
The following pages outline the process taken to create a secure web kiosk installation of Linux. The kiosk runs a minimal installation of Linux and immediately starts a web browser. The booth packages and a live CD can be found at the SourceForge website.

This kiosk is essentially a web browsing appliance. The beauty of Linux is that the OS can be customized to do that one task, leaving out all unnecessary network services and software. The system can also be locked down very tightly to prevent a regular user from running anything else or making any modifications. Physical security (BIOS password and locked enclosure) is the final defense protecting the software configuration.

The kiosk boots up into a full-screen browser (Mozilla Firefox) started by the unprivileged "guest" account. The guest account has no shell access, and no log-in password. No other account exists, except the root account, which is password-protected, even in single-user mode. Firefox is configured so as not to allow the guest user access to the file system, nor to store passwords, nor to cache anything, etc. If the user closes the browser, X is restarted and a fresh guest home directory is recreated. The kiosk also resets itself using the same procedure one minute after the screen saver kicks in, following 5 minutes of inactivity.

Details of the boot process are these. System logging and a two-way firewall (netfilter) are activated on boot-up. The system auto-boots into run level 5, then inittab runs a script that cleans up the guest account and starts X as the guest user. Guest's xsession file launches the screen saver and the inactivity monitoring script, followed by the Metacity window manager (required to allow Firefox's menus to work properly), then finally Firefox itself. If X is killed, it is re-spawned by inittab as just described. The user cannot initiate a reboot, but can manually restart X by closing the browser or by the Ctrl-Alt-Backspace key sequence.
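The cleanup-and-start step that inittab respawns could look like the following. This is an added example, not the project's own script; the script path, the home and skeleton directories and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Hypothetical /etc/inittab entry that respawns this script:
#   x:5:respawn:/usr/local/sbin/kiosk-session run
GUEST_USER=guest             # account named on the page
GUEST_HOME=/home/guest       # assumed location
GUEST_SKEL=/etc/kiosk/skel   # assumed root-owned template (Firefox profile, .xsession)

# Replace HOME with a fresh copy of SKEL owned by OWNER.
# Returns non-zero, touching nothing, when the target looks unsafe.
reset_guest_home() {
    home=${1%/}; skel=$2; owner=$3
    case $home in
        /*) ;;                                   # absolute paths only
        *)  return 1 ;;
    esac
    case $home in
        /root|/etc|/usr|/var|/home) return 1 ;;  # never a system directory
    esac
    [ -d "$skel" ] || return 1                   # no template, no wipe
    if [ -L "$home" ]; then return 1; fi         # never follow a symlink
    rm -rf -- "$home" || return 1
    mkdir -m 0700 -- "$home" || return 1
    cp -R -- "$skel"/. "$home"/ || return 1
    # Under init this runs as root and hands the tree back to the guest.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" -- "$home" || return 1
    fi
}

kiosk_session() {
    # Stop anything the previous session left running as guest.
    pkill -KILL -u "$GUEST_USER" 2>/dev/null || true
    reset_guest_home "$GUEST_HOME" "$GUEST_SKEL" "$GUEST_USER" || exit 1
    # guest has no login shell, so root supplies one for this command only.
    exec su -s /bin/sh "$GUEST_USER" -c 'exec startx'
}

if [ "${1:-}" = run ]; then kiosk_session; fi
```

Because init respawns the script whenever X exits, closing the browser, Ctrl-Alt-Backspace and the inactivity reset all pass through the same wipe before the next session starts.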

David Collie, a co-op student with Engineering Computing, developed the kiosk under the supervision of Stephen Carr, IST. It is based on the Damn Small Linux (DSL) distribution (which is based on the Knoppix live CD distribution, which is based on Debian GNU/Linux). It is open-source software released through This project is a fairly straightforward modification of the well-supported and actively developed DSL project. DSL was modified and re-mastered. The "dsl" user was removed, and several scripts were added to control the boot and cleanup functions. The Firefox browser was configured for security and user privacy. The modifications involved are documented here.

The kiosk may be built and run in several modes. It may be run as a "live CD", that is, booted and run from a CD, so that the OS cannot be tampered with at all. In that case, changes and updates must be done by re-mastering the live CD image. It may also be installed onto the hard disk, then managed from there using Debian's update tool (apt-get). In this case the kiosk may be configured as required with a default home page and white list of accessible sites. Finally, it may be PXE-booted and run diskless (an option if many such devices are to be managed conveniently). The SSH service is running on the machine in its current configuration (the only exposed service) to allow remote monitoring and maintenance. We plan to enable logging to a remote server, at which point we will be able to remove SSH.

We believe that the web kiosk is sufficiently secure to allow users to access the Internet anonymously (without authenticating via a Network Authentication Appliance, as is done on UW's wireless subnet). This Linux-based kiosk is not vulnerable to Windows exploits and malware, and the user has no permissions to download or run applications in any case. In its final version it will expose no services to the network. It is running the last version of the stable 2.4 kernel for which there are no known exploits. The kernel and Firefox browser will be updated as required. All deployed kiosks will be monitored to ensure that they remain secure.

-- Stephen Carr - 13 Mar 2006





-- DavidCollie - 27 Sep 2004