
Linux web browser station (formerly The Linux Public Web Browser mini-HOWTO)

Source: 化拓教育网

Table of Contents

Anton Chuvakin, anton@chuvakin.org

1. Introduction
   1.1 Disclaimer
   1.2 Credits
   1.3 New versions of this document
   1.4 Changes Fri Sep 22 14:32:32 EDT 2000
   1.5 TODO
   1.6 Feedback
   1.7 Copyright information
2. OLD GUIDE: The Linux Public Web Browser mini-HOWTO by Donald B. Marti Jr., dmarti@best.com
   2.1 Copyright and Disclaimer
   2.2 Introduction
   2.3 Before you begin
       You need a graphical browser
       You need to be able to add an account
       You need httpd for a stand-alone web browsing station
   2.4 Add the guest account
   2.5 Create or edit the following files in /home/guest
       File name: .bash_login
       File name: .Xclients
       File name: .xsession
       File name: .Xdefaults
   2.6 Make a .netscape directory for guest
   2.7 Try it
   2.8 Changing preferences
3. NEW GUIDE: Step-by-step guide
   3.1 Install RH
   3.2 Clean-up packages
   3.3 Install ssh
   3.4 Make a boot floppy
   3.5 Modify configs
   3.6 Create user
   3.7 Change Netscape settings
   3.8 Chown the home directory
   3.9 Config lilo
   3.10 REMOVE binaries
   3.11 Physical security
   3.12 Some final touches
4. Conclusion
5. References

Linux web browser station (formerly "The Linux Public Web Browser mini-HOWTO")

Anton Chuvakin, anton@chuvakin.org

v0.0.5 10 October 2000

Describes the setup of an Internet kiosk-type system based on Linux, to be deployed to provide public Internet/webmail access.


1. Introduction

The directions below will produce a RedHat Linux system (currently version 6.2 is used, 7.0 is in development) that boots into a bare X server (no window manager such as gnome, kde or fvwm2) and starts Netscape Navigator (not Communicator, which includes Mail and News clients). Upon exiting the browser the X server is restarted and a new Netscape process is launched as needed. The system is intended for Internet kiosks and similar applications. Security is emphasized at all stages of the setup.

This HOWTO will be updated (maybe significantly) as more reports about the deployment of such boxes arrive.

1.1 Disclaimer

Use the information in this document at your own risk. I disavow any potential liability for the contents of this document. Use of the concepts, examples, and/or other content of this document is entirely at your own risk.

All copyrights are owned by their owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

You are strongly recommended to take a backup of your system before major installation and backups at regular intervals.

1.2 Credits

In this version I have the pleasure of acknowledging the previous maintainer of this HOWTO, who nicely agreed to transfer it to me:

dmarti@????.com

1.3 New versions of this document

New versions of this document can be found at http://www.chuvakin.org/kiodoc


1.4 Changes Fri Sep 22 14:32:32 EDT 2000

from 0.0.4 to 0.0.3

• Merged with old HOWTO

from 0.0.2 to 0.0.3

• references added
• abstract finished

1.5 TODO

• Write abstract
• Suggested hardware
• .Xdefaults: disable some keys (Alt-Ctrl-F1)
• X server port 6000 attacks, do something about them
• X server running as root, bad
• Eliminate more unneeded RPMs
• Implement /etc/pam.d/limits.conf to prevent netscape bloat and system crash (well, by causing it to crash before the bloat ;-) ), see Security HOWTO
• Protecting some files with chattr is nice
• Provide CDROM booting considerations
• Redo everything for RedHat 7.0

1.6 Feedback

All comments, error reports, additional information (very much appreciated!!!) and criticism of all sorts should be directed to: anton@chuvakin.org, http://www.chuvakin.org/

My PGP key is located at http://www.chuvakin.org/pgpkey

1.7 Copyright information

This document is copyrighted (c) 2000 Anton Chuvakin, and parts of it are Copyright 1997 Donald B. Marti Jr. where marked as such.

2. OLD GUIDE: The Linux Public Web Browser mini-HOWTO by Donald B. Marti Jr., dmarti@best.com

v0.3, 5 January 1998

The basic idea here is to give web access to people who wander by, while limiting their ability to mess anything up.


2.1 Copyright and Disclaimer

Copyright 1997 Donald B. Marti Jr. This document may be redistributed under the terms of the Linux Documentation Project license.

This document currently contains information for Netscape Navigator only, but I plan to add notes for other browsers too as I get the necessary information. If you try this with a different browser, please let me know.

2.2 Introduction

The basic idea here is to give web access to people who wander by, while limiting their ability to mess anything up.

This setup was originally intended for trade shows, but it might be applicable in other places where you want to have a web browser going without having to babysit a computer.

Following these instructions does not make your system bulletproof or idiot-proof.

2.3 Before you begin

You need a graphical browser

This document assumes that you already have a running graphical web browser, such as Netscape Navigator, on your system. You should have permission to use your graphical web browser. If you want to use Netscape Navigator in a commercial setting, you can buy a copy with an appropriate license through Caldera.

You need to be able to add an account

If you don't have the right to be root, get the system administrator to add the ``guest'' account and give you ownership of guest's home directory. Skip to the ``Create or edit the following files'' step (Create or edit the following files in /home/guest) when he or she is done.

You need httpd for a stand−alone web browsing station

If you are setting up a web browsing station to run stand-alone, without a network connection, you should have httpd working and the web documents installed. To tell if this is the case, enter:

lynx -dump http://localhost/

You should get the text of the home page on your system.

2.4 Add the guest account

As root, run adduser to add a user named guest. Then enter

passwd guest

to set the password for the guest account. This should be something easy to remember, like ``guest''. You will be telling people this password. Don't make it the same as your own password.

Then make guest's home directory owned by you. Enter

chown me.mygroup /home/guest

Replace ``me'' with your regular username and ``mygroup'' with your group name. (On Red Hat Linux, these will be the same, since every user has his or her own group.)

You should now exit and do the rest of the steps as yourself, not root.

2.5 Create or edit the following files in /home/guest

File name: .bash_login

exec startx

This means that when guest logs in, the login shell will start up the X Window System right away.

File name: .Xclients

netscape

This means that when X starts, guest just gets the web browser, no window manager. If you prefer another web browser, do something else.

The file .Xclients should be executable by guest. Enter

chmod 755 /home/guest/.Xclients

to make it so.

File name: .xsession

#!/bin/sh
netscape

If you use xdm(1) to log people in, this file should make guest get the web browser as if he or she had logged in normally. The file .xsession should be executable by guest. Enter

chmod 755 /home/guest/.xsession

to make it so.


File name: .Xdefaults

! Disable drag-to-select.
*hysteresis: 3000
! Make visited and unvisited links the same color by default
*linkForeground: #0000EE
*vlinkForeground: #0000EE
Netscape.Navigator.geometry: =NETSCAPE_GEOMETRY
! Disable some of the keyboard commands.
*globalTranslations:
! Mouse bindings: make all mouse buttons do the same thing.
*drawingArea.translations: #replace \
: ArmLink() \n\
: ArmLink() \n\
: ArmLink() \n\
~Shift: ActivateLink() \
DisarmLink() \n\
~Shift: ActivateLink() \
DisarmLink() \n\
~Shift: ActivateLink() \
DisarmLink() \n\
Shift: ActivateLink() \
DisarmLink() \n\
Shift: ActivateLink() \
DisarmLink() \n\
Shift: ActivateLink() \
DisarmLink() \n\
: DisarmLinkIfMoved() \n\
: DisarmLinkIfMoved() \n\
: DisarmLinkIfMoved() \n\
: DescribeLink() \n\

This file disables blink tags, drag-to-select, and some of the keyboard commands. It also makes all mouse buttons do the same thing, hides the menu bar, and makes visited and unvisited links the same color, so each visitor gets nice clean blue links, not ones that other people have been thumbing through and staining purple.

You should replace the NETSCAPE_GEOMETRY in this file with an X geometry that looks like this: XxY+0-0, where X is the width of your screen and Y is the height of your screen + 32. This will position the Netscape menu bar off the top of the screen, so the user won't be distracted. For example, if your screen is 800x600, the geometry should be 800x632+0-0.

2.6 Make a .netscape directory for guest

Enter

mkdir /home/guest/.netscape

chmod 777 /home/guest/.netscape

to create guest's .netscape directory and make it world-writable.


2.7 Try it

Log out, then log in as guest.

2.8 Changing preferences

Since you won't be able to use the menu bar as guest, you should edit guest's preferences manually if you need to change them, or change your own preferences to what you want guest's to be and copy the preferences file.

3. NEW GUIDE: Step-by-step guide

3.1 Install RH

Install RedHat (further just RH) Linux on the box. Make sure shadow and MD5 passwords are enabled. And have a nice long root password! Refer to the corresponding installation guides.

3.2 Clean−up packages

RH Linux was and is *really* buggy out of the box (both local and remote exploits are discovered every day, see the BugTRAQ database), and many software packages installed by default can be used to obtain a root shell from a non-privileged account or, in the worst cases, across the network (or just to mess up the box). Thus special attention should be given to package selection on the browser workstation.

• Use workstation or custom installation mode. The latter is recommended: when selecting groups of packages, only choose base system, networked workstation, mail/www services (make sure you later replace Communicator with Navigator) and X packages, and then erase the unneeded RPMs. If using workstation mode you will have to remove about 300 packages (possibly manually).

• When partitioning the disk follow the scheme below. The sizes are appropriate for a 3 GB disk; scale the sizes accordingly for a bigger drive, but this is really not needed for this setup as the whole Linux system is squeezed to under 200MB. Make sure those partitions (/, /home, /var and /tmp) are present! A separate /usr is not necessary! Remember to create a generous swap partition (at least the size of RAM).

Partition mount points and sizes used for a test system:

Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/hda1              1571528    184184   1307512  12% /
/dev/hda7               300603       309    284773   0% /home
/dev/hda6               300603        20    285062   0% /tmp
/dev/hda5               809556        40    763792   1% /var

• Remove all RPMs but those listed below (the list might be shortened later, and an automatic RPM-removal shell script might be written as well):

MAKEDEV-2.5.2-1
SysVinit-2.78-5
X11R6-contrib-3.3.2-11
XFree86-100dpi-fonts-3.3.6-20
XFree86-3.3.6-20
XFree86-75dpi-fonts-3.3.6-20
XFree86-S3-3.3.6-20
XFree86-SVGA-3.3.6-20
XFree86-VGA16-3.3.6-20
XFree86-libs-3.3.6-20
XFree86-xfs-3.3.6-20
Xconfigurator-4.3.5-1
apmd-3.0final-2
ash-0.2-20
at-3.1.7-14
audiofile-0.1.9-3
authconfig-3.0.3-1
basesystem-6.0-4
bash-1.14.7-22
bc-1.05a-5
bdflush-1.5-11
binutils-2.9.5.0.22-6
bzip2-0.9.5d-2
chkconfig-1.1.2-1
chkfontpath-1.7-2
console-tools-19990829-10
cracklib-2.7-5
cracklib-dicts-2.7-5
crontabs-1.7-7
dev-2.7.18-3
diffutils-2.7-17
e2fsprogs-1.18-5
ed-0.2-13
eject-2.0.2-4
etcskel-2.3-1
file-3.28-2
filesystem-1.3.5-1
fileutils-4.0-21
findutils-4.1-34
freetype-1.3.1-5
gawk-3.0.4-2
gd-1.3-6
gdbm-1.8.0-3
getty_ps-2.0.7j-9
glib-1.2.6-3
glib10-1.0.6-6
glibc-2.1.3-15
gmp-2.0.2-13
gpm-1.18.1-7
grep-2.4-3
groff-1.15-8
gtk+-1.2.6-7
gzip-1.2.4a-2
hdparm-3.6-4
imlib-1.9.7-3
indexhtml-6.2-1
info-4.0-5
initscripts-5.00-1
iputils-20000121-2
isapnptools-1.21b-1
kbdconfig-1.9.2.4-1
kernel-2.2.14-5.0
kernel-utils-2.2.14-5.0
krb5-configs-1.1.1-9
krb5-libs-1.1.1-9
kudzu-0.36-2
ld.so-1.9.5-13
ldconfig-1.9.5-16
less-346-2
libc-5.3.12-31
libgr-2.0.13-23
libgr-progs-2.0.13-23
libjpeg-6b-10
libpng-1.0.5-3
libstdc++-2.9.0-30
libtermcap-2.0.8-20
libtiff-3.5.4-5
libungif-4.1.0-4
libxml-1.8.6-2
lilo-0.21-15
logrotate-3.3.2-1
losetup-2.10f-1
mailcap-2.0.6-1
man-1.5h1-1
mingetty-0.9.4-11
mkbootdisk-1.2.5-3
mkinitrd-2.4.1-2
mktemp-1.5-2
modutils-2.3.9-6
mount-2.10f-1
mouseconfig-4.4-1
ncompress-4.2.4-15
ncurses-5.0-11
net-tools-1.54-4
netscape-common-4.72-6
netscape-navigator-4.72-6
newt-0.50.8-2
ntsysv-1.1.2-1
pam-0.72-6
passwd-0..1-1
pciutils-2.1.5-2
popt-1.5-0.48
procps-2.0.6-5
psmisc-19-2
pwdb-0.61-0
raidtools-0.90-6
rdate-1.0-1
readline-2.2.1-6
redhat-logos-1.1.0-2
redhat-release-6.2-1
rootfiles-5.2-5
rpm-3.0.4-0.48
rpmfind-1.4-3
rxvt-2.6.1-8
sash-3.4-2
sed-3.02-6
setup-2.1.8-1
setuptool-1.2-5
sh-utils-2.0-5
shadow-utils-19990827-10
slang-1.2.2-5
slocate-2.1-2
stat-1.5-12
sysklogd-1.3.31-16
tar-1.13.17-3
tcl-8.0.5-35
tcp_wrappers-7.6-10
termcap-10.2.7-9
textutils-2.0a-2
time-1.7-9
timeconfig-3.0.3-2
tmpwatch-2.2-1
utempter-0.5.2-2
util-linux-2.10f-7
vixie-cron-3.0.1-40
which-2.9-2
words-2-12
xinitrc-2.9-1
xpm-3.4k-2
zlib-1.1.3-6

Unfortunately, some of the packages above might also be redundant and potentially unsafe (even glibc, the main runtime Linux library, was recently found to have locally exploitable bugs! And so was the PAM module library). More candidates for elimination include gpm (console mouse services, had some exploit history last year) and many others. Xlib has a buffer overflow but can't be eliminated. Make sure the latest version is used.
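The "automatic RPM-removal shell script" that the list above leaves as a TODO can be built from the keep-list itself. The following POSIX shell script is an added example (not the HOWTO's own code): it compares a keep-list file with the output of rpm -qa and prints the installed packages that are not on the list, so they can be reviewed and removed in one pass. Package names are compared without the version-release suffix, so a keep-list entry still matches after an errata update. Nothing is removed by the script itself; the function names and the sample lists at the bottom are this example's own assumptions, and the sample lists are constructed rather than real rpm -qa output.

```shell
#!/bin/sh
# Added example, not from the HOWTO: compute which installed RPMs are not on
# the keep-list of section 3.2. Nothing is removed here; the sample lists at
# the bottom are constructed, not real "rpm -qa" output.
LC_ALL=C; export LC_ALL          # one collation for sort(1) and join(1)

# strip_version: "name-version-release" -> "name" (drops the last two
# dash-separated fields), so "bash-1.14.7-22" on the keep-list still matches
# an updated "bash-1.14.7-23" and only genuinely unlisted packages are reported.
strip_version() {
    sed 's/-[^-]*-[^-]*$//'
}

# packages_to_remove KEEPFILE INSTALLEDFILE
# Prints the full name-version-release of every installed package whose name
# is absent from KEEPFILE, sorted, one per line (input for "rpm -e" after review).
packages_to_remove() {
    keep=$(mktemp); inst=$(mktemp)
    strip_version < "$1" | sort -u > "$keep"
    # "name fullname" pairs, sorted on the name so join(1) can pair them
    awk '{ n = $0; sub(/-[^-]*-[^-]*$/, "", n); print n, $0 }' "$2" \
        | sort -k1,1 > "$inst"
    # join -v 2: records of INSTALLED whose name has no partner in KEEP
    join -v 2 "$keep" "$inst" | awk '{ print $2 }' | sort
    rm -f "$keep" "$inst"
}

# Demo on constructed lists. Real use on the station:
#   rpm -qa > installed.txt
#   packages_to_remove keep.txt installed.txt      # review this output first
#   rpm -e $(packages_to_remove keep.txt installed.txt)
demo_keep=$(mktemp); demo_inst=$(mktemp)
printf '%s\n' bash-1.14.7-22 glibc-2.1.3-15 netscape-navigator-4.72-6 \
    netscape-common-4.72-6 > "$demo_keep"
printf '%s\n' bash-1.14.7-23 glibc-2.1.3-15 lynx-2.8.3-1 \
    netscape-common-4.72-6 netscape-communicator-4.72-6 > "$demo_inst"
packages_to_remove "$demo_keep" "$demo_inst"
rm -f "$demo_keep" "$demo_inst"
```

On the constructed lists the demo reports lynx-2.8.3-1 and netscape-communicator-4.72-6 and leaves the updated bash alone. When the output is fed to rpm -e, rpm refuses to remove a package that other installed packages still depend on, so expect to run the pair of commands more than once, checking the dependency complaints each time rather than forcing them.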

3.3 Install ssh

Install the ssh-server RPM for remote administration. Do NOT use inetd daemon mode; make sshd run standalone and use /etc/hosts.allow for access control (the ssh daemon will read the file upon startup).

3.4 Make a boot floppy

Make sure you create a boot floppy using the mkbootdisk command, as errors in the LILO configuration might render the system unbootable.

3.5 Modify configs

Make the following modifications to the configuration files:

• /etc/inittab

#
# inittab       This file describes how the INIT process should set up
#               the system in a certain run-level.
#
# Author:       Miquel van Smoorenburg,
#               Modified for RHS Linux by Marc Ewing and Donnie Barnes
#--fixed by anton for browser station
#
# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
# --anton--
#   4 - browser X
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
#id:3:initdefault:
#--anton: default runlevel now 4! other levels protected by LILO password
id:4:initdefault:

# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit

l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6

# Things to run in every runlevel.
ud::once:/sbin/update

# Trap CTRL-ALT-DELETE
#anton -- not here, disable
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

# When our UPS tells us power has failed, assume we have a few minutes
# of power left.  Schedule a shutdown for 2 minutes from now.
# This does, of course, assume you have powerd installed and your
# UPS connected and working correctly.
pf::powerfail:/sbin/shutdown -f -h +2 "Power Failure; System Shutting Down"

# If power was restored before the shutdown kicked in, cancel it.
pr:12345:powerokwait:/sbin/shutdown -c "Power Restored; Shutdown Cancelled"

# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
#--anton -- only one is needed! comment out the rest
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

# Run xdm in runlevel 5
# xdm is now a separate service
x:5:respawn:/etc/X11/prefdm -nodaemon

The file above disables the Ctrl-Alt-Del combination and makes the new runlevel 4 the default runlevel. It also eliminates virtual consoles (all but 1).

• /etc/fstab

#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
/dev/hda1     /            ext2     defaults,ro                    1 1
/dev/hda7     /home        ext2     defaults,nodev,noexec,nosuid   1
/dev/hda6     /tmp         ext2     defaults,nodev,noexec,nosuid   1
/dev/hda5     /var         ext2     defaults,nodev,noexec,nosuid   1
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#/dev/cdrom   /mnt/cdrom   iso9660  noauto,owner,ro                0 0
#/dev/fd0     /mnt/floppy  auto     noauto,owner                   0 0
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
none          /proc        proc     defaults                       0 0
none          /dev/pts     devpts   gid=5,mode=620                 0 0
/dev/hda8     swap         swap     defaults                       0 0
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Brief explanation for the options (see man mount for more):

♦ For / : mounted read-only (ro), just to make it a little bit harder to do Bad Things.

♦ For /home, /tmp and /var : nodev,noexec,nosuid will prevent (a) starting executables from them (the download-and-run-through-netscape attack), (b) running suid executables (redundant in the presence of the above, but nice to have too), (c) creating devices with makedev (no faked /dev/mem for a kernel module attack).

Making /home read-only might be a good idea too, as netscape is not supposed to write anything while running.

• Remember to REMOVE the floppy and CDROM physically and disable their partitions (commented out in fstab)!

• /etc/rc.d/ directory

Create the file xbrowser in /etc/rc.d/init.d and symlink it as S99xbrowser in /etc/rc.d/rc4.d (cd /etc/rc.d/rc4.d ; ln -s /etc/rc.d/init.d/xbrowser S99xbrowser), so that the directory /etc/rc.d/rc4.d looks like this:

drwxrwxrwx    2 root     root         4096 Sep 10 15:30 .
drwxrwxrwx   10 root     root         4096 Sep 10 15:30 ..
lrwxrwxrwx    1 root     root         1179 Sep 10 15:30 S05kudzu -> ../init.d/kudzu
lrwxrwxrwx    1 root     root         5094 Sep 10 15:30 S10network -> ../init.d/network
lrwxrwxrwx    1 root     root         1367 Sep 10 15:30 S16apmd -> ../init.d/apmd
lrwxrwxrwx    1 root     root         1542 Sep 10 15:30 S20random -> ../init.d/random
lrwxrwxrwx    1 root     root         3217 Sep 10 15:30 S25netfs -> ../init.d/netfs
lrwxrwxrwx    1 root     root         1024 Sep 10 15:30 S30syslog -> ../init.d/syslog
lrwxrwxrwx    1 root     root            9 Sep 10 15:30 S40atd -> ../init.d/atd
lrwxrwxrwx    1 root     root         1031 Sep 10 15:30 S40crond -> ../init.d/crond
lrwxrwxrwx    1 root     root         1203 Sep 10 15:30 S75keytable -> ../init.d/keytable
lrwxrwxrwx    1 root     root         1261 Sep 10 15:30 S85gpm -> ../init.d/gpm
lrwxrwxrwx    1 root     root         1956 Sep 10 15:30 S90xfs -> ../init.d/xfs
lrwxrwxrwx    1 root     root          650 Sep 10 15:30 S99xbrowser -> ../init.d/xbrowser

These init files are run upon entering runlevel 4 (either at reboot or when typing init 4 at the root prompt). Files are run in order of increasing numbers, so our xbrowser runs last. The xbrowser file looks like this:

#!/bin/bash
# --anton: Init the box into X with browser, no login script
echo "Starting standalone browser....."
#put a mark into log
echo %%%%%%Reboot%%%%% >> /var/log/xlog
#this file marks X startup using our xinitrc
touch /tmp/startOK
#--main loop, indefinite with the presence of /tmp/startOK file ------------------
while [ -f /tmp/startOK ] ; do
    #put a mark into log
    echo %%%%%%Restart%%%%% >> /var/log/xlog
    #kill stuck netscape if any (this doesn't help if it turns zombie)
    killall -9 netscape >& /dev/null
    #clear netscape lock
    if [ -f ~netscape/.netscape/lock ]; then
        /bin/rm ~netscape/.netscape/lock
    fi
    #start X windows, no winman, using the config that starts only netscape
    #config is in root home dir!!
    #X server runs as root, sort of BAD
    #(-bc is the XFree86 3.x bug-compatibility flag)
    /usr/X11R6/bin/xinit /root/.xinitrc -- /usr/X11R6/bin/X -bc
done
#main loop end-------------------------------

This file will start the X server upon boot with no prompting (after the LILO prompt). The X server will follow the directions in /root/.xinitrc, below. The X server config is shown below too.

• Make sure /etc/sysctl.conf looks like this

# Disables packet forwarding
net.ipv4.ip_forward = 0
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Disables automatic defragmentation (needed for masquerading, LVS)
net.ipv4.ip_always_defrag = 0
# Disables the magic-sysrq key
#--anton: this IS important
kernel.sysrq = 0

This disables the kernel interaction keys (aka Magic SysRq keys) on startup.

• /etc/X11/XF86Config

Make changes to the /etc/X11/XF86Config that was automatically created during install, so that it has these settings:

# File generated by XConfigurator.
...whatever...
# **********************************************************************
# Server flags section.
# **********************************************************************

Section "ServerFlags"
    # Uncomment this to cause a core dump at the spot where a signal is
    # received.  This may leave the console in an unusable state, but may
    # provide a better stack trace in the core dump to aid in debugging
    #NoTrapSignals

    # Uncomment this to disable the server abort sequence
    # This allows clients to receive this key event.
    #--anton -- no X server kill
    #--another option is to have a kill as a means to fight broken/stuck netscape,
    #--restart will bring it back after cleanup
    DontZap

    # Uncomment this to disable the / mode switching
    # sequences.  This allows clients to receive these key events.
    #--anton -- kinda bad too
    DontZoom
EndSection

...whatever...

Now, DontZap is a questionable choice. The Ctrl-Alt-Backspace sequence might be the only way to kill a stuck netscape, or one with some window overlapping the netscape controls (like View Source or View Page Info), as no automatic netscape fixing is implemented. Disabling Java and JavaScript will decrease the likelihood of it crashing, but will not eliminate this miserable occurrence altogether. In the current setup, pressing Ctrl-Alt-Backspace with DontZap commented out will cause the X server to restart, killing netscape and doing the lock file cleanup.

• /root/.xinitrc

Make sure that /root/.xinitrc looks like:

/bin/rm -f ~netscape/.netscape/lock >& /dev/null
#--anton: otherwise non-root netscape can't run
#--anton only allow local but from all users
#--anton the name of the test box was "afc" thus the line below
xhost +afc
#--anton: starts netscape as user "netscape" and full screen!!
#make sure 1024x768 matches your monitor
su netscape -c "netscape -no-about-splash -geometry 1024x768+0+0"
#---------------TESTING---------------------------
#these commands were used in testing to set netscape preferences
#same as having "netscape" user home dir writable for this user
#export HOME=/home/netscape
#netscape -no-about-splash -geometry 1024x768+0+0 >& /tmp/LOG
#---------------TESTING---------------------------
#also needed: X as user "guest" eventually

See the comments in the file for explanation.
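The settings in /etc/inittab, /etc/fstab and /etc/sysctl.conf above are edited once and then easily lost to a package update or a rebuild. As an added example (not the HOWTO's own code), the following POSIX shell audit re-checks the hardened state this section asks for: default runlevel 4 with Ctrl-Alt-Del untrapped and a single getty, read-only / with nodev,noexec,nosuid on /home, /tmp and /var and no active floppy or CD-ROM entry, and kernel.sysrq, ip_forward and rp_filter at the values shown. Each check prints one OK/FAIL line per item and returns the number of failures, so check_all exits non-zero when anything has drifted. The function names are this example's own; the file paths are parameters so copies can be audited, and the sample files built at the bottom are constructed from the listings above.

```shell
#!/bin/sh
# Added example, not from the HOWTO: audit the three files section 3.5 edits.
# Each check returns its number of failures; check_all adds them up.
LC_ALL=C; export LC_ALL

# check_fstab FILE: / read-only; /home, /tmp, /var nodev,noexec,nosuid;
# no active floppy or CD-ROM entry (the HOWTO keeps them commented out).
check_fstab() {
    f=$1; fails=0
    for mp in / /home /tmp /var; do
        # options = 4th column of the first uncommented line for this mount point
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$f")
        if [ "$mp" = / ]; then want=ro; else want="nodev noexec nosuid"; fi
        for o in $want; do
            case ",$opts," in
                *,"$o",*) echo "OK   $mp mounted with $o" ;;
                *) echo "FAIL $mp lacks $o (options: ${opts:-not in fstab})"
                   fails=$((fails + 1)) ;;
            esac
        done
    done
    if awk '$1 !~ /^#/ && ($2 == "/mnt/floppy" || $2 == "/mnt/cdrom") { hit = 1 }
            END { exit (hit ? 0 : 1) }' "$f"; then
        echo "FAIL removable media still mountable"; fails=$((fails + 1))
    fi
    return $fails
}

# check_inittab FILE: default runlevel 4, ctrlaltdel line commented out,
# exactly one active mingetty (tty2..tty6 commented out).
check_inittab() {
    f=$1; fails=0
    if grep -q '^id:4:initdefault:' "$f"; then echo "OK   initdefault is 4"
    else echo "FAIL initdefault is not 4"; fails=$((fails + 1)); fi
    if grep -q '^[^#].*:ctrlaltdel:' "$f"; then
        echo "FAIL ctrlaltdel still trapped"; fails=$((fails + 1))
    else echo "OK   ctrlaltdel disabled"; fi
    n=$(grep -c '^[^#].*mingetty' "$f" || true)
    if [ "$n" -eq 1 ]; then echo "OK   one getty active"
    else echo "FAIL $n gettys active"; fails=$((fails + 1)); fi
    return $fails
}

# check_sysctl FILE: magic SysRq off, IP forwarding off, rp_filter on.
check_sysctl() {
    f=$1; fails=0
    for kv in kernel.sysrq=0 net.ipv4.ip_forward=0 net.ipv4.conf.all.rp_filter=1; do
        key=${kv%=*}; val=${kv#*=}
        # last uncommented assignment wins; blanks around "=" are ignored
        got=$(awk -F= -v k="$key" \
            '!/^[ \t]*#/ { gsub(/[ \t]/, ""); if ($1 == k) v = $2 } END { print v }' "$f")
        if [ "$got" = "$val" ]; then echo "OK   $key = $val"
        else echo "FAIL $key = ${got:-unset} (want $val)"; fails=$((fails + 1)); fi
    done
    return $fails
}

# check_all INITTAB FSTAB SYSCTL: run every check, return the total failures.
check_all() {
    total=0
    check_inittab "$1" || total=$((total + $?))
    check_fstab "$2"   || total=$((total + $?))
    check_sysctl "$3"  || total=$((total + $?))
    return $total
}

# Demo on constructed copies of the hardened files (abridged from section 3.5).
# Real use on the station: check_all /etc/inittab /etc/fstab /etc/sysctl.conf
d=$(mktemp -d)
printf '%s\n' 'id:4:initdefault:' '#ca::ctrlaltdel:/sbin/shutdown -t3 -r now' \
    '1:2345:respawn:/sbin/mingetty tty1' '#2:2345:respawn:/sbin/mingetty tty2' > "$d/inittab"
printf '%s\n' '/dev/hda1 / ext2 defaults,ro 1 1' \
    '/dev/hda7 /home ext2 defaults,nodev,noexec,nosuid 1' \
    '/dev/hda6 /tmp ext2 defaults,nodev,noexec,nosuid 1' \
    '/dev/hda5 /var ext2 defaults,nodev,noexec,nosuid 1' \
    '#/dev/fd0 /mnt/floppy auto noauto,owner 0 0' > "$d/fstab"
printf '%s\n' 'net.ipv4.ip_forward = 0' 'net.ipv4.conf.all.rp_filter = 1' \
    'kernel.sysrq = 0' > "$d/sysctl.conf"
check_all "$d/inittab" "$d/fstab" "$d/sysctl.conf" && echo "hardened state confirmed"
rm -rf "$d"
```

Run it from cron or before handing the box over; a non-zero exit means one of the three files no longer matches the listings above, and the FAIL lines say which setting moved.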

3.6 Create user

Create the user netscape; his home directory will be /home/netscape.

3.7 Change Netscape settings

Start netscape and apply restricted settings as follows:

• no Java (known big risks; recently really big holes were discovered in the Netscape Java implementation),
• no JavaScript (some risks of password stealing and web mail hijacking),
• no cache (some Java bugs will access cache objects and then bypass JVM restrictions),
• no cookies (might not be possible though, low risk),
• remove all launches of nonstandard applications (ideally all applications) for file types (by going to Netscape->Edit->Preferences->Navigator->Applications),
• history length set to 0 (the next user can't see what the previous one was doing; the risk is in sometimes seeing URL-encoded passwords)


3.8 Chown the home directory

Do a chown to root on /home/netscape (by chown -R root.root /home/netscape). Make sure that his home directory belongs to root, that there are no world-writable files and subdirectories there, and that permissions are at least:

/home/netscape/:
total 9
drwxr-xr-x   4 root     root         1024 Sep  7 18:29 .
drwxr-xr-x   4 root     root         1024 Sep  7 18:30 ..
-rw-r--r--   1 root     root           16 Sep  7 18:29 .bash_history
-rw-r--r--   1 root     root           24 Sep  5 08:21 .bash_logout
-rw-r--r--   1 root     root          230 Sep  5 08:21 .bash_profile
-rw-r--r--   1 root     root          124 Sep  5 08:21 .bashrc
-rw-r--r--   1 root     root           93 Sep  7 18:25 .mailcap
-rw-r--r--   1 root     root            0 Sep  7 18:25 .mime.types
drwxr-xr-x   4 root     root         1024 Sep 10 08:38 .netscape
drwxr--r--   2 root     root         1024 Sep  6 00:04 .xauth

/home/netscape/.netscape:
total 2
drwxr-xr-x   4 root     root         1024 Sep 10 08:38 .
drwxr-xr-x   4 root     root         1024 Sep  7 18:29 ..
drwxr--r--   2 root     root         1024 Sep  6 00:04 archive
-rw-------   1 root     root        14757 Sep  7 18:38 bookmarks.html
drwxr--r--   3 root     root         1024 Sep  7 18:24 cache
-rw-r--r--   1 root     root       188416 Sep  6 00:05 cert7.db
-rw-r--r--   1 root     root        16384 Sep  7 18:30 history.dat
-rw-r--r--   1 root     root          111 Sep  7 16:20 history.list
-rw-r--r--   1 root     root        16384 Sep  6 00:05 key3.db
-rw-r--r--   1 root     root            0 Sep  6 00:04 nswrapper.copy_defs
-rw-r--r--   1 root     root          279 Sep 10 08:38 plugin-list
-rw-r--r--   1 root     root         3398 Sep  7 18:29 preferences.js
-rw-r--r--   1 root     root          741 Sep  7 18:29 registry
-rw-r--r--   1 root     root        16384 Sep  7 18:29 secmodule.db

Carefully test netscape functionality after doing the chown to root! At present, I have not found a way to avoid periodic Netscape complaints about "Can't write preferences".

Another note is appropriate. Netscape is VERY buggy (the latest example is a Red Hat Linux Security Advisory that presents a way to crash and exploit netscape using a specially crafted JPEG image) and is likely to crash periodically, possibly producing a buffer overflow with shell access for the intruder. This shell will run as the netscape user. Thus the absence of xterm and rxvt on the system is absolutely crucial, as it provides another line of defense. Permissions on the system should also be set very conservatively (no world-writable files). Ideally, NO files should be owned by user "netscape" on the system AT ALL (run find / -user netscape to confirm this; also check for world-writable files with find / -perm -2 ! -type l -ls).

3.9 Config lilo

Modify /etc/lilo.conf

boot=/dev/hda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
default=linux
image=/boot/vmlinuz-2.2.14-5.0
        label=linux
        read-only
        root=/dev/hda1
        restricted

The word restricted will cause password prompting in order to enter a non-standard runlevel (e.g. linux init0 from the LILO: prompt). It only takes effect together with a password= option in the same section.

That implies using the stock RH 6.2 kernel. A kernel upgrade to 2.2.16 might be a good idea, as some bugs were found in early 2.2.14 kernels (low risk).

3.10 REMOVE binaries

REMOVE the /usr/X11R6/bin/xterm executable COMPLETELY! This is REALLY IMPORTANT, as a shell will be much harder to obtain in that case. Make sure its clone, rxvt, is not installed! Ideally, all programs that can spawn a shell should be removed.
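To automate the checks this section and section 3.8 ask for (no files owned by the browser user, no world-writable files, no xterm or rxvt left on the box), here is an added audit script that is not part of the original HOWTO; the binary paths in its main block are assumptions for a Red Hat 6.2 layout and should be adjusted to your system.

```sh
#!/bin/sh
# Kiosk audit script (added example, not part of the original HOWTO).
# It automates the checks sections 3.8 and 3.10 ask for:
#   1. no file on the system is owned by the browser user ("netscape"),
#   2. no world-writable files exist (symlinks and sticky dirs excluded),
#   3. no terminal emulator (xterm, rxvt) that could give a shell is installed.
# Every check prints what it found and returns 1 on a violation, so a cron
# job can alert on a non-zero exit. The paths in the main block are assumed.

# Print files under ROOT owned by USER; return 1 if any exist, 2 if USER is unknown.
files_owned_by() {
    root=$1; user=$2
    id "$user" >/dev/null 2>&1 || { echo "files_owned_by: no such user $user" >&2; return 2; }
    found=$(find "$root" \( -path /proc -o -path /sys \) -prune -o -user "$user" -print 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Print world-writable files under ROOT, skipping symlinks (their mode is
# meaningless) and sticky directories such as /tmp; return 1 if any exist.
world_writable() {
    root=$1
    found=$(find "$root" \( -path /proc -o -path /sys \) -prune -o -perm -2 ! -type l \
            ! \( -type d -perm -1000 \) -print 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Report which of the given binaries still exist; return 1 if any do.
forbidden_binaries_present() {
    rc=0
    for bin in "$@"; do
        [ -e "$bin" ] && { printf 'forbidden binary present: %s\n' "$bin"; rc=1; }
    done
    return $rc
}

# Audit the live system when invoked as: sh kiosk-audit.sh --run
if [ "${1-}" = --run ]; then
    status=0
    files_owned_by / netscape || status=1
    world_writable / || status=1
    forbidden_binaries_present /usr/X11R6/bin/xterm /usr/X11R6/bin/rxvt \
        /usr/bin/xterm /usr/bin/rxvt || status=1
    exit $status
fi
```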

3.11 Physical security

Some physical security measures:

• Secure reset button

• Remove CDROM and floppy disk drive

• Prevent access to the box to avoid hard drive replacement

3.12 Some final touches

Some final touches (nice but not essential for system functionality)

• Implement a free disk space monitor to avoid partition overflows

• Enable remote logging (preferably to some dedicated box with host−based IDS that analyzes the logs)

4. Conclusion

It just might work ;−)

5. References

1. Web Kiosk HOWTO: a similar HOWTO; main differences: no keyboard, uses fvwm2.

2. Public Web Browser HOWTO: a similar HOWTO, older and less security oriented.

3. Security HOWTO: the Linux Security HOWTO.

4. NIC Site: you can buy something similar to what is described in the HOWTO for $199 (I am not affiliated with the company in any way).

5. http://www.chuvakin.org/ispdoc I also maintain a Linux ISP HOWTO.

6. http://www.chuvakin.org/books I also maintain a list of computer/network security related books with (where available) reviews and online availability. If you have a book that I don't list, please use the form on the page and I will add it to the list and maybe review it later.
