[Koha] running Koha on a dedicated computer?
alex at king.net.nz
Sun Feb 18 15:22:11 NZDT 2007
This should be quite doable and I will attempt to guide you on how it
could be done. However, I will make a few assumptions since your exact
situation is not entirely clear to me.
H Lee wrote:
> We've got a question that I hope can be answered here. We're currently
> Koha on a Debian Linux PC. This PC is dedicated for patron use in the
> and is usually unattended most of the time.
You know of course that Koha is a client/server system, with the client
being simply a web browser and the server usually running on a different
machine. It is not clear to me whether the dedicated machine you are
talking about is simply a terminal running a web browser and koha is
actually running on a separate server , or whether it is a standalone
machine running both the koha server and a web browser client.
> The problem we're having is that kids are constantly using this
> machine for playing
> games and web surfing. I'd like to lock down this PC so that it is
> used only for Koha.
OK, lets take playing games first. This actually needs to be split into
two categories. The first is games that come as part of the system
(i.e., part of Debian.) Luckily, Debian is very flexible in this
regard; it is designed to be very modular so that only the things you
use need to be on the machine. Assuming that no-one else needs to use
the games, they can simply be removed using the system package tool
The other part of the games problem is games accessed through the web
browser. This comes down to your second stated need; restricting the
web sites that the browser can access to just the Koha system.
> I've tried firewall rules to prevent general web browsing but
> apparently this can be
> defeated (how they do it I don't know). I've tried deleting the games
> links in the Linux
> desktop start menu but there is always the Terminal window that can be
> opened up
> to run programs.
The games links & terminal trick won't work once you remove the games as
above. You are wrong about firewall rules to restrict browsing though,
in practice firewall rules should _not_ be able to be defeated by the
users (there are a couple of provisos though.)
Firewall rules (using iptables) are installed as root (the machine
administrative user) and can only be changed or circumvented by the root
user. So the firewall will be as safe as long as users don't have
access to the root account on the computer. To ensure the root user
account is not compromised, you need to be sure the root password isn't
known to any of the kids (so perhaps change it if you suspect it might be.)
You also need to take steps to prevent the root account from being
compromised in the future. It's actually quite difficult to prevent a
knowledgeable attacker from compromising the root account if the
computer is unattended and they have uninterrupted access to it for any
length of time. However, there are steps you can take to make it more
difficult, and if you take these steps it will prevent the vast majority
of users from being able to compromise it.
Some steps you might take to make your computer more secure include
password protecting the boot loader (grub), password protecting the
bios, removing removable drives (floppys, CD/DVD drives), removing,
disconnecting or disabling USB ports. You might consider modifying the
boot loader configuration so that a password needs to be entered each
time the machine boots; thus a staff member needs to be notified each
time the computer is restarted and can supervise the process.
The thinking behind the above is that two of the more common methods of
gaining root access are an ability to restart the computer and then
modify or influence it's start-up process, especially if you can get get
your own media into drives on the machine, and loading certain exploit
programs (again using media the user can insert, or loading from the
> How can I set up this dedicated PC so that it can ONLY run Koha? This
> would mean
> disabling all options to execute everything other than Koha (via the
> web browser) and the
> option to log off/shut down/restart.
Well, there are two ways to do that. You can either have some kind of
mandatory user profile loaded to prevent users running programs they
shouldn't, or you can just remove the programs altogether. Removing the
programs altogether is the quickest and most secure way to do it, but
obviously not every program can be removed using this method. You may
need to use a user profile as well.
Why do you want users to have the option of shut-down/restart as well?
If there isn't really a need to let users do this, I would recommend
against it. If it is needed, it can be left, but makes the system
slightly less secure.
> Ideally, what I would like is to have a default user profile in Linux
> that, when logged in,
> would only allow Koha to run and nothing else. I could envision this
> as no icons on
> the Desktop or Panels and nothing in the Start menu except the Log Out
> or Shutdown
> choices. Koha would automatically start up on the web browser when
> this login profile
> is started. If I can get a user profile to do this, then I can have
> another user profile for
> Library staff to use that has a "normal" Linux desktop.
This should be quite doable under any of the major Desktops/ Window
managers. Does the computer run GNOME, or KDE, or something else? If
so what? This would be the most time consuming aspect of securing the
system, and it may be unnecessary if you do the other stuff I suggest.
> Has anyone done this sort of thing in Linux? I'm willing to move to
> another distro if
> it is available elsewhere.
I do this type of thing with Linux on a regular basis, as do many
others. I've found Debian to be one of the most flexable distributions
and therefore best suited to this type of task.
> I've also heard from a few years back that Linux firewalls (I am using
> GuardDog) cannot
> have user-specific profiles as Linux only supported a single firewall
> profile for all users.
> Has this situation changed more recent releases of Linux?
I'm not familiar with GuardDog. I normally use the "under the bonet"
type tool called iptables. You are correct that firewall rules in linux
are not user-specific, ie, they can only restrict the whole machine, and
cannot place per user restrictions.
However, the firewalling you need to do doesn't need to be user
specific. You can simply lock the whole machine down to accessing koha
only. When I talk about firewalling, I am talking about restricting
internet (network) traffic flowing into and out of the machine. I am
not talking about any other kind of restrictions on what a user or
program can do. Those other restrictions are handled by the other
methods I have referred to above, and I don't refer to them as firewalling.
This is where the distinction of whether you have a standalone machine
with both client and server on the same machine becomes important. If
this is the case, the simplest firewall technique is to disconnect the
internet from your machine. You might remove the network card (if it
has one) when removing the CDROM etc. Otherwise, just make sure there
is no network or dsl or whatever cable plugged into the machine in
normal operation. If it is on a wireless network, it should be possible
to disable the network in such a way that only root can re-enable it.
Your computer may need a little tuning to work properly without a
network. If it is taking a long time to boot or doesn't function
correctly when not connected to the network, it may need some minor
adjustments. However, it's perfectly possible to run Debian systems
without a network connection; they are designed to be able to do this.
If you _are_ running the machine as an unattended standalone machine
with the Koha database right on it, and if the users have unfettered
access and especially if they are gaining root access, note that your
whole Koha system is at risk. A malicious user could destroy the whole
database. Most users of course aren't malicious and they probably just
want to play games. Still, you would want to check your backups if the
data is important to you.
If it is not a standalone machine and koha is really running somewhere
else on the network, you will need to keep the network connection and
firewall the machine. You can probably get what you need with a very
simple firewall setup. You need to give the machine access to the
remote host running the Koha server, and possibly also to its DNS and
DHCP servers. Other than that, you can block all network access.
The work required to do all this (excluding the user profile/locked down
user desktop) should take an experienced Linux/Deiban admin less than an
hour. In fact, once they have access to the machine and you've told
them the passwords and requirements etc, they should have most of it
done in around 15 minutes, and just be needing to tidy up, test and
document. There's a list of Debian consultants linked off the Deiban
Alternatively, you should be able to do it yourself by reading up on the
tools and a bit of trial and error if you are that way inclined. There
are plenty of Linux user groups, mailing lists and help sites which
offer free assistance. However, the fine details of how to do it are
probably not appropriate for the koha list.
> Thanks for your help,
> Finding fabulous fares is fun.
> Let Yahoo! FareChase search your favorite travel sites
> to find flight and hotel bargains.
> Koha mailing list
> Koha at lists.katipo.co.nz
Alex King Linuxworks
Phone: +64 3 473 1611
Mobile: +64 21 410 420
More information about the Koha