[Koha] running Koha on a dedicated computer?

spark at cclsd.org spark at cclsd.org
Sun Feb 18 16:18:00 NZDT 2007 

On computers dedicated as "opac only" we use the proxy settings in Firefox to only
allow access to our catalog.

If you are running Koha on the same computer that patrons are using to browse your
catalog you could set the proxy to localhost and have all browser traffic end up at
your catalog as a matter of course.  this on top of iptables, as Alex mentioned, is
an arrangement that works really well for us.

To keep users from altering the proxy settings (and a bunch of other stuff) in
Firefox we have altered the Firefox browser.jar file (in the Firefox /chrome folder)
in such a way that only minimal browsing is allowed and all other controls are not
available, such as menu "options" and context menus.  It's really stripped down.  If
you'd like to obtain that .jar file I'd be happy to pass it along.  It works great
on our regular public-use internet computers as well (for ffox v1.5).  We had really
good luck with K-Meleon before that, using the same concept.  Hope this helps!

Kind regards,

Sean - CCLSD, OR, USA



> This should be quite doable and I will attempt to guide you on how it
> could be done.  However, I will make a few assumptions since your exact
> situation is not entirely clear to me.
>
> H Lee wrote:
>> Hi,
>>
>> We've got a question that I hope can be answered here. We're currently
>> running
>> Koha on a Debian Linux PC. This PC is dedicated for patron use in the
>> Library
>> and is usually unattended most of the time.
> You know of course that Koha is a client/server system, with the client
> being simply a web browser and the server usually running on a different
> machine.  It is not clear to me whether the dedicated machine you are
> talking about is simply a terminal running a web browser and koha is
> actually running on a separate server , or whether it is a standalone
> machine running both the koha server and a web browser client.
>>
>> The problem we're having is that kids are constantly using this
>> machine for playing
>> games and web surfing. I'd like to lock down this PC so that it is
>> used only for Koha.
> OK, lets take playing games first.  This actually needs to be split into
> two categories.  The first is games that come as part of the system
> (i.e., part of Debian.)  Luckily, Debian is very flexible in this
> regard; it is designed to be very modular so that only the things you
> use need to be on the machine.  Assuming that no-one else needs to use
> the games, they can simply be removed using the system package tool
> (e.g.. apt).
>
> The other part of the games problem is games accessed through the web
> browser.  This comes down to your second stated need; restricting the
> web sites that the browser can access to just the Koha system.
>> I've tried firewall rules to prevent general web browsing but
>> apparently this can be
>> defeated (how they do it I don't know). I've tried deleting the games
>> links in the Linux
>> desktop start menu but there is always the Terminal window that can be
>> opened up
>> to run programs.
>>
> The games links & terminal trick won't work once you remove the games as
> above.  You are wrong about firewall rules to restrict browsing though,
> in practice firewall rules should _not_ be able to be defeated by the
> users (there are a couple of provisos though.)
>
> Firewall rules (using iptables) are installed as root (the machine
> administrative user) and can only be changed or circumvented by the root
> user.  So the firewall will be as safe as long as users don't have
> access to the root account on the computer.  To ensure the root user
> account is not compromised, you need to be sure the root password isn't
> known to any of the kids (so perhaps change it if you suspect it might be.)
>
> You also need to take steps to prevent the root account from being
> compromised in the future.  It's actually quite difficult to prevent a
> knowledgeable attacker from compromising the root account if the
> computer is unattended and they have uninterrupted access to it for any
> length of time.  However, there are steps you can take to make it more
> difficult, and if you take these steps it will prevent the vast majority
> of users from being able to compromise it.
>
> Some steps you might take to make your computer more secure include
> password protecting the boot loader (grub), password protecting the
> bios, removing removable drives (floppys, CD/DVD drives), removing,
> disconnecting or disabling USB ports.  You might consider modifying the
> boot loader configuration so that a password needs to be entered each
> time the machine boots; thus a staff member needs to be notified each
> time the computer is restarted and can supervise the process.
>
> The thinking behind the above is that two of the more common methods of
> gaining root access are an ability to restart the computer and then
> modify or influence it's start-up process, especially if you can get get
> your own media into drives on the machine, and loading certain exploit
> programs (again using media the user can insert, or loading from the
> internet.)
>> How can I set up this dedicated PC so that it can ONLY run Koha? This
>> would mean
>> disabling all options to execute everything other than Koha (via the
>> web browser) and the
>> option to log off/shut down/restart.
>>
> Well, there are two ways to do that.  You can either have some kind of
> mandatory user profile loaded to prevent users running programs they
> shouldn't, or you can just remove the programs altogether.  Removing the
> programs altogether is the quickest and most secure way to do it, but
> obviously not every program can be removed using this method.  You may
> need to use a user profile as well.
>
> Why do you want users to have the option of shut-down/restart as well?
> If there isn't really a need to let users do this, I would recommend
> against it.  If it is needed, it can be left, but makes the system
> slightly less secure.
>> Ideally, what I would like is to have a default user profile in Linux
>> that, when logged in,
>> would only allow Koha to run and nothing else. I could envision this
>> as no icons on
>> the Desktop or Panels and nothing in the Start menu except the Log Out
>> or Shutdown
>> choices. Koha would automatically start up on the web browser when
>> this login profile
>> is started. If I can get a user profile to do this, then I can have
>> another user profile for
>> Library staff to use that has a "normal" Linux desktop.
>>
> This should be quite doable under any of the major Desktops/ Window
> managers.  Does the computer run GNOME, or KDE, or something else?  If
> so what?  This would be the most time consuming aspect of securing the
> system, and it may be unnecessary if you do the other stuff I suggest.
>> Has anyone done this sort of thing in Linux? I'm willing to move to
>> another distro if
>> it is available elsewhere.
>>
> I do this type of thing with Linux on a regular basis, as do many
> others.  I've found Debian to be one of the most flexable distributions
> and therefore best suited to this type of task.
>> I've also heard from a few years back that Linux firewalls (I am using
>> GuardDog) cannot
>> have user-specific profiles as Linux only supported a single firewall
>> profile for all users.
>> Has this situation changed more recent releases of Linux?
>>
> I'm not familiar with GuardDog.  I normally use the "under the bonet"
> type tool called iptables.  You are correct that firewall rules in linux
> are not user-specific, ie, they can only restrict the whole machine, and
> cannot place per user restrictions.
>
> However, the firewalling you need to do doesn't need to be user
> specific.  You can simply lock the whole machine down to accessing koha
> only.  When I talk about firewalling, I am talking about restricting
> internet (network) traffic flowing into and out of the machine.  I am
> not talking about any other kind of restrictions on what a user or
> program can do.  Those other restrictions are handled by the other
> methods I have referred to above, and I don't refer to them as firewalling.
>
> This is where the distinction of whether you have a standalone machine
> with both client and server on the same machine becomes important.  If
> this is the case, the simplest firewall technique is to disconnect the
> internet from your machine.  You might remove the network card (if it
> has one) when removing the CDROM etc.  Otherwise, just make sure there
> is no network or dsl or whatever cable plugged into the machine in
> normal operation.  If it is on a wireless network, it should be possible
> to disable the network in such a way that only root can re-enable it.
>
> Your computer may need a little tuning to work properly without a
> network.  If it is taking a long time to boot or doesn't function
> correctly when not connected to the network, it may need some minor
> adjustments.  However, it's perfectly possible to run Debian systems
> without a network connection; they are designed to be able to do this.
>
> If you _are_ running the machine as an unattended standalone machine
> with the Koha database right on it, and if the users have unfettered
> access and especially if they are gaining root access, note that your
> whole Koha system is at risk.  A malicious user could destroy the whole
> database.  Most users of course aren't malicious and they probably just
> want to play games.  Still, you would want to check your backups if the
> data is important to you.
>
> If it is not a standalone machine and koha is really running somewhere
> else on the network, you will need to keep the network connection and
> firewall the machine.  You can probably get what you need with a very
> simple firewall setup.  You need to give the machine access to the
> remote host running the Koha server, and possibly also to its DNS and
> DHCP servers.  Other than that, you can block all network access.
>
> The work required to do all this (excluding the user profile/locked down
> user desktop) should take an experienced Linux/Deiban admin less than an
> hour.  In fact, once they have access to the machine and you've told
> them the passwords and requirements etc, they should have most of it
> done in around 15 minutes, and just be needing to tidy up, test and
> document.  There's a list of Debian consultants linked off the Deiban
> website.
>
> Alternatively, you should be able to do it yourself by reading up on the
> tools and a bit of trial and error if you are that way inclined.  There
> are plenty of Linux user groups, mailing lists and help sites which
> offer free assistance.  However, the fine details of how to do it are
> probably not appropriate for the koha list.
>> Thanks for your help,
>> Lee
>>
>> ------------------------------------------------------------------------
>> Finding fabulous fares is fun.
>> Let Yahoo! FareChase search your favorite travel sites
>> <http://farechase.yahoo.com/promo-generic-14795097;_ylc=X3oDMTFtNW45amVpBF9TAzk3NDA3NTg5BF9zAzI3MTk0ODEEcG9zAzEEc2VjA21haWx0YWdsaW5lBHNsawNxMS0wNw-->
>> to find flight and hotel bargains.
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Koha mailing list
>> Koha at lists.katipo.co.nz
>> http://lists.katipo.co.nz/mailman/listinfo/koha
>>
>
> --
> Alex King    Linuxworks
> Phone:   +64 3 473 1611
> Mobile:  +64 21 410 420
>
> _______________________________________________
> Koha mailing list
> Koha at lists.katipo.co.nz
> http://lists.katipo.co.nz/mailman/listinfo/koha
>

More information about the Koha mailing list