[SLE] Mozilla Lockdown Howto

From: Ben Higginbottom (ben_at_centralmanclc.com)
Date: 07/20/04

  • Next message: Schwartz: "Re: [SLE] usr-local-bin"
    To: "'suse-linux-e@suse.com'" <suse-linux-e@suse.com>
    Date:  Tue, 20 Jul 2004 13:10:58 +0100


    I've just finished writing the following howto on locking down the
    configuration of mozilla. Given IE's recent troubles, and the increasing
    adoption of linux desktops I figure that it'll be of use to far more people
    than my firm.

    Its still an initial release, so any feedback will be gratefully recieved.




    Locking Down Mozilla and Fire*
    For Suse 9.1 and earlier

    Ben Higginbottom <benDOThigginbottomATntlworldDOTcom>

    (Note that this howto applies to Solaris, MacOS, Windows, BeOS and any other
    system capable of running moz with only a few modifications, it can also be
    applied to netscape browsers)

    This Howto has been prepared for a school I'm converting to dual boot
    enviroment for september. As linux was sold to them as a platform for
    providing access to educational programs as opposed to 'teach linux' I've
    had to apply to varying degrees KDE's kiosk mode developed by Waldo Bastian.
    However the schools default browser for the past two years has been Mozilla
    1.1, and they have no desire to change other than to upgrade to the latest
    version. Mozilla of course is outside of the kde lockdown, so a seperate
    procedure is needed to stop the children from messing with proxy settings or
    changing their home page and so on. Obviously this can apply in a commercial
    enviroment as well.

    To begin with install mozilla and configure as desired.

    Mozilla's preferences are stored within the home directory under the dot
    directories .mozilla or .firefox/.phoenix depending on the version you use
    in the file prefs.js in .(mozilla/firefox)/default/(profile).slt/ Copy this
    file out of the directory as this is what is to be modified in order to
    creafe a global configuration. The contents of the file are rather self
    explanitory, and look something like this:

    //personal firefox 0.91 prefs.js
    //some settings changed to protect the innocent
    user_pref("browser.download.dir", "/home/ben/iso");
    user_pref("browser.download.lastDir", "/home/ben/Documents/trinconv");
    user_pref("browser.download.save_converter_index", 0);
    user_pref("browser.download.useDownloadDir", false);
    user_pref("browser.preferences.lastpanel", 0);
    user_pref("browser.startup.homepage_override.mstone", "rv:1.7");
    user_pref("browser.tabs.autoHide", false);
    user_pref("browser.tabs.warnOnClose", false);
    user_pref("extensions.disabledObsolete", true);
    user_pref("extensions.lastAppVersion", "0.9");
    user_pref("general.smoothScroll", true);
    user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-15,
    user_pref("network.cookie.prefsMigrated", true);
    user_pref("network.proxy.ftp", "");
    user_pref("network.proxy.ftp_port", 8080);
    user_pref("network.proxy.http", "");
    user_pref("network.proxy.http_port", 8080);
    user_pref("network.proxy.no_proxies_on", "localhost,");
    user_pref("network.proxy.ssl", "");
    user_pref("network.proxy.ssl_port", 8080);
    user_pref("network.proxy.type", 1);
    user_pref("prefs.converted-to-utf8", true);
    user_pref("privacy.popups.firstTime", false);
    user_pref("security.OCSP.URL", "");
    user_pref("security.OCSP.signingCA", "Builtin Object Token:Verisign Class 1
    Public Primary OCSP Responder");
    user_pref("security.warn_entering_secure", false);
    user_pref("security.warn_leaving_secure", false);
    user_pref("security.warn_submit_insecure", false);
    user_pref("update.app.enabled", false);
    user_pref("update.extensions.enabled", false);

    These are only a few of the options that can be set, for a full list, and
    the syntax you will need to use with them type about:config into your
    address bar.
    To lock a preference, just replace user_pref with LockPref, remove any user
    specific information and then put it into a framework, for example to lock a
    proxy runing on port 8008 at; the browsers homepage being
    http;//www.acompany.com and no bypassing the proxy only for home the result
    would be:

    try {

    lockPref("network.proxy.ftp", "");
    lockPref("network.proxy.ftp_port", 8008);
    lockPref("network.proxy.http", "");
    lockPref("network.proxy.http_port", 8008);
    lockPref("network.proxy.ssl", "");
    lockPref("network.proxy.ssl_port", 8008);
    lockPref("network.proxy.type", 1);
    lockPref("network.proxy.no_proxies_on", "localhost,");
    lockPref("browser.startup.homepage", "http://www.acompany.com/");
    lockPref("browser.startup.homepage_override.mstone", "rv:1.7");


      displayError("lockedPref", e);

    //Note that the try and catch are there to catch any syntax errors that
    might have been made

    Save this file with whatever name you wish; from here on it will be refered
    to as $filename, if you only wish a setting to be made to be a default
    rather than locked in, pref can be used instead of lockPref

    This file now needs to be encoded into a binary that mozilla can read, this
    can be done using a perl script called moz-byteshift.pl which can be
    obtained from here:

    For windows users, or anyone else who doesnt wish to install perl, there is
    a online encoding tool available at:


    The encoding used is a simple offset of 13 (netscape uses 7) so the command

    moz-byteshift.pl -s 13 <$filename.js> $filename.cfg

    The cfg file should then be stored in /opt/mozilla/lib or /opt/firefox/lib
    (default install locations for SuSE).

    Finally the line

    pref("general.config.filename", "$filename.cfg");

    Must be added to the all.js file located in /opt/mozilla/lib/defaults/pref,
    this file is then called whenever mozilla is started, locked preferences
    will be visible, but greyed out, prefs will be in their relevant location,
    but editable and user_prefs will be empty.

    References used:

    Alain Knaffs Mozilla Customisation Pages


    The following post at seul-edu


    LTSP Mozilla Lockdown HOWTO


    A Brief Guide to Mozilla Preferences

    Documentation is far from good, but contains the information needed to
    translate this document to another platform.

    Check the headers for your unsubscription address
    For additional commands send e-mail to suse-linux-e-help@suse.com
    Also check the archives at http://lists.suse.com
    Please read the FAQs: suse-linux-e-faq@suse.com

  • Next message: Schwartz: "Re: [SLE] usr-local-bin"