[Koha] running Koha on a dedicated computer?

Alex King alex at king.net.nz
Sun Feb 18 15:22:11 NZDT 2007


This should be quite doable and I will attempt to guide you on how it 
could be done.  However, I will make a few assumptions since your exact 
situation is not entirely clear to me.

H Lee wrote:
> Hi,
>  
> We've got a question that I hope can be answered here. We're currently
> running Koha on a Debian Linux PC. This PC is dedicated for patron use
> in the Library and is usually unattended most of the time.
You know of course that Koha is a client/server system, with the client 
being simply a web browser and the server usually running on a different 
machine.  It is not clear to me whether the dedicated machine you are 
talking about is simply a terminal running a web browser and koha is 
actually running on a separate server, or whether it is a standalone 
machine running both the koha server and a web browser client.
>  
> The problem we're having is that kids are constantly using this
> machine for playing games and web surfing. I'd like to lock down this
> PC so that it is used only for Koha.
OK, let's take playing games first.  This actually needs to be split into 
two categories.  The first is games that come as part of the system 
(i.e., part of Debian.)  Luckily, Debian is very flexible in this 
regard; it is designed to be very modular so that only the things you 
use need to be on the machine.  Assuming that no-one else needs to use 
the games, they can simply be removed using the system package tool 
(e.g. apt).

The other part of the games problem is games accessed through the web 
browser.  This comes down to your second stated need; restricting the 
web sites that the browser can access to just the Koha system.
> I've tried firewall rules to prevent general web browsing but
> apparently this can be defeated (how they do it I don't know). I've
> tried deleting the games links in the Linux desktop start menu but
> there is always the Terminal window that can be opened up to run
> programs.
>  
The games links & terminal trick won't work once you remove the games as 
above.  You are wrong about firewall rules to restrict browsing though; 
in practice firewall rules should _not_ be able to be defeated by the 
users (there are a couple of provisos though.)

Firewall rules (using iptables) are installed as root (the machine 
administrative user) and can only be changed or circumvented by the root 
user.  So the firewall will be safe as long as users don't have 
access to the root account on the computer.  To ensure the root user 
account is not compromised, you need to be sure the root password isn't 
known to any of the kids (so perhaps change it if you suspect it might be.)

You also need to take steps to prevent the root account from being 
compromised in the future.  It's actually quite difficult to prevent a 
knowledgeable attacker from compromising the root account if the 
computer is unattended and they have uninterrupted access to it for any 
length of time.  However, there are steps you can take to make it more 
difficult, and if you take these steps it will prevent the vast majority 
of users from being able to compromise it.

Some steps you might take to make your computer more secure include 
password protecting the boot loader (grub), password protecting the 
bios, removing removable drives (floppies, CD/DVD drives), removing, 
disconnecting or disabling USB ports.  You might consider modifying the 
boot loader configuration so that a password needs to be entered each 
time the machine boots; thus a staff member needs to be notified each 
time the computer is restarted and can supervise the process.

The thinking behind the above is that two of the more common methods of 
gaining root access are an ability to restart the computer and then 
modify or influence its start-up process, especially if you can get 
your own media into drives on the machine, and loading certain exploit 
programs (again using media the user can insert, or loading from the 
internet.)
> How can I set up this dedicated PC so that it can ONLY run Koha? This
> would mean disabling all options to execute everything other than Koha
> (via the web browser) and the option to log off/shut down/restart.
>  
Well, there are two ways to do that.  You can either have some kind of 
mandatory user profile loaded to prevent users running programs they 
shouldn't, or you can just remove the programs altogether.  Removing the 
programs altogether is the quickest and most secure way to do it, but 
obviously not every program can be removed using this method.  You may 
need to use a user profile as well.

Why do you want users to have the option of shut-down/restart as well?  
If there isn't really a need to let users do this, I would recommend 
against it.  If it is needed, it can be left, but makes the system 
slightly less secure.
> Ideally, what I would like is to have a default user profile in Linux
> that, when logged in, would only allow Koha to run and nothing else. I
> could envision this as no icons on the Desktop or Panels and nothing in
> the Start menu except the Log Out or Shutdown choices. Koha would
> automatically start up on the web browser when this login profile is
> started. If I can get a user profile to do this, then I can have
> another user profile for Library staff to use that has a "normal" Linux
> desktop.
>  
This should be quite doable under any of the major Desktops/ Window 
managers.  Does the computer run GNOME, or KDE, or something else?  If 
so what?  This would be the most time consuming aspect of securing the 
system, and it may be unnecessary if you do the other stuff I suggest.
> Has anyone done this sort of thing in Linux? I'm willing to move to
> another distro if it is available elsewhere.
>  
I do this type of thing with Linux on a regular basis, as do many 
others.  I've found Debian to be one of the most flexible distributions 
and therefore best suited to this type of task.
> I've also heard from a few years back that Linux firewalls (I am using
> GuardDog) cannot have user-specific profiles as Linux only supported a
> single firewall profile for all users. Has this situation changed in
> more recent releases of Linux?
>  
I'm not familiar with GuardDog.  I normally use the "under the bonnet" 
type tool called iptables.  You are correct that firewall rules in linux 
are not user-specific, i.e., they can only restrict the whole machine, and 
cannot place per user restrictions.

However, the firewalling you need to do doesn't need to be user 
specific.  You can simply lock the whole machine down to accessing koha 
only.  When I talk about firewalling, I am talking about restricting 
internet (network) traffic flowing into and out of the machine.  I am 
not talking about any other kind of restrictions on what a user or 
program can do.  Those other restrictions are handled by the other 
methods I have referred to above, and I don't refer to them as firewalling.

This is where the distinction of whether you have a standalone machine 
with both client and server on the same machine becomes important.  If 
this is the case, the simplest firewall technique is to disconnect the 
internet from your machine.  You might remove the network card (if it 
has one) when removing the CDROM etc.  Otherwise, just make sure there 
is no network or dsl or whatever cable plugged into the machine in 
normal operation.  If it is on a wireless network, it should be possible 
to disable the network in such a way that only root can re-enable it.

Your computer may need a little tuning to work properly without a 
network.  If it is taking a long time to boot or doesn't function 
correctly when not connected to the network, it may need some minor 
adjustments.  However, it's perfectly possible to run Debian systems 
without a network connection; they are designed to be able to do this.

If you _are_ running the machine as an unattended standalone machine 
with the Koha database right on it, and if the users have unfettered 
access and especially if they are gaining root access, note that your 
whole Koha system is at risk.  A malicious user could destroy the whole 
database.  Most users of course aren't malicious and they probably just 
want to play games.  Still, you would want to check your backups if the 
data is important to you.

If it is not a standalone machine and koha is really running somewhere 
else on the network, you will need to keep the network connection and 
firewall the machine.  You can probably get what you need with a very 
simple firewall setup.  You need to give the machine access to the 
remote host running the Koha server, and possibly also to its DNS and 
DHCP servers.  Other than that, you can block all network access.

The work required to do all this (excluding the user profile/locked down 
user desktop) should take an experienced Linux/Debian admin less than an 
hour.  In fact, once they have access to the machine and you've told 
them the passwords and requirements etc, they should have most of it 
done in around 15 minutes, and just be needing to tidy up, test and 
document.  There's a list of Debian consultants linked off the Debian 
website.

Alternatively, you should be able to do it yourself by reading up on the 
tools and a bit of trial and error if you are that way inclined.  There 
are plenty of Linux user groups, mailing lists and help sites which 
offer free assistance.  However, the fine details of how to do it are 
probably not appropriate for the koha list.
> Thanks for your help,
> Lee

-- 
Alex King    Linuxworks
Phone:   +64 3 473 1611
Mobile:  +64 21 410 420
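
The networked-kiosk firewall described in the reply above (access to the Koha server, DNS and DHCP, everything else blocked), as an added example that is not part of the original post. The addresses (documentation range), the web ports 80/443 and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a Koha-only kiosk.
# Sample addresses are constructed (RFC 5737 documentation range).

# Return 0 if $1 is a dotted-quad IPv4 address with each octet 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset: default-deny on every chain, then allow only
# loopback, replies, Koha web traffic, DNS and DHCP.
# $1 = Koha server IP, $2 = DNS server IP (assumed inputs).
kiosk_rules() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || { echo "bad address" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp -d $2 --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $2 --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d $1 -m multiport --dports 80,443 -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: print the ruleset for the given or sample addresses.
kiosk_rules "${1:-192.0.2.10}" "${2:-192.0.2.53}"
```

The output is meant to be reviewed and then loaded as root with `iptables-restore`. These rules cover IPv4 only; if the machine has IPv6 enabled, it needs its own default-deny policy via `ip6tables`.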


