Locking down a Linux machine

August, 2006

I recently had to make a locked down kiosk out of a 17" iMac with Linux (see my hardware fixes here). As part of this, the box had to be completely locked down as it's accessible by the public.

Removing CTRL+ALT+DEL

The first thing we need to get rid of is CTRL+ALT+DEL rebooting the machine and switching runlevels. Edit /etc/inittab and find the line defining what to do when CTRL+ALT+DEL is pressed. Most distributions have a similar line. The Debian one looks like this:

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

Just comment it out with a hash.

Locking down X

X requires a couple of things doing - we need to prevent CTRL+ALT+BACKSPACE from killing X, and we should also prevent switching to virtual terminals.

To do this, add the following flags to your xorg.conf

Section "ServerFlags"
	Option "DontZap" "True"
	Option "DontVTSwitch" "True"
EndSection

Locking down the Window Manager

For my purposes, I wanted a bare window manager with my application loaded. I chose WindowMaker for this (well, it is my favourite). You can use its prefs utility to disable the dock and clip. You can then go to the keyboard shortcuts and clear them all. This leaves the user with no choice but to interact with your application.

I did also add a couple of menu entries with hotkeys that used gksu to start an admin application for the staff at the company where the kiosk was going. A separate application handled common tasks (shutting the box down, ejecting anything from the CD drive, reporting disk free space, etc.)

Create your kiosk system user and start WindowMaker:

adduser kiosk (replace with your user)
su - kiosk
echo "wmaker" > ~/.xinitrc
startx

Auto-starting an X application with a user

To get your X application booting on startup, create your user first. Then, you'll need to make a .xinitrc file and add your application and window manager to it.

su - kiosk
echo "wmaker &
sleep 2
xhost +
yourapp" > .xinitrc

The sleep is in there so the window manager has time to start before your application is loaded. Because the app is the last part of the script, X will close when your application does. I put xhost + in there because my application uses gksu to start some apps as root (and they wouldn't be able to talk to the X display otherwise) - remove this line if you don't need it.

Next, you need to get X to fire up on boot. I chose a Debian system so I created an init.d script that drops rights to the user and starts X. The /etc/init.d/kiosk file looks like this:

#!/bin/sh
# /etc/init.d/kiosk

case "$1" in
start)	echo "Starting X for user"
	su kiosk -l -c startx &
	;;
stop)	echo "Stopping X for user"
	killall xinit
	;;
restart) $0 stop
	$0 start
	;;
*)	echo "Usage: /etc/init.d/kiosk {start|stop|restart}"
	exit 2
	;;
esac
exit 0

Put this file in your /etc/init.d directory, then create a symlink to the default Debian runlevel so it starts up at the end of the boot cycle.

ln -s /etc/init.d/kiosk /etc/rc2.d/S99kiosk

Almost there, but X won't start in this manner due to a security restriction. Edit /etc/X11/Xwrapper.config and change allowed_users to anybody.

#allowed_users=console
allowed_users=anybody

You can now test from a VT by running /etc/init.d/kiosk start

Don't forget, you've just locked the machine down so until you're completely happy with it (or have SSH access), leave at least one method open of getting back to your console! (comment out DontVTSwitch option in xorg.conf until you're ready is probably simplest)

Back

Me

Stuff

Articles

Free Software