September 02, 2009

Linux on public computer

New post on forum gives some information on best practice for using redhat or ubuntu as public kiosk. Seems to be a big fan of Clonezilla.

This thread is located at:

Here is the message that has just been posted:
At my university, we almost exclusively use those machines you listed (mostly 745s and 755s, a few 760s in service). They are very easy to get running in Linux, although for our labs we prettymuch exclusively use Redhat. Should be a good platform to get going, almost everything is supported out of the box.

First off, if you're using the Radeon cards, I'd just use the open source drivers (unless you really, REALLY need 3d support). You'll get to that part soon enough I'm sure. If you're using Intel graphics, the default drivers are fine (and pretty good at that).

There is a very good hard drive image cloning and management suite called Clonezilla. Check it out here:

Clonezilla (

It's basically open sourced Ghost, and has a lot of very nice features (multicasting, save to/restore from SSH, PXE booting, etc). Should be robust enough for your needs.

For burning software, the old standbys (Brasero for GNOME, K3B for KDE) are good enough. I've not set up either for a public environment, but I hear KDE has better features for that kind of use (public computers and kiosks). If you want KDE, I'd recommend installing Kubuntu, it's probably the easiest way to get up and running fast.

I would probably not recommend Blackbox for a public client, it's too 'different' and the public at large probably won't like having to relearn how to open applications. IceWM might be a good choice if you want to avoid GNOME or KDE, it (can be made) very similar to Windows interfaces, and should be easy for users to pick up quickly.

There's a post on the ubuntu forums about this:

Ubuntu for a Public Computer - Ubuntu Forums (

You're probably going to do something to the extent of setting up a small group of machines with guest accounts. Shouldn't be too bad. You'll probably want to learn some scripting (don't worry it's pretty easy to pick up if you don't), and write some scripts to sanitize the /home/guest (or whatever) directory when users log out. That way you don't overload the computer with crap.

Posted by staff at 11:08 AM

April 10, 2008

Kiosk Lockdown Using Firefox, Ubuntu and Blackbox

Nice writeup on configuring Linux browser lockdown under Ubuntu with Blackbox window manager. This install also sets up Apache,PHP and MySQL locally so app can be web-based but not necessarily connected to the Internet. Firefox is the browser engine and writer uses R-Kiosk extension for full-screen customization.

Flexing My Kerkness: Creating a Touch Screen Kiosk using Firefox, Ubuntu and Blackbox

Wednesday, April 9, 2008
Creating a Touch Screen Kiosk using Firefox, Ubuntu and Blackbox

Several of the components and posts on this web site have revolved around a business project I've been working on which involves creating a touch screen kiosk for use in a public space. I thought it might be beneficial (at least from my own documenting needs) to provide a post covering the overall process of getting a secure touch screen system up running.

The easiest way to build a kiosk application is to customize a web page to serve as the kiosk interface. Launch the web page in a browser and set the browser to run in full screen mode and voila, instant kiosk. To turn it into a touch screen kiosk all you need to do is buy an LCD touch screen monitor and your all set.

This basic solution might work fine if you're always standing next to the computer and can enable full screen mode every time it reboots and also stop anyone from mucking around with your computer should the browser crash and they get access to the desktop.

Setting up a kiosk which can run in a public space and have reasonable enough security to prevent someone from mucking around with it should the browser crash or computer crash takes a little more thought.

I've addressed the overall solution in two parts.

1) The server/host computer
2) The browser

1) The Server / Host Computer

The computer used to host a touch screen application needs some thoughtful consideration. You want something that will offer good reliable performance and also prevent anyone who might be feeling a little malicious from causing the computer or your application any harm. My touch screen system does NOT have a keyboard attached to it which certainly helps in providing a certain level of security but I still need to take steps to make sure the user cannot get access to the desktop, general file system or any application other than the Firefox browser.

For my solution I decided to run Ubuntu 7.10 and use Blackbox as the default desktop environment. Ubuntu allows me to run an apache http server as well as mysql locally. This keeps the application running very fast, provides me with dynamic data and requires no internet connection. Your kiosk application could be simple straight HTML running locally or running off a remote web server whatever suits your needs. Using Ubuntu (or really any flavor of linux you're comfortable with) keeps your kiosk highly customizable.

Using the Blackbox windows manager instead of the default Gnome or KDE desktop environment allows me to lockout the user from accessing anything other than Firefox and keeps your kiosk as a light weight, fast computer with a single focus.

How to set up the server/host computer

1. Download and install Ubuntu 7.10
A default install is fine. The main user you will create during install will be considered a super user. You'll later create a user account specifically for accessing the touch screen application. Click here to get Ubuntu

2. Install Apache, PHP5 and MySQL (Optional)
My specific application uses dynamic data and requires both Apache and PHP. Using an Ubuntu computer makes it easy to run these services locally and means my computer doesn't require a dedicated internet connection. Although having one makes remote administration and updates easier. To install these on the computer just reference the wiki

3. Create a limited user account
While your touch screen application is running you'll want to have a limited user account logged into the computer.

To create this account log into Ubuntu using the account you created during install and select :

System > Administration > Users and Groups

From the User settings window select:

Add User

From the New User Account window fill in the Basic Settings for your user. For the purpose of this example we will use the username: touchuser. After you've provided a user name and and password select the User Privileges tab. Unselect all options which are not a requirement of your touch screen application. For my application I blocked access to all external hard drives, cdroms, floppies and log monitors.

4. Install Blackbox Window Manager
Blackbox is a fast, lightweight and minimal windows manager for the X Window System. You can learn more about it here. Blackbox will be setup as the default desktop for our host computer. I use Blackbox because it helps prevent the touch screen user from having access to any applications unless they are specifically enabled via Blackbox.

To install blackbox open up the terminal and type the following command.

sudo apt-get install blackbox blackbox-themes

Next we need to create a .blackboxrc file and a .blackbox directory. These will be used to define our configuration settings for our desktop and define what applications touchuser has access to. Note: we are going to do this in the home directory of the touchuser account not the account we are logged in as. After we create the file and directory we set permissions on them.

sudo mkdir /home/touchuser/.blackbox
sudo touch /home/touchuser/.blackboxrc
sudo chown touchuser /home/touchuser/.blackbox
sudo chown touchuser /home/touchuser/.blackboxrc
sudo chgrp touchuser /home/touchuser/.blackbox
sudo chgrp touchuser /home/touchuser/.blackboxrc

5. Define the .blackboxrc File
Using your favorite text editor add the following definitions to the .blackboxrc file. Note the reference to /home/touchuser/.blackbox/menu. This file will be created in the next step.

session.styleFile: /usr/share/blackbox/styles/Gray
session.menuFile: /home/touchuser/.blackbox/menu
session.screen0.workspaces: 1
session.screen0.workspaceNames: My Touch Screen
session.fullMaximization: True

NOTE: If you decide to run Blackbox now you may find yourself unable to complete the rest of the steps in this tutorial. All the steps for setting up the host computer assume you are logged into Ubuntu using the user created during install and running a Gnome session. If you're logged into Blackbox press CTRL + ALT + BACKSPACE to return to the Ubuntu login screen. You can select the 'options' button to change what windows manager is used when you log in.

6. Create the Blackbox menu file
By default the Blackbox desktop provides no icons. To launch a program the user needs to right-click on the desktop to see a menu of available applications. We want to provide our own menu settings so that the only application available to our user is Firefox. This is really only of limited use as right-clicking on a touch screen is impossible as far as I know, but in case someone figures out how to do it we don't want them to have access to anything other than the browser.

Enter the following commands into the terminal to create the menu file and set appropriate permissions.

sudo touch /home/touchuser/.blackbox/menu
sudo chgrp touchuser /home/touchuser/.blackbox/menu
sudo chown touchuser /home/touchuser/.blackbox/menu

To limit our menu to only provide access to Firefox open up the menu file and add the following.

[begin] (ArtTouch)
[exec] (firefox) {firefox}

For more details on configuring blackbox and creating menus see the blackbox wiki

7. Install iDesk
Blackbox doesn't by default support desktop icons which is okay since we are building a minimal system. Well what if the Firefox browser crashes and the touch screen user is left starting at an empty desktop with no ability to right-click and relaunch the browser. To provide a solution to this problem we are going to install iDesk which adds icon support to minimal window managers such as Blackbox.

To install iDesk open a terminal and provide the following command

sudo apt-get install idesk

Once iDesk is installed we need to create an .ideskrc file for configuration settings and create an .idesktop folder where we can define our icons.

sudo touch /home/touchuser/.ideskrc
sudo mkdir /home/touchuser/.idesktop
sudo chgrp touchuser /home/touchuser/.ideskrc
sudo chgrp touchuser /home/touchuser/.idesktop
sudo chown touchuser /home/touchuser/.ideskrc
sudo chown touchuser /home/touchuser/.idesktop

Next open up the .ideskrc file and add the following

table Config
Background.Color: #C2CCFF
table Actions
Execute[0]: left singleClk

This is a very minimal use of iDesk configuration options for more see the iDesk Usage Wiki

8. Create an Icon and define icon commands
Next we need to create an icon for our desktop. You could use the standard Firefox icon but you're probably best to create a PNG specifically for your touch screen application. Create a PNG file (for example touchicon.png) and stick it in the .idesktop directory. To add the icon to the desktop we need to create a file with a .lnk extension and place it in the .desktop directory also.

sudo touch /home/touchuser/.idesktop/touchicon.lnk
sudo chown touchuser /home/touchuser/.idesktop/touchicon.lnk
sudo chgrp touchuser /home/touchuser/.idesktop/touchicon.lnk

Open the touchicon.lnk file and add the following. Adjust 'caption', 'tooltip', 'width', 'height' and 'x/y' coordinates to suit your needs.

table Icon
Caption: Touch Application
ToolTip.Caption: Touch Me To Launch
Command: firefox
Icon: /home/touchuser/.idesktop/touchicon.png
Width: 400
Height: 275
X: 100
Y: 100

9. Create Blackbox startup script
Now that we have a minimal desktop and we also have an icon for our desktop we need to make sure that iDesk is automatically run when Blackbox runs (by default it doesn't). To do this we are going to create a startup script for Blackbox.

Create a file called in your touchuser's home directory

sudo touch /home/touchuser/
sudo chgrp touchuser /home/touchuser/
sudo chown touchuser /home/touchuser/
sudo chmod x+ /home/touchuser/

Add the following to the file

idesk &
exec blackbox

Now we need to change the path of exec blackbox in /usr/share/xsessions/blackbox.desktop. Start by making a backup

sudo cp /usr/share/xsessions/blackbox.desktop /usr/share/xsessions/blackbox.desktop_backup

Edit /usr/share/xsessions/blackbox.desktop and make the following changes to Exec and TryExec definitions

[Desktop Entry]
Comment=Highly configurable and low resource X11 Window manager

10. Set Auto-login and define Blackbox as default window manager
The final step in configuring our server/host computer is to set up Ubuntu to automatically log into our touchuser profile and to use Blackbox as the default windows manager. This ensures that if the computer crashes or reboots that it immediately goes into kiosk mode. (note we'll further improve this by making the browser automatically launch later).

Open the Login Window Preferences by selecting:

System > Administration > Login Window

Under the General tab select 'Blackbox' for default session.
Under the Security tab select 'Enable automatic login' and select the user 'touchuser'

Hopefully after all that you should now have a basic set up to run a kiosk. When the computer boots it should load directly to a Blackbox desktop that allows the user to launch Firefox and only Firefox. In the next step of the process we are going to modify a few settings in Firefox to make sure it loads our touch screen application as it's homepage and automatically launches in full screen mode when the computer boots up.

NOTE: If the computer is running in kiosk mode and you want to be able to login as your super user and get back to a fully functional Gnome desktop all you need to do is plug in a keyboard and press CTRL + ALT + BACKSPACE. This will kill the Blackbox session and bring you to the Ubuntu login screen.

2) The Browser

Now that we have our host computer set up and running we'll want to make a few small changes to the preferences of our Firefox browser so that it performs well as a kiosk client.

1. Set the Home Page
This should be pretty obvious. When the browser launches we want it to automatically load our Kiosk application. For my solution I have the Kiosk application running locally as a Flex/PHP application. Your kiosk doesn't have to be Flex, it could be a Flash or simple HTML web page and it could be running remotely or locally. Whatever the case may be you'll want to set the URL location of your application as the homepage for Firefox.

2. Disabling session restore
When Firefox crashes or the computer is shutdown before closing the browser, Firefox will by default ask if you want to restore your previous session or start a new one the next time it launches. This is kind of a pointless feature for the kiosk as you'll likely always want it to start a new session. You can disable this feature by logging into your kiosk as 'touchuser' launching Firefox and entering 'about:config' in address bar.

Find the preference settings for browser.sessionstore.resume_from_crash and browser.sessionstore.resume_session_once and set their values to false.

3. Getting the browser to automatically launch in fullscreen mode.
When the browser is launched in order to provide a true kiosk type environment we want it to load in full screen mode giving the user no access to the navigation bar and locked out of most shortcuts. The easiest way to do this is to install one of the many 'Full Screen' extensions available for Firefox.

The one I recommend is R-Kiosk. For the pure purpose of running a web based Kiosk it does a very good job. While logged in as 'touchuser' Visit this link in Firefox and click the 'Add To Firefox' button.

NOTE: After this component is added to Firefox you'll be unable to make any preference or configuration changes to Firefox unless you launch it in safe mode. For information on how to run Firefox in safe mode, visit this link.

4. Setting the browser to automatically launch after boot
When our kiosk system is booted it will automatically login as with the touchuser profile and load our Blackbox desktop. Now we also want Firefox to automatically launch so that after the system boots the user is presented with our Kiosk application running in all it's full screen glory.

This is very simple to accomplish by adding one line to the Blackbox startup script we created in step 9 when setting up the host computer. You'll need to log into Ubuntu as the user you defined during install for this step.

Open /user/touchuser/.bbstartup and add the following line

idesk &
/usr/bin/firefox &
exec blackbox

If everything has gone as I hope, you should have a fully functioning kiosk system. The only thing left to do is buy yourself a fancy touchscreen LCD monitor and plug it in.

References for this setup can be found at the following links.
HOWTO: A Blackbox Guide --
Blackbox Wiki --
iDesk Wiki --

Posted by staff at 07:18 AM

June 30, 2007

Kiosk Mode with Mozilla and Firefox

Nice writeup on kiosk mode requiring cross-platform support using latest Firefox. Open Kiosk Port to Firefox 2.

Mozdev Group, Inc. : www: /clients/bm/index

Client Profile - Brooklyn Museum

** NEW - Open Kiosk Port to Firefox 2 **

Firefox v,2.0

* Install For Firefox Now! [ June 29, 2007] (Powered by jsLib)

** Administrators: please read the Install as Admin Instructions before installation if you wish to install the Kiosk and run as a limited user. **

Mozilla v,1.7.13

** Please read the INSTRUCTIONS before installation. **

* Install Now! [ April 04, 2007] (Powered by jsLib)

About Brooklyn Museum

Brooklyn Museum Logo The Brooklyn Museum is the second largest art museum in New York City and one of the largest in the United States. One of the premier art institutions in the world, its permanent collection includes more than one and a half million objects, from ancient Egyptian masterpieces to contemporary art, and represents almost every culture. It is housed in a 560,000 square foot, Beaux-Arts building that welcomes approximately half a million visitors each year. Located in Central Brooklyn, a half-hour from midtown Manhattan with its own subway stop, the Museum is set on Eastern Parkway and one block from Grand Army Plaza in a complex of 19th-century parks and gardens that also contains Prospect Park, the Brooklyn Botanic Garden, and the Wildlife Center.
The Task

Our task was to deliver a customized Mozilla browser for a Kiosk, basically a full-screen, locked-down, browser with access to settings disabled. The Kiosk browser would be initially deployed on the Windows platform, but the code had to be as cross-platform as possible for easy porting to other platforms. An XPI package installer would be the preferred distribution option, but a custom Mozilla distribution would be acceptable if necessary.
Kiosk in full screen mode
Figure 1 : Kiosk in full screen mode
The Result

It became clear early on in the project that a custom Mozilla distribution would not be necessary. The browser code base is flexible and powerful enough to be able to build your own fully customised browser using XPFE tools. Thus an XPI package is a much more flexible option for the client, enabling it to be installed on multiple stations in a faster time.

The primary feature of any Kiosk is that the application has to be locked down. Firstly, that there is no access to the operating system and other applications, and secondly that the user can not change any of the browser settings. The former is largely taken care of in this project by the fact that the keyboards in place at the museum do not have the standard keys for moving around on the system. This includes the Tab, Ctrl and Shift keys. So the main development challenge was to remove access to all browser settings, which was achieved with a fully customized user-interface.

Here are just some of the features included in the Museum Kiosk.
Full Screen

The browser has a full-screen mode, without a title bar and mimimize/close icons. This is a staple of any Kiosk environment. There is an option to have true full-screen mode with no UI visible. The advantage of this is that it provides a maximized content vieiwing area and less distraction for users. There is also an option to include a toolbar and/or statusbar in the UI to make available certain functionality, such as navigation (see section - Customizable User-interface)
Administration Settings Dialog

This is a secure, password protected window that the Kiosk administrator launches from the command line to set up the Kiosk browser for a particular station. The settings persist across sessions, and are available to all users logged into the system. A per-system settings system was the preferred option here, as opposed to per-user, to minimize the setup time needed. Features include the setting of the home page, turning on/off tabbed browsing, choosing filters and timers for resetting the station after a period of inactivity.
Customizable User-interface
UI Customization Options
Figure 2 : UI Customization Options

Figure 2 illustrates the UI customization options available to the Kiosk Admin. The radio option offers a choice to show widgets, or hide them which gives you true full-screen mode. If you choose to show, then there are futher options via a list where you can choose which buttons and other items appear. These settings are sticky across sessions until changed by the Kiosk administrator.
Content Filtering

One of the main purposes of many Kiosk environments is to display content on a particular topic or a certain group of topics. Here we had to accommodate this in a Web context, and the best way to achieve it is with a content filter. This takes the form of a flat text file on the filesystem, which has entries in the form of URLs. When this feature is enabled, the list is read by the software, and any time the user tries to access a site not in the list, the request is denied and they are informed with a status message. The filter has 2 modes. STRICT only allows an exact match on a URL. ALL is the second mode, and requires a little more explanation. In ALL mode, the browser will load any page that is in the domain of a particular URL (*, or sub-area of a site (
JavaScript Filtering

Complimentary to the content filter is a special request for turning JavaScript ON/OFF on a per site basis. When enabled, each request loaded into the browser will pass through the filter (a similar URL filter to the content one), and if there is not a match the request will still load but JavaScript will be turned off. No script will execute on that page, including onload handlers, onclick events and DHTML.
Command-line Handling

The Kiosk comes packaged with various command line options including:

* mozilla -kiosk : Launch the Kiosk in full screen mode
* mozilla -kiosk mode=title : Launch the Kiosk with a titlebar
* mozilla -kiosk about : Launch the About window
* mozilla -kiosk admin : Launch the Admin Settings window

Session Reset

Session Reset Alert The functionality is available to reset the Kiosk session, either via a button accessible to users, or an automatic timer which kicks in after a certain period of inactivity. What does resetting the session mean? What happens is that the browser returns to the homepage, cookies set during the session are deleted, memory cache is cleared (disk cache is always off), and the session history is deleted. Essentially, any trace of a previous session is eliminated. The option to turn on the reset timer, and the period in minutes before it does, are both available to be configured.

About Window

The Kiosk is by design almost free of branding, yet there are 2 options for identification. An optional banner above the toolbar, and an About window. The About window gives versioning and build information that is valuable for feature tracking and updates.

Posted by staff at 10:08 AM

October 10, 2006

Elo TouchSystems Releases Touchscreen Drivers for Linux and Mac

El TouchSystems released new set of drivers for touchscreens today including Linux and Mac. These include USB and Serial. Also XPe.


New Drivers Complement Elo’s Extensive Range of Flexible Offerings

October 2006 – Elo TouchSystems, the global leader in touch technology and a division of Tyco Electronics Corporation, has developed a new range of touch drivers for both Linux and Mac OS X. These new offerings complement Elo’s already extensive range of touch drivers for Windows, Macintosh and legacy operating systems such as DOS and OS/2.

According to Software Engineering Manager, Peter Studt, Elo now has the most comprehensive and flexible family of touch drivers in its market segment. “We are committed to the design and development of contemporary drivers to support all versions of current and future operating systems; in fact, any and all solutions that add value to our customer’s interface with touch technology,” says Studt.

The Driving Range
Elo offers touch drivers for a complete range of operating systems.
· Full Microsoft Windows support including Windows XP, XP Embedded (XPe), 2000 and CE
· Legacy Windows operating system support including Windows NT, 98, 95, 3.x and ME
· Three levels of Linux support
· Mac OS X and Mac OS 9.x
· Legacy OS (OS/2, DOS, Unix, QNX, SUN and other Unix drivers)
Drivers are available with serial and/or USB touch interface (where supported).

Three Tiers for Linux
Elo’s new Linux drivers are offered in three tiers:
Open/Public: This public driver was developed and is maintained by the Linux community. The developer/end-user is free to modify the driver and is responsible for the support/development of the software. It is ideal for customers who build their own systems.
Custom/Kernel: This unique and stable driver is designed, supported and modified by Elo. This is the perfect system for customers who require an “out-of-the-box” solution.
Unified: This is a blend of Open/Public and Custom/Kernel and is ideal for customers that wish to modify the code but have limited resources.

In-house Development
“Elo produces its core driver software in-house,” Elo Director of Product Management, Michael Bartelmess, confirms. “And this gives us a distinct advantage that we pass along in the quality and consistency of our products to value-added resellers (VARs), systems integrators (SIs) and, finally, the end-users themselves.”

By producing touchmonitors, the touchscreen technology within the monitors and the software drivers for the touch function, Elo is able to optimise the functionality of the total solution. It also gives customers a single point of contact to resolve any potential conflicts.
“Our in-depth knowledge of driver operation is a must for effective technical support,” adds Bartelmess. ”It also gives us the flexibility to develop custom solutions and the ability to quickly add features and address any problems. In addition, we are able to ensure a commonality between drivers produced for the various operating systems.” Bartelmess believes that this unique in-house development, combined with the company’s innate innovation and customer-centric commitment, ensures that VARs and SIs find Elo touch drivers far easier to integrate, support and sell, saving them time and money. “It also makes life easier for the end-user,” Bartelmess explains, “because our products are far easier to use.”

About Elo TouchSystems
Elo TouchSystems, global leader in touch technology, is a division of Tyco Electronics Corporation. Elo develops, manufactures and markets a complete line of touch products that simplify the interface between people and computers in both public access and employee-activated applications. Founded in 1971, the company is headquartered in Menlo Park, California, with manufacturing sites in the United States, Belgium, Brazil, China, and Japan (Elo operates in Japan under the name of Touch Panel Systems). For more information on Elo TouchSystems’ products and services, call +32 16 35 2100 in Europe or visit our web site at

About Tyco Electronics
Tyco Electronics, a business segment of Tyco International Ltd., is the world’s largest passive electronic components manufacturer; a leader in cutting edge wireless components, complete power systems, and premise wiring components and systems; and a provider of critical communications systems to the Land Mobile Radio industry. Tyco Electronics provides advanced technology products from over forty well known and respected brands, including Agastat, Alcoswitch, AMP, AMP NETCONNECT, Buchanan, CII, CoEv, Critchley, Elcon, Elo TouchSystems, M/A COM, Madison Cable, OEG, Potter & Brumfield, Raychem, Schrack and Simel. For more information, visit

XP/2000 Universal
XP Embedded USB
Linux Unified USB
Linux Unified Serial
GPL Linux
PowerMac. OSX10.4
iMac, G3 and G4. Mac OS 9 or 9.1

Main download page for ELO

Posted by keefner at 10:41 AM

October 03, 2006

Cool Tech: Running Windows on Linux

Would-be Windows-on-Linux gamers got a very early Christmas present Saturday, with the release by CodeWeavers of the first public beta of CrossOver 6.0, with support for World of Warcraft and other "steam-based" games such as Half Life 2 and Counterstrike.

CodeWeavers CEO Jeremy White wants to make sure, though, that everyone understands that "this is still beta software, and there are many issues remaining; we still have a ways to go until we feel comfortable considering it ready for release. While we greatly appreciate feedback on this release, if you don't like bleeding edge experimental software, we'd really rather you waited for a proper production version."

CodeWeavers has also released a new public beta of CrossOver Mac. This new version, which enables Intel Mac users to run Windows programs on Mac OS X, includes fixes to Internet Explorer and fixes for many programs that would run but then crash, such as Microsoft Office 2000. It also includes Outlook 2003 fixes and other improvements.

read more on Desktop Linux

Posted by keefner at 07:33 AM

October 24, 2005

Casestudy: Linux as Public WebStations

Linux developer sets up public webstations for hurricane victims. The software installs in five minutes on a Pentium 2 (old PC)with 128MB of RAM. Article out on Desktop Linux and the link to the download software and instructions is here at

Posted by keefner at 02:34 PM

June 07, 2005

Kiosk Lockdown with Linux and KDE

linux.gifStep by step configuration of KDE desktop to lockdown the desktop in kiosk mode. Includes desktop, context menus, icons and setting up custom system wide desktop icons.

Kiosk mode lockdown admin tool for Linux is available for download.

Lock Down KDE with Kiosk Mode

Hack No. 43 in Linux Desktop Hacks.

System administrators typically spend a lot of their time fixing trivial problems for users who have accidently changed their settings in some way. When an inexperienced user moves a desktop icon into the wastebin or sets a mimetype to open with the wrong programme they may be unable to reset their changes. Calls to the system administrator for help are a poor use of everyone's time. It would be better if the user had never been able to make undesirable changes.

Perhaps you just want to set up a GNU/Linux desktop for your grandmother but she keeps changing the layout of the application toolbars without meaning to. The new look confuses her so much that she calls you all the time asking for help, or worse, she gives up on GNU/Linux or her computer. Wouldn't it be great if you could protect your grandmother from herself?

For computers in a public setting such as an internet cafe or library these problems turn into more than just timewasters, they can prevent others from using the machine or cause distress as with the common anecdote of a library where a scriptkiddy had changed the background wallpaper on all the machines to pornographic photos.
Enter the Kiosk

KDE is one of the most configurable desktop environments but KDE 3.2.3 added the Kiosk framework which allows for any or all of the configuration options to be marked as unchangeable. With Kiosk you can create profiles which are attached to users or groups of users. A profile can define any KDE setting but will usually include the contents of the desktop, panel and k-menus as well as the look of the wallpaper, default fonts and widget style. You can also specify important system settings such as the network proxy and file associations. Most importantly all of these options can be set to be unchangeable by the user. This means grandma will never accidentally delete her web browser icon, and a bored teenager can't change the library's computer wallpaper to something that will give grandma a heard attack.

The easiest way to setup a Kiosk profile is to use the Kiosk Admin Tool. Some distributions include this by default, for others you can download the source from its website at

Start the Kiosk tool (as your normal user, there's no need to run as root) by selecting K-menu -> System -> Kiosk Admin Tool, or with the kiosktool command, and click Add New Profile. Give this profile a name such as 'locked-down' and click OK to save. You will be asked for your root password to save the new profile. Now click Manage Users and add a user policy to link a user to your new locked-down profile. It is also possible to link a whole group to the policy, you can see and change which users are in which groups by looking at the file /etc/group.

To configure a profile, select it in the list and click Next. The next screen presents numerous moules, each witrh specific configuration options in it. Ticking an option will lock down its corresponding feature. The settings will be saved when you click Back.

Some of the modules offer graphical setup for their settings. For example under the Desktop Icons module you can load a temporary desktop to replace your normal one. Switch to a different virtual desktop (Ctrl-F2) if you have windows covering your background. You can add, remove and move any of the icons on the temporary desktop. When you click Save in Kiosk Admin Tool, the settings for this desktop will be saved and your normal desktop will be loaded again. This makes configuring the setup for your Kiosk profile as easy as configuring your own desktop.

A general breakdown of the types of settings you will find in the most important modules follows:

Contains the settings that control the global properties for al KDE programs and inclues the ability to run commands, log out or move toolbars. Disabling Konsole removes not onlt its entry from the K-menu, but also the embedded Konsoles in Konqueror and Kate. Desktop Icons
Settings to prevent users from moving or deleting desktop icons. KDE Menu
Controls which programs are available in the K-Menu Themeing
Prevents users from changing the widget style, colour or font settings. Konqueror
Stops the user from being able to browse outside their home directory. Menu Actions
Turns off standard menu actions such as open, print, paste, settings etc from all KDE applications. File Associations
Ensures that files can be opened only with the specified programs Network Proxy
Enforces the use of your web proxy. Uses a web proxy to restrict which web sites a user can browse. Panel
Used to lock down the panel, prevents users from adding or removing the items you place here, and enables you to prevent context menus from working

The Kiosk framework has been used in large enterprise deployments of KDE. Administrators report that is cuts their time taken up by user support by half, because it reduces the number of small but time consuming problems users have.

If you are considering using Kiosk in a public setting you may want to make yourself familiar with the KDE configuration file format. Browse through /etc/kde-profile to see the setting made by the Kiosk Admin Tool. Adding [$i] to a configration option, group of options or file makes them unchangeable by users.

Kiosk is not a substitute for using Unix filesystem permissions or other security settings. You should also make sure you set X to not be killable with control-alt-backspace and prevent users from changing to a text console. Finally make sure the login manager does not allow users to log in to any other desktop environment which has not been locked down.

Copyleft Jonathan Riddell 2004


Posted by keefner at 02:26 PM