2

I'm planning an exhibition where I need to run an app which needs a keyboard, but no mouse. I want to lock the viewers into one fullscreen application. They should never be able to see anything except this one app. Nothing whatsoever.

So I'd set up a new user which will start the app (in fullscreen mode) as soon as the user logs in. The machine it's running on will be physically secured.

But they have access to the keyboard and could do unwanted things (even closing or switching applications is unwanted). Is there any way of preventing all keyboard-based application switching, launching, shutting down, access to tty, login prompt... - such that the only way to leave the application (or simply see anything else) is using the power off button on the (secured) hardware?

The app is intended for Ubuntu 17.10.

  • I guess you could make your application catch every key input to a doNothing function – derHugo Nov 09 '17 at 17:16
  • Use apparmor to restrict access. You may be interested in a kiosk of some sort. – Panther Nov 09 '17 at 17:52
  • As @Panther suggested, you are rather looking for running Ubuntu in kiosk (single application) mode. I haven't found anything for more recent Ubuntu, but here's a how-to doc about setting it up in 14.04. Some things got outdated obviously, but you should get the idea: https://thepcspy.com/read/converting-ubuntu-desktop-to-kiosk/ You just need to put your app in the while loop instead of Chrome. – michal Nov 09 '17 at 23:15
  • @michal - good suggestion, but the article specifically mentions (even suggests) using CTRL+ALT+F1 to leave the kiosk mode. I'm expecting tech-savvy users around, so that's a no-go. – neo post modern Nov 10 '17 at 06:44
  • @neopostmodern yes, but it will only switch to login prompt. And you need to be able to leave kiosk somehow ;) You can disable other ttys or change the key shortcut – michal Nov 10 '17 at 09:27
  • @michal - no, that's exactly my use case. I want to leave the installation unattended, possibly all day, and under no circumstances should anything ever be visible on the screen except the app. Even the login prompt will look terrible, especially if no one is around to switch back. Unfortunately this is a security + aesthetics problem. But looking back, I realize that I haven't made that clear enough in the question. – neo post modern Nov 10 '17 at 09:37
  • @neopostmodern I get that - in that case I'd set it up to run only 'kiosk mode' session and if I ever want to revert - boot from USB, mount the drive and change things back. I'm not on 17.10 yet, but I guess systemd is handling it now: https://unix.stackexchange.com/questions/56531/how-to-get-fewer-ttys-with-systemd otherwise ctrl+alt+fx is handled by xorg config. – michal Nov 10 '17 at 09:47

2 Answers

0

As per derHugo's suggestion I've found a way to map key inputs to nothing.

I couldn't figure out how to do so within the application (Python), taking into account Super and Ctrl+Alt+F1 et cetera... But this answer on how to disable the Super key with Xmodmap (here is some documentation) can be extended to every key. I've decided to disable all the keys that aren't strictly necessary for my app (which is just [a-zA-Z0-9@.] alias e-mail addresses).

So, to summarize:

  1. Create a .Xmodmap: xmodmap -pke > ~/.Xmodmap
  2. Edit ~/.Xmodmap and remove the actions of unwanted keys (e.g. change keycode 23 = Tab ISO_Left_Tab Tab ISO_Left_Tab to keycode 23 =)
  3. Optional: Test this by running xmodmap ~/.Xmodmap
  4. Log out and in again, keys should be disabled
  5. If you're on 17.10 with Gnome, they aren't yet. Manually apply with xmodmap ~/.Xmodmap and/or add this to your startup.

Careful: If you disable as many keys as I did, you're basically limited to the mouse!
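Step 2 of the answer above can be scripted as an allowlist filter. The following is an added example, not part of the original answer, and it goes slightly further than blanking whole keys by also blanking unwanted shifted symbols on keys that stay enabled. The function names, the constructed sample lines, and the extra Shift, BackSpace and Return entries are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): build an allowlist-only
# keymap from `xmodmap -pke` output instead of editing it by hand.
# Assumption: besides [a-zA-Z0-9@.], Shift, BackSpace and Return stay usable
# so capitals and "@" can be typed and the input corrected and submitted.

filter_xmodmap() {
  LC_ALL=C awk '
    function allowed(sym) {
      return sym ~ /^([A-Za-z0-9]|at|period|Shift_L|Shift_R|BackSpace|Return)$/
    }
    # Only "keycode N = ..." lines are emitted; anything else is dropped.
    $1 == "keycode" && $3 == "=" {
      last = 0
      for (i = 4; i <= NF; i++) {
        col[i] = allowed($i) ? $i : "NoSymbol"
        if (col[i] != "NoSymbol") last = i   # trim trailing NoSymbol columns
      }
      line = "keycode " $2 " ="
      for (i = 4; i <= last; i++) line = line " " col[i]
      print line
    }
  '
}

# Constructed sample in the format `xmodmap -pke` prints (not a real dump).
sample_pke() {
  cat <<'EOF'
keycode   9 = Escape NoSymbol Escape
keycode  10 = 1 exclam 1 exclam
keycode  11 = 2 at 2 at
keycode  23 = Tab ISO_Left_Tab Tab ISO_Left_Tab
keycode  24 = q Q q Q
keycode  50 = Shift_L NoSymbol Shift_L
keycode  60 = period greater period greater
keycode  67 = F1 F1 F1 F1 F1 F1 XF86Switch_VT_1
keycode 133 = Super_L NoSymbol Super_L
EOF
}

# Demo on the sample. On the kiosk account the real call would be:
#   xmodmap -pke | filter_xmodmap > ~/.Xmodmap && xmodmap ~/.Xmodmap
sample_pke | filter_xmodmap
```

xmodmap changes only the X server's keymap, so the result should be checked in the actual session (for example with `xev`) before the machine is left unattended.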

0

Is it a touchscreen? If so, you can use an onscreen keyboard that limits what characters the user can choose. I used that in a museum application. Or don't use a keyboard at all with a touchscreen and just use gxmessage. I used that also. Startup person saw login screen that had instructions as to login name to enter and had onscreen keyboard. There were actually 2 users (runtime and "application administrator") with the second having a password but with no prompt to select that. Once login was done by the volunteer who started it, the onscreen keyboard (with limited choices of letters/numbers/special characters) disappeared and all the other prompts and choices were handled by gxmessage. No shutdown allowed. Power switch (physically secured) was only shutdown.

jpezz
  • 1,120