Setting up Linux for Shared Public Use

Contents

1. Overview
2. Preparation
2.1. Changing the RAM Disk Size
2.2. Script to Prepare the RAM Disk
2.3. Script to Reset the User Account
3. Creating the Accounts
3.1. Setting up GDM
4. Finally
4.1. Modifying the Startup and GDM Scripts
4.2. Setting a GRUB Password
4.3. Setting a BIOS Password
5. Confirm the Account is being Reset

1. Overview

The scenario: A public library, or cyber-cafe, where anybody could be using the computer for any purpose. Once that person has finished using the computer and logged out, you do not want the next user being able to see what the previous user has been doing, or have access to any of their personal information.

For example, if a user logged into her e-mail account, and the next user went to the same provider, the previous user's e-mail address may still be visible in the login box.

This tutorial explains how to set up a user account that resets itself when the user logs out. The account is stored on a RAM disk, so no information is ever physically saved to the computer's hard disk.

What we're going to do in this tutorial is:

2. Preparation

In order to create the RAM disk and reset the user account, we require two scripts. The first script will run at boot-time to format and mount the RAM disk. The second will be used by GDM to reset the user account.

First, create a directory for the scripts. In this example I'm using /opt/public, but you can use any location you want.

mkdir /opt/public

2.1. Changing the RAM Disk Size

The default size of a RAM disk in Fedora is 16MB. If you need to increase the size, use the 'ramdisk_size' kernel parameter. 16MB is plenty for the purpose of this tutorial.

Open '/etc/grub.conf', locate the kernel line, and add 'ramdisk_size=x', where x is the size of the disk in KB.

title Fedora 8
        root (hd0,0)
        kernel /vmlinuz-2.6.23.9-85.fc8 ro root=LABEL=/ ramdisk_size=16000
        initrd /initrd-2.6.23.9-85.fc8.img

Save the file and reboot the PC.

2.2. Script to Prepare the RAM Disk

Create a text file 'prepare_rd.sh' in the above directory and copy the following text into it.

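#!/bin/bash
# Create an ext2 filesystem on the RAM disk with no blocks reserved for root.
mke2fs -m 0 /dev/ram0
# Mount the RAM disk over the public user's home directory.
mount /dev/ram0 /home/public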

Make the script executable with:

chmod u+x /opt/public/prepare_rd.sh

Don't try to run the script yet, as the mount point does not exist.

2.3. Script to Reset the User Account

Create another text file in the same directory called 'reset_rd.sh' and copy the following text into it:

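#!/bin/bash
# Reset the public account's home directory from the control profile.

# Remove everything in the public home, dotfiles included.
# (-mindepth 1 keeps the mount point itself and avoids matching '.' and '..'.)
find /home/public -mindepth 1 -delete

# Copy the control profile, dotfiles included, into the public home.
cp -R /home/public-cfg/. /home/public

# Give the copied files to the public user and set their permissions.
chown -R public:public /home/public
chmod -R 0744 /home/public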

Again, make the script executable with:

chmod u+x /opt/public/reset_rd.sh

3. Creating the Accounts

Create the two new accounts and set their passwords with the following commands:

useradd public-cfg
passwd public-cfg
useradd public
passwd public

At this point, you can log in to the control account, in this case 'public-cfg', and set it up as desired.

3.1. Setting up GDM

Run 'gdmsetup' and click the 'Users' tab. You can set up GDM as you like. I won't presume to tell you how, but the options are:

4. Finally

I've left this part until last so you can confirm the scripts work before adding them to the startup and GDM scripts.

Test the two scripts by running them manually. Provided they run properly, proceed with 4.1.

4.1. Modifying the Startup and GDM Scripts

Finally, we need to modify the startup and GDM scripts so that they call the two scripts above.

Add the following line to /etc/rc.local:

/opt/public/prepare_rd.sh

And the following line to the top of /etc/gdm/Init/Default:

/opt/public/reset_rd.sh

Once done, log out. Each time GDM is loaded, the public profile will be reset to the control profile.

4.2. Setting a GRUB Password

To prevent users from rebooting the system and modifying the GRUB kernel parameters, you need to set a GRUB password.

As root, run the command 'grub-md5-crypt'. It will prompt for a password and, once one is entered, display the MD5-hashed password. Copy that output line.

Open /etc/grub.conf and add the line 'password --md5 <copied_md5_hash>'.

If you need to modify parameters from GRUB, press P to be prompted for the password.

4.3. Setting a BIOS Password

If you want to stop users from accessing the BIOS (recommended), you should set a BIOS password. The actual process for this varies from system to system, but in general you will:

5. Confirm the Account is being Reset

Confirm the public user account is being reset by logging in, creating a new directory or file in the home directory, then logging off and back on to ensure it has been erased.

You can also try adding bookmarks to Firefox, and check that they and the history have been reset on the next login.
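
The manual check above can also be scripted. The following is an added example, not part of the original tutorial: it confirms that /home/public really is mounted from /dev/ram0 (if the mount in prepare_rd.sh failed, the profile would silently live on the hard disk) and that its contents match /home/public-cfg after a reset. The function names and the '--check' argument are assumptions made for this example.

```shell
#!/bin/bash
# Added example: verify the public home is RAM-backed and freshly reset.
# Defaults are the tutorial's paths and device. Run as root from a console
# while GDM is showing the login screen (i.e. just after reset_rd.sh ran).

# is_on_ramdisk MOUNTPOINT [DEVICE] [MOUNTS_FILE]
# Succeeds only if MOUNTS_FILE (/proc/mounts format) shows DEVICE mounted
# on MOUNTPOINT. The third argument allows testing against a sample file.
is_on_ramdisk() {
    awk -v m="$1" -v d="${2:-/dev/ram0}" \
        '$1 == d && $2 == m { found = 1 } END { exit !found }' \
        "${3:-/proc/mounts}"
}

# profile_drift CONTROL_DIR PUBLIC_DIR
# Lists leftover, missing or changed files (dotfiles included);
# succeeds only if the two trees are identical.
profile_drift() {
    diff -rq "$1" "$2"
}

# check_public_profile [PUBLIC_DIR] [CONTROL_DIR]
check_public_profile() {
    pub=${1:-/home/public}
    cfg=${2:-/home/public-cfg}
    if ! is_on_ramdisk "$pub"; then
        echo "FAIL: $pub is not mounted from /dev/ram0" >&2
        return 1
    fi
    if ! profile_drift "$cfg" "$pub"; then
        echo "FAIL: $pub differs from $cfg (see list above)" >&2
        return 1
    fi
    echo "OK: $pub is on the RAM disk and matches $cfg"
}

# Run the check only when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_public_profile
fi
```

A "FAIL" from the first test means user data is being written to the hard disk; a "FAIL" from the second means something from a previous session survived the reset.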