Last active
October 25, 2019 09:55
-
-
Save dakira/7485359 to your computer and use it in GitHub Desktop.
Creates a user with limited rights that has all their data removed on every login/logout/reboot utilizing aufs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # This script | |
| # - creates a user (named below) | |
| # - sets up a union (aufs) filesystem on top of the users immutable home | |
| # - creates a cleanup script (/usr/local/bin/cleanup.sh) that empties the aufs | |
| # layer on login/logout/boot | |
| # - replaces the lightdm config | |
| # - replaces rc.local to run the script | |
| # | |
| # After running the script, the aufs is not mounted, yet. So you can log in | |
| # as the userm and set everything up as you like. Only after a reboot the aufs | |
| # is mounted and the user home becomes immutable. | |
| # | |
| # If you ever need to change anything, log in as a different (admin) user | |
| # and umount the aufs before you log in again as the kiosk user. | |
| # the username to protect | |
| USERNAME="kiosk" | |
| # disable hardlink restrictions | |
| echo "kernel.yama.protected_nonaccess_hardlinks=0" | sudo tee /etc/sysctl.d/60-hardlink-restrictions-disabled.conf | |
| # install whois which is needed for mkpasswd | |
| sudo apt-get -y install whois | |
| # set up the user | |
| sudo adduser --gecos ',,,' --disabled-password $USERNAME # create blank user | |
| sudo usermod -a -G adm,dip,cdrom,plugdev $USERNAME # adds user to default groups | |
| sudo usermod -p $(mkpasswd '') $USERNAME # sets empty password | |
| sudo passwd -n 100000 $USERNAME # prevents user from changing password | |
| # create directory to store aufs data in | |
| sudo install -d -o $USERNAME -g $USERNAME /home/.${USERNAME}_rw | |
| # set up the mount | |
| echo "none /home/${USERNAME} aufs br:/home/.${USERNAME}_rw:/home/${USERNAME} 0 0" | sudo tee -a /etc/fstab | |
| # create lightdm settings to run our cleanup script, disable guests and enable manual | |
| # login (for uids < 1000). just change the admins uid to 999 to make him disappear in lightdm. | |
| #sudo tee /usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf > /dev/null <<-EOFA | |
| # [SeatDefaults] | |
| # greeter-session=unity-greeter | |
| # allow-guest=false | |
| # greeter-show-manual-login=true | |
| # greeter-setup-script=/usr/local/bin/cleanup.sh login | |
| # session-cleanup-script=/usr/local/bin/cleanup.sh logout | |
| #EOFA | |
| sudo tee /usr/local/bin/delwarning > /dev/null <<-EOFA | |
| #!/bin/sh | |
| sleep 5 | |
| notify-send "ACHTUNG" "Nach einem Neustart werden alle Daten auf diesem Rechner gelöscht. Speichert eure Daten auf USB-Sticks!" -i 30 | |
| notify-send "CAREFUL" "All data on this machine will be deleted on reboot. Save your data on your own USB sticks." -i 30 | |
| EOFA | |
| # change rc.local to run cleanup script | |
| sudo tee /etc/rc.local > /dev/null <<-EOFB | |
| #!/bin/sh -e | |
| /usr/local/bin/cleanup.sh | |
| exit 0 | |
| EOFB | |
| # cleanup script to clear aufs filesystem | |
| sudo tee /usr/local/bin/cleanup.sh > /dev/null <<-'EOFC' | |
| #!/bin/sh | |
| # only run when aufs is mounted | |
| test -n "`mount -l -t aufs`" || exit 0; | |
| #securely delete | |
| cd /home/.kiosk_rw && find . -maxdepth 1 -mindepth 1 ! -name '.wh*..*' -print0 | xargs -0 rm -rf | |
| exit 0 | |
| EOFC | |
| # set correct username in cleanup.sh | |
| sudo sed -i "s/kiosk/$USERNAME/g" /usr/local/bin/cleanup.sh | |
| sudo chmod 754 /usr/local/bin/cleanup.sh | |
| sudo chmod +x /etc/rc.local | |
| sudo chmod +x /usr/local/bin/delwarning | |
| # disable printer discovery | |
| sudo systemctl stop avahi-daemon.service | |
| sudo systemctl stop avahi-daemon.service | |
| sudo systemctl disable avahi-daemon.socket | |
| sudo systemctl disable avahi-daemon.socket | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment