azorius.net

Looking for a good solution for a hands-free kiosk.
from Blisterexe@lemmy.zip to linux@lemmy.ml on 28 Nov 22:48
https://lemmy.zip/post/27100419

I want to setup a bunch of laptops to be web kiosks, I’ll organize my wants into a list so that it’s easier to skim:

Open a version of Firefox with the normal ui, tabs and all.
Automatically enters a session with no user input on reboot
Doesn’t allow doing anything but interacting with Firefox (kinda obvious, kiosk and all)
Auto-login
Automatic updates, with them being applied on restart
Firefox settings reset on reboot

Nice to haves:

nice Plymouth screen to hide the scary code on startup.
completely block any attempts to change configuration on Firefox
ad-block
easy deployment to a bunch of machines.

If these sound like pretty strict requirements, they are, I’m doing this to attempt to get an internship by making my school’s web kiosk laptops not suck (they currently run a janky install of Ubuntu 18.04)

Any help would be greatly appreciated, and I’d be glad to add more information.

#linux

threaded - newest

izax@pawb.social on 28 Nov 23:12 next collapse

I would just go with Debian personally since it’s not updated very often.

You can add Firefox to startup applications several ways, such as startup apps GUI on any desktop environment.
Most desktop environments have an “automatic login” option you can configure. You can also disable or remove the login manager
You can configure some desktop environments (xfce I know for sure) to not launch the panel. Don’t forget to also look up how to disable your TTY hotkeys!
Install the unattended-upgrades package and Debian/Ubuntu will update automatically. I hardly ever have to touch the updates on my Debian machines
You can make Firefox’s config directory read only and it won’t be able to write to it

Nice to haves:

Plymouth can be installed on Debian, and has a few themes that are simple spinners
You can do this. Look up how to do the policies.json file. Since the Firefox directory will be read only, it won’t be able to be changed by the user
I think you can still install add-ons like an ad blocker with policies.json, but not 100% dure
Do a preseed install or similar wiki.debian.org/DebianInstaller/Preseed

Blisterexe@lemmy.zip on 28 Nov 23:16 collapse

thank you for the long answer, but i looked at the policies.json documentation and it didnt have anything to block the core settings

izax@pawb.social on 29 Nov 03:16 collapse

It also supports about:config settings with the AutoConfig feature. Does this help? …mozilla.org/…/customizing-firefox-using-autoconf…

Blisterexe@lemmy.zip on 29 Nov 03:33 collapse

that should help, thanks!

edit: Yup, i can use that to reset user preferences on reboot, perfect

rzr@lemmy.sdf.org on 28 Nov 23:12 next collapse

ubuntu core has a kiosk example to look at… i was inspired from it to build and image for purl.org/rzr/pinball

Blisterexe@lemmy.zip on 28 Nov 23:22 collapse

i did, but i couldnt figure out how to get the full firefox ui, and not just a webpage.

And the full docs were locked behind requesting a document as a rep from a company -_-

CaptDust@sh.itjust.works on 28 Nov 23:32 next collapse

Debian with Cage and a systemd unit to check updates on startup

Blisterexe@lemmy.zip on 28 Nov 23:54 collapse

Debian/ubuntu with cage was what i was leaning towards, given @izax@pawb.social’s tips, i think i’ll go with that.

solrize@lemmy.world on 28 Nov 23:57 next collapse

There’s no way to srsly prevent a full-bloat browser from messing with its environment. Make a static VM image and reboot it at the beginning of every session.

rudyharrelson@lemmy.radio on 29 Nov 00:57 collapse

There’s no way to srsly prevent a full-bloat browser from messing with its environment.

Can you elaborate on this? I’m curious as to what manner a browser like Firefox could be exploited in order to affect its environment outside of something like a sandbox escape.

solrize@lemmy.world on 29 Nov 01:07 collapse

Tools:preferences, about:config, file downloads, form prefills, remember password, etc. yes you can try to lock everything but it’s too easy to miss something. And then there are outright RCEs. There’s just too much attack surface.

markstos@lemmy.world on 29 Nov 03:26 collapse

I agree. Flatpak could be used to further lockdown what Firefox can do, but it has so much features and complexity that I also expect it to be difficult to successfully lockdown.

I would either start with a product that explicitly has just the features a web-kiosk needs or use something based on ChromeOS, which explicitly has a set of enterprise policies that are there to allow admins to lock down a fleet of Chromebooks as they need.

This is based on the security principle that a system is far more secure if you explicitly allow what you need vs trying to explicitly block or disable all the things you don’t want.

Over time, the features you need to allow your web kiosk needs maybe somewhat static and in your control, while all the features you need to disable in Firefox could be constantly evolving and put of your control if you are keeping Firefox up to date.

BCsven@lemmy.ca on 29 Nov 03:38 next collapse

Something like porteus-kiosk.org

Fully Locked down browser, cache cleared on restart, user can’t change settings etc

user_naa@lemmy.world on 29 Nov 16:12 collapse

I think the best way is using live debian image with Wayland cage. User can change something, but it will be lost on restart. Debian supports plymouth out-of-the-box if enabled in grub.