create a kiosk user
#!/bin/sh
# This script
# - creates a user (named below)
# - sets up a union (aufs) filesystem on top of the user's immutable home
# - creates a cleanup script (/usr/local/bin/ that empties the aufs
#   layer on login/logout/boot
# - replaces the lightdm config
# - replaces rc.local to run the script
# After running the script, the aufs is not mounted yet, so you can log in
# as the user and set everything up as you like. Only after a reboot is the aufs
# mounted and the user home becomes immutable.
# If you ever need to change anything, log in as a different (admin) user
# and umount the aufs before you log in again as the kiosk user.

# the username to protect
USERNAME=kiosk   # assumed default; the assignment itself did not survive on the page

# disable hardlink restrictions
echo "kernel.yama.protected_nonaccess_hardlinks=0" | sudo tee /etc/sysctl.d/60-hardlink-restrictions-disabled.conf

# install whois, which provides mkpasswd
sudo apt-get -y install whois

# set up the user
sudo adduser --gecos ',,,' --disabled-password "$USERNAME"          # create blank user
sudo usermod -a -G adm,dialout,cdrom,plugdev,fuse "$USERNAME"        # add user to default groups
sudo usermod -p "$(mkpasswd '')" "$USERNAME"                         # set empty password
sudo passwd -n 100000 "$USERNAME"                                    # prevent the user from changing the password (minimum age 100000 days)

# create directory to store aufs data in
sudo install -d -o "$USERNAME" -g "$USERNAME" "/home/.${USERNAME}_rw"

# set up the mount (rw layer on top of the real, now read-only, home)
echo "none /home/${USERNAME} aufs br:/home/.${USERNAME}_rw:/home/${USERNAME} 0 0" | sudo tee -a /etc/fstab

# create lightdm settings to run our cleanup script, disable guests and enable manual
# login (for uids < 1000). Just change the admin's uid to 999 to make him disappear in lightdm.
# (the allow-guest / greeter-show-manual-login keys are restored from the description above)
sudo tee /etc/lightdm/lightdm.conf > /dev/null <<-EOFA
[SeatDefaults]
allow-guest=false
greeter-show-manual-login=true
greeter-setup-script=/usr/local/bin/ login
session-cleanup-script=/usr/local/bin/ logout
EOFA

# change rc.local to run the cleanup script at boot (it passes its own path, /etc/rc.local, as the argument)
sudo tee /etc/rc.local > /dev/null <<-EOFB
#!/bin/sh -e
/usr/local/bin/ \$0
exit 0
EOFB

# cleanup script to clear the aufs rw layer
sudo tee /usr/local/bin/ > /dev/null <<-'EOFC'
#!/bin/sh
# only run when an aufs is mounted; the substitution must be quoted, otherwise an
# empty result collapses to `test -n`, which is always true and the guard never exits
test -n "$(mount -l -t aufs)" || exit 0

# delete function to clear out the rw layer with exceptions; extra find arguments
# (e.g. ! -name .pulse) are passed as separate words in "$@", never as one quoted string
delete() {
	# "! -name .wh*" keeps the aufs whiteout objects, which must not be removed
	cd /home/.kiosk_rw && find . -maxdepth 1 -mindepth 1 ! -name '.wh*' "$@" -print0 | xargs -0 rm -rf
}

# case labels reconstructed from the lightdm/rc.local arguments above
case "$1" in
login)
	# greeter setup: clear the layer before the kiosk session starts
	test "$LOGNAME" = "kiosk" && delete ! -name .pulse
	;;
logout)
	# session cleanup: delete with delay so the session has fully ended
	test "$LOGNAME" = "kiosk" && (sleep 3; delete ! -name .pulse) &
	;;
*)
	# boot (called from rc.local): nobody is logged in, clear leftovers unconditionally
	delete ! -name .pulse
	;;
esac
exit 0
EOFC

# set the correct username in the cleanup script
sudo sed -i "s/kiosk/$USERNAME/g" /usr/local/bin/
sudo chmod 754 /usr/local/bin/
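The two shell-quoting mistakes in the gist's cleanup script, each beside its fixed form, as an added example that is not part of the gist. Function names are made up for this demonstration and the sample rw-layer contents are constructed; the mount output is passed in as a string so it runs offline.

```shell
#!/bin/sh
# Pitfall 1: an unquoted empty command substitution vanishes, so
#   test -n `mount -l -t aufs`
# becomes the one-argument `test -n`, which is TRUE ("-n" is a non-empty
# string). The "exit unless aufs is mounted" guard therefore never exits.
# $1 stands in for the output of `mount -l -t aufs`.
aufs_guard_buggy() { test -n $(printf '%s' "$1"); }
aufs_guard_fixed() { test -n "$(printf '%s' "$1")"; }

# Pitfall 2: quotes inside a variable are literal after expansion, so
#   no_aufs="! -name '.wh*'"
# hands find the pattern '.wh*' WITH the apostrophes. Nothing matches it, so
# the aufs whiteout objects (.wh..wh.aufs, .wh.<name>) are not excluded and
# get deleted together with the user's files; the union then forgets which
# lower-layer files were removed.
populate_layer() {   # constructed sample of a top (rw) layer
    mkdir -p "$1/Downloads"
    touch "$1/.wh..wh.aufs" "$1/.wh.deleted_file" "$1/.pulse" "$1/junk.txt"
}
# Both cleanups keep .pulse; each returns success only if the whiteout survived.
cleanup_buggy() {
    no_aufs="! -name '.wh*'"
    ( cd "$1" && find . -maxdepth 1 -mindepth 1 $no_aufs ! -name .pulse -print0 | xargs -0 rm -rf )
    test -e "$1/.wh..wh.aufs"
}
cleanup_fixed() {   # exclusions given as separate words, not a quoted string
    ( cd "$1" && find . -maxdepth 1 -mindepth 1 ! -name '.wh*' ! -name .pulse -print0 | xargs -0 rm -rf )
    test -e "$1/.wh..wh.aufs"
}
```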

@cseva-ring cseva-ring commented Jul 4, 2019

which version is supported?
