Re: Bare Restricted Secure Linux Account
From: Enrique Perez-Terron (enrio_at_online.no)
Date: Sat, 19 Nov 2005 02:41:12 +0100
On Sat, 19 Nov 2005 01:35:45 +0100, boston_code_monkey <firstname.lastname@example.org> wrote:
> I would like to develop a small browser application for a company
> Christmas lottery.
> The application would basically be a browser with a mysql database
> backend where employess can enter their personal information. The
> browser should be the only application a user has access to.
> I do not want any employees (logged in to this dummy account) to have
> access to any consoles or additional applications. I basically need to
> lock down the system since the information will be stored (encrypted)
> locally on the pc. I would like to disable hot keys and soft reboots. I
> would only install a bare version of linux with os firefox and
> mysql(no: desktop files, start menu, logoff button).
Between firefox and mysql you need some kind of http server.
The http server and sql should run in one context, firefox in another.
Think of them as completely separate systems.
Users will be interacting with firefox. FF is not designed to restrict
its users, it is designed to keep the user safe from dangers on the net.
You probably want to disable the address bar and the menu bar in firefox,
I am not sure if you can disable enough to prevent users from entering
their own urls. You must disable the "file:" protocol in the browser.
Restricting what FF can do will be the hardest part. Probably you can run
FF and X in a chroot jail, having all the necessary libraries available.
FF and X must communicate some way, normally they do so through a named
pipe in /tmp. With FF in a chroot jail, it must have access to X.
You can enable tcp in X, and set DISPLAY=localhost:0, then FF and X
do not need to share anything. I guess you can run FF in a jail where
/usr/bin is empty, except for just firefox.
The normal non-restricted linux system runs the desktop from init,
in /etc/inittab, there is a "prefdm" entry, which runs gdm or kdm
or xdm. Remove that and you are taking control. Put a script instead that
runs X, sleeps a second, then starts a simple window manager, and firefox.
When the firefox application terminates, just kill everything. Let
init handle the restart of the application by setting "respawn" in inttab.
In the chain of commands, before starting X, run everything under su -
restricted-user, and chroot if possible.
Also remove the "mingetty" entries in the /etc/inittab. Better, make
your lottery application run under a separate runlevel, eg. runlevel 4.
Remove "4" from the runlevel field of all entries in inittab, and create
new entries for your stuff, that run in level 4. Make 4 the default
Set a password protection on the boot loader.
Make sure the sysreq functions are disabled in the kernel by
echo 0 >/proc/sys...appropriate files.
Security is easier if employees do not use Firefox on the same computer.
Let the secured computer just run the http daemon and mysql,
and let the employees access it through any browser they like on
any PC other than the secured one. If you set up a tight firewall
on the secured PC and follow standard practice with the rest, you
should be OK.