Porteus Kiosk edition and USB redirection

Post bug reports related to either the kiosk ISO or the kiosk wizard here.
Post Reply
rbrunetti
White ninja
White ninja
Posts: 4
Joined: 13 Jun 2013, 10:40
Distribution: 2.0.4
Location: Torino

Porteus Kiosk edition and USB redirection

Post#1 by rbrunetti » 14 Jun 2013, 14:12

Dear porteus users.
I'm trying to use the Porteus kiosk edition (v 2.0.4 32bit) to provide a remote desktop service using the spice protocol.
Basically a user should connect to the remote virtual machine running on top of KVM/Ovirt and open a remote-viewer session using the firefox spice-xpi plugin.
This works pretty well if I use the Porteus standard edition. The remote-viewer session starts and I can display the remote desktop. Also the usb redirection works: if I plug a USB pendrive on the Porteus client, a popup asks if I want to redirect it to the remote machine and if I say yes the drive is mounted on it.
This usb redirection fails on the kiosk edition.
As far as I know the spice-gtk package includes a suid helper script that uses PolKit to ask if a user is authorized to use the device and in such a case it modifies the ACL to allow such an operation (see http://lists.freedesktop.org/archives/s ... 07198.html).
It seems to me that this polkit operation fails on the kiosk edition, but I can't understand why since I included the in the kiosk edition the same modules (not all indeed) as the standard edition.
Probably I'm missing some other module or there is some special configuration of the kiosk edition that prevents this operation to a lower level.
Do you have some suggestions or do someone tried to do the same (or a similar) task?
I need to use the kiosk edition because the sistem is supposed to be used in this and ONLY in this way, so this is the perfect configuration.
For the sake of completeness this is the list of additional modules that I included in the kiosk so far:

acl-2.2.51-i486-1.xzm p11-kit-0.12-i486-1.xzm
attr-2.4.46-i486-1.xzm polkit-0.105-i486-3.xzm
celt051-0.5.1.3-i486-1_SBo.xzm polkit-qt-1-0.103.0-i486-1.xzm
cyrus-sasl-2.1.23-i486-4.xzm pygobject-2.28.6-i486-2.xzm
gamin-0.1.10-i486-5.xzm pygtk-2.24.0-i486-1.xzm
glib2-2.32.4-i486-1.xzm python-2.7.3-i486-2.xzm
gmp-5.0.5-i486-1.xzm spice-0.12.0-i486-1_SBo.xzm
gnutls-3.0.23-i486-1.xzm spice-gtk-0.19-i486-2_SBo-italiano.xzm
gst-plugins-base-0.10.36-i486-2.xzm spice-protocol-0.12.2-noarch-1_SBo.xzm
gstreamer-0.10.36-i486-1.xzm spice-xpi-2.8-2.fc17.i686.xzm
gtk-vnc-0.5.1-i486-2_SBo.xzm udev-182-i486-5.xzm
libatasmart-0.19-i486-1.xzm udisks-1.0.4-i486-1.xzm
libusb-1.0.9-i486-1.xzm usbredir-0.6-i486-1_SBo.xzm
libusb-compat-0.1.4-i486-1.xzm vala-0.20.0-i486-1_SBo.xzm
nettle-2.5-i486-1.xzm vim-gvim-7.3.645-i486-1.xzm
openssl-solibs-1.0.1c-i486-3.xzm virt-viewer-0.5.5-i486-1_SBo.xzm

Best Regards
Riccardo

User avatar
fanthom
Site Admin
Site Admin
Posts: 4588
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE
Contact:

Re: Porteus Kiosk edition and USB redirection

Post#2 by fanthom » 14 Jun 2013, 16:44

hello Ricardo,
This usb redirection fails on the kiosk edition.
security is the top priority in kiosk so usb hotplugging in disabled (this way users can't smuggle any files/binaries to the Kiosk)
It seems to me that this polkit operation fails on the kiosk edition, but I can't understand why since I included the in the kiosk edition the same modules (not all indeed) as the standard edition.
something must be missing. kiosk edition weights 38MB while standard around 200MB. kiosk contains only necessary libs/utils for existing functionality and nothing more.

i would give up with Porteus Kiosk as it seems to be is too much restricted for your task.
Please add [Solved] to your thread title if the solution was found.

rbrunetti
White ninja
White ninja
Posts: 4
Joined: 13 Jun 2013, 10:40
Distribution: 2.0.4
Location: Torino

Re: Porteus Kiosk edition and USB redirection

Post#3 by rbrunetti » 18 Jun 2013, 07:44

Hi fanthom.
Thank you very much for your prompt reply.
I perfectly understand your point, and I agree with you. Actually the reason why I would like to use the kiosk edition is that I need a very small system, without any other feature than a browser, so I have two choices: to start from the standard edition and remove everything but the browser and what I need to make the spice machinery to work, or start from the kiosk edition (which is already very small and has good security features) and just add what I need to include the spice stuff.
I preferred to go for the second approach but I'm stucked with the USB devide access.
Could you give me some hint on how to enable the USB access?

Thanks a lot.
Best Regards
Riccardo

User avatar
fanthom
Site Admin
Site Admin
Posts: 4588
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE
Contact:

Re: Porteus Kiosk edition and USB redirection

Post#4 by fanthom » 18 Jun 2013, 20:42

this sounds like a fork of the kiosk edition and i wont have a time to support it - sorry about that.
i'm not familiar with oVirt (Fedora product?) and spice protocol so it's hard for me to give precise answers.

my short hints would be:
a) use kernel from 32bit standard edition (/boot/syslinux/vmlinuz and /porteus/base/000-kernel.xzm) and check if that helps.
b) if not then add udisks (in version 1 or 2) + pcmanfm (hotplugging helper). pcmanfm must hold the whole session and you can start it as 'pcmanfm --desktop &' in 003-settings.xzm/etc/xdg/openbox/autostart
c) tweak 003-settings.xzm/etc/xdg/openbox/autostart to launch firefox as root instead of guest so polkit and friends wont be required

personally it think it would be much easier to tweak our standard LXDE edition for this task.
Please add [Solved] to your thread title if the solution was found.

rbrunetti
White ninja
White ninja
Posts: 4
Joined: 13 Jun 2013, 10:40
Distribution: 2.0.4
Location: Torino

Re: Porteus Kiosk edition and USB redirection

Post#5 by rbrunetti » 19 Jun 2013, 07:10

Hi fanthom.
this sounds like a fork of the kiosk edition and i wont have a time to support it - sorry about that
No worries, I understand. What I'm trying to do is something that escapes the kiosk goals, so I would never ask you to support it, it was jus a request for suggestions.
I will try to follow your hints.
I'll let you posted if I will manage to accomplish this task.

Thanks again.
Riccardo

kir4
White ninja
White ninja
Posts: 6
Joined: 21 Jun 2013, 02:37
Distribution: msdos
Location: EmeraldCity

Re: Porteus Kiosk edition and USB redirection

Post#6 by kir4 » 21 Jun 2013, 02:42

Hello rbrunetti,
Did you win USB?
I need this feature for kiosk edition too.

kir4
White ninja
White ninja
Posts: 6
Joined: 21 Jun 2013, 02:37
Distribution: msdos
Location: EmeraldCity

Re: Porteus Kiosk edition and USB redirection

Post#7 by kir4 » 22 Jun 2013, 07:32

Hello,
I have some upds regarding USB.
I need this feature to allow users to send some files via email or post messages with attached files, just read only mode.
By recommendation of fanthom I used kernel from 32bit standard edition, just replaced vmlinuz file and put 000-kernel.xzm in porteus/base/ folder.
Then created folder "media" (mkdir rootcopy/media, chmod 755 rootcopy/media)
and added file 70-mount-usb-storage.rules to rootcopy/etc/udev/rules.d/ folder.

Contents of my 70-mount-usb-storage.rules
cat rootcopy/etc/udev/rules.d/70-mount-usb-storage.rules

# Add
ACTION=="add", KERNEL=="sd[a-z][0-9]", ENV{ID_USB_DRIVER}=="usb-storage", RUN+="/bin/mkdir -p /media/$env{ID_FS_LABEL_ENC}"
ACTION=="add", KERNEL=="sd[a-z][0-9]", ENV{ID_USB_DRIVER}=="usb-storage", ENV{ID_FS_TYPE}=="vfat", RUN+="/bin/mount -t vfat -o ro /dev/%k /media/$env{ID_FS_LABEL_ENC}"

# Remove
ACTION=="remove", KERNEL=="sd[a-z][0-9]", ENV{ID_USB_DRIVER}=="usb-storage", RUN+="/bin/umount /media/$env{ID_FS_LABEL_ENC}"
ACTION=="remove", KERNEL=="sd[a-z][0-9]", ENV{ID_USB_DRIVER}=="usb-storage", RUN+="/bin/rmdir /media/$env{ID_FS_LABEL_ENC}

For usb stick with ntfs we need to add the line:
ACTION=="add", KERNEL=="sd[a-z][0-9]", ENV{ID_USB_DRIVER}=="usb-storage", ENV{ID_FS_TYPE}=="ntfs", RUN+="/bin/ntfs-3g -o ro /dev/%k /media/$env{ID_FS_LABEL_ENC}"
in the Add section and add ntfs-3g module. But I didn't check it yet.
Does any one know where I can get ntfs-3g package for kios edition?

rbrunetti
White ninja
White ninja
Posts: 4
Joined: 13 Jun 2013, 10:40
Distribution: 2.0.4
Location: Torino

Re: Porteus Kiosk edition and USB redirection

Post#8 by rbrunetti » 22 Jun 2013, 09:38

Hi all.
Yes, I managed to make it working by following the fanthom's suggestion. I used the standard edition kernel and 000-kernel.xzm file.
I guess that the problem is that the kiosk kernel is not compiled with ACL support, so the spice helper script can't temporary modify the USB device ACL to allow the guest user to have access to it.
Now the USB can be redirected to the remote machine through the spice protocol.
I still have a small issue concerning the "USB auto-share", but this is probably an issue related to spice more than porteus.
If I will discover something more, I will post my findings.

In the meantime, thank you all folks for your valuable help.

Cheers
Riccardo

P.S. Concerning the ntfs-3g, what about getting it from here (http://pkgs.org/slackware-14.0/slackwar ... 2.txz.html), convert it with txz2xzm and then adding it to the porteus/module dir?

Post Reply