kristiaan_d
Posts: 7
Joined: Mon Jul 02, 2012 8:52 pm

Raspbian Jessie - how to lock down the desktop

Tue Jun 21, 2016 6:49 am

Hi Everyone, I have a requirement to lock down the user desktop of a vanilla Jessie image so that users cannot right click, add / customise menus etc., and set the system so that only one app runs when launched into the desktop, and the user in question is not able to have root access.

However whilst I am fairly confident in a CLI based interface, I've never delved into GUI work (99% of things I've done are server based so no GUI).

I've found that it's using LXDE for the desktop interface, but can't seem to find any useful info on how to customise this interface to stop certain things being shown, or how I can get it to launch my own app etc. I can switch bits off by removing them in the right click menu etc., but this is not suitable as the user could just add them back if they wished.

Also, what is startx and how can I configure it to only run an app that I specify?

Any advice on this would be really useful as I am starting to feel a little lost here.

peterlite
Posts: 720
Joined: Sun Apr 17, 2016 4:00 am

Re: Raspbian Jessie - how to lock down the desktop

Wed Jun 22, 2016 3:43 am

Are you setting up a separate user? Guest? There is info about creating a locked down guest user in:
http://raspberrypi.stackexchange.com/qu ... d-features

gkreidl
Posts: 5921
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Raspbian Jessie - how to lock down the desktop

Wed Jun 22, 2016 5:12 am

You don't have to use the desktop at all. You just need XORG and a window manager. Create a small file in the root of your user directory:

```sh
#!/bin/sh
openbox --config-file ~/.config/openbox/rc.xml --startup myapp
```

Save it as mystarter and make it executable. From the command line start it with

```sh
xinit ./mystarter
```

Minimal Kiosk Browser (kweb)
Slim, fast webkit browser with support for audio+video+playlists+youtube+pdf+download
Optional fullscreen kiosk mode and command interface for embedded applications
Includes omxplayerGUI, an X front end for omxplayer

kristiaan_d
Posts: 7
Joined: Mon Jul 02, 2012 8:52 pm

Re: Raspbian Jessie - how to lock down the desktop

Wed Jun 22, 2016 8:11 am

peterlite wrote: Are you setting up a separate user? Guest? There is info about creating a locked down guest user in:
http://raspberrypi.stackexchange.com/qu ... d-features

Hi Peter, thank you for the information on locking down the Pi. I'm going to have a look at this to see what I can apply to my installation and how far I can go locking it down.

gkreidl wrote: You don't have to use the desktop at all. You just need XORG and a window manager. Create a small file in the root of your user directory:

```sh
#!/bin/sh
openbox --config-file ~/.config/openbox/rc.xml --startup myapp
```

Save it as mystarter and make it executable. From the command line start it with

```sh
xinit ./mystarter
```

This is pretty much perfect for what I am looking to do; the only minor change I had to make is the reference to the rc.xml file.

I could not find a file with the rc.xml name in the referenced location; rather, the only file I could find was lxde-pi-rc.xml, so I opted to try this configuration file instead. I've not had any specific errors when running with the config file mentioned, so I can only presume it's either ignoring the file and taking defaults or it's had no issue and is using it quite happily.

Thank you both very much for your input; it's been very useful and fixed my problem perfectly.
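
An added example, not part of any post in this thread: a fail-closed version of the mystarter script that writes its own Openbox config instead of relying on rc.xml or lxde-pi-rc.xml, and refuses to start the session if that file is missing or defines bindings or menus. The names KIOSK_RC, KIOSK_APP, kiosk-rc.xml and the init/start arguments are assumptions of this sketch; the empty keyboard and mouse sections are intended to leave Openbox without bindings, which should be confirmed on the target image.

```sh
#!/bin/sh
# Added example (not from the thread): fail-closed variant of "mystarter".
# KIOSK_RC and KIOSK_APP are hypothetical names; "myapp" is the thread's placeholder.
KIOSK_RC="${KIOSK_RC:-$HOME/.config/openbox/kiosk-rc.xml}"
KIOSK_APP="${KIOSK_APP:-myapp}"

# Write a dedicated Openbox config with empty <keyboard/> and <mouse/> sections
# (no key bindings, no right-click root menu) and undecorated, maximised windows.
write_kiosk_rc() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<openbox_config xmlns="http://openbox.org/3.4/rc">
  <keyboard/>
  <mouse/>
  <applications>
    <application class="*">
      <decor>no</decor>
      <maximized>yes</maximized>
    </application>
  </applications>
</openbox_config>
EOF
}

# Succeed only if the file is readable and defines no bindings, menus or
# Execute actions. A desktop rc file that defines any of these fails the check.
rc_is_locked_down() {
    [ -r "$1" ] || return 1
    ! grep -Eq '<keybind|<mousebind|ShowMenu|name="Execute"' "$1"
}

# Refuse to start the session unless the config passes the check, then exec
# openbox so that no shell process is left behind this script.
start_kiosk() {
    if ! rc_is_locked_down "$KIOSK_RC"; then
        echo "refusing to start: $KIOSK_RC missing or not locked down" >&2
        return 1
    fi
    exec openbox --config-file "$KIOSK_RC" --startup "$KIOSK_APP"
}

# Usage: ./mystarter init          (write the config once)
#        xinit ./mystarter start   (start the single-app session)
case "${1:-}" in
    init)  write_kiosk_rc "$KIOSK_RC" ;;
    start) start_kiosk ;;
esac
```

Running rc_is_locked_down against a desktop config such as lxde-pi-rc.xml shows whether that file still carries key or mouse bindings that a kiosk user could reach.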

gkreidl
Posts: 5921
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Raspbian Jessie - how to lock down the desktop

Wed Jun 22, 2016 8:21 am

Maybe the rc.xml file is missing on new installations. It has been the settings file for openbox with default LXDE before the Foundation added its modifications.

I prefer a settings file which does not depend on the settings used by the modifications.
obconf has also been removed from the latest Raspbian image which can be used to create your own settings for OpenBox.

peterlite
Posts: 720
Joined: Sun Apr 17, 2016 4:00 am

Re: Raspbian Jessie - how to lock down the desktop

Thu Jun 23, 2016 10:48 pm

@gkreidl, in your configuration, how does the administrator access the system to apply security updates?

gkreidl
Posts: 5921
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Raspbian Jessie - how to lock down the desktop

Fri Jun 24, 2016 4:20 am

peterlite wrote:@gkreidl, in your configuration, how does the administrator access the system to apply security updates?
What do you mean by "my configuration"?

You can always run
sudo apt-get update && sudo apt-get upgrade, either from a terminal or connected via SSH.

peterlite
Posts: 720
Joined: Sun Apr 17, 2016 4:00 am

Re: Raspbian Jessie - how to lock down the desktop

Fri Jun 24, 2016 9:21 am

Oops, I misread the setup as automatically starting when you boot the system. I was thinking of kiosks where a power outage leads to an automatic boot into the locked down system so that visitors cannot bypass security by switching the power off then on.

gkreidl
Posts: 5921
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: Raspbian Jessie - how to lock down the desktop

Fri Jun 24, 2016 10:00 am

peterlite wrote:Oops, I misread the setup as automatically starting when you boot the system. I was thinking of kiosks where a power outage leads to an automatic boot into the locked down system so that visitors cannot bypass security by switching the power off then on.
This is possible, of course. I have helped in the past to set up such kiosk systems, in a German school, for example, where pupils can use 3 kiosks to order their meals for lunch. It had to be prevented from being used to surf the web, play games etc. by all means.

kristiaan_d
Posts: 7
Joined: Mon Jul 02, 2012 8:52 pm

Re: Raspbian Jessie - how to lock down the desktop

Fri Jun 24, 2016 10:31 am

peterlite wrote:Oops, I misread the setup as automatically starting when you boot the system. I was thinking of kiosks where a power outage leads to an automatic boot into the locked down system so that visitors cannot bypass security by switching the power off then on.
In our situation we have control of the images and look at keeping one master image that boots to the command prompt; this allows us to test / update the image etc. Before it's pushed to the general user population, we reconfigure the image so that it automatically boots into the xinit interface.

Testing is then carried out to make sure the image does what we expect and users cannot get a root prompt; at this point the SD card is duplicated and rolled out to our users.

You can still get SSH access to each system remotely, but we only really use this to debug crashes, reboot stuck systems etc.

hello world :-)
Posts: 121
Joined: Sat Nov 14, 2015 7:12 am
Location: England, in an insecure cloud, ie. The Interwebs

Re: Raspbian Jessie - how to lock down the desktop

Sun Jun 26, 2016 7:04 pm

gkreidl wrote:Maybe the rc.xml file is missing on new installations. It has been the settings file for openbox with default LXDE before the Foundation added its modifications.

I prefer a settings file which does not depend on the settings used by the modifications.
obconf has also been removed from the latest Raspbian image which can be used to create your own settings for OpenBox.

```sh
apt-get install obconf
```

(slow clap).
I do moral support. Here: https://www.raspberrypi.org/forums/search.php?search_id=egosearch
I know I use too many parentheses. Problem?
Topics I have posted in: http://bit.ly/1NbDdr5
My topics: http://bit.ly/1ObnKqQ
All my posts: http://bit.ly/1OHzje7

peterlite
Posts: 720
Joined: Sun Apr 17, 2016 4:00 am

Re: Raspbian Jessie - how to lock down the desktop

Wed Jun 29, 2016 10:56 am

@kristiaan_d, thank you for the explanation of what you do. It is similar to what I do for some projects before updating the system just in case the update breaks the configuration. With the low cost of an SD card, it makes sense to keep multiple copies.

peterlite
Posts: 720
Joined: Sun Apr 17, 2016 4:00 am

Re: Raspbian Jessie - how to lock down the desktop

Tue Jul 05, 2016 12:58 am

Thinking about a slightly different use case. Give the user a computer they can use to browse the Internet, Skype, whatever. Also allow the administrator full access via remote desktop. I would do this with multiple users.

Give the local user an automatic login to the restricted guest user. Start vnc for one admin session and another session to view the user's session. I followed some tutorials that ended up not working unless you logged in locally. Then I found a tutorial that put start up info in /etc/rc.local. rc.local appears to run before a user is started. Using x11vnc and rc.local, I could start vnc for administrator remote access without waiting for a user session.

I suspect this could be used to start a second session for the guest login. You could then watch what they do and work out ways to stop them doing whatever you do not want them doing. Or you could just watch them log in to their bank account. :evil:

rc.local looks like a useful script.

vunthao
Posts: 1
Joined: Tue May 07, 2019 2:04 pm

Re: Raspbian Jessie - how to lock down the desktop

Tue May 07, 2019 2:23 pm

Thank you for your great post, I'm looking to set up something similar. I'm a newbie when it comes to Raspberry Pi and was wondering if you could share the steps to set it up?
