[SLE] Mozilla Lockdown Howto

From: Ben Higginbottom (ben_at_centralmanclc.com)
Date: 07/20/04

    To: "'suse-linux-e@suse.com'" <suse-linux-e@suse.com>
    Date:  Tue, 20 Jul 2004 13:10:58 +0100
    
    

    Hi,

    I've just finished writing the following howto on locking down the
    configuration of mozilla. Given IE's recent troubles, and the increasing
    adoption of linux desktops I figure that it'll be of use to far more people
    than my firm.

    It's still an initial release, so any feedback will be gratefully received.

    Regards,

    Ben

    -----

    Locking Down Mozilla and Fire*
    For Suse 9.1 and earlier

    Ben Higginbottom <benDOThigginbottomATntlworldDOTcom>

    (Note that this howto applies to Solaris, MacOS, Windows, BeOS and any other
    system capable of running moz with only a few modifications, it can also be
    applied to netscape browsers)

    This Howto has been prepared for a school I'm converting to a dual boot
    environment for September. As linux was sold to them as a platform for
    providing access to educational programs as opposed to 'teach linux' I've
    had to apply to varying degrees KDE's kiosk mode developed by Waldo Bastian.
    However the school's default browser for the past two years has been Mozilla
    1.1, and they have no desire to change other than to upgrade to the latest
    version. Mozilla of course is outside of the kde lockdown, so a separate
    procedure is needed to stop the children from messing with proxy settings or
    changing their home page and so on. Obviously this can apply in a commercial
    environment as well.

    To begin with install mozilla and configure as desired.

    Mozilla's preferences are stored within the home directory under the dot
    directories .mozilla or .firefox/.phoenix depending on the version you use,
    in the file prefs.js in .(mozilla/firefox)/default/(profile).slt/. Copy this
    file out of the directory as this is what is to be modified in order to
    create a global configuration. The contents of the file are rather
    self-explanatory, and look something like this:

    //personal firefox 0.91 prefs.js
    //some settings changed to protect the innocent
    user_pref("browser.download.dir", "/home/ben/iso");
    user_pref("browser.download.lastDir", "/home/ben/Documents/trinconv");
    user_pref("browser.download.save_converter_index", 0);
    user_pref("browser.download.useDownloadDir", false);
    user_pref("browser.preferences.lastpanel", 0);
    user_pref("browser.startup.homepage", "http://www.userfriendly.org/|http://www.techcentralstation.com/");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.7");
    user_pref("browser.tabs.autoHide", false);
    user_pref("browser.tabs.warnOnClose", false);
    user_pref("extensions.disabledObsolete", true);
    user_pref("extensions.lastAppVersion", "0.9");
    user_pref("general.smoothScroll", true);
    user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-15, windows-1252");
    user_pref("network.cookie.prefsMigrated", true);
    user_pref("network.proxy.ftp", "0.0.0.0");
    user_pref("network.proxy.ftp_port", 8080);
    user_pref("network.proxy.http", "0.0.0.0");
    user_pref("network.proxy.http_port", 8080);
    user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
    user_pref("network.proxy.ssl", "0.0.0.0");
    user_pref("network.proxy.ssl_port", 8080);
    user_pref("network.proxy.type", 1);
    user_pref("prefs.converted-to-utf8", true);
    user_pref("privacy.popups.firstTime", false);
    user_pref("security.OCSP.URL", "");
    user_pref("security.OCSP.signingCA", "Builtin Object Token:Verisign Class 1 Public Primary OCSP Responder");
    user_pref("security.warn_entering_secure", false);
    user_pref("security.warn_leaving_secure", false);
    user_pref("security.warn_submit_insecure", false);
    user_pref("update.app.enabled", false);
    user_pref("update.extensions.enabled", false);

    These are only a few of the options that can be set. For a full list, and
    the syntax you will need to use with them, type about:config into your
    address bar.

    To lock a preference, just replace user_pref with lockPref, remove any user
    specific information and then put it into a framework. For example, to lock a
    proxy running on port 8008 at 192.168.10.1, with the browser's homepage being
    http://www.acompany.com and no bypassing of the proxy except for home, the
    result would be:

    try {

    lockPref("network.proxy.ftp", "192.168.10.1");
    lockPref("network.proxy.ftp_port", 8008);
    lockPref("network.proxy.http", "192.168.10.1");
    lockPref("network.proxy.http_port", 8008);
    lockPref("network.proxy.ssl", "192.168.10.1");
    lockPref("network.proxy.ssl_port", 8008);
    lockPref("network.proxy.type", 1);
    lockPref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
    lockPref("browser.startup.homepage", "http://www.acompany.com/");
    lockPref("browser.startup.homepage_override.mstone", "rv:1.7");

    }

    catch(e){
      displayError("lockedPref", e);
    }

    //Note that the try and catch are there to catch any syntax errors that
    //might have been made

    Save this file with whatever name you wish; from here on it will be referred
    to as $filename. If you only wish a setting to be a default rather than
    locked in, pref can be used instead of lockPref.

    This file now needs to be encoded into a binary that mozilla can read; this
    can be done using a perl script called moz-byteshift.pl which can be
    obtained from here:
     
    <http://alain.knaff.lu/howto/MozillaCustomization/moz-byteshift.pl>

    For windows users, or anyone else who doesn't wish to install perl, there is
    an online encoding tool available at:

    <http://www.alain.knaff.lu/~aknaff/howto/MozillaCustomization/cgi/byteshf.cgi>

    The encoding used is a simple offset of 13 (netscape uses 7) so the command
    is:

    moz-byteshift.pl -s 13 < $filename.js > $filename.cfg

    The cfg file should then be stored in /opt/mozilla/lib or /opt/firefox/lib
    (default install locations for SuSE).

    Finally the line

    pref("general.config.filename", "$filename.cfg");

    must be added to the all.js file located in /opt/mozilla/lib/defaults/pref.
    This file is then called whenever mozilla is started: locked preferences
    will be visible but greyed out, prefs will be in their relevant location
    but editable, and user_prefs will be empty.

    References used:

    Alain Knaff's Mozilla Customisation Pages

    <http://alain.knaff.linux.lu/>

    The following post at seul-edu

    <http://archives.seul.org/seul/edu/Jan-2003/msg00049.html>

    LTSP Mozilla Lockdown HOWTO

    <http://togami.com/~warren/guides/mozlockdown/>

    A Brief Guide to Mozilla Preferences

    <http://www.mozilla.org/catalog/end-user/customizing/briefprefs.html>
    Documentation is far from good, but contains the information needed to
    translate this document to another platform.

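    An added example, not part of the original howto or of moz-byteshift.pl: a
    Python check that decodes a deployed .cfg and reports any required setting
    that is missing, set with pref instead of lockPref, or locked to the wrong
    value. It assumes the byte shift adds the offset to each byte modulo 256;
    the sample file, the policy and all function names are constructed for
    illustration.

```python
import re

SHIFT = 13  # offset the howto gives for Mozilla (Netscape uses 7)

def byteshift(data: bytes, shift: int) -> bytes:
    # Assumption: the shift is added to every byte modulo 256.
    return bytes((b + shift) % 256 for b in data)

def encode_cfg(js_source: bytes) -> bytes:
    return byteshift(js_source, SHIFT)

def decode_cfg(cfg: bytes) -> bytes:
    return byteshift(cfg, -SHIFT)

CALL = re.compile(r'^\s*(lockPref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def audit(cfg: bytes, must_be_locked: dict) -> list:
    """Decode a deployed .cfg and report prefs that are missing, only defaulted, or wrong."""
    text = decode_cfg(cfg).decode("utf-8")
    prefs = {name: (func, value) for func, name, value in CALL.findall(text)}
    findings = []
    for name, expected in must_be_locked.items():
        func, value = prefs.get(name, (None, None))
        if func is None:
            findings.append(f"{name}: missing")
        elif func != "lockPref":
            findings.append(f"{name}: set with {func}, user can change it")
        elif value != expected:
            findings.append(f"{name}: locked to {value}, expected {expected}")
    return findings

# Constructed sample lock file (not from the howto) with three deliberate mistakes.
SAMPLE_JS = b'''try {
  lockPref("network.proxy.http", "192.168.10.1");
  lockPref("network.proxy.http_port", 8080);
  pref("network.proxy.type", 1);
} catch(e) {
  displayError("lockedPref", e);
}
'''
POLICY = {
    "network.proxy.http": '"192.168.10.1"',  # values as written in the file
    "network.proxy.http_port": "8008",
    "network.proxy.type": "1",
    "network.proxy.ssl": '"192.168.10.1"',
}

if __name__ == "__main__":
    print("\n".join(audit(encode_cfg(SAMPLE_JS), POLICY)))
```

    Run against the real file by passing the bytes of the installed .cfg to
    audit() together with the settings your site requires to be locked.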
    
