LiveCDInternetKiosk
This page describes how to create a LiveCD that provides internet web surfing to anonymous users while still providing a degree of web filtering to avoid access to unsuitable sites.
Disclaimer
The resulting LiveCD should not be considered foolproof and may not provide enough web filtering for your situation. There are no guarantees and the author cannot be held responsible for your use or misuse of the information herein. It is presented in the hope that it will be useful. If it is not, that is your responsibility and you are free to further refine the instructions to meet your needs.
Starting
You should have some understanding of how to modify a LiveCD already. Please review LiveCDCustomization. These instructions will use that as a base but if you have read and understand those instructions, then these instructions will essentially replace the Customization section of that document.
Obtain the base system
Download an official Desktop CD from http://releases.ubuntu.com/
Note: the example shown here uses the ubuntu-14.04.2-desktop-amd64.iso Desktop CD. Replace it with the name of your iso.
- Move or copy it into an empty directory
mkdir ~/livecdtmp
mv ubuntu-14.04.2-desktop-amd64.iso ~/livecdtmp
cd ~/livecdtmp
Extract the CD .iso contents
Mount the Desktop .iso
mkdir mnt
sudo mount -o loop ubuntu-14.04.2-desktop-amd64.iso mnt
Extract .iso contents into dir 'extract-cd'
mkdir extract-cd
sudo rsync --exclude=/casper/filesystem.squashfs -a mnt/ extract-cd
Extract the Desktop system
Extract the SquashFS filesystem
sudo unsquashfs mnt/casper/filesystem.squashfs
sudo mv squashfs-root edit
Prepare and chroot
WARNING: If you do this in 14.04 LTS, you will lose network connectivity (the name resolving part of it). /etc/resolv.conf is and should remain a symlink to /run/resolvconf/resolv.conf nowadays. To enable name resolving, temporarily edit that file instead.
If you need the network connection within chroot:
sudo cp /etc/resolv.conf edit/etc/
NOTE: It is recommended that you do not do this unless you know what you're doing.
Depending on your configuration, you may also need to copy the hosts file:
sudo cp /etc/hosts edit/etc/
The remaining steps are good, unlike the ones above:
sudo mount --bind /dev/ edit/dev
sudo chroot edit
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devpts none /dev/pts
(these mount important directories of your host system - if you later decide to delete the edit/ directory, then make sure to unmount before doing so, otherwise your host system will become unusable at least temporarily until reboot)
To avoid locale issues and in order to import GPG keys
export HOME=/root
export LC_ALL=C
Configure the LiveCD for Internet Kiosk use
Install and Configure Dansguardian
Enable The Universe Repository
sed -i 's/ main / main universe /g' /etc/apt/sources.list
Create temporary Proxy settings (if necessary)
export http_proxy=http://proxy.domain.com:8080
export https_proxy=http://proxy.domain.com:8080
Temporarily set the DNS servers
cat << EOF_TMPDNS > /run/resolvconf/resolv.conf
nameserver 208.67.222.222
nameserver 208.67.220.220
EOF_TMPDNS
Update the package list
apt-get update
Install Dansguardian
apt-get -y install dansguardian squid
Configure Dansguardian
sed -i '/UNCONFIGURED.*/d' /etc/dansguardian/dansguardian.conf
# Ensure that any OpenDNS block page is allowed
echo opendns.com >> /etc/dansguardian/lists/exceptionsitelist
echo opendns.net >> /etc/dansguardian/lists/exceptionsitelist
echo opendns.org >> /etc/dansguardian/lists/exceptionsitelist
Disable FreshClam updates
Installing Dansguardian also installs ClamAV, but there is no reason to update signatures on the live CD:
sed -i 's/Checks 24/Checks 0/g' /etc/clamav/freshclam.conf
Download and configure the blacklists
wget -q -O /root/bigblacklist.tar.gz 'http://urlblacklist.com/cgi-bin/commercialdownload.pl?type=download&file=bigblacklist'
cd /etc/dansguardian/lists/
sudo tar xvfz /root/bigblacklist.tar.gz
Enable the lists that you want to block by uncommenting the lines that match:
sed -i -r '/artnudes|porn|violence|hacking|proxy|virusinfected|warez/ s/^#.I/.I/' /etc/dansguardian/lists/bannedsitelist
sed -i -r '/artnudes|porn|violence|hacking|proxy|virusinfected|warez/ s/^#.I/.I/' /etc/dansguardian/lists/bannedurllist
Install and Configure OpenDNS Updater
Prerequisites
This section assumes that you have an account set up with OpenDNS to configure ddclient. ddclient will update your IP address in your OpenDNS account so that the LiveCD makes use of the web site filtering that you have set up in your account.
Install and configure ddclient
apt-get -y install ddclient
cat << EOF_DDCLIENT > /etc/ddclient.conf
use=web, web=myip.dnsomatic.com
ssl=yes
server=updates.opendns.com
protocol=dyndns2
login=account@email.addr
password=''
Home
EOF_DDCLIENT
Set DNS Servers to OpenDNS Servers
This section assumes that you are on a network that allows you to specify your own DNS server. If you are preparing the LiveCD in an environment where only corporate DNS is allowed, you will need to leave this step out or only enable it just before you are ready to create the final CD.
Set the OpenDNS servers as the DNS servers
cat << EOF_DNS > /etc/resolvconf/resolv.conf.d/base
nameserver 208.67.222.222
nameserver 208.67.220.220
EOF_DNS
Prevent the DHCP Server from overriding your hard coded DNS server settings.
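# dhclient.conf statements must end with ';' (the .*$ match removes the original one)
sed -i 's/#prepend domain-name-servers .*$/prepend domain-name-servers 208.67.222.222, 208.67.220.220;/' /etc/dhcp/dhclient.conf
# stop requesting DNS servers from the DHCP server
sed -i 's/domain-name-servers, //' /etc/dhcp/dhclient.conf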
Configure the Timezone
If you want to set the TimeZone that your CD will be used in you can do the following:
dpkg-reconfigure tzdata
Remove the Live CD installer
For this use, there is no reason to have the installer. Removing it will allow you to boot directly into the desktop.
apt-get -y purge ubiquity
Install Google Chrome
Installation
Since Google Chrome has the ability to play Flash it is a good idea to install it:
echo "deb http://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list
wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
apt-get update
apt-get -y install google-chrome-stable
Create Desktop Shortcut
cat << ENDCHROME > /etc/profile.d/google-chrome.sh
cp /usr/share/applications/google-chrome.desktop /home/ubuntu/Desktop/
chmod +x /home/ubuntu/Desktop/google-chrome.desktop
ENDCHROME
Lock Preferences
mkdir -p /etc/opt/chrome/policies/managed
mkdir -p /etc/opt/chrome/policies/recommended
cat << END_CHROMEPREFS > /etc/opt/chrome/policies/managed/test_policy.json
{
  "DefaultBrowserSettingEnabled": false,
  "MetricsReportingEnabled": false,
  "BuiltInDnsClientEnabled": false,
  "RestoreOnStartup": 4,
  "RestoreOnStartupURLs": ["www.google.com"],
  "ProxyMode": "fixed_servers",
  "ProxyServer": "127.0.0.1:8080",
  "ForceSafeSearch": true
}
END_CHROMEPREFS
Firefox Preferences Configuration
Lock Firefox preferences to set the proxy and home page
cat << EOF_FIREPREFS > /usr/lib/firefox/defaults/pref/all.corp.js
lockPref("browser.startup.homepage","http://www.google.com");
lockPref("browser.tabs.autoHide", false);
lockPref("network.proxy.type",1);
lockPref("network.proxy.share_proxy_settings", true);
lockPref("network.proxy.ftp","127.0.0.1");
lockPref("network.proxy.ftp_port",8080);
lockPref("network.proxy.http","127.0.0.1");
lockPref("network.proxy.http_port",8080);
lockPref("network.proxy.ssl","127.0.0.1");
lockPref("network.proxy.ssl_port",8080);
lockPref("network.proxy.gopher","127.0.0.1");
lockPref("network.proxy.gopher_port",8080);
lockPref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
lockPref("browser.shell.checkDefaultBrowser", false);
lockPref("browser.defaultbrowser.notificationbar", false);
EOF_FIREPREFS
Prevent Firefox from prompting to import settings from Chrome
cat << EOF_FIREMIG > /usr/lib/firefox/browser/override.ini
[XRE]
EnableProfileMigrator=false
EOF_FIREMIG
System wide Proxy settings - experimental
cat << EOF_PROXIES > /etc/init/proxy.conf
#
# This task is run on startup to set proxy for the system to use Dansguardian
description "set system proxy settings"
start on started dbus
# this is not a service
task
script
HTTP_PROXY_HOST=127.0.0.1
HTTP_PROXY_PORT=8080
HTTPS_PROXY_HOST=127.0.0.1
HTTPS_PROXY_PORT=8080
gsettings set org.gnome.system.proxy mode manual
gsettings set org.gnome.system.proxy.http host "\$HTTP_PROXY_HOST"
gsettings set org.gnome.system.proxy.http port "\$HTTP_PROXY_PORT"
gsettings set org.gnome.system.proxy.https host "\$HTTPS_PROXY_HOST"
gsettings set org.gnome.system.proxy.https port "\$HTTPS_PROXY_PORT"
# remove earlier http and https proxy lines before appending the new ones
sed -i.bak '/https*::proxy/Id' /etc/apt/apt.conf
tee -a /etc/apt/apt.conf <<EOF
Acquire::http::proxy "http://\$HTTP_PROXY_HOST:\$HTTP_PROXY_PORT";
Acquire::https::proxy "http://\$HTTPS_PROXY_HOST:\$HTTPS_PROXY_PORT";
EOF
sed -i.bak '/https*_proxy/Id' /etc/environment
tee -a /etc/environment <<EOF
http_proxy="http://\$HTTP_PROXY_HOST:\$HTTP_PROXY_PORT"
https_proxy="http://\$HTTPS_PROXY_HOST:\$HTTPS_PROXY_PORT"
EOF
end script
EOF_PROXIES
Miscellaneous LiveCD Changes
Disable the Keyboard Shortcuts Overlay
cat << EOF_OVERLAY > /etc/profile.d/overlay.sh
gsettings set org.compiz.unityshell:/org/compiz/profiles/unity/plugins/unityshell/ shortcut-overlay false
EOF_OVERLAY
Remove the ubuntu user from sudo
To further protect the system from modification, you need to remove the ability to sudo:
rm -fr /etc/sudoers.d
# comment out sudo and admin in the /etc/sudoers file
sed -r -i '/%admin|%sudo/ s/^/#/' /etc/sudoers
Disable the builtin webbrowser-app
There is a web browser built in to Ubuntu that I did not realize was there. It may support proxy options but since there were better options available I simply disabled it.
chmod a-x /usr/bin/webbrowser-app
Remove some unnecessary packages
apt-get -y purge usb-creator-common usb-creator-gtk thunderbird-gnome-support thunderbird remmina-common remmina remmina-plugin-rdp remmina-plugin-vnc
apt-get -y autoremove
Create the LiveCD iso
Clean Up
apt-get clean
umount /proc || umount -lf /proc
umount /sys
umount /dev/pts
exit
# back on the host: release the /dev bind mount before compressing edit/
sudo umount edit/dev
sudo chmod a+w extract-cd/casper/filesystem.manifest
sudo chroot edit dpkg-query -W --showformat='${Package} ${Version}\n' > extract-cd/casper/filesystem.manifest
sudo cp extract-cd/casper/filesystem.manifest extract-cd/casper/filesystem.manifest-desktop
sudo sed -i '/ubiquity/d' extract-cd/casper/filesystem.manifest-desktop
sudo sed -i '/casper/d' extract-cd/casper/filesystem.manifest-desktop
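Before compressing the file system, the lock-down settings made in the steps above can be checked in the unpacked tree. The following is an added example, not part of the original instructions: the function names audit_kiosk_root and make_sample_root are hypothetical, and the sample tree is constructed so the check can be tried without a real edit directory.

```shell
# audit_kiosk_root ROOT: check an unpacked tree (the page's ./edit) for the
# lock-down settings made above. Prints each failure, returns the failure count.
audit_kiosk_root() {
    root=$1; fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    # need FILE STRING MESSAGE: FILE under ROOT must contain the fixed STRING
    need() { grep -qF -- "$2" "$root$1" 2>/dev/null || fail "$3"; }

    need /etc/opt/chrome/policies/managed/test_policy.json \
        '"ProxyMode": "fixed_servers"' "Chrome proxy mode is not forced"
    need /etc/opt/chrome/policies/managed/test_policy.json \
        '"ProxyServer": "127.0.0.1:8080"' "Chrome proxy is not Dansguardian"
    need /usr/lib/firefox/defaults/pref/all.corp.js \
        'lockPref("network.proxy.type",1);' "Firefox proxy type is not locked"
    need /usr/lib/firefox/defaults/pref/all.corp.js \
        'lockPref("network.proxy.http_port",8080);' "Firefox proxy port is not locked"
    need /etc/dhcp/dhclient.conf \
        'prepend domain-name-servers 208.67.222.222' "DHCP can replace the OpenDNS servers"

    dg=$root/etc/dansguardian/dansguardian.conf
    if [ ! -f "$dg" ] || grep -q 'UNCONFIGURED' "$dg"; then
        fail "dansguardian.conf missing or still marked UNCONFIGURED"
    fi
    # An active %admin or %sudo rule, or a drop-in directory, can still grant sudo
    if grep -Eq '^[[:space:]]*%(admin|sudo)' "$root/etc/sudoers" 2>/dev/null; then
        fail "sudoers still grants %admin or %sudo"
    fi
    if [ -e "$root/etc/sudoers.d" ]; then fail "/etc/sudoers.d still exists"; fi
    if [ -x "$root/usr/bin/webbrowser-app" ]; then fail "webbrowser-app is executable"; fi
    return "$fails"
}

# Constructed sample tree standing in for ./edit, so the audit can run offline
make_sample_root() {
    r=$1
    mkdir -p "$r/etc/opt/chrome/policies/managed" "$r/etc/dhcp" "$r/usr/bin" \
        "$r/usr/lib/firefox/defaults/pref" "$r/etc/dansguardian"
    printf '{ "ProxyMode": "fixed_servers",\n  "ProxyServer": "127.0.0.1:8080" }\n' \
        > "$r/etc/opt/chrome/policies/managed/test_policy.json"
    printf 'lockPref("network.proxy.type",1);\nlockPref("network.proxy.http_port",8080);\n' \
        > "$r/usr/lib/firefox/defaults/pref/all.corp.js"
    echo 'prepend domain-name-servers 208.67.222.222, 208.67.220.220;' \
        > "$r/etc/dhcp/dhclient.conf"
    echo 'filterport = 8080' > "$r/etc/dansguardian/dansguardian.conf"
    echo '#%sudo ALL=(ALL:ALL) ALL' > "$r/etc/sudoers"
    : > "$r/usr/bin/webbrowser-app"; chmod a-x "$r/usr/bin/webbrowser-app"
}
```

On the build host, source the functions and run audit_kiosk_root ~/livecdtmp/edit; an exit status of 0 means every check passed.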
Compress the file system
sudo rm extract-cd/casper/filesystem.squashfs
sudo mksquashfs edit extract-cd/casper/filesystem.squashfs
sudo chmod a+w extract-cd/casper/filesystem.size
printf $(sudo du -sx --block-size=1 edit | cut -f1) > extract-cd/casper/filesystem.size
Create the CD/DVD
cd extract-cd
sudo rm md5sum.txt
find -type f -print0 | sudo xargs -0 md5sum | grep -v isolinux/boot.cat | sudo tee md5sum.txt
sudo mkisofs -D -r -V "$IMAGE_NAME" -cache-inodes -J -l -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -o ../ubuntu-14.04.2-desktop-amd64-custom.iso .