Re: [newbie] RE: kiosk?

2002-11-13 Thread Derek Jennings
On Tuesday 12 Nov 2002 11:49 pm, Derek Jennings wrote:
 On Tuesday 12 Nov 2002 11:24 pm, Schwenk, Jeanie wrote:
  I'm not sure if a kiosk is what will solve my problem.  Advice would be
  very appreciated.
 
  Here's the problem:  I am putting a linux pc in our fab (semiconductor)
  as a test to prove to management that linux is a viable, inexpensive
  option to utilize in our manufacturing plant.  (versus new xterms at $6K
  or more a pop, new servers, or new windows pizza boxes).  I need to
  prevent the technicians from hacking the box, from surfing, from
  installing ... you name it.  They need to be able to run ONLY the
  guis/programs that allow manufacturing to continue smoothly.
 
  What is the best way to have the machine automatically boot into a window
  manager that has only a background menu pick that I can program?  It does
  not have to start any software upon restart but that would be a plus.
 
  Thanks.
 
  Jeanie

 Something like this ?
 http://www.oeone.com/products/desktop.html

 It uses Mozilla as a sort of centralised interface to apps. Works on RedHat
 and now also Mandrake.


 Alternatively you could just define user accounts which have a limited set
 of menu items, and no shell available.  If you modify the user's 'PATH' to
 remove /usr/bin for example, then they will be unable to run any
 application other than ones you specifically put in their path by creating
 a symlink from the application to some directory in their PATH.

  Look at /etc/profile to see the PATH available to all users, and
 ~/.bash_profile to see how the PATH is modified for individual users.

 derek


If I can rubbish my own suggestion - Changing the Path on its own does not 
improve security since anyone who knows the 'long path' to an application can 
still run it.  But here are two more suggestions for 'locking it down.'

Change the permissions on /usr/bin  (and other directories containing apps) to 
750 root,admin   where admin is a group containing trusted users. This will 
prevent any untrusted user from executing any of those apps.  Then for any 
app you want available to all, make the permissions 755.

The next step in complexity is to use PAM (Pluggable Authentication Modules). 
The best way to describe PAM is by example. halt is the name of the 
application to stop a computer. If you want to run it you execute
/usr/bin/halt,  but /usr/bin/halt is not actually the halt application. It is 
a symlink to another application called consolehelper.  When you want to run 
halt you first go to consolehelper which compares the name of the application 
it was called by (halt) with a list of files in /etc/pam.d.  If there is a 
file in there of the same name, then the contents of that file are used to 
determine if the user making the request has sufficient rights. Looking at 
the contents of /etc/pam.d/halt shows us the tests performed.

These lines mean that it is OK for root to use halt, but other users have to 
pass a security test first. If the test is passed execution passes over to 
the halt command which is actually held in /sbin/halt

For a description of the PAM commands see
http://www.kernel.org/pub/linux/libs/pam/

As for Window Managers, you can use anything you like. With KDE for example 
you could modify all the Hot Keys to disable features like Alt+F2 (execute 
command). Using menudrake you can customise the menus, and apply them across 
all Window Managers, and stopping services like mgetty will disable console 
access (Ctrl+Alt+F1 etc.)

With browsers, you can configure konqueror for example to not show its menu 
bar, so depriving users of the chance to alter settings, and squid-guard can 
be used to block access to all internet sites other than work related ones to 
stop them surfing porn on the late shift.  

You could have endless fun with this project :)

derek
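
An added example, not part of any message in the thread: a POSIX shell audit for the permission-based lockdown discussed above (750 on application directories, 755 on permitted programs). It compares what an account outside the trusted group can execute with an allowlist, checking the search bit on each directory as well as the execute bit on each file, since a program is reachable only when both are set. The function names, the allowlist file and the sample tree (`opt/fab/waferui` and so on) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Reads permission bits only, so the
# answer is the same whether root or an ordinary user runs it.

# True if the "other" execute/search bit is set on $1 (symlinks followed).
other_x() { [ -n "$(find -L "$1" -prune -perm -0001 2>/dev/null)" ]; }

# True if "other" can execute BASE/REL: each directory from BASE down must be
# searchable (o+x) and the file itself must be o+x.
other_can_run() (
    path=$1
    IFS=/
    set -f                       # split REL on "/" without globbing
    for part in $2; do
        other_x "$path" || exit 1
        path=$path/$part
    done
    [ -f "$path" ] && other_x "$path"
)

# audit_kiosk BASE ALLOWLIST DIR...
# ALLOWLIST holds one path per line, relative to BASE. Reports programs that
# "other" can run but are not listed, and listed programs that are blocked.
audit_kiosk() (
    base=$1 allow=$2 bad=0
    shift 2
    for dir in "$@"; do
        for f in "$base/$dir"/*; do
            [ -f "$f" ] || continue
            rel=${f#"$base"/}
            if other_can_run "$base" "$rel" && ! grep -qxF -- "$rel" "$allow"; then
                echo "UNEXPECTED $rel"; bad=1
            fi
        done
    done
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        other_can_run "$base" "$rel" || { echo "BLOCKED $rel"; bad=1; }
    done < "$allow"
    [ "$bad" -eq 0 ]
)

# Constructed sample tree: usr/bin is 750, opt/fab is 755. Prints its path.
make_demo_tree() (
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/usr/bin" "$t/opt/fab"
    for f in usr/bin/xterm usr/bin/halt opt/fab/waferui opt/fab/game; do
        : > "$t/$f"; chmod 755 "$t/$f"
    done
    : > "$t/opt/fab/admintool"; chmod 750 "$t/opt/fab/admintool"
    chmod 755 "$t" "$t/usr" "$t/opt" "$t/opt/fab"
    chmod 750 "$t/usr/bin"
    printf '%s\n' opt/fab/waferui usr/bin/halt > "$t/allow.txt"
    echo "$t"
)

tree=$(make_demo_tree)
audit_kiosk "$tree" "$tree/allow.txt" usr/bin opt/fab || echo "lockdown needs attention"
rm -rf "$tree"
```

On a real machine, pass `/` as BASE and the application directories (for example `usr/bin`) as DIR arguments, with the allowlist naming the programs the kiosk account is meant to run.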





Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



Re: [newbie] RE: kiosk?

2002-11-13 Thread Stephen Kuhn
On Wed, 2002-11-13 at 10:24, Schwenk, Jeanie wrote:
 I'm not sure if a kiosk is what will solve my problem.  Advice would be very
 appreciated.
 
 Here's the problem:  I am putting a linux pc in our fab (semiconductor) as a
 test to prove to management that linux is a viable, inexpensive option to
 utilize in our manufacturing plant.  (versus new xterms at $6K or more a
 pop, new servers, or new windows pizza boxes).  I need to prevent the
 technicians from hacking the box, from surfing, from installing ... you name
 it.  They need to be able to run ONLY the guis/programs that allow
 manufacturing to continue smoothly.  
 
 What is the best way to have the machine automatically boot into a window
 manager that has only a background menu pick that I can program?  It does
 not have to start any software upon restart but that would be a plus.
 
 Thanks.
 
 Jeanie
 
What you can do is to set up an account on the linux box that is a normal
user - and have either BLACKBOX or WINDOWMAKER as the primary WM - set up
a menu of ONLY your preferred application and a LOGOFF option.

On the same token, you can have a customized GNOME2 or KDE3
desktop/menu system with only those applications, or even better, have a
WM setup to run the application directly after the logon (using either
scripts or what-have-you).

I would, overall, suggest BLACKBOX as it's a minimalistic wm and very
easy to edit the config files as the superuser - mere minutes and you
could have a very well done and very secure setup.

Stephen
-- 
Thu Nov 14 07:55:00 EST 2002


|____  |
|   /  \ /| |'-.   |
|  .\__/ || |   |  |
|   _ /  `._ \|_|_.-'  |
|  | /  \__.`=._) (_   |kuhn media australia
|  |/ ._/  || |http://kma.0catch.com
|  |'.  `\ | | |stephen kuhn
|  ;/ / | | |email: [EMAIL PROTECTED]
|  smk  ) /_/| |.---.| |mobile: 0410-728-389
|  '  `-`'   |linux user:267497


If the Tao is great, then the operating system is great.  If the
operating system is great, then the compiler is great.  If the compiler
is great, then the application is great.  If the application is great,
then the user is pleased and there is harmony in the world.
The Tao gave birth to machine language.  Machine language gave birth
to the assembler.
The assembler gave birth to the compiler.  Now there are ten thousand
languages.
Each language has its purpose, however humble.  Each language
expresses the Yin and Yang of software.  Each language has its place
within the Tao.
But do not program in COBOL if you can avoid it.
-- Geoffrey James, The Tao of Programming





RE: [newbie] RE: kiosk?

2002-11-13 Thread Stephen Kuhn
On Wed, 2002-11-13 at 11:10, Schwenk, Jeanie wrote:
 I wasn't sure what information to include in the initial email.  The
 software that would be running is industry specific.  Windows applications
 would be running via citrix server.  The main program would be a swing gui
 used for processing pods of wafers.   
 
 We have many creative individuals here who are bored as well.  Others are
 just hacks who live to be a pain in the patootie.  If games, browsers,
 music, videos etc. are able to be installed, management will NEVER allow
 linux in the fab.   Can't allow them command line access, period.  Right
 now, I have the only linux desktop in the entire company.  That has to
 change (yes, I'm a zealot).  Getting a linux pc in the fab will make linux
 visible to all levels of management.  If it's visible and it costs them no
 money (I'm using a recycled PC), management will buy into the idea that
 linux is the way to go.   We know it is, but the phb's do not.   And I
 have to be able to show the same level of control and security our current
 options have. 
 
 So to top it off, whatever software might be available to help in this area
 has to be open source as there's no budget right now for me to do this.  But
 I am compelled to do it.   
 
 Jeanie

The only main issue that I would see with this environment would be to
get a Citrix client working on the linux desktop. I've found an
alternative at: http://sdsusa.com/jwt/ - they have a Citrix client for
linux.

I would strongly recommend using a very BARE window manager - not even
KDE or GNOME or ICEWM for this workstation.

As I've had to provide slave terms and dumb terms before, you will
have to lock down the workstation in such a manner that only you will be
able to make direct modifications to the system - since you're already
running linux on YOUR desktop, you can use VNC to administer this
workstation without ever leaving your own workstation.

As in Solaris boxes in a production environment, the menus for the
working account have only the necessary applications listed, along
with a logoff - and that's it.

You can use BLACKBOX, FLUXBOX, XFCE and Enlightenment. With
Enlightenment, there are a few themes that actually have desktop icons
- which would make it all the more easy for you to configure and lock
down - only a matter of editing text menus - literally. At least with
Enlightenment, you could dress up the desktop in such a manner as to
make it aesthetically pleasing and elegant.

IMHO

Stephen 
-- 
Thu Nov 14 08:10:00 EST 2002




  THE STORY OF CREATION
   or
 THE MYTH OF URK

In the beginning there was data.  The data was without form and null,
and darkness was upon the face of the console; and the Spirit of IBM was
moving over the face of the market.  And DEC said, Let there be registers;
and there were registers.  And DEC saw that they carried; and DEC separated
the data from the instructions.  DEC called the data Stack, and the
instructions they called Code.  And there was evening and there was morning,
one interrupt
...
-- Rico Tudor





Re: [newbie] RE: kiosk?

2002-11-12 Thread Derek Jennings
On Tuesday 12 Nov 2002 11:24 pm, Schwenk, Jeanie wrote:
 I'm not sure if a kiosk is what will solve my problem.  Advice would be
 very appreciated.

 Here's the problem:  I am putting a linux pc in our fab (semiconductor) as
 a test to prove to management that linux is a viable, inexpensive option to
 utilize in our manufacturing plant.  (versus new xterms at $6K or more a
 pop, new servers, or new windows pizza boxes).  I need to prevent the
 technicians from hacking the box, from surfing, from installing ... you
 name it.  They need to be able to run ONLY the guis/programs that allow
 manufacturing to continue smoothly.

 What is the best way to have the machine automatically boot into a window
 manager that has only a background menu pick that I can program?  It does
 not have to start any software upon restart but that would be a plus.

 Thanks.

 Jeanie

Something like this ?
http://www.oeone.com/products/desktop.html

It uses Mozilla as a sort of centralised interface to apps. Works on RedHat 
and now also Mandrake.


Alternatively you could just define user accounts which have a limited set of 
menu items, and no shell available.  If you modify the user's 'PATH' to remove 
/usr/bin for example, then they will be unable to run any application other 
than ones you specifically put in their path by creating a symlink from the 
application to some directory in their PATH. 

 Look at /etc/profile to see the PATH available to all users, and 
~/.bash_profile to see how the PATH is modified for individual users.

derek






RE: [newbie] RE: kiosk?

2002-11-12 Thread Schwenk, Jeanie
I wasn't sure what information to include in the initial email.  The
software that would be running is industry specific.  Windows applications
would be running via citrix server.  The main program would be a swing gui
used for processing pods of wafers.   

We have many creative individuals here who are bored as well.  Others are
just hacks who live to be a pain in the patootie.  If games, browsers,
music, videos etc. are able to be installed, management will NEVER allow
linux in the fab.   Can't allow them command line access, period.  Right
now, I have the only linux desktop in the entire company.  That has to
change (yes, I'm a zealot).  Getting a linux pc in the fab will make linux
visible to all levels of management.  If it's visible and it costs them no
money (I'm using a recycled PC), management will buy into the idea that
linux is the way to go.   We know it is, but the phb's do not.   And I
have to be able to show the same level of control and security our current
options have. 

So to top it off, whatever software might be available to help in this area
has to be open source as there's no budget right now for me to do this.  But
I am compelled to do it.   

Jeanie

-Original Message-
From: Spencer [mailto:sdander;oberon.ark.com]
Sent: Tuesday, November 12, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] RE: kiosk?


On November 12, 2002 03:24 pm, Schwenk, Jeanie wrote:
 I'm not sure if a kiosk is what will solve my problem.  Advice would be
 very appreciated.

 Here's the problem:  I am putting a linux pc in our fab (semiconductor) as
 a test to prove to management that linux is a viable, inexpensive option to
 utilize in our manufacturing plant.  (versus new xterms at $6K or more a
 pop, new servers, or new windows pizza boxes).  I need to prevent the
 technicians from hacking the box, from surfing, from installing ... you
 name it.  They need to be able to run ONLY the guis/programs that allow
 manufacturing to continue smoothly.

 What is the best way to have the machine automatically boot into a window
 manager that has only a background menu pick that I can program?  It does
 not have to start any software upon restart but that would be a plus.

 Thanks.

 Jeanie

Wow, that's a tall order. Icewm would be the window manager to use. It's
totally configurable to whatever you want on a desktop. What sort of apps
would you want to run? Is this all possible? You bet, but we need a lot more
information. Unwanted hacking or installing is easy to control, just don't
release the root password. There are probably others on the list that can
help, but to me, this would be an interesting challenge.

Spence






Re: [newbie] RE: kiosk?

2002-11-12 Thread Spencer
On November 12, 2002 04:10 pm, Schwenk, Jeanie wrote:
Jeanie, setting up a limited usage linux box is relatively easy (see Derek's
email about PATHS). Citrix also has ICA clients for Linux so getting things
set up shouldn't be too difficult.

Spence

 I wasn't sure what information to include in the initial email.  The
 software that would be running is industry specific.  Windows applications
 would be running via citrix server.  The main program would be a swing gui
 used for processing pods of wafers.

 We have many creative individuals here who are bored as well.  Others are
 just hacks who live to be a pain in the patootie.  If games, browsers,
 music, videos etc. are able to be installed, management will NEVER allow
 linux in the fab.   Can't allow them command line access, period.  Right
 now, I have the only linux desktop in the entire company.  That has to
 change (yes, I'm a zealot).  Getting a linux pc in the fab will make linux
 visible to all levels of management.  If it's visible and it costs them no
 money (I'm using a recycled PC), management will buy into the idea that
 linux is the way to go.   We know it is, but the phb's do not.   And I
 have to be able to show the same level of control and security our current
 options have.

 So to top it off, whatever software might be available to help in this area
 has to be open source as there's no budget right now for me to do this. 
 But I am compelled to do it.

 Jeanie

 -Original Message-
 From: Spencer [mailto:sdander;oberon.ark.com]
 Sent: Tuesday, November 12, 2002 3:44 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [newbie] RE: kiosk?

 On November 12, 2002 03:24 pm, Schwenk, Jeanie wrote:
  I'm not sure if a kiosk is what will solve my problem.  Advice would be
  very appreciated.
 
  Here's the problem:  I am putting a linux pc in our fab (semiconductor)
  as a test to prove to management that linux is a viable, inexpensive
  option to
  utilize in our manufacturing plant.  (versus new xterms at $6K or more a
  pop, new servers, or new windows pizza boxes).  I need to prevent the
  technicians from hacking the box, from surfing, from installing ... you
  name it.  They need to be able to run ONLY the guis/programs that allow
  manufacturing to continue smoothly.
 
  What is the best way to have the machine automatically boot into a window
  manager that has only a background menu pick that I can program?  It does
  not have to start any software upon restart but that would be a plus.
 
  Thanks.
 
  Jeanie

 Wow, that's a tall order. Icewm would be the window manager to use. It's
 totally configurable to whatever you want on a desktop. What sort of apps
 would you want to run? Is this all possible? You bet, but we need a lot
 more information. Unwanted hacking or installing is easy to control, just
 don't release the root password. There are probably others on the list that
 can help, but to me, this would be an interesting challenge.

 Spence






Re: [newbie] RE: kiosk?

2002-11-12 Thread Gary Armstrong
Jeanie;

Whose fab?
I'm new to linux, but not to what you're trying to do. My experience is 
Solaris and most things translate. I just don't know the particulars.

In Solaris, you could configure the workstation to act as an Xterm; running 
everything from a remote Xserver. If I understand correctly, this would be 
the same as spending the $6k in your post. By the way, this doesn't address 
the paranoia about the operators. If you're working for a semiconductor 
house, you probably have plenty of old sparcs that I know can be used as 
Xterms.

Most Window managers allow you to define the menus on a per account basis. 
Create an account with only the production apps and logoff (no shells) 
defined.

If you can't use a login manager, Solaris had something called a restricted 
shell. If linux has it, you can use that to make sure they get to your 
limited X setup.

Hope I've helped
Gary


On Tuesday 12 November 2002 03:24 pm, Schwenk, Jeanie wrote:
 I'm not sure if a kiosk is what will solve my problem.  Advice would be
 very appreciated.

 Here's the problem:  I am putting a linux pc in our fab (semiconductor) as
 a test to prove to management that linux is a viable, inexpensive option to
 utilize in our manufacturing plant.  (versus new xterms at $6K or more a
 pop, new servers, or new windows pizza boxes).  I need to prevent the
 technicians from hacking the box, from surfing, from installing ... you
 name it.  They need to be able to run ONLY the guis/programs that allow
 manufacturing to continue smoothly.

 What is the best way to have the machine automatically boot into a window
 manager that has only a background menu pick that I can program?  It does
 not have to start any software upon restart but that would be a plus.

 Thanks.

 Jeanie


