home,/var and /tmp</bf>) are present! Separate /usr
is not necessary! Remember to create a generous swap partition (at least the
size of RAM).
<p>
Partitions mount points and sizes used for a test system:
<tscreen><verb>
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/hda1 1571528 184184 1307512 12% /
/dev/hda7 300603 309 284773 0% /home
/dev/hda6 300603 20 285062 0% /tmp
/dev/hda5 809556 4640 763792 1% /var
</verb></tscreen>
<item>
Remove all RPMs but those (list might be shortened later and automatic RPM-removal
shell script might be written as well)
<tscreen><verb>
MAKEDEV-2.5.2-1
SysVinit-2.78-5
X11R6-contrib-3.3.2-11
XFree86-100dpi-fonts-3.3.6-20
XFree86-3.3.6-20
XFree86-75dpi-fonts-3.3.6-20
XFree86-S3-3.3.6-20
XFree86-SVGA-3.3.6-20
XFree86-VGA16-3.3.6-20
XFree86-libs-3.3.6-20
XFree86-xfs-3.3.6-20
Xconfigurator-4.3.5-1
apmd-3.0final-2
ash-0.2-20
at-3.1.7-14
audiofile-0.1.9-3
authconfig-3.0.3-1
basesystem-6.0-4
bash-1.14.7-22
bc-1.05a-5
bdflush-1.5-11
binutils-2.9.5.0.22-6
bzip2-0.9.5d-2
chkconfig-1.1.2-1
chkfontpath-1.7-2
console-tools-19990829-10
cracklib-2.7-5
cracklib-dicts-2.7-5
crontabs-1.7-7
dev-2.7.18-3
diffutils-2.7-17
e2fsprogs-1.18-5
ed-0.2-13
eject-2.0.2-4
etcskel-2.3-1
file-3.28-2
filesystem-1.3.5-1
fileutils-4.0-21
findutils-4.1-34
freetype-1.3.1-5
gawk-3.0.4-2
gd-1.3-6
gdbm-1.8.0-3
getty_ps-2.0.7j-9
glib-1.2.6-3
glib10-1.0.6-6
glibc-2.1.3-15
gmp-2.0.2-13
gpm-1.18.1-7
grep-2.4-3
groff-1.15-8
gtk+-1.2.6-7
gzip-1.2.4a-2
hdparm-3.6-4
imlib-1.9.7-3
indexhtml-6.2-1
info-4.0-5
initscripts-5.00-1
iputils-20000121-2
isapnptools-1.21b-1
kbdconfig-1.9.2.4-1
kernel-2.2.14-5.0
kernel-utils-2.2.14-5.0
krb5-configs-1.1.1-9
krb5-libs-1.1.1-9
kudzu-0.36-2
ld.so-1.9.5-13
ldconfig-1.9.5-16
less-346-2
libc-5.3.12-31
libgr-2.0.13-23
libgr-progs-2.0.13-23
libjpeg-6b-10
libpng-1.0.5-3
libstdc++-2.9.0-30
libtermcap-2.0.8-20
libtiff-3.5.4-5
libungif-4.1.0-4
libxml-1.8.6-2
lilo-0.21-15
logrotate-3.3.2-1
losetup-2.10f-1
mailcap-2.0.6-1
man-1.5h1-1
mingetty-0.9.4-11
mkbootdisk-1.2.5-3
mkinitrd-2.4.1-2
mktemp-1.5-2
modutils-2.3.9-6
mount-2.10f-1
mouseconfig-4.4-1
ncompress-4.2.4-15
ncurses-5.0-11
net-tools-1.54-4
netscape-common-4.72-6
netscape-navigator-4.72-6
newt-0.50.8-2
ntsysv-1.1.2-1
pam-0.72-6
passwd-0.64.1-1
pciutils-2.1.5-2
popt-1.5-0.48
procps-2.0.6-5
psmisc-19-2
pwdb-0.61-0
raidtools-0.90-6
rdate-1.0-1
readline-2.2.1-6
redhat-logos-1.1.0-2
redhat-release-6.2-1
rootfiles-5.2-5
rpm-3.0.4-0.48
rpmfind-1.4-3
rxvt-2.6.1-8
sash-3.4-2
sed-3.02-6
setup-2.1.8-1
setuptool-1.2-5
sh-utils-2.0-5
shadow-utils-19990827-10
slang-1.2.2-5
slocate-2.1-2
stat-1.5-12
sysklogd-1.3.31-16
tar-1.13.17-3
tcl-8.0.5-35
tcp_wrappers-7.6-10
termcap-10.2.7-9
textutils-2.0a-2
time-1.7-9
timeconfig-3.0.3-2
tmpwatch-2.2-1
utempter-0.5.2-2
util-linux-2.10f-7
vixie-cron-3.0.1-40
which-2.9-2
words-2-12
xinitrc-2.9-1
xpm-3.4k-2
zlib-1.1.3-6
</verb></tscreen>
Unfortunately, some of the packages above might also be redundant and
potentially unsafe (even glibc, the main runtime Linux library, was recently
found to have locally exploitable bugs! And so was PAM module library).
More candidates for elimination
include gpm (console mouse services, had some exploit history last year) and
many others.
Xlib has a buffer overflow but can't be eliminated. Make sure the latest
version is used.
</itemize>
<sect1>Install ssh
<p>
Install ssh-server RPM for remote administration. Do NOT use inetd daemon
mode, make sshd run standalone and use <bf>/etc/hosts.allow</bf> for access
control (ssh daemon will read the file upon startup)
<sect1>Make a boot floppy
<p>
Make sure you create a boot floppy using a <bf>mkbootdisk</bf> command as errors
in LILO configuration might render the system unbootable.
<sect1>Modify configs
<p>
Make the following modifications to configuration files
<itemize>
<item>
<bf>/etc/inittab</bf>
<tscreen><verb>
#
# inittab This file describes how the INIT process should set up
# the system in a certain run-level.
#
# Author: Miquel van Smoorenburg, <miquels@drinkel.nl.mugnet.org>
# Modified for RHS Linux by Marc Ewing and Donnie Barnes
#--fixed by anton for browser station
# Default runlevel. The runlevels used by RHS are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# --anton--
# 4 - browser X
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
#
#id:3:initdefault:
#--anton: default runlevel now 4! other levels protected by LILO password
id:4:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
# Things to run in every runlevel.
ud::once:/sbin/update
# Trap CTRL-ALT-DELETE
#anton -- not here, disable
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# When our UPS tells us power has failed, assume we have a few minutes
# of power left. Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"
# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#--anton -- only one is needed! comment out the rest
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6
# Run xdm in runlevel 5
# xdm is now a separate service
x:5:respawn:/etc/X11/prefdm -nodaemon
</verb></tscreen>
The file above disables Ctrl-Alt-Del combination and makes new runlevel 4 a default
runlevel. It also eliminates virtual consoles (all but 1).
<item>
<bf>/etc/fstab</bf>
<tscreen><verb>
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
/dev/hda1 / ext2 defaults,ro 1 1
/dev/hda7 /home ext2 defaults,nodev,noexec,nosuid 1 2
/dev/hda6 /tmp ext2 defaults,nodev,noexec,nosuid 1 2
/dev/hda5 /var ext2 defaults,nodev,noexec,nosuid 1 2
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#/dev/cdrom /mnt/cdrom iso9660 noauto,owner,ro 0 0
#/dev/fd0 /mnt/floppy auto noauto,owner 0 0
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
none /proc proc defaults 0 0
none /dev/pts devpts gid=5,mode=620 0 0
/dev/hda8 swap swap defaults 0 0
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
</verb></tscreen>
Brief explanation for the options (see <it>man mount</it> for more)
<itemize>
<item>
For / : mounted read-only (<bf>ro</bf>), just to make it a little bit harder to do Bad Things
<item>
For <bf>/home, /tmp</bf> and <bf> /var</bf> : <bf>nodev,noexec,nosuid</bf> will prevent (a)
starting executable from them (download and run through netscape attack),
(b)running suid executables (well, redundant in presence of the above but nice
to have too) (c)creating devices by makedev (no faked /dev/mem for kernel
module attack)
<p>
Making <bf>/home</bf> read-only might be good idea too as no netscape is not supposed
to write anything while running.
<item>
Remember to REMOVE floppy and CDROM physically and disable partitions
(commented out)!
</itemize>
<p>
<item>
<bf>/etc/rc.d/</bf> directory
<p>
Create file <bf>xbrowser</bf> in <bf>/etc/rc.d/init.d</bf> and symlink
(<tt>cd /etc/rc.d/rc4.d ; ln -s /etc/rc.d/init.d/xbrowser S99xbrowser</tt>)it as
<bf>S99xbrowser</bf> in <bf>/etc/rc.d/rc4.d</bf>
so that directory <bf>/etc/rc.d/rc4.d</bf> looks like this
<tscreen><verb>
drwxrwxrwx 2 root root 4096 Sep 10 15:30 .
drwxrwxrwx 10 root root 4096 Sep 10 15:30 ..
lrwxrwxrwx 1 root root 1179 Sep 10 15:30 S05kudzu-> ../init.d/kudzu
lrwxrwxrwx 1 root root 5094 Sep 10 15:30 S10network-> ../init.d/network
lrwxrwxrwx 1 root root 1367 Sep 10 15:30 S16apmd-> ../init.d/apmd
lrwxrwxrwx 1 root root 1542 Sep 10 15:30 S20random-> ../init.d/random
lrwxrwxrwx 1 root root 3217 Sep 10 15:30 S25netfs-> ../init.d/netfs
lrwxrwxrwx 1 root root 1024 Sep 10 15:30 S30syslog-> ../init.d/syslog
lrwxrwxrwx 1 root root 989 Sep 10 15:30 S40atd-> ../init.d/atd
lrwxrwxrwx 1 root root 1031 Sep 10 15:30 S40crond-> ../init.d/crond
lrwxrwxrwx 1 root root 1203 Sep 10 15:30 S75keytable-> ../init.d/keytable
lrwxrwxrwx 1 root root 1261 Sep 10 15:30 S85gpm-> ../init.d/gpm
lrwxrwxrwx 1 root root 1956 Sep 10 15:30 S90xfs-> ../init.d/xfs
lrwxrwxrwx 1 root root 650 Sep 10 15:30 S99xbrowser-> ../init.d/xbrowser
</verb></tscreen>
This init files are run upon entering runlevel 4 (either at reboot or when
typing <bf>init 4</bf> from root prompt). Files are run in order of increasing
numbers so that our <bf>xbrowser</bf> runs in the end.
<p>
<bf>xbrowser</bf> file looks like this
<tscreen><verb>
#!/bin/bash
# --anton: Init the box into X with browser, no login script
echo "Starting standalone browser....."
#put a mark into log
echo %%%%%%Reboot%%%%% >> /var/log/xlog
#this file marks X startrup using out xinitrc
touch /tmp/startOK
#--main loop, indefinite with the presence of /tmp/startOK file ------------------
while [ -f /tmp/startOK ] ; do
#put a mark into log
echo %%%%%%Restart%%%%% >> /var/log/xlog
#kill stuck netscape if any (this doesnt help if it turn zombie)
killall -9 netscape >& /dev/null
#clear netscape lock
if [ -f ~netscape/.netscape/lock ]; then
/bin/rm ~netscape/.netscape/lock
fi
#start X windows, no winman, using the config that starts only netscape
#config is in root home dir!!
#X server runs as root, sort of BAD
/usr/X11R6/bin/xinit /root/.xinitrc -- /usr/X11R6/bin/X bc
done
#main loop end-------------------------------
</verb></tscreen>
This file will start X server upon boot up with no prompting (after LILO
prompt). The X server will follow the directions in <it>/root/.xinitrc</it>,
below. X server config is shown below too.
<item>
Make sure <bf>/etc/sysctl.conf</bf> looks like this
<tscreen><verb>
# Disables packet forwarding
net.ipv4.ip_forward = 0
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Disables automatic defragmentation (needed for masquerading, LVS)
net.ipv4.ip_always_defrag = 0
# Disables the magic-sysrq key
#--anton: this IS important
kernel.sysrq = 0
</verb></tscreen>
This disable kernel interaction keys (aka Magic SysRQ keys) on startup.
<item>
<bf>/etc/X11/XF86Config</bf>
<p>
Make changes to <bf>/etc/X11/XF86Config</bf> that was automatically created
during install to look have those in:
<tscreen><verb>
# File generated by XConfigurator.
...whatever...
# **********************************************************************
# Server flags section.
# **********************************************************************
Section "ServerFlags"
# Uncomment this to cause a core dump at the spot where a signal is
# received. This may leave the console in an unusable state, but may
# provide a better stack trace in the core dump to aid in debugging
#NoTrapSignals
# Uncomment this to disable the <Ctrl><Alt><BS> server abort sequence
# This allows clients to receive this key event.
#--anton -- no X server kill
#--another option is to have a kill as a means to fight broken/stuck netscape,
#--restart will bring it back after cleanup
DontZap
# Uncomment this to disable the <Crtl><Alt><KP_+>/<KP_-> mode switching
# sequences. This allows clients to receive these key events.
#--anton -- kinda bad too
DontZoom
EndSection
...whatever...
</verb></tscreen>
Now, the <bf>DontZap</bf> is a questionable choice. The Crtl-Alt-Backspace
sequence might be the only way to kill stuck netscape or the one with some
window overlapping netscape controls (like, View Source or View Page Info) as
no automatic netscape fixing is implemented. Disabling Java and JavaScript
will decrease the likelihood of it crashing, but will not eliminate this
miserable occurrence altogether. In the current setup pressing
Crtl-Alt-Backspace if <bf>DontZap</bf> is commented out will cause X server to
restart, killing netscape and doing a lock file cleanup.
<item>
<bf>/root/.xinitrc</bf>
<p>
Make sure that <bf>/root/.xinitrc</bf>
looks like
<tscreen><verb>
/bin/rm -f ~netscape/.netscape/lock >& /dev/null
#--anton: otherwise non-root netscape cant run
#--anton only allow local but from all users
#--anton the name of test box was "afc" thus the line below
xhost +afc
#--anton:starts netscape as user "netscape" and full screen!!
#make sure 1024x768 matches your monitor
su netscape -c "netscape -no-about-splash -geometry 1024x768+0+0"
#---------------TESTING---------------------------
#these commands were used in testing to set netscpae preferences
#same as having "netscape" uiser home dir writable for this user
#export HOME=/home/netscape
#netscape -no-about-splash -geometry 1024x768+0+0 >& /tmp/LOG
#---------------TESTING---------------------------
#also needed: X as user "guest" eventually
</verb></tscreen>
See comments in file for explanation
</itemize>
<sect1>Create user
<p>
Create user <it>netscape</it>, his home directory will be <bf>/home/netscape</bf>.
<sect1>Change Netscape settings
<p>
Start netscape and apply a restricted settings as:
<itemize>
<item>no Java (known big risks,
recently really big holes discovered in Netscape Java implementation),
<item>no
JavaScript (some risks with password stealing and web mail hijacking),
<item>no
cache (some Java bugs will access cache objects and then bypass JVM
restrictions),
<item>no cookies (might not be possible though, low risk),
<item>remove all launches of nonstandard applications (ideally-all applications) with
file types (by going to Netscape->Edit->Preferences->Navigator->Applications),
<item>history length set to 0 (next user can't see what previous was doing,
the risk is in seeing URL-encoded passwords sometimes)
</itemize>
<sect1>Chown the home directory
<p>
Do chown to root on <bf>/home/netscape</bf> (by <tt>chown -R root.root /home/netscape</tt>).
Make sure that his home directory belongs to root, there are no world-writable
files and subdirectories there and permission are at least
<tscreen><verb>
/home/netscape/:
total 9
drwxr-xr-x 4 root root 1024 Sep 7 18:29 .
drwxr-xr-x 4 root root 1024 Sep 7 18:30 ..
-rw-r--r-- 1 root root 16 Sep 7 18:29 .bash_history
-rw-r--r-- 1 root root 24 Sep 5 08:21 .bash_logout
-rw-r--r-- 1 root root 230 Sep 5 08:21 .bash_profile
-rw-r--r-- 1 root root 124 Sep 5 08:21 .bashrc
-rw-r--r-- 1 root root 93 Sep 7 18:25 .mailcap
-rw-r--r-- 1 root root 0 Sep 7 18:25 .mime.types
drwxr-xr-x 4 root root 1024 Sep 10 08:38 .netscape
drwxr--r-- 2 root root 1024 Sep 6 00:04 .xauth
/home/netscape/.netscape:
total 264
drwxr-xr-x 4 root root 1024 Sep 10 08:38 .
drwxr-xr-x 4 root root 1024 Sep 7 18:29 ..
drwxr--r-- 2 root root 1024 Sep 6 00:04 archive
-rw------- 1 root root 14757 Sep 7 18:38 bookmarks.html
drwxr--r-- 3 root root 1024 Sep 7 18:24 cache
-rw-r--r-- 1 root root 188416 Sep 6 00:05 cert7.db
-rw-r--r-- 1 root root 16384 Sep 7 18:30 history.dat
-rw-r--r-- 1 root root 111 Sep 7 16:20 history.list
-rw-r--r-- 1 root root 16384 Sep 6 00:05 key3.db
-rw-r--r-- 1 root root 0 Sep 6 00:04 nswrapper.copy_defs
-rw-r--r-- 1 root root 279 Sep 10 08:38 plugin-list
-rw-r--r-- 1 root root 3398 Sep 7 18:29 preferences.js
-rw-r--r-- 1 root root 741 Sep 7 18:29 registry
-rw-r--r-- 1 root root 16384 Sep 7 18:29 secmodule.db
</verb></tscreen>
Carefully test netscape functionality upon doing the chown to root!
At present, I have not found a way to avoid periodic Netscape complaints about
"Can't write preferences".
<p>
Another note is appropriate. Netscape is VERY buggy (last example is
<htmlurl url="http://www.redhat.com/support/errata/RHSA-2000-046-02.html" name="Red Hat Linux Security Advisory">
presents a way to crash and exploit netscape using a specially crafted JPEG
image)
and is likely to crash periodically,
possibly producing a buffer overflow with shell access for the intruder. This
shell will have the netscape user as owner. Thus the absence of xterm and rxvt
on the system is absolutely crucial as it provides another line of defense.
Permission on the system should also be set very conservatively (no
world-writable files). Ideally, NO files should be owned by user "netscape" on
the system AT ALL (do a <bf>find / -user netscape </bf> command to confirm
this, also check for world writable files with <bf>find / -perm -2 ! -type l -ls</bf>).
<p>
<sect1>Config lilo
<p>
Modify <bf>/etc/lilo.conf</bf>
<p>
<tscreen><verb>
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
default=linux
image=/boot/vmlinuz-2.2.14-5.0
label=linux
read-only
root=/dev/hda1
restricted
</verb></tscreen>
The word <it>restricted</it> will cause password prompting in order to
enter non-standard runlevel (e.g. <bf>linux init 0</bf> from LILO: prompt).
<p>
That implies using stock RH 6.2 kernel. Kernel upgrade to 2.2.16 might be a
good idea as some bugs were found in early 2.2.14 kernels (low risk).
<p>
<sect1>REMOVE binaries
<p>
<bf>REMOVE /usr/X11R6/bin/xterm xterm executable COMPLETELY!</bf> This is REALLY IMPORTANT
as shell will be much harder to obtain in this case. Make sure its clone,
rxvt, is not installed! Ideally, all programs that can spawn a shell should be
removed.
<p>
<sect1>Physical security
<p>
Some physical security
<itemize>
<item>
Secure reset button
<item>
Remove CDROM and floppy disk drive
<item>
Prevent access to the box to avoid hard drive replacement
</itemize>
<p>
<sect1>Some final touches
<p>
Some final touches (nice but not essential for system functionality)
<itemize>
<item>
Implement free disk space monitor top avoid partition overflows
<item>
Enable remote logging (preferably to some dedicated box with host-based IDS
that analyzes the logs)
</itemize>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect>Conclusion
<p>
It just might work ;-)
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect>References
<p>
<enum>
<item>
<htmlurl url="http://linuxdoc.org/HOWTO/Kiosk-HOWTO.html" name="Web Kiosk
HOWTO">
Similar HOWTO, main differences: no keyboard, uses fvwm2
<item>
<htmlurl url="http://linuxdoc.org/HOWTO/mini/Public-Web-Browser.html"
name="Public Web Browser HOWTO">
Similar HOWTO, older and less security oriented
<item>
<htmlurl url="http://linuxdoc.org/HOWTO/Security-HOWTO.html" name="Security
HOWTO">
Linux Security HOWTO
<item>
<htmlurl url="http://www.thinknic.com" name="NIC Site">
You can buy something
similar to what is described in the HOWTO for $199 (I am not affiliated with
the company in any way)
<item>
<htmlurl url="http://www.chuvakin.org/ispdoc"
name="http://www.chuvakin.org/ispdoc">
I also maintain a Linux ISP HOWTO.
<item>
<htmlurl url="http://www.chuvakin.org/books"
name="http://www.chuvakin.org/books">
I also maintain a list of computer/network security related books with
(where available) reviews and online availability. If you have a book that I don't list please use the form on the page and I will add it to the list and maybe review
it later.
</enum>
</article>
View Git Blame Copy Permalink