In the fall of 1999, a client appreached me regarding creating a secure browsing enviornment for the general public. In short, the client was running a public access lab with Web terminals and was having a great deal of difficulty with abuse and customization of the terminals. The client was also experiencing difficulty with policing the users with regards to fairly sharing the terminals amongst themselves.

The client also expressed concern that their terminals were underpowered 486-class machines.

I suggested at the time that the solution was fairly simple. I envisioned a lab with X-terminals constructed using XFree86, all running browsers executing on a central (high-powered) server purchased specifically for the task.

Each "session" could be started by an administrator wia a web browser. The session would automatically time out after a certain period of time, with the option to extend the session for additional time, or to kill the session immediately.

The project turned out very well, but managed to take a lot longer that I had originally anticipated. Following is a condensed account of how I got it all to work, and the reasoning behind it.

Application Server

I used FreeBSD 3.4 for the application server. The hardware consists of a PIII-500 with 256MB RAM and a 9GB hard drive. For the software I chose the browser-only version of Communicator 4.7, although almost any browser would work.

I wanted all the Netscape processes to run as the same default, unprivleged user, which I named "anybody" (as opposed to "nobody"). Fortunately, setting the enviornment variable HOME to a given directory causes the .netscape directory (containing all the specific preferences and lock files) to be created in that directory.
 

So, now by setting the Env Var "HOME" to be (for example) "/usr/guesthome/10.0.0.1:0" before I launch Netscape, I can create a private workspace for each terminal.

I needed a way to "lock down" all of Netscape preferences. I accomplished this by creating a custom "netscape.cfg" file (found here) using netscape CCK (Client Customization Kit). Netscape.cfg points netscape to pull the rest of its configuration from http://localhost/lib.jsc (see a copy)
 

Now we have a "locked down" netscape with a cleaned-up interface. Becuase netscape will run as an unprivledged user, users can't save anywhere on the local hard drive. If all processes run as the same user, they could possibly interfere with each other if the user has malicious intent. This possibility is worth addressing in a furure revision, though I hope that Mozilla 5 will allow all local file saves to be disabled.

Firstly, I needed a way to track the different Netscape processes that all the terminals would be launching. Since all the processes would be running under the same userid I needed a way to map terminal numbers (X display names) to the pids of the Netscape processes. Also, because Netscape has been known to drop core from time to time, I wanted netscape to relaunch itself automatically. A wrapper was needed.

The Wrapper
The wrapper is written in C, and performs the following functions:

• sets userid to the unprivileged user
• forks and launches netscape with supplied parameters
• writes a pid file named "remotehost:0.pid"
• sets an alarm for itself for 5 minutes before the final timeout
• waits for the netscape process to either exit or crash, and relaunch if crashed (alarm stays the same)
• if the alarm signal is received, then launch either the warning window (via netscape-remote) or terminate the application
• If terminate is the appropriate action above, then delete the pid file and exit the wrapper
• If the signal is HUP, then extend the session for the amount of time specified in the file remotehost:0.extend This deletes the ".extend" file.
• The wrapper is (ugh) setuid root so it can switch setuid down to the unpriv. user
• Potential security hole: because the CGI manager software's parameters are passed to the setuid root wrapper, there is potential that a malicious user could use a stack-overflow to execute arbitrary code as root on the server. All command line parameters to "session" and "wrapper" are carefully scrutinized, but the possibility exists, even though it is extremely remote.
• Wrapper command line help can be found here

• Displays terminal status based upon a scan of which .pid files are present
• Can launch a Netscape process via "wrapper"
• Can request a kill or extend of a given session using the signal application "session"
• Upon a launch request, creates a file called "remotehost:0.time file that the system uses to determine time remaining in the session.
• Displays a neat javascript countdown thingy.
• Displays server CPU load

Availablility
This entire package is only available when a lab service contract is purchased. Plase email SSI to find out more information.
 

Contents of lib.jsc

with (PrefConfig) { lockPref("browser.chrome.toolbar_style", 2); lockPref("browser.related.enabled", false); lockPref("browser.relatedLinksEnabled", false); lockPref("browser.download_directory", "/tmp/download"); lockPref("custtoolbar.Browser.Personal_Toolbar.showing", false); lockPref("browser.chrome.show_menubar", false); lockPref("browser.startup.agreed_to_licence", true); lockPref("browser.chrome.show_menubar", false); lockPref("browser.chrome.disableMyShopping",false); lockPref("general.startup.browser", true); lockPref("general.always_load_images", true); lockPref("network.proxy.autoconfig_url", ""); lockPref("network.proxy.type", 3); lockPref("network.cookie.cookieBehavior", 0); lockPref("network.cookie.warnAboutCookies", false); lockPref("browser.enable_style_sheets", true); lockPref("browser.startup.page", 1); lockPref("browser.startup.homepage", "http://www.nwtpls.gov.nt.ca"); lockPref("browser.cache.disk_cache_size", 0); lockPref("browser.cache.memory_cache_size", 2048); lockPref("browser.cache.check_doc_frequency", 0); lockPref("browser.foreground_color", "#000000"); lockPref("browser.background_color", "#C0C0C0"); lockPref("browser.anchor_color", "#0000EE"); lockPref("browser.visited_color", "#551A8B"); lockPref("browser.chrome.button_style", 0); lockPref("browser.link_expiration", 9); lockPref("browser.underline_anchors", true); lockPref("browser.use_document_colors", true); lockPref("browser.use_document_fonts", 2); defaultPref("browser.mac.use_internet_config", false); lockPref("javascript.enabled", true); lockPref("security.ask_for_password", 0); lockPref("security.email_as_ftp_password", false); lockPref("security.enable_java", true); lockPref("security.enable_ssl2", true); lockPref("security.enable_ssl3", true); lockPref("security.password_lifetime", 30); lockPref("security.warn_entering_secure", true); lockPref("security.warn_leaving_secure", false); lockPref("security.warn_submit_insecure", false); lockPref("security.warn_viewing_mixed", false); defaultPref("news.default_fcc", "Sent"); lockPref("news.keep.method", 0); lockPref("news.keep.days", 30); lockPref("news.keep.count", 30); lockPref("news.keep.only_unread", false); lockPref("news.remove_bodies.by_age", false); lockPref("news.remove_bodies.days", 20); defaultPref("mail.default_fcc", "Sent"); lockPref("mail.fixed_width_messages", true); lockPref("mail.quoted_style", 2); lockPref("mail.quoted_size", 0); lockPref("mail.citation_color", "#000000"); lockPref("mail.limit_message_size", false); lockPref("mail.max_size", 50); lockPref("mail.purge_threshhold", 100); lockPref("mail.prompt_purge_threshhold", false); lockPref("mailnews.reuse_thread_window", true); lockPref("mailnews.reuse_message_window", true); lockPref("intl.accept_languages", "en"); lockPref("offline.startup_mode", 0); lockPref("autoupdate.enabled", true); lockPref("netcaster.containers.channel.permissions", "24576"); lockPref("netcaster.admin.startTime", "9"); lockPref("netcaster.admin.endTime", "17"); lockPref("netcaster.admin.times", "0"); config("autoadmin.global_config_url", ""); config("toolbar.places.item_0.prompt", ""); config("toolbar.places.item_1.prompt", ""); config("toolbar.places.item_2.prompt", ""); config("toolbar.places.item_3.prompt", ""); config("toolbar.places.item_4.prompt", ""); config("menu.places.item_0.prompt", ""); config("menu.places.item_1.prompt", ""); config("menu.places.item_2.prompt", ""); config("menu.places.item_3.prompt", ""); config("menu.places.item_4.prompt", ""); config("menu.places.item_5.label", ""); config("menu.places.item_5.prompt", ""); config("menu.places.item_5.url", ""); config("menu.help.item_1.prompt", ""); config("menu.help.item_2.prompt", ""); config("menu.help.item_3.prompt", ""); config("menu.help.item_4.prompt", ""); config("menu.help.item_5.prompt", ""); config("menu.help.item_6.prompt", ""); config("menu.help.item_7.prompt", ""); config("menu.help.item_8.prompt", ""); config("menu.help.item_9.prompt", ""); config("menu.help.item_10.prompt", ""); config("menu.help.item_11.prompt", ""); config("menu.help.item_12.prompt", ""); config("menu.help.item_13.prompt", ""); config("menu.help.item_14.label", ""); config("menu.help.item_14.prompt", ""); config("menu.help.item_14.url", ""); config("user_agent", "NECCK"); }

Wrapper help

wrapper: Wraps netscape to provide a semi-secure enviornment. (c) 2000 SSI Micro. Netscape control portions Copyright © 1996 Netscape Communications Corporation Usage: wrapper -d displayname -a [arg1 arg2 arg3 ...] -d displayname -w time to warning message (in minutes) -k time to kill process (in minutes) -A args to pass to the netscape process

Session help

session: Sends signals to netscape wrapper (c) 2000 SSI Micro. Usage: session -d displayname -k -e [time] -d displayname -k kill wrapper immediately -e reset and extend session for [time] minutes