Re: Bare Restricted Secure Linux Account

From: Enrique Perez-Terron (
Date: 11/19/05

Date: Sat, 19 Nov 2005 02:41:12 +0100

On Sat, 19 Nov 2005 01:35:45 +0100, boston_code_monkey <> wrote:

> I would like to develop a small browser application for a company
> Christmas lottery.
> The application would basically be a browser with a mysql database
> backend where employees can enter their personal information. The
> browser should be the only application a user has access to.
> I do not want any employees (logged in to this dummy account) to have
> access to any consoles or additional applications. I basically need to
> lock down the system since the information will be stored (encrypted)
> locally on the pc. I would like to disable hot keys and soft reboots. I
> would only install a bare version of linux with os firefox and
> mysql(no: desktop files, start menu, logoff button).

Between firefox and mysql you need some kind of http server.
The http server and sql should run in one context, firefox in another.
Think of them as completely separate systems.

Users will be interacting with firefox. FF is not designed to restrict
its users, it is designed to keep the user safe from dangers on the net.

You probably want to disable the address bar and the menu bar in firefox,
I am not sure if you can disable enough to prevent users from entering
their own urls. You must disable the "file:" protocol in the browser.

Restricting what FF can do will be the hardest part. Probably you can run
FF and X in a chroot jail, having all the necessary libraries available.
FF and X must communicate some way, normally they do so through a named
pipe in /tmp. With FF in a chroot jail, it must have access to X.
You can enable tcp in X, and set DISPLAY=localhost:0, then FF and X
do not need to share anything. I guess you can run FF in a jail where
/usr/bin is empty, except for just firefox.

The normal non-restricted linux system runs the desktop from init,
in /etc/inittab, there is a "prefdm" entry, which runs gdm or kdm
or xdm. Remove that and you are taking control. Put a script instead that
runs X, sleeps a second, then starts a simple window manager, and firefox.
When the firefox application terminates, just kill everything. Let
init handle the restart of the application by setting "respawn" in inittab.

In the chain of commands, before starting X, run everything under su -
restricted-user, and chroot if possible.

Also remove the "mingetty" entries in the /etc/inittab. Better, make
your lottery application run under a separate runlevel, eg. runlevel 4.
Remove "4" from the runlevel field of all entries in inittab, and create
new entries for your stuff, that run in level 4. Make 4 the default

Set a password protection on the boot loader.

Make sure the sysreq functions are disabled in the kernel by
echo 0 >/proc/sys...appropriate files.

Security is easier if employees do not use Firefox on the same computer.
Let the secured computer just run the http daemon and mysql,
and let the employees access it through any browser they like on
any PC other than the secured one. If you set up a tight firewall
on the secured PC and follow standard practice with the rest, you
should be OK.
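
As an added example (not part of the original post), a small POSIX shell check for the inittab steps described above: the default runlevel, no getty or display-manager entries in the kiosk runlevel, and a respawn entry for the session. The sample inittab contents and the /usr/local/sbin/kiosk-session path are constructed for illustration, and the substring patterns used to spot getty and display managers are an assumption of this sketch.

```shell
# Added example, not from the post. inittab fields: id:runlevels:action:process
# Prints one FAIL line per finding; returns 0 when clean, 1 otherwise.
audit_inittab() {
    file=$1; level=$2; bad=0; respawn=0; default=
    while IFS=: read -r id levels action process; do
        case $id in ''|'#'*) continue ;; esac              # blank or comment
        if [ "$action" = initdefault ]; then default=$levels; continue; fi
        case $levels in *"$level"*) ;; *) continue ;; esac # other runlevels
        case $process in
            *getty*)
                echo "FAIL $id: console login in runlevel $level: $process"; bad=1 ;;
            *prefdm*|*gdm*|*kdm*|*xdm*)
                echo "FAIL $id: display manager in runlevel $level: $process"; bad=1 ;;
            *)
                if [ "$action" = respawn ]; then respawn=1; fi ;;
        esac
    done < "$file"
    if [ "$default" != "$level" ]; then
        echo "FAIL initdefault is '${default:-unset}', expected $level"; bad=1
    fi
    if [ "$respawn" -eq 0 ]; then
        echo "FAIL no respawn entry for the kiosk session in runlevel $level"; bad=1
    fi
    return "$bad"
}

# Constructed sample: stock-style inittab, untouched.
sample_stock() {
    cat <<'EOF'
id:5:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
1:2345:respawn:/sbin/mingetty tty1
x:5:respawn:/etc/X11/prefdm -nodaemon
EOF
}

# Constructed sample: after the changes; kiosk-session is a hypothetical script.
sample_locked() {
    cat <<'EOF'
id:4:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
1:235:respawn:/sbin/mingetty tty1
x:5:respawn:/etc/X11/prefdm -nodaemon
k:4:respawn:/usr/local/sbin/kiosk-session
EOF
}
tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
sample_stock  > "$tmp"; audit_inittab "$tmp" 4 || echo "stock: not locked down"
sample_locked > "$tmp"; audit_inittab "$tmp" 4 && echo "locked: ok"
```

Run against the real file as `audit_inittab /etc/inittab 4`; entries with an empty runlevels field are skipped by this sketch.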

