Fedora Kiosk


Just like to share this.

The Fedora Kiosk is a Fedora-based live operating system that takes advantage of SELinux and namespacing to set up a secure kiosk environment.

When you use a kiosk system you need to worry about the person that used the kiosk before you and after you. The person who used it before you could have left a process running on the system that can watch your keystrokes. The person who uses the kiosk after you can search through your home directory for data stored by Firefox, including history, potentially credit card data, VPN access codes, etc.

The Fedora kiosk uses the xguest package, which sets up a limited privileged SELinux xguest user. This user is allowed to log in to the box without a password iff SELinux is enabled and enforcing, and there are no processes running with the same UID. The user account is locked down so it cannot execute any setuid/setgid applications. The only network ports it can connect to are web ports. It cannot execute any content in its home directory. The home directory/tmp directory is created when the user logs in and destroyed when the user logs out. If the account attempts to leave a process around after logout, the system will attempt to kill the process, and no other kiosk users will be allowed to log in until the processes with this UID are killed.

Root account is disabled.

It is also a live operating system, so rebooting the kiosk will reset it to a known good state.
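
The login gate described in the post above (passwordless login only when SELinux is enforcing and no process still runs under the guest UID), written as a check an administrator could run on a kiosk. This is an added example, not code from the xguest package or from the original post; the function names, the `--live`/`--demo` switches and the sample process table are assumptions constructed here.

```shell
#!/bin/sh
# Added example: models the xguest login gate described in the post.
# Function names, --live/--demo and SAMPLE_PS are assumptions, not xguest code.

# Print PIDs owned by UID $1; stdin holds "uid pid comm" lines
# (the format produced by: ps -eo uid=,pid=,comm=).
leftover_pids() {
    awk -v uid="$1" '$1 == uid { print $2 }'
}

# gate_decision MODE UID  (process table on stdin)
# MODE is the getenforce output: Enforcing, Permissive or Disabled.
# Returns 0 and prints ALLOW only when both conditions from the post hold.
gate_decision() {
    gd_mode=$1
    gd_uid=$2
    if [ "$gd_mode" != "Enforcing" ]; then
        echo "DENY: SELinux is $gd_mode, not Enforcing"
        return 1
    fi
    gd_pids=$(leftover_pids "$gd_uid" | tr '\n' ' ')
    if [ -n "$gd_pids" ]; then
        echo "DENY: uid $gd_uid still owns pid(s) ${gd_pids% }"
        return 1
    fi
    echo "ALLOW: enforcing, no processes left for uid $gd_uid"
}

# Constructed sample process table: a previous guest session (uid 1001)
# left two processes behind after logout.
SAMPLE_PS='    0     1 systemd
 1001  4312 firefox
 1001  4350 sleep
    0   812 crond'

if [ "${1:-}" = "--live" ]; then
    # On a real kiosk: query the running system (assumes the account is "xguest").
    ps -eo uid=,pid=,comm= | gate_decision "$(getenforce)" "$(id -u xguest)"
elif [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PS" | gate_decision Enforcing 1001 || true
    gate_decision Enforcing 1001 </dev/null
    gate_decision Permissive 1001 </dev/null || true
fi
```

A DENY result on a live kiosk means the next guest login would be refused until the listed processes are gone or SELinux is back in enforcing mode.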


any good? as opinion ways?

The implementation of the environment is great, for example, when you need a live CD for use in public PCs like in LAN houses, or to have in your PC when strange people wanna use your computer... or even to bank/shop/make important things. The SELinux policies, the inability to execute from the home partition (most of the other folders need root pw to write to them, and the user is an xguest account). The home/tmp directory is destroyed at logout, so if you look at the restrictions, it is something like Windows with a standard user account + SRP/AppLocker denying execution, Windows Firewall only allowing traffic to some ports, and with something like Shadow Defender/Deep Freeze virtualizing the "Users" folder out of the box.

yes! it's a secure way and better than to use window$ + deep freeze in a kiosk or public system!

thanks someone for sharing :wub:

