create a kiosk user
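#!/bin/bash
# This script
# - creates a user (named below)
# - sets up a union (aufs) filesystem on top of the users immutable home
# - creates a cleanup script (/usr/local/bin/cleanup.sh) that empties the aufs
#   layer on login/logout/boot
# - replaces the lightdm config
# - replaces rc.local to run the script
#
# After running the script, the aufs is not mounted, yet. So you can log in
# as the user and set everything up as you like. Only after a reboot the aufs
# is mounted and the user home becomes immutable.
#
# If you ever need to change anything, log in as a different (admin) user
# and umount the aufs before you log in again as the kiosk user.
#
# Every step runs through sudo, so run this as an admin user. Abort on the
# first failed command or unset variable instead of continuing with a
# half-configured account.
set -euo pipefail

# the username to protect. It is also substituted into cleanup.sh with sed
# below, so keep it free of characters that are special to sed (/, &) and
# to the shell.
USERNAME="kiosk"

# disable hardlink restrictions
# NOTE(review): this relaxes a kernel hardening knob system-wide, presumably
# because the aufs layer needs it. On kernels without the Yama sysctl the
# comparable knob is fs.protected_hardlinks — confirm which one applies.
echo "kernel.yama.protected_nonaccess_hardlinks=0" \
  | sudo tee /etc/sysctl.d/60-hardlink-restrictions-disabled.conf

# install whois which is needed for mkpasswd
sudo apt-get -y install whois

# set up the user
# (the original spelled the option --geocos, which adduser rejects)
sudo adduser --gecos ',,,' --disabled-password "$USERNAME"   # create blank user
# default desktop groups. adm also grants read access to the system logs;
# drop it if the kiosk user must not be able to read them.
sudo usermod -a -G adm,dialout,cdrom,plugdev,fuse "$USERNAME"
# empty password: anyone at the console can log in as this user, which is
# the point of a kiosk account. Make sure the account is not reachable
# through services that accept empty passwords (e.g. ssh).
sudo usermod -p "$(mkpasswd '')" "$USERNAME"
# a minimum password age far in the future prevents the user from changing it
sudo passwd -n 100000 "$USERNAME"

# create directory to store aufs data in (the writable layer that gets wiped)
sudo install -d -o "$USERNAME" -g "$USERNAME" "/home/.${USERNAME}_rw"

# set up the mount. Only append the fstab line when it is not there yet, so
# running the script twice does not produce a duplicate entry.
fstab_line="none /home/${USERNAME} aufs br:/home/.${USERNAME}_rw:/home/${USERNAME} 0 0"
grep -qF -- "$fstab_line" /etc/fstab \
  || echo "$fstab_line" | sudo tee -a /etc/fstab

# create lightdm settings to run our cleanup script, disable guests and enable manual
# login (for uids < 1000). just change the admins uid to 999 to make him disappear in lightdm.
# Nothing in the block needs expansion, so the delimiter is quoted.
sudo tee /etc/lightdm/lightdm.conf > /dev/null <<'EOFA'
[SeatDefaults]
user-session=ubuntu
greeter-session=unity-greeter
allow-guest=false
greeter-show-manual-login=true
greeter-setup-script=/usr/local/bin/cleanup.sh login
session-cleanup-script=/usr/local/bin/cleanup.sh logout
EOFA

# change rc.local to run cleanup script. The quoted delimiter keeps $0
# literal, so the installed file passes its own path (/etc/rc.local) to
# cleanup.sh, which matches on it below.
sudo tee /etc/rc.local > /dev/null <<'EOFB'
#!/bin/sh -e
/usr/local/bin/cleanup.sh "$0"
exit 0
EOFB

# cleanup script to clear aufs filesystem. The quoted delimiter keeps every
# $... in the script literal; the real username is patched in with sed after
# the file is written.
sudo tee /usr/local/bin/cleanup.sh > /dev/null <<'EOFC'
#!/bin/sh
# Empties the writable aufs layer of the kiosk home. Called by lightdm with
# "login" / "logout" and by /etc/rc.local with its own path as $1.

# only run when aufs is mounted. The command substitution is quoted: with an
# empty, unquoted result `test -n` would see no operand and succeed, so the
# early exit would never trigger.
[ -n "$(mount -l -t aufs)" ] || exit 0

# delete everything in the rw layer except aufs whiteout objects (.wh*).
# Extra find predicates are passed as separate arguments, e.g.
#   delete ! -name .pulse
# (the original packed them into one quoted string, which also handed the
# literal quote characters of '.wh*' to find and so did not exclude the
# whiteouts at all)
delete() {
  cd /home/.kiosk_rw \
    && find . -maxdepth 1 -mindepth 1 ! -name '.wh*' "$@" -print0 \
    | xargs -0 rm -rf
}

case "$1" in
  login)
    # .pulse is kept across sessions (presumably pulseaudio state)
    [ "$LOGNAME" = "kiosk" ] && delete ! -name .pulse
    ;;
  logout)
    # delete with delay, in the background, so the session can finish
    [ "$LOGNAME" = "kiosk" ] && (sleep 3; delete ! -name .pulse) &
    ;;
  /etc/rc.local)
    # at boot nothing is in use yet: wipe the whole layer
    delete
    ;;
  *)
    ;;
esac
exit 0
EOFC

# set correct username in cleanup.sh (see the note on USERNAME above about
# characters that would break this sed expression)
sudo sed -i "s/kiosk/$USERNAME/g" /usr/local/bin/cleanup.sh
# root: rwx, group: r-x, others: read-only. lightdm and rc.local presumably
# run the script as root, so nobody else needs execute permission on it.
sudo chmod 754 /usr/local/bin/cleanup.sh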
which version is supported?