From ac1ee8963cc6ad5a45b8189801b360aa728a5cda Mon Sep 17 00:00:00 2001 
From: Agnete Moos
Date: Wed, 4 Dec 2024 11:33:41 +0100
Subject: [PATCH] Core scripts added
---
adjust_settings_access.md | 33 ++
always_logout_after_time_visual.md | 46 +++
apt_periodic_control.md | 40 ++
autostart_program.md | 29 ++
browser_set_default.md | 30 ++
browser_update_launcher.md | 22 ++
change_login_timeout.md | 33 ++
chrome_chromium_add_remove_extension.md | 74 ++++
chrome_chromium_policy_homepage.md | 41 +++
...romium_start_maximized_fullscreen_kiosk.md | 31 ++
chrome_install.md | 38 ++
chromium_autostart.md | 51 +++
chromium_install.md | 14 +
dconf_change_login_bg.md | 65 ++++
dconf_desktop_background.md | 39 ++
dconf_gnome_lock_menu_editing.md | 30 ++
dconf_run_prompt_toggle.md | 41 +++
dconf_ubuntu_dock_adjust.md | 24 ++
desktop_launcher_logout_button_icon.md | 40 ++
desktop_launcher_program_shortcut.md | 31 ++
desktop_logout_button_icon.md | 46 +++
desktop_toggle_writable.md | 35 ++
desktop_url_shortcut.md | 42 +++
disable_network_connectivity_check.md | 15 +
firefox_global_policies.md | 49 +++
get_daily_login_count.md | 34 ++
hard_shutdown_lockdown.md | 46 +++
inactivity_logout_after_time.md | 58 +++
lightdm_enable_numlock.md | 24 ++
lightdm_hide_superuser.md | 34 ++
overwrite_libreoffice_config.md | 30 ++
polkit_policy_shutdown_suspend.md | 41 +++
printer_default.md | 20 +
printer_del.md | 22 ++
printer_options_get.md | 22 ++
printer_options_set.md | 48 +++
printer_princh_add.md | 43 +++
printer_princh_install.md | 20 +
printer_toggle_network_discovery.md | 27 ++
protect_terminal.md | 29 ++
scripts/adjust_settings_access.sh | 62 ++++
scripts/always_logout_after_time_visual.sh | 157 ++++++++
scripts/apt_periodic_control.sh | 89 +++++
scripts/autostart_program.sh | 59 +++
scripts/browser_set_default.sh | 50 +++
scripts/browser_update_launcher.sh | 33 ++
scripts/change_login_timeout.sh | 15 +
.../chrome_chromium_add_remove_extension.sh | 64 ++++
scripts/chrome_chromium_policy_homepage.sh | 69 ++++
...romium_start_maximized_fullscreen_kiosk.sh | 119 ++++++
scripts/chrome_install.sh | 201 ++++++++++
scripts/chromium_autostart.sh | 345 ++++++++++++++++++
scripts/chromium_install.sh | 101 +++++
scripts/dconf_change_login_bg.sh | 45 +++
scripts/dconf_desktop_background.sh | 69 ++++
scripts/dconf_gnome_lock_menu_editing.sh | 21 ++
scripts/dconf_run_prompt_toggle.sh | 38 ++
scripts/dconf_ubuntu_dock_adjust.sh | 39 ++
.../desktop_launcher_logout_button_icon.sh | 79 ++++
scripts/desktop_launcher_program_shortcut.sh | 39 ++
scripts/desktop_logout_button_icon.sh | 80 ++++
scripts/desktop_toggle_writable.sh | 77 ++++
scripts/desktop_url_shortcut.sh | 86 +++++
scripts/disable_network_connectivity_check.sh | 9 +
scripts/firefox_global_policies.sh | 110 ++++++
scripts/get_daily_login_count.sh | 101 +++++
scripts/hard_shutdown_lockdown.sh | 123 +++++++
scripts/inactivity_logout_after_time.sh | 124 +++++++
scripts/lightdm_enable_numlock.sh | 62 ++++
scripts/lightdm_hide_superuser.sh | 40 ++
scripts/lockdown_usb.sh | 163 +++++++++
scripts/overwrite_libreoffice_config.sh | 42 +++
scripts/polkit_policy_shutdown_suspend.sh | 83 +++++
scripts/printer_default.sh | 10 +
scripts/printer_del.sh | 15 +
scripts/printer_options_get.sh | 3 +
scripts/printer_options_set.sh | 74 ++++
scripts/printer_princh_add.sh | 29 ++
scripts/printer_princh_install.sh | 43 +++
scripts/printer_toggle_network_discovery.sh | 43 +++
scripts/protect_terminal.sh | 59 +++
scripts/shutdown_at_time.sh | 83 +++++
scripts/unexpire_user.sh | 46 +++
scripts/update_all.sh | 43 +++
scripts/user_automatic_login.sh | 40 ++
scripts/vnc_and_ssh_install.sh | 35 ++
shutdown_at_time.md | 36 ++
unexpire_user.md | 18 +
update_all.md | 19 +
user_automatic_login.md | 37 ++
vnc_and_ssh_install.md | 22 ++
91 files changed, 4886 insertions(+)
create mode 100644 adjust_settings_access.md
create mode 100644 always_logout_after_time_visual.md
create mode 100644 apt_periodic_control.md
create mode 100644 autostart_program.md
create mode 100644 browser_set_default.md
create mode 100644 browser_update_launcher.md
create mode 100644 change_login_timeout.md
create mode 100644 chrome_chromium_add_remove_extension.md
create mode 100644 chrome_chromium_policy_homepage.md
create mode 100644 chrome_chromium_start_maximized_fullscreen_kiosk.md
create mode 100644 chrome_install.md
create mode 100644 chromium_autostart.md
create mode 100644 chromium_install.md
create mode 100644 dconf_change_login_bg.md
create mode 100644 dconf_desktop_background.md
create mode 100644 dconf_gnome_lock_menu_editing.md
create mode 100644 dconf_run_prompt_toggle.md
create mode 100644 dconf_ubuntu_dock_adjust.md
create mode 100644 desktop_launcher_logout_button_icon.md
create mode 100644 desktop_launcher_program_shortcut.md
create mode 100644 desktop_logout_button_icon.md
create mode 100644 desktop_toggle_writable.md
create mode 100644 desktop_url_shortcut.md
create mode 100644 disable_network_connectivity_check.md
create mode 100644 firefox_global_policies.md
create mode 100644 get_daily_login_count.md
create mode 100644 hard_shutdown_lockdown.md
create mode 100644 inactivity_logout_after_time.md
create mode 100644 lightdm_enable_numlock.md
create mode 100644 lightdm_hide_superuser.md
create mode 100644 overwrite_libreoffice_config.md
create mode 100644 polkit_policy_shutdown_suspend.md
create mode 100644 printer_default.md
create mode 100644 printer_del.md
create mode 100644 printer_options_get.md
create mode 100644 printer_options_set.md
create mode 100644 printer_princh_add.md
create mode 100644 printer_princh_install.md
create mode 100644 printer_toggle_network_discovery.md
create mode 100644 protect_terminal.md
create mode 100755 scripts/adjust_settings_access.sh
create mode 100644 scripts/always_logout_after_time_visual.sh
create mode 100755 scripts/apt_periodic_control.sh
create mode 100755 scripts/autostart_program.sh
create mode 100755 scripts/browser_set_default.sh
create mode 100755 scripts/browser_update_launcher.sh
create mode 100755 scripts/change_login_timeout.sh
create mode 100644 scripts/chrome_chromium_add_remove_extension.sh
create mode 100755 scripts/chrome_chromium_policy_homepage.sh
create mode 100755 scripts/chrome_chromium_start_maximized_fullscreen_kiosk.sh
create mode 100755 scripts/chrome_install.sh
create mode 100644 scripts/chromium_autostart.sh
create mode 100644 scripts/chromium_install.sh
create mode 100755 scripts/dconf_change_login_bg.sh
create mode 100755 scripts/dconf_desktop_background.sh
create mode 100755 scripts/dconf_gnome_lock_menu_editing.sh
create mode 100755 scripts/dconf_run_prompt_toggle.sh
create mode 100755 scripts/dconf_ubuntu_dock_adjust.sh
create mode 100755 scripts/desktop_launcher_logout_button_icon.sh
create mode 100755 scripts/desktop_launcher_program_shortcut.sh
create mode 100755 scripts/desktop_logout_button_icon.sh
create mode 100755 scripts/desktop_toggle_writable.sh
create mode 100755 scripts/desktop_url_shortcut.sh
create mode 100755 scripts/disable_network_connectivity_check.sh
create mode 100755 scripts/firefox_global_policies.sh
create mode 100755 scripts/get_daily_login_count.sh
create mode 100755 scripts/hard_shutdown_lockdown.sh
create mode 100755 scripts/inactivity_logout_after_time.sh
create mode 100644 scripts/lightdm_enable_numlock.sh
create mode 100755 scripts/lightdm_hide_superuser.sh
create mode 100755 scripts/lockdown_usb.sh
create mode 100755 scripts/overwrite_libreoffice_config.sh
create mode 100644 scripts/polkit_policy_shutdown_suspend.sh
create mode 100644 scripts/printer_default.sh
create mode 100644 scripts/printer_del.sh
create mode 100644 scripts/printer_options_get.sh
create mode 100755 scripts/printer_options_set.sh
create mode 100755 scripts/printer_princh_add.sh
create mode 100644 scripts/printer_princh_install.sh
create mode 100755 scripts/printer_toggle_network_discovery.sh
create mode 100755 scripts/protect_terminal.sh
create mode 100755 scripts/shutdown_at_time.sh
create mode 100755 scripts/unexpire_user.sh
create mode 100755 scripts/update_all.sh
create mode 100755 scripts/user_automatic_login.sh
create mode 100755 scripts/vnc_and_ssh_install.sh
create mode 100644 shutdown_at_time.md
create mode 100644 unexpire_user.md
create mode 100644 update_all.md
create mode 100644 user_automatic_login.md
create mode 100644 vnc_and_ssh_install.md
diff --git a/adjust_settings_access.md b/adjust_settings_access.md
new file mode 100644
index 0000000..5a6917f
--- /dev/null
+++ b/adjust_settings_access.md
@@ -0,0 +1,33 @@
+---
+title: "Juster adgang til Indstillinger for Borger"
+parent: "Sikkerhed"
+source: os2borgerpc-scripts/os2borgerpc/sikkerhed/adjust_settings_access.sh
+parameters:
+ - name: "Giv adgang til Indstillinger"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+SIKKERHEDSMÆSSIGE OVERVEJEJELSER:
+Dette script låser ned eller op for adgang til Indstillinger.
+
+Hvis borgere gives adgang til indstillinger, vil ændringer de foretager dog *generelt* stadig nulstilles efter logud. Det har dog vist sig, der kan være enkelte undtagelser:
+Indstillinger -> Privatliv -> Tjek af forbindelse
+...kan ændres permanent!
+
+Det mest nedlåste er, hvis borgere ikke har adgang til indstillinger, hvilket er standardindstillingen på nyere images (3.1.0 og nyere images).
+Vi FRARÅDER pga. ovenstående at Borger gives adgang til Indstillinger.
+
+BESKRIVELSE:
+
+Sæt hak: Borger har adgang til Indstillinger
+Intet hak: Borger har IKKE adgang til Indstillinger
+
+Dette script påvirker kun Borger-kontoen - superuser har altid adgang til Indstillinger, men superusers ændringer i Indstillinger påvirker ikke Borger - eller omvendt.
+
+Dette script er blevet testet og virker som udgangspunkt på Ubuntu 22.04. Hvis man klikkede "ja" til Ubuntus opgraderings-popup inden vi fjernede den, kan maskinen dog være endt i en tilstand, hvor dette script ikke har den ønskede effekt. Dette problem løses af scriptet "22.04 opgradering - Reparer tidlig opgradering".
\ No newline at end of file
diff --git a/always_logout_after_time_visual.md b/always_logout_after_time_visual.md
new file mode 100644
index 0000000..4d40ace
--- /dev/null
+++ b/always_logout_after_time_visual.md
@@ -0,0 +1,46 @@
+---
+title: "Log altid ud efter X minutter med nedtæller"
+parent: "Sikkerhed"
+source: os2borgerpc-scripts/os2borgerpc/sikkerhed/always_logout_after_time_visual.sh
+parameters:
+ - name: "Aktiver?"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "Antal MINUTTER til logud"
+ type: "int"
+ default: null
+ mandatory: true
+ - name: "Tekst der vises før tidspunktet i nedtællingen"
+ type: "string"
+ default: null
+ mandatory: false
+ - name: "Antal SEKUNDER tilbage af nedtællingen hvor bruger advares"
+ type: "int"
+ default: null
+ mandatory: false
+ - name: "Tekst i advarselsinfoboks om kommende logud"
+ type: "string"
+ default: null
+ mandatory: false
+compatibility:
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Opsætter en OS2borgerPC til altid at logge ud efter et bestemt antal minutter, med en visuel nedtæller på skærmen, til at vise, hvor længe, der er tilbage før logud.
+
+## Parametre
+
+ 1. (Påkrævet) Aktivér?: Sæt hak for at aktivere scriptet, lad stå tom for at deaktivere scriptet.
+
+ 2. (Påkrævet) Antal MINUTTER før der logges ud.
+
+ 3. (Valgfri) Tekst der vises før nuværende tidspunkt i nedtællingen.
+ Standardværdi: "Tid tilbage: "
+
+ 4. (Valgfri) Hvor mange SEKUNDER inden logud skal de advares om kommende logud.
+ Standardværdi: 60
+
+ 5. (Valgfri) Tekst der vises i beskeden om at brugeren snart logges ud.
+ Standardværdi: "Tiden er udløbet om et minut. Husk at gemme dine ting."
\ No newline at end of file
diff --git a/apt_periodic_control.md b/apt_periodic_control.md
new file mode 100644
index 0000000..e9bb0f2
--- /dev/null
+++ b/apt_periodic_control.md
@@ -0,0 +1,40 @@
+---
+title: "System - Aktiver automatiske opdateringer fra Ubuntu"
+parent: "System"
+source: os2borgerpc-scripts/common/system/apt_periodic_control.sh
+parameters:
+ - name: "Aktiver generelle opdateringer (sikkerhed/alt/falsk)"
+ type: "string"
+ default: null
+ mandatory: true
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Dette script aktiverer automatiske opdateringer fra Ubuntu.
+
+Når du slår automatiske opdateringer til skal du vælge om du både vil have sikkerhedsopdateringer og generelle opdateringer slået til, eller blot sikkerhedsopdateringer.
+
+Hvis du ønsker at det kun er sikkerhedsopdateringer der skal slåes til skal du tilføje parametren "sikkerhed". Hvis det derimod er både sikkerhedsopdateringer og generelle opdateringer skal du tilføje parametren "alt".
+
+Hvis du ønsker at slå alle automatiske opdateringer fra (anbefales generelt ikke, men det kan være relevant som test), kan du køre scriptet med parametret "falsk".
+
+Vær opmærksom på at med de nyeste os2borgerpc-images er sikkerhedsopdateringer allerede slået til.
+Magenta anbefaler at kun sikkerhedsopdateringer er slået til. Især hvis man gør brug af Google Chrome.
+
+Info om de to opdateringsmuligheder:
+
+Sikkerhedsopdateringer:
+De vigtigste opdateringer, som retter sårbarheder i systemet og dets programmer.
+
+Generelle opdateringer:
+Retter fejl og tilføjer nogle gange ny funktionalitet i tilføjelsesprogrammerne.
+
+Info omkring Ubuntus håndtering af automatiske opdateringer:
+- Disse opdateringer hentes og installeres usynligt i baggrunden, uanset om maskinen er i brug eller ej.
+- Maskinen vil tjekke efter opdateringer to gange dagligt, på tilfældige tidspunkter.
+Hvis den missede en opdatering dagen før, fordi den var lukket ned på et af dens planlagte opdateringstidspunkter, vil den tjekke kort efter opstart.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
\ No newline at end of file
diff --git a/autostart_program.md b/autostart_program.md
new file mode 100644
index 0000000..661d545
--- /dev/null
+++ b/autostart_program.md
@@ -0,0 +1,29 @@
+---
+title: "Autostart program"
+parent: "System"
+source: os2borgerpc-scripts/os2borgerpc/os2borgerpc/autostart_program.sh
+parameters:
+ - name: "Programmets navn"
+ type: "string"
+ default: null
+ mandatory: true
+ - name: "Slå autostart til"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Starter et givent program hver gang en borger logger på.
+For at få en liste over mulige programmer på en maskine kan man køre scriptet "Desktop - Vis programliste" med parametren sat til "mulige"
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1. Navnet på det program der skal starte. Navnet ser forskel på store og små bogstaver (da nogle programmer har store bogstaver i deres navn). Kan udfyldes med eller uden filforlængelsen, f. eks. "firefox" eller "firefox.desktop". For at autostarte Chrome skrives "google-chrome".
+
+2. Et afkrydsningsfelt der, hvis der er sat hak i det, tilføjer et program til autostart. Hvis afkrydsningsfeltet er tomt, slettes programmet fra autostart igen.
+
diff --git a/browser_set_default.md b/browser_set_default.md
new file mode 100644
index 0000000..d958582
--- /dev/null
+++ b/browser_set_default.md
@@ -0,0 +1,30 @@
+---
+title: "Sæt standard-browser"
+parent: "Browser"
+source: os2borgerpc-scripts/os2borgerpc/browser/browser_set_default.sh
+summary: "Skifter standard-browseren ml. eksempelvis Firefox og Chrome."
+parameters:
+ - name: "Ønsket standardbrowser (firefox, google-chrome, microsoft-edge)"
+ type: "string"
+ default: null
+ mandatory: true
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Installerer du andre browsere, virker scriptet også med disse.
+
+Ved en frisk installation af BorgerPC er firefox allerede standardbrowser.
+Hvis maskinen i stedet skal bruge Chrome eller Edge som standardbrowser, forudsætter det at disse browsere først er installeret, via de pågældende scripts.
+
+Det kan være nødvendigt med logud, før det tager effekt.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1: 'firefox' skifter standardbrowseren til firefox, 'google-chrome' skifter den til Chrome og 'microsoft-edge' sætter den til Edge.
+
+
+
diff --git a/browser_update_launcher.md b/browser_update_launcher.md
new file mode 100644
index 0000000..521126d
--- /dev/null
+++ b/browser_update_launcher.md
@@ -0,0 +1,22 @@
+---
+title: "Udskift browser-genvejen i venstremenuen med en valgfri browser"
+parent: "Browser"
+source: os2borgerpc-scripts/os2borgerpc/browser/browser_update_launcher.sh
+summary: "Udskifter browser-knappen i venstremenuen (der som standard er Firefox) med en valgfri browser."
+parameters:
+ - name: "Udskift browseren i venstremenuen med følgende browser (se muligheder i beskrivelse)"
+ type: "text_field"
+ default: "firefox,google-chrome,microsoft-edge"
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Valgmulighederne er:
+- firefox
+- google-chrome
+- microsoft-edge
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
\ No newline at end of file
diff --git a/change_login_timeout.md b/change_login_timeout.md
new file mode 100644
index 0000000..6fca682
--- /dev/null
+++ b/change_login_timeout.md
@@ -0,0 +1,33 @@
+---
+title: "Ændr login-timeout"
+parent: "Login"
+source: os2borgerpc-scripts/os2borgerpc/login/change_login_timeout.sh
+parameters:
+ - name: "Antal sekunder"
+ type: "int"
+ default: null
+ mandatory: true
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Scriptet ændrer logintimeout til et valgfrit antal sekunder, givet som første parameter.
+Standardindstillingen er pt. 10 sekunder.
+
+Hvis du ønsker nærmest øjeblikkelig login, kan den sættes til 2 sekunder. Tests har vist at den ikke kan nå at indlæse loginsiden hvis den sættes til 0, som kan betyde, at den slet ikke får logget ind, og forbliver på loginskærmen.
+
+Scriptet tager oftest først effekt efter genstart.
+
+Dette script antager, at automatisk login er slået til. Det er det som standard, men hvis det inden er blevet slået fra via scriptet "OS2borgerPC - Automatisk borgerlogin til/fra", vil dette script ikke have nogen effekt.
+
+Hvis du ønsker at deaktivere automatisk login helt, kan det i stedet gøres med førnævnte script.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1: Antallet af sekunder der går, før der automatisk logges ind.
+
+
+
diff --git a/chrome_chromium_add_remove_extension.md b/chrome_chromium_add_remove_extension.md
new file mode 100644
index 0000000..2e4f1ce
--- /dev/null
+++ b/chrome_chromium_add_remove_extension.md
@@ -0,0 +1,74 @@
+---
+title: "Chrome/Chromium: Tilføj/Fjern Udvidelse(r)"
+parent: "Browser"
+source: os2borgerpc-scripts/os2borgerpc/browser/chrome_chromium_add_remove_extension.sh
+summary: "Tilføjer/fjerner en eller flere Chrome/Chromium-Udvidelser til/fra browserens ExtensionSettings policy"
+parameters:
+ - name: "Aktivér"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "Udvidelser"
+ type: "string"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+
+
+---
+
+## Beskrivelse
+Udviklet og testet i samarbejde med Aarhus kommune.
+
+##### VIGTIGT! #####
+Hvis en given PC eller Gruppe gør brug af "Chrome/Chromium: Gæstetilstand til/fra (guest mode)", så husk at deaktivere denne browserpolitik, hvis du har i sinde at benytte dette script.
+Årsagen hertil er, at Gæstetilstand, som resultat af Googles design heraf, deaktiverer alle udvidelser.
+
+### SCRIPTET
+1. Kan tilføje/fjerne en list(en-til-mange) Chrome/Chromium-Udvidelser til/fra browserens ExtensionSettings policy.
+2. Kan slette browserens ExtensionSettings policy.
+
+
+### HVORDAN GØR JEG?
+
+(Læs det hele inden du kører scriptet)
+
+For installere udvidelser skal scriptet køres med flueben i checkbox'en "Aktivér".
+
+Alle Chrome-Udvidelser har et unikt ID der fremgår i URL'en i Chrome Web Store.
+
+ID'et er det du finder inden for < >-symbolerne i URL'en herunder:
+https://chrome.google.com/webstore/detail/ublock-origin/?hl=en
+Dvs. alt efter den sidste / og før ?-symbolet.
+
+Eksempelvis for uBlock Origin vil URL'en se således ud:
+
+https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en
+
+ID'et for uBlock Origin, som du skal bruge ifm. kørsel af scriptet, er derved:
+cjpalhdlnbpafiamejdnhcphjbkeiagm
+
+Eksempel på en liste med 3 udvidelser, henholdsvis uBlock Origin, IntoWords, og AppWriter:
+
+cjpalhdlnbpafiamejdnhcphjbkeiagm,nopjifljihndhkfeogabcclpgpceapln,lokadhdaghfjbmailhhenifjejpokche
+
+Ovenstående er den tekststreng man angiver ved kørsel i tekstfeltet "Udvidelser", hvis man vil installere de tre udvidelser.
+
+Hver gang scriptet køres så overskrives den eksisterende liste med den nye liste.
+
+For at slette alle Udvidelser køres scriptet uden flueben i checkbox'en "Aktivér".
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+### MULIGE UDVIDELSER
+
+Nogle kommuner bruger udvidelsen "Adgang for Alle" til oplæsning på Dansk:
+https://chrome.google.com/webstore/detail/adgang-for-alle-opl%C3%A6sning/emlafdcpicmngaecnedehchapmmcjfhb?hl=da
+
+Hvis man er kunde hos AppWriter eller IntoWords kan man overveje deres udvidelser for at øge tilgængeligheden i browser.
+
+## Parametre
+1. Aktivér : True/False
+2. Udvidelser : komma-separeret liste af ID'er
\ No newline at end of file
diff --git a/chrome_chromium_policy_homepage.md b/chrome_chromium_policy_homepage.md
new file mode 100644
index 0000000..05cf557
--- /dev/null
+++ b/chrome_chromium_policy_homepage.md
@@ -0,0 +1,41 @@
+---
+title: "Chrome/Chromium: Sæt startside(r)"
+parent: "Browser"
+source: os2borgerpc-scripts/os2borgerpc/browser/chrome_chromium_policy_homepage.sh
+parameters:
+ - name: "Startside-URL"
+ type: "string"
+ default: null
+ mandatory: true
+ - name: "Ekstra faneblade"
+ type: "string"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Scriptet skifter startside(r) for Google Chrome og Chromium for brugeren Borger.
+Scriptet forventer en hjemmeside-URL som første input parameter.
+
+Derudover kan man også tilføje en liste yderligere ekstra faner man kunne tænke sig. Læs mere forneden.
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+
+1. Startside-URL : tekststreng
+2. Ekstra faneblade : tekststreng
+
+##### Eksempel med startside plus en ekstra fane #####
+
+Startside-URL : https://borger.dk
+Ekstra faneblade : https://info.jobnet.dk/
+
+##### Eksempel med startside plus 3 ekstra faner #####
+
+URL'erne separes med | som forneden.
+
+Ekstra faneblade : https://info.jobnet.dk/|https://skat.dk|https://www.sundhed.dk/
+
diff --git a/chrome_chromium_start_maximized_fullscreen_kiosk.md b/chrome_chromium_start_maximized_fullscreen_kiosk.md
new file mode 100644
index 0000000..b84e2b6
--- /dev/null
+++ b/chrome_chromium_start_maximized_fullscreen_kiosk.md
@@ -0,0 +1,31 @@
+---
+title: "Chrome/Chromium: Start i maksimeret, fuld skærm eller kiosk tilstand"
+parent: "Browser"
+source: os2borgerpc-scripts/os2borgerpc/browser/chrome_chromium_start_maximized_fullscreen_kiosk.sh
+parameters:
+ - name: "Ønsket tilstand (se beskrivelse)"
+ type: "int"
+ default: null
+ mandatory: true
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Indstil Chrome til at åbne eller ikke at åbne i maksimeret tilstand, fuld skærm eller kiosk tilstand som standard.
+Der skal logges ud eller genstartes før det tager effekt.
+
+Forudsætter at "Chrome - Installer" tidligere er blevet kørt.
+
+Teknisk note: Disse sættes pt. i .desktop-filerne fremfor via Chrome politikker, da det desværre ikke pt. er muligt at styre disse via sidstnævnte fra Googles side.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+Scriptet tager kun ét parameter, som er et tal. Følgende tal svarer til følgende indstilling:
+- 0: Slå både maksimeret, fuld skærm og kiosk fra
+- 1: Slå maksimeret til
+- 2: Slå fuld skærm til
+- 3: Slå kiosk til
+
diff --git a/chrome_install.md b/chrome_install.md
new file mode 100644
index 0000000..dbf8c6a
--- /dev/null
+++ b/chrome_install.md
@@ -0,0 +1,38 @@
+---
+title: "Chrome: Installer"
+parent: "Browser"
+source: os2borgerpc-scripts/os2borgerpc/browser/chrome_install.sh
+parameters:
+ - name: "Installér?"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Udviklet og testet i samarbejde med Aarhus kommune.
+
+Installerer Google Chrome - kan også bruges til at opdatere Google Chrome.
+
+Siden sidste udgave er der nu tilføjet nedenstående til OS2borgerpc's default Chrome policy, som gør at borger ikke kan:
+
+- Logge på(BrowserSync) Chrome med en Google-konto
+- Installere udvidelser. (Administrator kan styre dette centralt vha. scriptet "Chrome: Tilføj/fjern Udvidelser")
+- Tilgå Chrome' Udviklerværktøjer
+- Gemme sine logins
+- Ændre/tilføje startside(r)
+- Bruge Chromecast
+- Web data som cookies og web databaser preserveres ikke efter nedlukning af browser.
+- Tilgå udvalgte chrome-settings URL'er.
+
+Chrome-policies der fremgår i scriptet kan man læse mere om ved at søge på en given policy(fx ForceEphemeralProfiles) her: https://chromeenterprise.google/policies/
+
+Ønsker man at Chrome skal nedlukkes endnu mere, så henvises der til "Chrome: Gæstetilstand til/fra (guest mode)".
+Det kan også være, at "Chrome - Sæt Inkognito" er det man leder efter.
+
+Hvis du fortsat oplever en besked om at oprette en "nøglering" når der vises et password-felt, kan du herefter køre scriptet "Deaktiver nøglering" for at fjerne denne.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
\ No newline at end of file
diff --git a/chromium_autostart.md b/chromium_autostart.md
new file mode 100644
index 0000000..979db49
--- /dev/null
+++ b/chromium_autostart.md
@@ -0,0 +1,51 @@
+---
+title: "Chromium Autostart"
+parent: "Kiosk"
+source: os2borgerpc-scripts/os2borgerpc/os2borgerpc_kiosk/chromium_autostart.sh
+parameters:
+ - name: "Forsinkelse"
+ type: "int"
+ default: 0
+ mandatory: true
+ - name: "URL"
+ type: "string"
+ default: null
+ mandatory: true
+ - name: "Bredde"
+ type: "int"
+ default: null
+ mandatory: true
+ - name: "Højde"
+ type: "int"
+ default: null
+ mandatory: true
+ - name: "Orientation"
+ type: "string"
+ default: "normal"
+ mandatory: true
+compatibility:
+ - "22.04"
+ - "Kiosk"
+---
+
+## Beskrivelse
+Start Chromium i kiosk-mode og sæt start-URL-en.
+
+Dette script forudsætter at følgendes scripts allerede er kørt:
+- Chromium Installer
+
+Chromium Autostart slår automatisk kiosk-tilstand til, men ikke inkognito.
+
+Hvis du benytter skærmtastatur-scriptet og genkører dette script, skal skærmtastatur-scriptet køres igen herefter.
+
+Scriptet kræver en genstart før det tager effekt.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+Der angives en forsinkelse før browseren startes, der kan hjælpe med at løse evt. timing issues (som regel virker det fint med 1 sekund, der angives ved tallet 1).
+
+Skærmens højde og bredde skal sættes til skærmens korrekte opløsning.
+
+Desuden skal der angives en orientering, som kan være "left", "right" eller "normal".
+
diff --git a/chromium_install.md b/chromium_install.md
new file mode 100644
index 0000000..790cb3f
--- /dev/null
+++ b/chromium_install.md
@@ -0,0 +1,14 @@
+---
+title: "Chromium Installér"
+parent: "Kiosk"
+source: os2borgerpc-scripts/os2borgerpc/os2borgerpc_kiosk/chromium_install.sh
+parameters:
+compatibility:
+ - "22.04"
+ - "Kiosk"
+---
+
+## Beskrivelse
+Installér Chromium og en minimal X.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
\ No newline at end of file
diff --git a/dconf_change_login_bg.md b/dconf_change_login_bg.md
new file mode 100644
index 0000000..073384c
--- /dev/null
+++ b/dconf_change_login_bg.md
@@ -0,0 +1,65 @@
+---
+title: "Skift baggrundsbillede på loginskærm"
+parent: "Login"
+source: os2borgerpc-scripts/os2borgerpc/login/dconf_change_login_bg.sh
+parameters:
+ - name: "Aktivér?"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "Billede"
+ type: "file"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Scriptet skifter baggrundsbilledet på loginskærmen.
+
+
+##### VEJLEDNING #####
+
+Undgå at bruge æøå i filnavnet, da det kan forårsage problemer.
+
+Billedets opløsning skal som minimum svare til skærmens opløsning.
+
+Undersøg størrelsesforhold / "aspect ratio" på de pågældende skærme. Saml eventuelt skærme med ens størrelsesforhold i en gruppe for sig, hvis der er en-til-mange af forskellige størrelsesforhold. Hvis et givent billedes størrelsesforhold er anderledes fra skærmens størrelsesforhold, så får man et "strukket" billede.
+
+For se en given maskines skærmopløsning samt størrelsesforhold, så log på som superuser og gå til "indstillinger" -> "Skærme".
+
+Eksempler på opløsninger til forskellige størrelsesforhold:
+
+4:3
+800 x 600
+1024 x 768
+1400 x 1050
+1600 x 1200
+
+5:4
+1280 x 1024
+2560 x 2048
+
+16:9
+1366 x 768
+1600 x 900
+1920 x 1080
+2560 x 1440
+
+16:10
+1280 x 800
+1440 x 900
+1680 x 1050
+1920 x 1200
+2560 x 1600
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+
+1. Aktivér:
+ Sæt hak for at sætte og fastlåse baggrundsbilledet
+ Udelad hak for at gøre det muligt manuelt at sætte sit eget billede direkte fra computeren
+2. Billede : Filupload
\ No newline at end of file
diff --git a/dconf_desktop_background.md b/dconf_desktop_background.md
new file mode 100644
index 0000000..44ef121
--- /dev/null
+++ b/dconf_desktop_background.md
@@ -0,0 +1,39 @@
+---
+title: "Skift baggrundsbillede på skrivebordet"
+parent: "Desktop"
+source: os2borgerpc-scripts/os2borgerpc/desktop/dconf_desktop_background.sh
+parameters:
+ - name: "Baggrundsbillede"
+ type: "file"
+ default: null
+ mandatory: true
+ - name: "Billedeindstillinger (se muligheder i beskrivelsen)"
+ type: "string"
+ default: "zoom"
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Dette script skifter baggrundsbillede på skrivebordet for Borger på en OS2borgerPC.
+Borger behøver ikke at logge ud før baggrundsbillede skifter.
+Efterfølgende vil det ikke være tilladt for Borger at skifte baggrundsbilledet, men det kan stadig ændres fra adminsitet.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+
+ 1. Baggrundsbillede:
+ Her vælger du det billede, der skal anvendes som baggrundsbillede.
+ Undgå at bruge æøå i filnavnet, da det kan forårsage problemer.
+ 2. Billedeindstillinger
+ De indstillinger der skal være for billedet. Mulighederne er:
+ - zoom (standardindstillingen): Baggrunden zoomes ind eller ud for at passe til skærmens størrelse. Der zoomes indtil billedet fylder hele skærmen, som potentielt kan betyde at kanterne af billedet ikke ses.
+ - stretched: Baggrunden strækkes for at dække hele skærmen uden hensyntagen til proportioner.
+ - centered: Baggrunden placeres centralt på skærmen uden nogen form for tilpasning.
+ - scaled: Baggrunden tilpasses skærmens størrelse, bevarende dens proportioner. Der skaleres indtil billedet når ud til den ene kant, så der kan potentielt være en sort bjælke hvis billedets proportioner ikke passer til skærmen.
+ - wallpaper: Baggrunden anvendes som tapet, gentagende eller fyldende hele skærmen.
+ - none: Der er ingen baggrund, skærmen viser en ensfarvet baggrund eller transparent baggrund.
+
diff --git a/dconf_gnome_lock_menu_editing.md b/dconf_gnome_lock_menu_editing.md
new file mode 100644
index 0000000..8e504f3
--- /dev/null
+++ b/dconf_gnome_lock_menu_editing.md
@@ -0,0 +1,30 @@
+---
+title: "Lås menu"
+parent: "Sikkerhed"
+source: os2borgerpc-scripts/os2borgerpc/sikkerhed/dconf_gnome_lock_menu_editing.sh
+parameters:
+ - name: "Aktivér"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+included_in_image: true
+---
+
+## Beskrivelse
+Låser venstremenuen så Borger ikke kan redigere i den.
+
+Den nulstilles uanset efter login, så det er nærmere hvis man også vil forhindre ændring af menuen i løbet af en login-session.
+
+SIKKERHEDSMÆSSIGE OVERVEJELSER:
+Dette script er designet til at beskytte mod phishing - dvs. nærmere specifikt at en person modificerer en genvej i menuen til at pege over på eks. en Mit ID-lignende side,
+som i stedet opsnapper loginoplysninger og sender dem til en tredjepart. I OS2borgerPC 4.0.0 er dette muligt. Som skrevet længere oppe, så bliver disse ændringer dog uanset nulstillet efter logud, så det er primært et problem, hvis man ikke har automatisk logud ved inaktivitet, eller hvis angriberen skulle finde en måde at holde gang i aktiviteten på maskinen på afstand, så den ikke logger ud.
+
+BESKRIVELSE:
+Dette script er indbygget i OS2borgerPC 5.0.0 og fremefter.
+
+---------------
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
\ No newline at end of file
diff --git a/dconf_run_prompt_toggle.md b/dconf_run_prompt_toggle.md
new file mode 100644
index 0000000..c3f075a
--- /dev/null
+++ b/dconf_run_prompt_toggle.md
@@ -0,0 +1,41 @@
+---
+title: "Juster adgang til kør prompt (ALT-F2)"
+parent: "Sikkerhed"
+source: os2borgerpc-scripts/os2borgerpc/sikkerhed/dconf_run_prompt_toggle.sh
+parameters:
+ - name: "Slå kør prompt fra"
+ type: "boolean"
+ default: null
+ mandatory: false
+included_in_image: true
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+included_in_image: true
+
+
+---
+
+## Beskrivelse
+Slår "kør"-prompten (ALT-F2) fra eller til.
+
+SIKKERHEDSMÆSSIGE OVERVEJELSER:
+Dette script fjerner genvejen til "Kør" prompten, hvorfra man kan køre kommandoer.
+Dette script har ikke den store sikkerhedsmæssige betydning, medmindre man samtidig kører vores script til at blokere for terminalen, da man fra terminalen kan gøre det samme og mere.
+
+Grundlæggende mener vi ikke, at dette er et kritisk script rent sikkerhedsmæssigt, af den årsag, at HVIS det skulle vise sig der er en kommando eller række af kommandoer gør det muligt at udnytte et tænkt sikkerhedshul på en BorgerPC, så er det nærmere det kommandoerne gør, der bør sikres/forhindres. Dvs. det egentlige sikkerhedshul ligger i det kommandoerne har rettigheder til at kunne, ikke i selve kommandoerne.
+
+BESKRIVELSE:
+Bemærk at man bagefter at det slås fra, stadig godt kan gå ind og forsøge at sætte en genvejstast til "kør kommando",
+men selvom genvejstast-kombinationen nu vises, som om den var sat, virker den i praksis ikke.
+
+Dette script er indbygget i OS2borgerPC image 5.0.0 og fremover.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+Udviklet og testet i samarbejde med Aarhus kommune.
+
+## Parametre
+ Slå kør prompt fra :
+ - Sæt hak for at slå kør prompten fra
+ - Lad stå tom for at slå kør prompten til
\ No newline at end of file
diff --git a/dconf_ubuntu_dock_adjust.md b/dconf_ubuntu_dock_adjust.md
new file mode 100644
index 0000000..18fa03c
--- /dev/null
+++ b/dconf_ubuntu_dock_adjust.md
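Review bot: The front matter of dconf_run_prompt_toggle.md sets `included_in_image: true` twice, once above `compatibility:` and again below it. Duplicate mapping keys are invalid YAML; strict loaders reject the document and lenient ones keep only the last value, so a later edit to one of the two can silently have no effect. Remove the first occurrence so the key appears once after the `compatibility:` list, as it does in dconf_gnome_lock_menu_editing.md.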
@@ -0,0 +1,24 @@
+---
+title: "Juster Ubuntu Dock (programmenu)"
+parent: "Desktop"
+source: os2borgerpc-scripts/os2borgerpc/desktop/dconf_ubuntu_dock_adjust.sh
+parameters:
+ - name: "Ønsket position for menuen (LEFT er standard)"
+ type: "text_field"
+ default: "LEFT,RIGHT,TOP,BOTTOM"
+ mandatory: false
+ - name: "Flyt applikationsåbner-knappen til starten af menuen? (udeladt hak er standard)"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Dette script kan justere Ubuntus Dock (programmenuen ved siden af skrivebordet) på to måder:
+
+1. Ubuntu Docks ligger normalt opad venstre kant af skærmen ("LEFT"), men kan flyttes til en af de andre sider.
+2. Applikationsstarteren (de 9 "prikker") ligger normalt i bunden af menuen. Hvis du vælger "true", kan den flyttes til toppen.
+
+Tager scriptet ikke øjeblikkeligt effekt, så prøv med en genstart.
\ No newline at end of file
diff --git a/desktop_launcher_logout_button_icon.md b/desktop_launcher_logout_button_icon.md
new file mode 100644
index 0000000..5b55f8f
--- /dev/null
+++ b/desktop_launcher_logout_button_icon.md
@@ -0,0 +1,40 @@
+---
+title: "Genvej til logud fra menu"
+parent: "Desktop"
+source: os2borgerpc-scripts/os2borgerpc/desktop/desktop_launcher_logout_button_icon.sh
+parameters:
+ - name: "Tilføj logudknappen?"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "Genvejsnavn"
+ type: "string"
+ default: null
+ mandatory: true
+ - name: "Indsæt i starten af menuen?"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "Ikon"
+ type: "file"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Opretter en logud-genvej i menuen med valgfrit ikon. Man kan også undlade at vælge et ikon selv, og så benyttes et standard-ikon. Ikonet skal være i et af følgende formater:
+.svg, .png, .jpg/.jpeg
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1. Skal genvejen tilføjes eller fjernes?
+ Sæt hak for at tilføje.
+ Lad stå tom for at slette den, så fremt den findes.
+2. Navnet du ønsker, genvejen skal have. Denne kan ses hvis Borgeren holder musen hen over genvejen.
+3. Skal genvejen sættes i starten eller enden af menuen?
+ Sæt hak for at sætte den i starten.
+4. Her kan du uploade eget ikon at bruge til genvejen. Du kan også udelade at uploade et ikon, og der vil i så fald blive brugt et standard-ikon til genvejen.
+
diff --git a/desktop_launcher_program_shortcut.md b/desktop_launcher_program_shortcut.md
new file mode 100644
index 0000000..06cf72e
--- /dev/null
+++ b/desktop_launcher_program_shortcut.md
@@ -0,0 +1,31 @@
+---
+title: "Genvej til program fra menu"
+parent: "Desktop"
+source: os2borgerpc-scripts/os2borgerpc/desktop/desktop_launcher_program_shortcut.sh
+parameters:
+ - name: "Tilføj programmet?"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "Programnavn"
+ type: "string"
+ default: null
+ mandatory: true
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Tilføjer/Fjerner en genvej i menuen til venstre, ved siden af skrivebordet.
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1: Aktiver:
+ Sæt hak: Programmet tilføjes til menuen.
+ Fjern hak: Programmet fjernes fra menuen (hvis det findes)
+2: Programnavn: Hvilket program du ønsker at tilføje eller slette.
+ Eksempler: firefox, google-chrome, simple-scan, yelp, libreoffice-impress, libreoffice-writer, libreoffice-calc, org.gnome.Nautilus
+
+Hvis du ikke kender program-navnet præcist, kan du bruge scriptet "Desktop - Vis programliste".
+
diff --git a/desktop_logout_button_icon.md b/desktop_logout_button_icon.md
new file mode 100644
index 0000000..a9c3ac3
--- /dev/null
+++ b/desktop_logout_button_icon.md
@@ -0,0 +1,46 @@
+---
+title: "Genvej til logud fra skrivebord"
+parent: "Desktop"
+source: os2borgerpc-scripts/os2borgerpc/desktop/desktop_logout_button_icon.sh
+parameters:
+ - name: "Aktiver?"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "Navn på genvejen"
+ type: "string"
+ default: null
+ mandatory: true
+ - name: "Bekræftelse på logud?"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "Ikon til genvejen (png/svg/jpg)"
+ type: "file"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Tilføjer en logud-knap til skrivebordet, med valgfrit navn og ikon (uploades), og mulighed for at bestemme om der skal logges ud øjeblikkeligt, eller om brugeren skal bekræfte først.
+
+Log ud efter kørsel.
+
+BEMÆRK: Dette script forudsætter også at scriptet "Desktop - Aktiver genveje" køres for at aktivere knappen.
+Scriptet "Desktop - Aktiver genveje" har været indbygget i alle images siden image 5.0 og er derfor under udfasning.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1: Aktiver?:
+ Sæt hak: Genvejen tilføjes
+ Lad stå tom: Genvejen fjernes
+2: Navn: Navnet du ønsker, knappen skal have på skrivebordet.
+3. Bekræftelse på logud:
+ Sæt hak: Borgeren spørges efter bekræftelse.
+ Lad stå tom: Der genstartes øjeblikelligt, uden at spørge om bekræftelse (der er mulighed for at fortryde).
+4. Ikon: Hvilket ikon logudknappen skal have (en kvadratisk .SVG- eller .PNG-fil). Hvis du ikke vælger ét, vil et standardikon blive brugt.
+
diff --git a/desktop_toggle_writable.md b/desktop_toggle_writable.md
new file mode 100644
index 0000000..9fb9be1
--- /dev/null
+++ b/desktop_toggle_writable.md
@@ -0,0 +1,35 @@
+---
+title: "Slå skriverettigheder for skrivebord fra/til"
+parent: "Sikkerhed"
+source: os2borgerpc-scripts/os2borgerpc/sikkerhed/desktop_toggle_writable.sh
+parameters:
+ - name: "Aktivér? (hak: fjern skriverettighed / udelad hak: giv skriverettighed)"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+included_in_image: true
+---
+
+## Beskrivelse
+Slår skriverettigheder for skrivebordet til og fra for Borger-brugeren.
+
+SIKKERHEDSMÆSSIGE OVERVEJELSER:
+Dette script er designet til at beskytte mod phishing - dvs. nærmere specifikt at en person modificerer en genvej på skrivebordet til at pege over på eks. en Mit ID-lignende side, som i stedet opsnapper loginoplysninger og sender dem til en tredjepart. I OS2borgerPC 4.0.0 er dette muligt. Som skrevet længere oppe, så bliver disse ændringer dog uanset nulstillet efter logud, så det er primært et problem, hvis man ikke har automatisk logud ved inaktivitet, eller hvis angriberen skulle finde en måde at holde gang i aktiviteten på maskinen på afstand, så den ikke logger ud.
+
+Vi anbefaler pba. ovenstående ikke at slå dem til.
+
+BESKRIVELSE:
+I OS2borgerPC 5.0.0 og fremefter er det indbygget, at skriverettighederne til skrivebordet er fjernet.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+Udviklet og testet i samarbejde med Aarhus kommune.
+
+## Parametre
+ 1. Aktivér?:
+ Sæt hak: brugeren har IKKE rettighed til at lægge filer på skrivebordet (standard)
+ Lad stå tom: brugeren har rettighed til at lægge filer på skrivebordet
+
diff --git a/desktop_url_shortcut.md b/desktop_url_shortcut.md
new file mode 100644
index 0000000..e17672f
--- /dev/null
+++ b/desktop_url_shortcut.md
@@ -0,0 +1,42 @@
+---
+title: "Genvej til hjemmeside på skrivebord"
+parent: "Desktop"
+source: os2borgerpc-scripts/os2borgerpc/desktop/desktop_url_shortcut.sh
+parameters:
+ - name: "Aktivér?"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "URL"
+ type: "string"
+ default: null
+ mandatory: true
+ - name: "Navn på genvejen til websitet (ingen mellemrum!)"
+ type: "string"
+ default: null
+ mandatory: true
+ - name: "Ikon (Valgfri. Hvis tom benyttes et standard-ikon.)"
+ type: "file"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Opretter eller sletter en genvej til til en valgfri hjemmeside på skrivebordet, med det angivne navn.
+Efter kørsel tager det effekt efter logud.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1. Sæt hak for at oprette genvejen,
+ Lad stå tom for at slette den, så fremt den findes.
+2. URL til webstedet
+3. Navnet genvejen skal have på skrivebordet.
+ Bemærk at navnet ikke må indeholde mellemrum.
+4. Ikon. Du kan selv uploade et ikon-billede, eller du kan undlade og så bruger den et standardikon.
+
+Bemærk: Husk https:// eller http:// foran - det skal være den fulde adresse (kopier den eventuelt fra adresselinien i browseren), fremfor eks. bare eboks.dk eller www.eboks.dk, som ikke vil virke.
+
diff --git a/disable_network_connectivity_check.md b/disable_network_connectivity_check.md
new file mode 100644
index 0000000..9538a9c
--- /dev/null
+++ b/disable_network_connectivity_check.md
@@ -0,0 +1,15 @@
+---
+title: "System - Fjern Network Managers Forbindelsestjek (Netics)"
+parent: "System"
+source: os2borgerpc-scripts/common/system/disable_network_connectivity_check.sh
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Afprøv først på en enkelt maskine!
+
+Det kan bruges til at fjerne hotspot popups fra bl.a. Netics.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
\ No newline at end of file
diff --git a/firefox_global_policies.md b/firefox_global_policies.md
new file mode 100644
index 0000000..61a3012
--- /dev/null
+++ b/firefox_global_policies.md
@@ -0,0 +1,49 @@
+---
+title: "Firefox: Kiosk og Sæt startside(r)"
+parent: "Browser"
+source: os2borgerpc-scripts/os2borgerpc/browser/firefox_global_policies.sh
+parameters:
+ - name: "Startside-URL"
+ type: "string"
+ default: null
+ mandatory: true
+ - name: "Ekstra faneblade"
+ type: "string"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+
+
+---
+
+## Beskrivelse
+Udviklet og testet i samarbejde med Aarhus kommune.
+
+Scriptet fjerner alle default startsider (inkl. fanen "Firefox Privacy Notice"), som køres hver gang Firefox startes for første gang i en given ny bruger-session.
+Scriptet implementerer policies der bla.a. deaktiverer slut-brugers' mulighed for at installere udvidelser samt at logge på(browser sync).
+Ydermere deaktiveres lagring af historik og cache, gem-password, tracking, m.m.
+For mere info de konkrete implementerede policies henvises til at læse scriptet, hvor man kan krydsrefere med Mozillas dokumentation her:
+https://github.com/mozilla/policy-templates
+
+Udover at sætte startsiden kan man også tilføje en liste yderligere ekstra faner man kunne tænke sig. Læs mere forneden.
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+
+1. Startside-URL : tekststreng
+2. Ekstra faneblade : tekststreng
+
+##### Eksempel med startside plus en ekstra fane #####
+
+Startside-URL : https://borger.dk
+Ekstra faneblade : https://info.jobnet.dk/
+
+##### Eksempel med startside plus 3 ekstra faner #####
+
+URL'erne separes med | som forneden.
+
+Ekstra faneblade : https://info.jobnet.dk/|https://skat.dk|https://www.sundhed.dk/
+
+
diff --git a/get_daily_login_count.md b/get_daily_login_count.md
new file mode 100644
index 0000000..7ac1c6c
--- /dev/null
+++ b/get_daily_login_count.md
@@ -0,0 +1,34 @@
+---
+title: "Send løbende antal login dagligt til adminsitet"
+parent: "Login"
+source: os2borgerpc-scripts/os2borgerpc/login/get_daily_login_count.sh
+parameters:
+ - name: "Aktiver?"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Dette script gør at computeren sender sit daglige antal logins til adminsitet. Dette kan give et indblik i hvor meget en given maskine anvendes.
+
+Eksempel:
+Scriptet køres ud på en række maskiner. Man kigger på dataen d. 21/10 og vil kunne se der d. 20/10 var 10 logins på PC1, 12 logins på PC2, 8 logins på PC3 etc.
+Du kan derved se, hvor mange gange der er blevet logget ind på en given maskine på en given dag.
+
+BEMÆRK: Denne data er ikke rigtig brugbar, før man slår automatisk login på den givne maskine FRA, som kan gøres med scriptet "Login - Automatisk borgerlogin til/fra". Inden da tælles såvel automatiske og manuelle logins med.
+
+Dataen bliver sendt, så den kan ses under tabben "Konfigurationer" for en Computer, og den udstilles derfra igennem det nye API, så dataen kan importeres i programmer som Power BI, eller tilsvarende open source software.
+
+Yderligere informationer:
+- Maskinen vil kun indrapportere antal logins for de dage, hvor den har været tændt.
+- Maskinen indrapporterer først antal logins for en given dag på den efterfølgende dag.
+- Maskinen opbevarer dataen i 90 dage.
+
+## Parametre
+1. Aktiver?
+Sæt hak i tjekboksen for at aktivere indrapportering af daglige antal login.
+Lad tjekboksen stå tom for at deaktivere indrapporteringen.
+
diff --git a/hard_shutdown_lockdown.md b/hard_shutdown_lockdown.md
new file mode 100644
index 0000000..99b1ba0
--- /dev/null
+++ b/hard_shutdown_lockdown.md
@@ -0,0 +1,46 @@
+---
+title: "Bloker for login ved hård nedlukning"
+parent: "Sikkerhed"
+
+source: os2borgerpc-scripts/os2borgerpc/sikkerhed/hard_shutdown_lockdown.sh
+parameters:
+ - name: "Aktiver?"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Dette script låser bruger-kontoen ved en hård nedlukning (f.eks. hvis man hiver strømstikket ud eller slukker maskinen på knappen).
+Dets primære formål er at være med til at forhindre borgere i at omgå scriptet "Sikkerhed - Bloker for login ved USB-event".
+
+SIKKERHEDSMÆSSIGE OVERVEJELSER:
+En BorgerPC kan kun overvåges af software såsom sikkerhedsscripts, så længe, den er tændt.
+Dvs. hvis Borger kan tilgå maskinen mens den er slukket, kan der indsættes en keylogger, uden at det kan detekteres.
+Derfor er dette script skrevet til at låse en maskine for login til Borger og give en advarsel hvis strømmen går på maskinen, eksempelvis ved tryk på sluk-knappen eller ved at hive strømstikket.
+Dette script låser IKKE maskinen hvis den lukkes ned på normal vis - eksempelvis ved at vælge "Luk ned" fra menuen, eller kørsel af scripts til genstart/nedlukning.
+Af denne grund er det også centralt for dette script, at Borgers mulighed for at lukke ned/genstarte fjernes. Dette er der et script til, som nævnes længere nede.
+
+BESKRIVELSE:
+Det er en god idé at verificere at det virker, hvis computeren slukkes på knappen eller strømstikket fjernes.
+
+Dette script bruges sammen:
+
+- Scriptet "Desktop - Fjern Luk Ned, Genstart og Hviletilstand fra menuen"
+...så Borgeren ikke bare kan lukke computeren ned fra menuen, så fjernelse af strømstik eller knappen på maskinen er eneste mulighed for at slukke den.
+
+- Sikkerhedsscriptet "Detekter låst/udløbet bruger event", hvis man ønsker en advarsel, når Borger-kontoen låses.
+
+Når man så oplever, at Borger-kontoen er blevet låst, kan den låses op med Scriptet:
+"Sikkerhed - Sæt Borger som aktiv efter blokeret login (lås op)".
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+Aktivér:
+ Sæt hak: Blokering af login ved hård nedlukning slås til
+ Lad stå tom: Blokering af login ved hård nedlukning slås fra (standard)
+
diff --git a/inactivity_logout_after_time.md b/inactivity_logout_after_time.md
new file mode 100644
index 0000000..5d94a51
--- /dev/null
+++ b/inactivity_logout_after_time.md
@@ -0,0 +1,58 @@
+---
+title: "Log Borger ud efter X minutters inaktivitet med besked"
+parent: "Sikkerhed"
+source: os2borgerpc-scripts/os2borgerpc/sikkerhed/inactivity_logout_after_time.sh
+parameters:
+ - name: "Aktiver?"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "Antal MINUTTER til dialog bliver vist"
+ type: "int"
+ default: null
+ mandatory: true
+ - name: "Antal MINUTTER til brugeren bliver logget ud"
+ type: "int"
+ default: null
+ mandatory: true
+ - name: "Tekst som bliver vist i dialogboksen"
+ type: "string"
+ default: null
+ mandatory: false
+ - name: "Tekst som bliver vist på dialogboks knappen"
+ type: "string"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Vis en advarsel efter et antal minutters inaktivitet - ved fortsat inaktivitet logges brugeren automatisk ud.
+Dette script har til formål at sørge for at brugeren automatisk logges ud, hvis de skulle forlade maskinen uden selv at logge ud.
+
+SIKKERHEDSMÆSSIGE OVERVEJELSER:
+Mens en BorgerPC er logget ind kan der godt gemmes filer på den, nogle programmer vil huske besøgte webadresser på den, og en Borger kunne efterlade en maskine logget ind på deres E-Boks.
+Automatisk logud er lavet til scenarier hvor Borger ikke husker selv at lukke/slette vigtige filer, eller bare logge ud.
+Så vil maskinen i så fald efter X antal tid selv sørge for det.
+
+Vi anbefaler at genstarte efter kørsel, for at være sikker på, det har taget effekt.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+Scriptet tager 5 inputparametre:
+1. Hvorvidt scriptet skal aktiveres. Sæt hak i tjekboksen for at aktivere scriptet. Lad tjekboksen stå tom for at deaktivere scriptet.
+2. Antal MINUTTER computeren kan være inaktiv, før en advarsel vises.
+3. Antal MINUTTER computeren kan være inaktiv, før den lukkes ned.
+ Det skal være længere tid end det første inputparameter, da advarslen ellers ikke vil blive set.
 Vi foreslår minimum 3 minutter længere.
+4. Teksten der vises i inaktivitetsadvarslen. Hvis feltet efterlades tomt, bruges standardteksten "Du er inaktiv og bliver logget ud om kort tid..."
+5. Teksten der vises på knappen i inaktivitetsadvarslen. Hvis feltet efterlades tomt, bruges standardteksten "OK"
+
+Eksempel:
+Med inputparametrene 5 og 10 vil der vises en advarsel efter 5 minutter, og hvis inaktiviteten så fortsætter 5 minutter derefter, vil brugeren blive logget af.
+
+Hvis du ønsker linieskift i teksten, kan det gøres ved at skrive \n således:
+Linie1\nLinie2
+
diff --git a/lightdm_enable_numlock.md b/lightdm_enable_numlock.md
new file mode 100644
index 0000000..be71551
--- /dev/null
+++ b/lightdm_enable_numlock.md
@@ -0,0 +1,24 @@
+---
+title: "Sæt NumLock-tilstand"
+parent: "System"
+source: os2borgerpc-scripts/os2borgerpc/os2borgerpc/lightdm_enable_numlock.sh
+parameters:
+ - name: "Slå numlock til"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Dette script installerer numlockx og slår numlock til når computeren når til loginsiden.
+
+OBS: Medmindre scriptet "Login - Slå scriptkørsel ved login" er kørt også, vil numlock først blive slået til efter brugeren logger på.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1. Sæt hak for at slå numlock til, eller lad stå tomt for at fjerne denne funktion igen.
+
diff --git a/lightdm_hide_superuser.md b/lightdm_hide_superuser.md
new file mode 100644
index 0000000..6b6de65
--- /dev/null
+++ b/lightdm_hide_superuser.md
@@ -0,0 +1,34 @@
+---
+title: "Skjul superuser fra loginskærm og vis eventuelt loginfelt til valgfri bruger"
+parent: "Login"
+source: os2borgerpc-scripts/os2borgerpc/login/lightdm_hide_superuser.sh
+parameters:
+ - name: "Skjul superuser-brugeren"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "Vis loginfelt til valgfri bruger"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Dette script gør det muligt at skjule superuser fra loginskærmen.
+Man kan i samme forbindelse vælge at slå det til, så man selv kan indtaste et brugernavn på loginskærmen i stedet, som så også kan være superuser.
+
+Det kræver genstart før det tager effekt.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1. Skjul superuser-brugeren:
+ Sæt hak for at skjule superuser-brugeren.
+ Lad stå tom for igen at vise superuser-brugeren (standard)
+2. Vis loginfelt til login på valgfri bruger under "Borger":
+ Sæt hak for at vise loginfeltet
+ Lad stå tom for at skjule loginfeltet
+
diff --git a/overwrite_libreoffice_config.md b/overwrite_libreoffice_config.md
new file mode 100644
index 0000000..2512709
--- /dev/null
+++ b/overwrite_libreoffice_config.md
@@ -0,0 +1,30 @@
+---
+title: "LibreOffice - Sæt indstillinger"
+parent: "Programmer"
+source: os2borgerpc-scripts/os2borgerpc/libreoffice/overwrite_libreoffice_config.sh
+parameters:
+ - name: "Slå 'Tip of the Day' fra"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "Brug Microsofts filformater"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Script der overskriver LibreOffices config med vores egen.
+
+Kræver at brugeren logger ud og ind igen før indstillingerne træder i kraft.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1. Sæt kryds for at slå "Tip of the Day" og frigivelsesnoter fra. Lad stå tom for at slå dem til.
+2. Sæt kryds for at bruge Microsofts filformater (.docx, .xlsx, .pptx) frem for LibreOffices standard ODF formater. Lad stå tom for at bruge standard-formaterne.
+
+
diff --git a/polkit_policy_shutdown_suspend.md b/polkit_policy_shutdown_suspend.md
new file mode 100644
index 0000000..eef0ea9
--- /dev/null
+++ b/polkit_policy_shutdown_suspend.md
@@ -0,0 +1,41 @@
+---
+title: "Fjern Luk Ned, Genstart og Hviletilstand fra menuen"
+parent: "Sikkerhed"
+source: os2borgerpc-scripts/os2borgerpc/sikkerhed/polkit_policy_shutdown_suspend.sh
+parameters:
+ - name: "Fjern hviletilstand?"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "Fjern også luk ned og genstart?"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+included_in_image: true
+---
+
+## Beskrivelse
+Udviklet og testet i samarbejde med Aarhus kommune.
+
+Scriptet fjerner Luk Ned, Genstart og Hviletilstand fra menuen og blokerer også for de samme via systempolitik, så eks. genstart/luk ned i så fald heller ikke kan køres fra terminalen af Borger.
+
+SIKKERHEDSMÆSSIGE OVERVEJELSER:
+Disse muligheder er fjernet i nyere images af den årsag, at sikkerhedsscripts ikke kan overvåge maskinen, når den er slukket.
+Dvs. en angriber kunne potentielt slukke maskinen, indsætte en keylogger ml. tastatur og computer, og så tænde computeren igen.
+Af samme grund har vi også udviklet scriptet "Bloker for login ved hård nedlukning" for at forhindre at der lukkes ned på andre måder end menuen, dvs. ved at trykke på knappen eller hive strømstikket ud.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+
+1. Fjern hviletilstand?
+ Sæt hak for at blokere for borgerens mulighed for at aktivere hviletilstand.
+ Lad stå tom for at tilføje muligheden.
+2. Fjern også luk ned og genstart?
+ Sæt hak for også at blokere for borgerens mulighed for at lukke eller genstarte computeren.
+ Lad stå tom for at tilføje muligheden.
+ Hvis første input står tom, tilføjes muligheden uanset værdien af dette input.
+
diff --git a/printer_default.md b/printer_default.md
new file mode 100644
index 0000000..eac3321
--- /dev/null
+++ b/printer_default.md
@@ -0,0 +1,20 @@
+---
+title: "Sæt standard"
+parent: "Printer"
+source: os2borgerpc-scripts/os2borgerpc/printer/printer_default.sh
+parameters:
+ - name: "Navn"
+ type: "string"
+ default: null
+ mandatory: true
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Vælg standard printer. Printer navnet kan findes ved at køre scriptet "Printer - Vis printer liste"
+
+*Note - Scriptet har problemer hvis printer navnet indeholder mellemrum. I så fald anbefales det at ændre printer navnet.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
\ No newline at end of file
diff --git a/printer_del.md b/printer_del.md
new file mode 100644
index 0000000..8807c63
--- /dev/null
+++ b/printer_del.md
@@ -0,0 +1,22 @@
+---
+title: "Slet printer"
+parent: "Printer"
+source: os2borgerpc-scripts/os2borgerpc/printer/printer_del.sh
+parameters:
+ - name: "Navn"
+ type: "string"
+ default: null
+ mandatory: true
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Slet den angivne printer.
+
+Det kan både være en regulær netværksprinter eller en Princh-printer.
+
+For at finde navnet på printeren, kan du køre scriptet "Printer - Vis printer-liste".
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
\ No newline at end of file
diff --git a/printer_options_get.md b/printer_options_get.md
new file mode 100644
index 0000000..5641f1b
--- /dev/null
+++ b/printer_options_get.md
@@ -0,0 +1,22 @@
+---
+title: "Vis indstillinger"
+parent: "Printer"
+source: os2borgerpc-scripts/os2borgerpc/printer/printer_options_get.sh
+parameters:
+ - name: "Printer-navn"
+ type: "string"
+ default: null
+ mandatory: true
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Vis de forskellige indstillinger for den ønskede printer i Job-loggen.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1: Navnet på printeren (kør evt. "Printer - Vis printer-liste" for at finde det)
+
diff --git a/printer_options_set.md b/printer_options_set.md
new file mode 100644
index 0000000..8a7c1f0
--- /dev/null
+++ b/printer_options_set.md
@@ -0,0 +1,48 @@
+---
+title: "Sæt indstillinger"
+parent: "Printer"
+source: os2borgerpc-scripts/os2borgerpc/printer/printer_options_set.sh
+parameters:
+ - name: "Printer-navn"
+ type: "string"
+ default: null
+ mandatory: true
+ - name: "PageSize (f.eks. A4 eller Letter)"
+ type: "string"
+ default: "A4"
+ mandatory: false
+ - name: "ColorModel (f.eks. RGB eller Gray)"
+ type: "string"
+ default: null
+ mandatory: false
+ - name: "Duplex (f.eks. DuplexTumble eller None)"
+ type: "string"
+ default: null
+ mandatory: false
+ - name: "Print-orientering"
+ type: "text_field"
+ default: ",Portrait,Landscape,Reverse landscape,Reverse portrait"
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Script, der sætter de printer-indstillinger (kaldet "Options" i Linux-printersystemet CUPS), der er forespurgt og fundet.
+
+Kør scriptet "Printer - Vis printer-indstillinger" for at se, hvilke indstillingsmuligheder, den givne printer har.
+
+Vil kun virke, hvis der er en PPD-fil eller hvis printeren er sat op med IPP Everywhere.
+
+NB: De konkrete muligheder og værdier kan variere fra printer til printer.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+ 1: Printer-navn
+ 2: Papirstørrelse
+ 3: Farve eller sort-hvid
+ 4: Duplex
+ 5: Print-orientering
+
diff --git a/printer_princh_add.md b/printer_princh_add.md
new file mode 100644
index 0000000..dc26922
--- /dev/null
+++ b/printer_princh_add.md
@@ -0,0 +1,43 @@
+---
+title: "Tilføj Princh Cloud Printer"
+parent: "Printer"
+source: os2borgerpc-scripts/os2borgerpc/printer/printer_options_set.sh
+parameters:
+ - name: "Navn (OBS: INGEN ÆØÅ, mellemrum eller apostrofer)"
+ type: "string"
+ default: null
+ mandatory: true
+ - name: "ID"
+ type: "int"
+ default: null
+ mandatory: true
+ - name: "Beskrivelse / Placering (INGEN ÆØÅ)"
+ type: "string"
+ default: null
+ mandatory: true
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Forudsætninger:
+Dette script køres efter scriptet "Printer - Installer Princh Cloud Printer".
+
+Hvis du ønsker Princh sat som standard-printer, så kør herefter scriptet "Printer - Sæt en standard-printer", med det navn du gav printeren i dette script.
+
+Har i endnu ikke en Princh-aftale, men ønsker at teste oplevelsen med det, stiller Princh dette test printer-ID til rådighed, som du kan indtaste som inputparameter til dette script:
+990000
+
+Vi tager udgangspunkt i Princh's egen installationsguide - hvis man vil kigge nærmere på den, kan den findes her:
+https://2803061.fs1.hubspotusercontent-na1.net/hubfs/2803061/Setup%20and%20installation%20guides,%20tech%20reqs/Princh%20for%20Linux%20Installation%20Guide.pdf
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+1. Navn: Det navn printeren vil få af styresystemet, som du selv bestemmer hvad skal være. Der er dog nogle tekniske begrænsninger: Navnet kan ikke indeholde Æ, Ø, Å, mellemrum, skråstreg eller apostroffer.
+
+2. ID: Dette ID identificerer printeren fra Princhs side, og det skulle de kunne oplyse til dig. Det er et 6-cifret tal.
+
+3. Beskrivelse / Placering: Beskrivelsen printeren får ift. styresystemet. Den vælger du frit selv. Beskrivelsen kan godt indeholde mellemrum. Indeholder den mellemrum "skal parametret skrives med citationstegn rundt om".
+
diff --git a/printer_princh_install.md b/printer_princh_install.md
new file mode 100644
index 0000000..14bf549
--- /dev/null
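Review bot: `source:` in the front matter of printer_princh_add.md points at `os2borgerpc-scripts/os2borgerpc/printer/printer_options_set.sh`, the same path printer_options_set.md uses, so this page most likely links to the wrong script. The other pages in this patch name the script after the page, which suggests `source: os2borgerpc-scripts/os2borgerpc/printer/printer_princh_add.sh` was intended; confirm the path against the scripts repository. An administrator who audits a script from its documented source before rolling it out would otherwise review a different file than the one that runs.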
+++ b/printer_princh_install.md
@@ -0,0 +1,20 @@
+---
+title: "Installer Princh Cloud Printer"
+parent: "Printer"
+source: os2borgerpc-scripts/os2borgerpc/printer/printer_princh_install.sh
+parameters:
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Installer Princh Cloud Printer
+
+Efter dette script køres "Printer - Tilføj Princh Cloud Printer".
+
+VIGTIG BEMÆRKNING: Dette script genererer pt. tre sudo-sikkerhedshændelser per computer, hvis man har sat en Sudo-Sikkerhedsregel op på den.
+Dette skyldes ikke at vi selv bruger sudo i vores script, men at der i det installationsscript, Princh har udgivet, benyttes sudo.
+Kontakt evt. Princh omkring at fjerne disse sudo-kommandoer, og i stedet køre servicen som root, eller bruge pkexec eller lign.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
\ No newline at end of file
diff --git a/printer_toggle_network_discovery.md b/printer_toggle_network_discovery.md
new file mode 100644
index 0000000..0da99f8
--- /dev/null
+++ b/printer_toggle_network_discovery.md
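Review bot: `parameters:` in the front matter of printer_princh_install.md is left as a bare key, which YAML loads as null rather than as an empty list. disable_network_connectivity_check.md, which also takes no parameters, omits the key entirely. Whatever consumes this front matter presumably iterates the list, so either drop the key here as well or write `parameters: []` to make the empty case explicit.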
@@ -0,0 +1,27 @@
+---
+title: "Slå automatisk netværksprinter-finding fra/til"
+parent: "Printer"
+source: os2borgerpc-scripts/os2borgerpc/printer/printer_toggle_network_discovery.sh
+parameters:
+ - name: "Slå automatisk netværksprinter-finding FRA?"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Fjerner alle printere, der automatisk er fundet via netværket.
+Derefter kan en printer så eventuelt tilføjes manuelt via enten scriptet "Printer - Tilføj netværksprinter" eller "Printer - Tilføj netværksprinter (PPD-fil skal angives)".
+Hvis I udelukkende bruger Princh kan i nøjes med de installationsscripts dertil.
+
+Hvis det ikke tager effekt med det samme, foreslås det at genstarte maskinen, efter scriptet er kørt.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+ Slå automatisk netværksprinter-finding fra?:
+ Sæt hak: Slår netværksprinter-finding fra
+ Lad stå tom: Slår netværksprinter-finding til (standard)
\ No newline at end of file
diff --git a/protect_terminal.md b/protect_terminal.md
new file mode 100644
index 0000000..cccd432
--- /dev/null
+++ b/protect_terminal.md
@@ -0,0 +1,29 @@
+---
+title: "Juster adgang til terminalen"
+parent: "Sikkerhed"
+source: os2borgerpc-scripts/os2borgerpc/sikkerhed/protect_terminal.sh
+parameters:
+ - name: "Giv adgang til terminalen"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Scriptet kan spærre adgangen til terminalen for publikumsbrugeren. superuser har stadig adgang.
+
+SIKKERHEDSMÆSSIGE OVERVEJELSER:
+Bemærk, at brugerens adgang til terminalen ikke i sig selv er et sikkerhedshul. Brugeren kan fra terminalen gøre præcis de ting, som vedkommende har tilladelse til i forvejen.
+
+Hvis brugeren er i stand til at udfordre systemets sikkerhed fra terminalen, skyldes det altså de underliggende tilladelser - ikke terminaladgangen - som ikke gør en grundlæggende forskel.
+
+Blokering af terminaladgangen er dermed dybest set en lappeløsning, som kan være ganske fornuftig - men de underliggende problemer burde adresseres, og hvis de bliver det, vil det ikke længere være nødvendigt at blokere for terminaladgangen.
+
+--------------------
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+Udviklet og testet i samarbejde med Aarhus kommune.
\ No newline at end of file
diff --git a/scripts/adjust_settings_access.sh b/scripts/adjust_settings_access.sh
new file mode 100755
index 0000000..82b587e
--- /dev/null
+++ b/scripts/adjust_settings_access.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+set -ex
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+ echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+ exit 1
+fi
+
+ACTIVATE=$1
+
+# Restore access to settings
+if [ "$ACTIVATE" = 'True' ]; then
+
+ # Making sure we're not removing the actual
+ # gnome-control-center if run with the wrong argument or multiple times
+ if grep --quiet 'zenity' /usr/bin/gnome-control-center; then
+ # Remove the permissions override and manually reset permissions to defaults
+ # Suppress error to prevent set -e exiting in case the override no longer exists
+ dpkg-statoverride --remove /usr/bin/gnome-control-center.real || true
+ chown root:root /usr/bin/gnome-control-center.real
+ chmod 755 /usr/bin/gnome-control-center.real
+ # Remove the shell script that prints the error message
+ rm /usr/bin/gnome-control-center
+ # Remove location override and restore gnome-control-center.real back to gnome-control-center
+ dpkg-divert --remove --no-rename /usr/bin/gnome-control-center
+ # dpkg-divert can --rename it itself, but the problem with doing that is that in some images
+ # dpkg-divert is not used, it was simply moved/copied, so that won't restore it, leaving you
+ # with no gnome-control-center
+ mv /usr/bin/gnome-control-center.real /usr/bin/gnome-control-center
+ fi
+else # Remove access to settings
+
+ if [ ! -f "/usr/bin/gnome-control-center.real" ]; then
+ dpkg-divert --rename --divert /usr/bin/gnome-control-center.real --add /usr/bin/gnome-control-center
+ dpkg-statoverride --update --add superuser root 770 /usr/bin/gnome-control-center.real
+ fi
+
+ cat << EOF > /usr/bin/gnome-control-center
+#!/bin/bash
+
+USER=\$(id -un)
+
+# Set the info text based on the chosen language
+if echo \$LANG | grep sv; then
+ INFO="Systeminställningarna är inte tillgängliga för allmänheten.\n\nKontakta personalen om det uppstår problem."
+elif echo \$LANG | grep en; then
+ INFO="The settings are not accessible to the public.\n\nContact the staff if there are issues."
+else
+ INFO="Systemindstillingerne er ikke tilgængelige for publikum.\n\nKontakt personalet, hvis der er problemer."
+fi
+
+if [ \$USER == "user" ]; then
+ zenity --info --text="\$INFO"
+else
+ /usr/bin/gnome-control-center.real "\$@"
+fi
+EOF
+
+ chmod +x /usr/bin/gnome-control-center
+
+fi
diff --git a/scripts/always_logout_after_time_visual.sh b/scripts/always_logout_after_time_visual.sh
new file mode 100644
index 0000000..b740727
--- /dev/null
+++ b/scripts/always_logout_after_time_visual.sh
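Review bot: In the lock branch the `dpkg-statoverride --update --add superuser root 770` call sits inside the `if [ ! -f "/usr/bin/gnome-control-center.real" ]` guard, so on a machine where `.real` already exists it is never (re)applied. The restore-branch comment says some images moved or copied the binary without `dpkg-divert`; on those, `.real` may still carry its default mode and the public user could start it directly, because the zenity wrapper only checks the user name and is not what enforces the restriction. Applying the override outside the guard would close that gap, e.g. `dpkg-statoverride --list /usr/bin/gnome-control-center.real > /dev/null || dpkg-statoverride --update --add superuser root 770 /usr/bin/gnome-control-center.real`. A one-line comment above the wrapper stating that the 770 override is the actual access control would also help the next maintainer.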
@@ -0,0 +1,157 @@ +#! /usr/bin/env sh + +# We need to run this program only AFTER login, so not graphical.target or whatever, if that +# includes the login manager which also runs in X. + +# This program needs to run as root or superuser so a user can't kill it, +# but at the same time the timer program must run as the regular user to be able to write things to +# screen. +# It's fine if they kill the visual timer as long as they're then logged out automatically or the timer +# continues in the background. + +set -x + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +# Argument handling +ACTIVATE=$1 +MINUTES_TO_LOGOUT=$2 # This sets the default timeout time, which the Cicero script then overwrites +PRE_TIMER_TEXT="${3:-Tid tilbage: }" +HEADS_UP_SECONDS_LEFT=${4:-60} +HEADS_UP_MESSAGE="${5:-Tiden er udløbet om et minut. Husk at gemme dine ting}" + + +# Settings + +# COMMON +export DEBIAN_FRONTEND=noninteractive +SHADOW=".skjult" +EXTENSION_NAME='logout-timer@os2borgerpc.magenta.dk' +LOGOUT_TIMER_CONF="/usr/share/gnome-shell/extensions/$EXTENSION_NAME/config.json" +SESSION_CLEANUP_FILE="/usr/share/os2borgerpc/bin/user-cleanup.bash" +LOGOUT_TIMER_SESSION_CLEANUP_FILE="/usr/share/os2borgerpc/bin/user-cleanup-logout-timer.bash" +OUR_USER="user" + +# LOGOUT_TIMER_ACTUAL: +LOGOUT_TIMER_ACTUAL="/usr/share/os2borgerpc/bin/logout_timer_actual.sh" +LOGOUT_TIMER_ACTUAL_LAUNCHER="/usr/share/os2borgerpc/bin/logout_timer_actual_launcher.sh" +# They might have automatic login enabled or not. We add it to all lightdm programs just in case. 
+LIGHTDM_PAM="/etc/pam.d/lightdm" +LIGHTDM_GREETER_PAM="/etc/pam.d/lightdm-greeter" +LIGHTDM_AUTOLOGIN_PAM="/etc/pam.d/lightdm-autologin" +LIGHTDM_FILES="$LIGHTDM_PAM $LIGHTDM_GREETER_PAM $LIGHTDM_AUTOLOGIN_PAM" +GRACE_PERIOD_MULTIPLIER="1.07" # The root timer has this added to it, to be more certain that it doesn't run out before the gnome extension. Effectively this means thta if the logout timer is set to 60 minutes, the root timer will ensure the user is logged out after around 64 minutes + +# EXTENSION ADDITIONAL SETTINGS: +REPO_NAME="os2borgerpc-gnome-extensions" +EXTENSION_GIT_URL=https://github.com/OS2borgerPC/$REPO_NAME/archive/refs/heads/main.zip + +# TODO: Consider not handling this here, and instead running install.sh with False to remove an extension. But then the repo +# either needs to remain on disk or be downloaded anew just to delete an extension...? +# It seems better to handle it there once for all extensions, instead of re-implementing installation/removal in every +# single extensi1n script +EXTENSION_ACTIVATION_DESKTOP_FILE="/home/$SHADOW/.config/autostart/logout-timer-user.desktop" + +# CLEANUP AFTER PREVIOUS RUNS OF THIS SCRIPT +rm --force /usr/share/os2borgerpc/logout_timer.conf /usr/share/os2borgerpc/bin/logout_timer_visual.sh /home/$SHADOW/.config/autostart/logout-timer_user.desktop +# - This next line is handled in LOGOUT_TIMER_SESSION_CLEANUP_FILE instead +sed --in-place "/pkill -f $(basename $LOGOUT_TIMER_ACTUAL)/d" $SESSION_CLEANUP_FILE +sed --in-place "/pkill -f logout_timer_visual.sh/d" $SESSION_CLEANUP_FILE + +[ $# -lt 2 ] && printf "%s\n" "This script takes at least 2 arguments. Exiting." && exit 1 + +if [ "$ACTIVATE" = 'True' ]; then + # TODO: Do we need to install bc or is come preinstalled? 
+ apt-get install --assume-yes jq + + # Fetch and install gnome extension + BRANCH=main + wget $EXTENSION_GIT_URL + unzip $BRANCH.zip + $REPO_NAME-$BRANCH/install.sh whatever $EXTENSION_NAME true true true + rm -r $BRANCH.zip $REPO_NAME-$BRANCH + + # Now overwrite the testing config with what the user inputted/defaults in this script + cat <<- EOF > $LOGOUT_TIMER_CONF + { + "timeMinutes": $MINUTES_TO_LOGOUT, + "preTimerText": "$PRE_TIMER_TEXT", + "headsUpSecondsLeft": $HEADS_UP_SECONDS_LEFT, + "headsUpMessage": "$HEADS_UP_MESSAGE" + } + EOF + + # A backup timer used to logout if the user-run gnome extension is disabled/killed, running as root + cat <<- EOF > $LOGOUT_TIMER_ACTUAL + #! /usr/bin/env sh + + TIME_MINUTES=\$(jq < $LOGOUT_TIMER_CONF '.timeMinutes') + + # Adding a little to this so they're warned a bit before they're actually logged out + # This is even more important since currently the timers might get out of sync + COUNT=\$(bc <<< "\$TIME_MINUTES * 60 * $GRACE_PERIOD_MULTIPLIER") + + until [ "\$COUNT" -eq "0" ]; do # Countdown loop. + COUNT=\$((COUNT-1)) # Decrement seconds. + sleep 1 + done + + runuser --login user --command "XDG_RUNTIME_DIR=/run/user/$(id -u user) gnome-session-quit --logout --no-prompt" + # Alternate, less graceful approaches: + # 1. PID=who -u && kill OR killall lightdm OR killall gnome-session + EOF + + # Simply a small script that launches the timer in the background and immediately exits + # so the PAM stack continues instead of it waiting for the timer to run out + # Using bash as disown is undefined in sh + cat <<- EOF > $LOGOUT_TIMER_ACTUAL_LAUNCHER + #! /usr/bin/env bash + + $LOGOUT_TIMER_ACTUAL & + disown + EOF + + # Make PAM run LOGOUT_TIMER_ACTUAL_LAUNCHER for user, so it's run as root + # Idempotency: Don't add it multiple times if this script is run more than once + if ! 
grep -q "# OS2borgerPC Timer" $LIGHTDM_GREETER_PAM; then + for f in $LIGHTDM_FILES; do + sed --in-place "/@include common-session/i# OS2borgerPC Timer\nsession [success=1 default=ignore] pam_succeed_if.so user != user\nsession optional pam_exec.so $LOGOUT_TIMER_ACTUAL_LAUNCHER" "$f" + done + fi + + # Modify the cleanup run at logout to also kill remaining timers so they don't persist, affecting + # the next login + # Create a new script to handle cleanup after the logout timer + cat <<- EOF > $LOGOUT_TIMER_SESSION_CLEANUP_FILE + #! /usr/bin/env sh + + pkill -f "$(basename $LOGOUT_TIMER_ACTUAL)" + runuser --login $OUR_USER --command "XDG_RUNTIME_DIR=/run/user/$(id -u $OUR_USER) gnome-extensions disable $EXTENSION_NAME" + EOF + + # Finally append this new cleaner script to the end of user-cleanup + if ! grep -q "$LOGOUT_TIMER_SESSION_CLEANUP_FILE" $SESSION_CLEANUP_FILE; then + echo "$LOGOUT_TIMER_SESSION_CLEANUP_FILE" >> $SESSION_CLEANUP_FILE + fi + + chmod u+x $LOGOUT_TIMER_ACTUAL $LOGOUT_TIMER_ACTUAL_LAUNCHER $LOGOUT_TIMER_SESSION_CLEANUP_FILE + +else # Stop the timers and delete everything related to them + pkill -f "$(basename $LOGOUT_TIMER_ACTUAL)" + gnome-extensions disable $EXTENSION_NAME # Note: Don't do this if we make "disable" run "gnome-session-quit --logout" as well! + + sed --in-place "\@$LOGOUT_TIMER_SESSION_CLEANUP_FILE@d" $SESSION_CLEANUP_FILE + rm -r $LOGOUT_TIMER_ACTUAL $LOGOUT_TIMER_ACTUAL_LAUNCHER $EXTENSION_ACTIVATION_DESKTOP_FILE "$(dirname $LOGOUT_TIMER_CONF)" $LOGOUT_TIMER_SESSION_CLEANUP_FILE + + # Alternate solution: Kill all processes started by user in user-cleanup.sh? Maybe that's a better idea anyway, + # which we should do for everyone in the future? + + for f in $LIGHTDM_FILES; do + sed --in-place "/# OS2borgerPC Timer/d" "$f" + sed --in-place "/session \[success=1 default=ignore\] pam_succeed_if.so user != user/d" "$f" + sed --in-place "\@session optional pam_exec.so $LOGOUT_TIMER_ACTUAL_LAUNCHER@d" "$f" + done +fi 
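Review bot: The generated root-side backup timer (`$LOGOUT_TIMER_ACTUAL`) is written with a `#! /usr/bin/env sh` shebang but computes `COUNT` with `bc <<< "..."`, a bash here-string that dash, the default `sh` on Ubuntu, rejects; and with `GRACE_PERIOD_MULTIPLIER="1.07"` bc returns a decimal such as `3852.00`, which neither `[ "$COUNT" -eq "0" ]` nor `$((COUNT-1))` accepts. Since this timer is the control that is meant to survive the user killing the GNOME extension, it should be made to run: give it a bash shebang (as the launcher already has) and truncate the result, e.g. `COUNT=\$(echo "\$TIME_MINUTES * 60 * $GRACE_PERIOD_MULTIPLIER / 1" | bc)`. Separately, the install path downloads the `main` branch archive from `EXTENSION_GIT_URL` and runs its `install.sh` as root with no pinned commit and no checksum; pointing the URL at a tag or commit archive and comparing a known SHA-256 before `unzip` would bound what gets executed on every client.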
diff --git a/scripts/apt_periodic_control.sh b/scripts/apt_periodic_control.sh
new file mode 100755
index 0000000..10d740c
--- /dev/null
+++ b/scripts/apt_periodic_control.sh
@@ -0,0 +1,89 @@ +#!/bin/bash + +#================================================================ +# HEADER +#================================================================ +#% SYNOPSIS +#+ apt_periodic_control.sh [false|security|all] +#+ apt_periodic_control.sh [falsk|sikkerhed|alt] +#% +#% DESCRIPTION +#% This script controls automatic upgrades and updates. +#% +#% It takes one optional parameter. If this parameter is missing (or if it's +#% either "false" or "falsk"), automatic upgrades will be disabled; if it's +#% "security" or "sikkerhed", automatic security upgrades will be enabled; +#% and if it's anything else, automatic upgrades for all packages will be +#% enabled. +#% +#================================================================ +#- IMPLEMENTATION +#- version apt_periodic_control.sh (magenta.dk) 1.0.0 +#- author Alexander Faithfull +#- copyright Copyright 2019, Magenta ApS +#- license GNU General Public License +#- email af@magenta.dk +#- +#================================================================ +# HISTORY +# 2019/10/16 : af : Script created +# +#================================================================ +# END_OF_HEADER +#================================================================ + +set -ex + +# Stop Debconf from doing anything +export DEBIAN_FRONTEND=noninteractive + +CONF="/etc/apt/apt.conf.d/90os2borgerpc-automatic-upgrades" + +if [ "$1" != "" ] && [ "$1" != "false" ] && [ "$1" != "falsk" ]; then + # Check (quietly) that the unattended-upgrades package is installed, and + # install it if it isn't + if ! 
dpkg -s unattended-upgrades > /dev/null 2>&1; then + apt-get -y install unattended-upgrades + fi + + # Start building the configuration file with two settings, one for + # switching unattended upgrades on and one for automatically downloading + # updated package indexes + cat > "$CONF" <<-END + APT::Periodic::Enable "1"; + APT::Periodic::Unattended-Upgrade "1"; + APT::Periodic::Update-Package-Lists "1"; + END + + # Now empty the list of allowed origins and start by populating it with + # only security-related entries + cat >> "$CONF" <<-END + #clear Unattended-Upgrade::Allowed-Origins; + Unattended-Upgrade::Allowed-Origins { + "\${distro_id}:\${distro_codename}-security" + ; "\${distro_id}ESM:\${distro_codename}" + ; "Google LLC:stable" + END + + # Unless we've been explicitly told we should only add security-related + # entries, then also add everything else + if [ "$1" != "security" ] && [ "$1" != "sikkerhed" ]; then + cat >> "$CONF" <<-END + ; "\${distro_id}:\${distro_codename}" + END + fi + + # Finally, close this scope and conclude the configuration file + cat >> "$CONF" <<-END + }; + END +else + # Switch automatic upgrades off entirely + cat > "$CONF" <<-END + APT::Periodic::Enable "0"; + APT::Periodic::Unattended-Upgrade "0"; + APT::Periodic::Update-Package-Lists "0"; + + #clear Unattended-Upgrade::Allowed-Origins; + END +fi diff --git a/scripts/autostart_program.sh b/scripts/autostart_program.sh new file mode 100755 index 0000000..58bd746 --- /dev/null +++ b/scripts/autostart_program.sh 
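Review bot: Any argument that is not `false`/`falsk` or `security`/`sikkerhed` falls through to enabling upgrades from every origin, and a missing argument switches automatic upgrades off entirely, security fixes included. A mistyped value such as `securty` therefore silently widens the allowed origins, and a run with the parameter left blank removes patching from the machine without any message. Matching the documented values explicitly in a `case "$1" in` statement, with `all|alt` as its own arm and `*) echo "Unknown mode: $1" >&2; exit 1 ;;` as the fallback, keeps the synopsis and the behaviour in step. If disabling by default is intended, a comment next to the `else` branch saying so would make that visible.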
@@ -0,0 +1,59 @@ +#!/usr/bin/env sh + +# DESCRIPTION +# This script either copies a given installed .desktop file to the autostart directory +# or removes a given file from the autostart directory. +# +# To check which scripts are installed on a machine run the script +# "desktop_print_program_list.sh" AKA "Desktop - Vis programliste" with paremeter +# "mulige" to print a full list of eligible files to add to autostart. +# +# PARAMENTERS +# 1. String. The given file's name, e.g. firefox, without the .desktop extension. +# This parameter IS case-sensitive as some applications have +# capitalized characters in their filename. +# 2. Checkbox. Check this box to add the file to the autostart folder. +# Leave it empty to delete the file from the autostart folder instead. + +set -x + +PROGRAM="$1" +ADD="$2" + +AUTOSTART_DIR="/home/.skjult/.config/autostart" +LOCAL_COPY_DIR="/home/.skjult/.local/share/applications" + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +if [ -f "/var/lib/snapd/desktop/applications/${PROGRAM}_$PROGRAM.desktop" ]; then + + INSTALLED_APP_FILE="/var/lib/snapd/desktop/applications/${PROGRAM}_$PROGRAM.desktop" + AUTOSTART_FILE="$AUTOSTART_DIR/${PROGRAM}_$PROGRAM.desktop" + LOCAL_COPY_FILE="$LOCAL_COPY_DIR/${PROGRAM}_$PROGRAM.desktop" +else + INSTALLED_APP_FILE="/usr/share/applications/$PROGRAM.desktop" + AUTOSTART_FILE="$AUTOSTART_DIR/$PROGRAM.desktop" + LOCAL_COPY_FILE="$LOCAL_COPY_DIR/$PROGRAM.desktop" +fi + +mkdir --parents $AUTOSTART_DIR $LOCAL_COPY_DIR + +# Ensure that the local copy exists +if [ ! 
-f "$LOCAL_COPY_FILE" ]; then + cp "$INSTALLED_APP_FILE" "$LOCAL_COPY_FILE" +fi + +# Remove it first, partially because ln even with --force cannot replace it if it's a regular file +rm --force "$AUTOSTART_FILE" + +if [ "$ADD" = "True" ]; then + + echo "Adding $PROGRAM to autostart directory" + + ln --symbolic --force "$LOCAL_COPY_FILE" "$AUTOSTART_FILE" + + exit "$?" +fi diff --git a/scripts/browser_set_default.sh b/scripts/browser_set_default.sh new file mode 100755 index 0000000..dbb1a3d --- /dev/null +++ b/scripts/browser_set_default.sh @@ -0,0 +1,50 @@ +#! /usr/bin/env bash + +# Sets the default browser on a OS2borgerPC for the regular user +# +# Arguments: +# 1: Which browser to set as default. + +set -ex + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +# Expected browsers are either firefox, google-chrome, microsoft-edge +BROWSER=$1 +ALTERNATIVE_BROWSER=$2 +FILE="/etc/xdg/mimeapps.list" + +lower() { + echo "$@" | tr '[:upper:]' '[:lower:]' +} + +# If the alternative browser is set, use that instead +if [ -n "$ALTERNATIVE_BROWSER" ]; then + BROWSER=$(lower "$ALTERNATIVE_BROWSER") +fi + +# Handle snaps, which have names like firefox_firefox.desktop +if [ -d "/snap/$BROWSER" ]; then + DESKTOP_FILE=${BROWSER}_$BROWSER.desktop +else + DESKTOP_FILE=${BROWSER}.desktop +fi + +# Make sure the file exists and has the correct header +if [ ! -f "$FILE" ]; then + cat << EOF > $FILE +[Default Applications] +EOF +fi +# Cleanup the file to prevent duplicate lines +sed -i "\@text/html\|application/xhtml+xml\|x-scheme-handler/http\|x-scheme-handler/https@d" $FILE +# Now set the new default: +cat << EOF >> $FILE +application/xhtml+xml=$DESKTOP_FILE +text/html=$DESKTOP_FILE +x-scheme-handler/http=$DESKTOP_FILE +x-scheme-handler/https=$DESKTOP_FILE +EOF 
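Review bot: `PROGRAM` in autostart_program.sh is used to build the paths handed to `cp`, `rm --force` and `ln` without any check, so a value containing `/` points these root-run commands outside the two intended directories, and an empty or unknown name leaves a dangling symlink because the failed `cp` is ignored (the script runs with `set -x` only). A guard right after the assignment, `case "$PROGRAM" in ""|*/*) echo "Invalid program name" >&2; exit 1 ;; esac`, plus `[ -f "$INSTALLED_APP_FILE" ] || exit 1` before the copy, would cover both. The same unchecked-parameter pattern appears in browser_set_default.sh (with both arguments empty, `/snap/$BROWSER` matches `/snap/` where that directory exists and `_.desktop` is written to `/etc/xdg/mimeapps.list`), in browser_update_launcher.sh (an empty `TARGET_BROWSER` is substituted into the dconf favorites by `sed`) and in change_login_timeout.sh (the value commented "Needs to be an integer" is never tested before it is written to `lightdm.conf`).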
diff --git a/scripts/browser_update_launcher.sh b/scripts/browser_update_launcher.sh
new file mode 100755
index 0000000..f3ae34e
--- /dev/null
+++ b/scripts/browser_update_launcher.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+ echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+ exit 1
+fi
+
+TARGET_BROWSER=$1
+
+DCONF_POLICY="/etc/dconf/db/os2borgerpc.d/02-launcher-favorites"
+
+
+# In 22.04 Firefox is a snap, in 20.04 it's an apt package.
+# Once everyone has upgraded, support for the latter can be removed
+# Chromium is a snap in both 20.04 and 22.04
+if [ -d "/snap/$TARGET_BROWSER" ]; then
+ TARGET_BROWSER="${TARGET_BROWSER}_$TARGET_BROWSER"
+fi
+
+if [ -d "/snap/firefox" ]; then
+ FIREFOX_REPLACEMENT="firefox_firefox"
+else
+ FIREFOX_REPLACEMENT="firefox"
+fi
+
+sed --in-place \
+ --expression "s/$FIREFOX_REPLACEMENT/$TARGET_BROWSER/g" \
+ --expression "s/google-chrome/$TARGET_BROWSER/g" \
+ --expression "s/microsoft-edge/$TARGET_BROWSER/g" \
+ --expression "s/chromium_chromium/$TARGET_BROWSER/g" \
+ $DCONF_POLICY
+
+dconf update
diff --git a/scripts/change_login_timeout.sh b/scripts/change_login_timeout.sh
new file mode 100755
index 0000000..f5f1e47
--- /dev/null
+++ b/scripts/change_login_timeout.sh
@@ -0,0 +1,15 @@
+#! /usr/bin/env sh
+
+# Change the automatic login timeout. Default is 15 seconds.
+
+# Author: mfm@magenta.dk
+
+# Needs to be an integer
+NEW_TIMEOUT_IN_SECONDS=$1
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+ echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+ exit 1
+fi
+
+sed -i "s/\(autologin-user-timeout=\).*/\1$NEW_TIMEOUT_IN_SECONDS/" /etc/lightdm/lightdm.conf
diff --git a/scripts/chrome_chromium_add_remove_extension.sh b/scripts/chrome_chromium_add_remove_extension.sh
new file mode 100644
index 0000000..8ccab3b
--- /dev/null
+++ b/scripts/chrome_chromium_add_remove_extension.sh
@@ -0,0 +1,64 @@
+#! /bin/bash
+
+# Ref: https://chromeenterprise.google/policies/#ExtensionSettings
+
+# This script can:
+# 1. Create an ExtensionSettings policy if none exists.
+# 2. Add/remove a list(1..*) of Chrome Extensions to/from the ExtensionSettings file.
+# 3. Remove the ExtensionSettings policy.
+
+# Authors: Heini Leander Ovason
+
+set -x
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+ echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+ exit 1
+fi
+
+ACTIVATE=$1
+EXTENSIONS_ARRAY=$2
+
+POLICIES_DIR="/etc/opt/chrome/policies/managed"
+POLICY_FILE="os2borgerpc-extension-settings.json"
+
+if [ "$ACTIVATE" = 'True' ]; then
+
+ if [ ! -d "$(dirname "$POLICY_FILE")" ]; then
+ mkdir --parents "$(dirname "$POLICY_FILE")"
+ fi
+
+ EXTENSIONS_DICT=""
+ if [ -n "$EXTENSIONS_ARRAY" ]; then
+ IFS=',' read -ra EXTENSIONS_ARRAY <<< "$EXTENSIONS_ARRAY"
+ ARR_LEN="${#EXTENSIONS_ARRAY[@]}"
+
+ C=0
+ for EXTENSION in "${EXTENSIONS_ARRAY[@]}"
+ do
+ DICT_TEMPLATE="\"$EXTENSION\": {
+ \"installation_mode\": \"force_installed\",
+ \"toolbar_pin\": \"force_pinned\",
+ \"update_url\": \"https://clients2.google.com/service/update2/crx\"
+ }"
+ C=$((C+1))
+ if [ "$C" -eq "$ARR_LEN" ]; then
+ EXTENSIONS_DICT+=" $DICT_TEMPLATE"
+ else
+ EXTENSIONS_DICT+="$DICT_TEMPLATE,
+"
+ fi
+ done
+ fi
+
+ cat << EOF > "$POLICIES_DIR/$POLICY_FILE"
+{
+ "ExtensionSettings": {
+ $EXTENSIONS_DICT
+ }
+}
+EOF
+
+else
+ rm "$POLICIES_DIR/$POLICY_FILE"
+fi
diff --git a/scripts/chrome_chromium_policy_homepage.sh b/scripts/chrome_chromium_policy_homepage.sh
new file mode 100755
index 0000000..b7d9405
--- /dev/null
+++ b/scripts/chrome_chromium_policy_homepage.sh
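Review bot: The directory check tests `dirname "$POLICY_FILE"`, but `POLICY_FILE` is a bare file name, so `dirname` yields `.` and `$POLICIES_DIR` is never created; on a machine without an existing Chrome policy directory the `cat << EOF > "$POLICIES_DIR/$POLICY_FILE"` redirect fails and, with only `set -x` active, the script carries on without a policy. Replacing the three-line `if` with `mkdir --parents "$POLICIES_DIR"` fixes it. Extension IDs are also pasted into the JSON unvalidated; if only store IDs are expected (32 characters from `a`–`p`), a check such as `[[ "$EXTENSION" =~ ^[a-p]{32}$ ]] || continue` keeps a stray quote or space from producing a policy file Chrome cannot parse. The removal branch would be idempotent with `rm --force`.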
@@ -0,0 +1,69 @@ +#!/usr/bin/env bash + +# SYNOPSIS +# chrome_policy_homepage.sh [URL] +# +# DESCRIPTION +# This script adds a Google Chrome policy that defines a homepage, adds +# the "Home" button to the main browser bar, and causes the homepage to +# be opened automatically when the browser starts. +# +# Adding a Google Chrome policy does not require that Google Chrome is +# already installed, although obviously the policy won't take effect +# until it has been. +# +# It takes one optional parameter: the URL to set as the homepage. If +# this parameter is missing or empty, the existing policy will be +# deleted, if there is one. +# +# IMPLEMENTATION +# version chrome_policy_homepage.sh (magenta.dk) 1.0.0 +# author Alexander Faithfull +# copyright Copyright 2019, Magenta ApS +# license GNU General Public License +# email af@magenta.dk +# +# DEVELOPER NOTES +# The policies we set and why: +# +# ShowHomeButton: A button to go back to the home page. Not crucial. +# HomepageIsNewTabPage: Don't allow someone to override the homepage with the new tab page +# HomepageLocation: Sets the page the HomeButton links to, if visible. Confusingly this does not set the homepage that Chrome opens on startup! +# RestoreOnStartup: Controls what happens on startup. Also prevents users from changing the startup URLs when reopening the browser without logging out of the OS first. Possibly not needed with Guest mode, incognito or ephemeral. +# RestoreOnStartupURLs: This is, confusingly, what can actually control the homepage, but only if RestoreOnStartup is set to "4". + +set -x + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." 
+ exit 1 +fi + +HOMEPAGE_POLICY="/etc/opt/chrome/policies/managed/os2borgerpc-homepage.json" +mkdir --parents "$(dirname "$HOMEPAGE_POLICY")" + +STARTPAGE="$1" +ADDITIONAL_PAGES="$2" + +PAGES_STRING="" +if [ -n "$ADDITIONAL_PAGES" ]; then + IFS='|' read -ra PAGES_ARRAY <<< "$ADDITIONAL_PAGES" + + for PAGE in "${PAGES_ARRAY[@]}" + do + PAGES_STRING+="\"$PAGE\"," + done +fi + +cat > "$HOMEPAGE_POLICY" < POLICIES: + # + # The policies we set and why + # + # Lockdown: + # AutofillAddressEnabled: Disable Autofill of addresses + # AutofillCreditCardEnabled: Disable Autofill of payment methods + # BrowserAddPersonEnabled: Make it impossible to add a new Profile. Doesn't lock down editing a Profile, but it gets some of the way. + # BrowserSignin: Disable sync/login with own google account + # DeveloperToolsAvailability: Disables access to developer tools, where someone could make changes to a website + # EnableMediaRouter: Disable Chrome Cast support + # ExtensionInstallBlocklist: With the argument * it blocks installing any extension + # ForceEphemeralProfiles: Clear Profiles on browser close automatically, for privacy reasons + # PaymentMethodQueryEnabled: Prevent websites from checking if the user has saved payment methods + # + # Various: + # BrowserGuestModeEnabled: Allow people to start a guest session, if they want, so history isn't even temporarily recorded. Not crucial. + # BrowsingDataLifetime: Continuously remove all browsing data after 1 hour (the minimum possible), + # except "cookies_and_other_site_data" and "password_signin", + # because the visitor might be at the computer and still signed in to something. + # DefaultBrowserSettingEnabled: Don't check if it's default browser. Irrelevant for visitors, and maybe you want Firefox as default. 
+ # MetricsReportingEnabled: Disable some of Googles metrics, for privacy reasons + # PasswordManagerEnabled: Don't try to save passwords on a public machine used by many people + # PrivacySandboxPromptEnabled: Don't prompt about enabling (some) ad tracking + # PrivacySandboxSiteEnabledAdsEnabled: Disable (some) ad tracking + + # Additional info on the many policies that can be set: + # https://support.google.com/chrome/a/answer/187202?hl=en + # + # Blocked URLs + # + # chrome://accessibility: It seems to have what's essentially a builtin keylogger?! + # chrome://extensions: Extension settings can be changed here, and extensions enabled/disabled + # chrome://flags: Experimental features can be enabled/disabled here. + + # Cleanup our previous policies if they're around (except the homepage) + rm --force /etc/opt/chrome/policies/managed/os2borgerpc-default-hp.json /etc/opt/chrome/policies/managed/os2borgerpc-login.json + + # Create the new policies + POLICY="/etc/opt/chrome/policies/managed/os2borgerpc-defaults.json" + + mkdir --parents "$(dirname "$POLICY")" + + cat > "$POLICY" << END +{ + "AutofillAddressEnabled": false, + "AutofillCreditCardEnabled": false, + "BrowserAddPersonEnabled": false, + "BrowserGuestModeEnabled": true, + "BrowserSignin": 0, + "BrowsingDataLifetime": [ + { + "data_types": [ + "autofill", + "browsing_history", + "cached_images_and_files", + "download_history", + "hosted_app_data", + "site_settings" + ], + "time_to_live_in_hours": 1 + } + ], + "DefaultBrowserSettingEnabled": false, + "DeveloperToolsAvailability": 2, + "EnableMediaRouter": false, + "ExtensionInstallBlocklist": [ + "*" + ], + "ForceEphemeralProfiles": true, + "MetricsReportingEnabled": false, + "PasswordManagerEnabled": false, + "PaymentMethodQueryEnabled": false, + "PrivacySandboxPromptEnabled": false, + "PrivacySandboxSiteEnabledAdsEnabled": false, + "URLBlocklist": [ + "chrome://accessibility", + "chrome://extensions", + "chrome://flags" + ] +} +END + + # This entire policy 
file is overwritten if you later run the script to change the homepage + # We set it here too so all machines have a startpage set, to prevent someone from manually setting the homepage to + # some malicious site + HOMEPAGE_POLICY="/etc/opt/chrome/policies/managed/os2borgerpc-homepage.json" + if [ ! -f $HOMEPAGE_POLICY ]; then +cat > "$HOMEPAGE_POLICY" <<- END +{ + "HomepageLocation": "https://borger.dk", + "RestoreOnStartup": 4, + "ShowHomeButton": true, + "HomepageIsNewTabPage": false, + "RestoreOnStartupURLs": [ + "https://borger.dk" + ] +} +END + fi + + # Set the default search provider to Google so Chrome stops asking every time + # the browser is opened. + # Chrome will default to using Google if we leave DefaultSearchProviderSearchURL + # blank + SEARCH_POLICY="/etc/opt/chrome/policies/managed/os2borgerpc-search-provider.json" + if [ ! -f "$SEARCH_POLICY" ]; then + cat > "$SEARCH_POLICY" <<- END +{ + "DefaultSearchProviderEnabled": true, + "DefaultSearchProviderSearchURL": "" +} +END + fi +} +### END SHARED BLOCK BETWEEN CHROMIUM BROWSERS: CHROMIUM, CHROME ### + +# Takes a parameter to add to Chrome and a list of .desktop files to add it to +add_to_desktop_files() { + PARAMETER="$1" + shift # Now remove the parameter so we can loop over what remains: The files + for FILE in "$@"; do + # Only continue if the particular file exists + if [ -f "$FILE" ]; then + # Don't add the parameter multiple times (idempotency) + if ! grep --quiet -- "$PARAMETER" "$FILE"; then + # Note: Using a different delimiter here than in the maximized script, + # as "," is part of the string + sed --in-place "s@\(Exec=/usr/bin/google-chrome-stable\)\(.*\)@\1 $PARAMETER\2@" "$FILE" + fi + fi + done +} + +# Determine the name of the user desktop directory. This is done via xdg-user-dir, +# which checks the /home/user/.config/user-dirs.dirs file. To ensure this file exists, +# we run xdg-user-dirs-update, which generates it based on the environment variable +# LANG. 
This variable is empty in lightdm so we first export it +# based on the value stored in /etc/default/locale +export "$(grep LANG= /etc/default/locale | tr -d '"')" +runuser -u user xdg-user-dirs-update +DESKTOP=$(basename "$(runuser -u user xdg-user-dir DESKTOP)") + +DESKTOP_FILE_PATH_1=/usr/share/applications/google-chrome.desktop +# In case a Chrome shortcut has been added to the desktop +DESKTOP_FILE_PATH_2=/home/$USER/$DESKTOP/google-chrome.desktop +# In case chrome_autostart.sh has been executed +DESKTOP_FILE_PATH_3=/home/$USER/.config/autostart/chrome.desktop +FILES="$DESKTOP_FILE_PATH_1 $DESKTOP_FILE_PATH_2 $DESKTOP_FILE_PATH_3" + +PACKAGE="google-chrome-stable" + +if [ "$INSTALL" = "True" ]; then + + wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - + echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list + apt-get update --assume-yes + # If the package manager is in an inconsistent state fix that first + apt-get install --assume-yes --fix-broken + apt-get install --assume-yes $PACKAGE + + setup_policies + + # Chrome: Disable its own check for updates + # It would be more elegant to control this via a policy, but unfortunately that does not seem to be possible currently + # Add this launch argument to all desktop files in case the customer's + # already have e.g. a desktop shortcut for it, which would otherwise launch + # Chrome without disabling its check for updates + # shellcheck disable=SC2086 # We want to split the files back into separate arguments + add_to_desktop_files "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" $FILES + dconf update # Extra insurance that the change takes effect +else + # Not removing the policies because Chromium may use them, and rerunning Chrome - Install overwrites them anyway. + apt-get remove --assume-yes $PACKAGE +fi 
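Review bot: The install branch adds Google's signing key with `apt-key add -` and registers the repository over plain `http://`, so the key lands in APT's global trusted keyring and is accepted for every configured repository, not only this one. `apt-key` is also deprecated on the Ubuntu 22.04 target. Storing the dearmored key in its own file and referencing it from the source line, for example `deb [arch=amd64 signed-by=/etc/apt/keyrings/google-chrome.gpg] https://dl.google.com/linux/chrome/deb/ stable main` (keyring path chosen here as an example), scopes the trust to this source. The text between the homepage script's heredoc and the policy comments is missing from the page, so where `INSTALL` and `USER` get their values cannot be checked from here; if `USER` is not set to the public account, the two `/home/$USER/...` desktop-file paths would not point at that user's files.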
diff --git a/scripts/chromium_autostart.sh b/scripts/chromium_autostart.sh
new file mode 100644
index 0000000..cb83509
--- /dev/null
+++ b/scripts/chromium_autostart.sh
@@ -0,0 +1,345 @@ +#!/bin/bash + +# Make Chromium autostart, fx. in preparation for OS2Display. + +# Policies: +# AutofillAddressEnabled: Disable Autofill of addresses +# AutofillCreditCardEnabled: Disable Autofill of payment methods +# AutoplayAllowed: Allow auto-playing content. Relevant for displaying videos without user input? +# PasswordManagerEnabled: Disables the password manager, which should also prevent autofilling passwords +# TranslateEnabled: Don't translate or prompt for translation of content that isn't in the current locale on a computer that's often userless +# +# Launch args: +# Note: Convert these to policies if it is or becomes possible! +# --enable-offline-auto-reload: This should reload all pages if the browser lost internet access and regained it +# --password-store=basic: Don't prompt user to unlock GNOME keyring on a computer that's often userless + +set -ex + +# Separates the programmatic value from the text description +get_value_from_option() { + echo "$1" | cut --delimiter ":" --fields 1 +} + +TIME=$1 +URL=$2 +WIDTH=$3 +HEIGHT=$4 +ORIENTATION=$5 +LOCK_DOWN_KEYBINDS=$(get_value_from_option "$6") # 0: No binds removed, 1: Most binds removed, 2: All binds removed (specifically most + binds for printing, reloading and changing zoom) + +CUSER="chrome" +XINITRC="/home/$CUSER/.xinitrc" +BSPWM_CONFIG="/home/$CUSER/.config/bspwm/bspwmrc" +CHROMIUM_SCRIPT='/usr/share/os2borgerpc/bin/start_chromium.sh' +ROTATE_SCREEN_SCRIPT_PATH="/usr/share/os2borgerpc/bin/rotate_screen.sh" +OLD_ROTATE_SCREEN_SCRIPT_PATH="/usr/local/bin/rotate_screen.sh" +ENVIRONMENT_FILE="/etc/environment" +AUTOLOGIN_SCRIPT="/usr/share/os2borgerpc/bin/autologin.sh" +AUTOLOGIN_COUNTER="/etc/os2borgerpc/login_counter.txt" +COUNTER_RESET_SERVICE="/etc/systemd/system/reset_login_counter.service" +REBOOT_SCRIPT="/usr/share/os2borgerpc/bin/chromium_error_reboot.sh" +MAXIMUM_CONSECUTIVE_AUTOLOGINS=3 +# We use xbindkeys to disable some keyboard shortcuts in case people connect a keyboard 
to their Kiosk computer. +XBINDKEYS_CONFIG=/home/$CUSER/.xbindkeysrc + +if ! get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en regulær OS2borgerPC-maskine." + exit 1 +fi + +# Create user. +# TODO: This is now built into the image instead, but for now it's kept here for backwards compatibility with old images +# Remove this after 2025-04, when 20.04 is out of support. +# useradd will fail on multiple runs, so prevent that +if ! id $CUSER > /dev/null 2>&1; then + useradd $CUSER --create-home --password 12345 --shell /bin/bash --user-group --comment "Chrome" +fi + +# Autologin default user +mkdir --parents /etc/systemd/system/getty@tty1.service.d + +# Note: The empty ExecStart is not insignificant! +# By default the value is appended, so the empty line changes it to an override +# We make agetty use our own login-program instead of /bin/login +# so we can customize the behavior +cat << EOF > /etc/systemd/system/getty@tty1.service.d/override.conf +[Service] +ExecStart= +ExecStart=-/sbin/agetty --noissue --login-program $AUTOLOGIN_SCRIPT --autologin $CUSER %I $TERM +Type=idle +EOF + +# Create the autologin script + +# Ensure that the folder exists +mkdir --parents "$(dirname $AUTOLOGIN_SCRIPT)" + +cat << EOF > $AUTOLOGIN_SCRIPT +#! 
/usr/bin/env bash +COUNTER=\$(cat $AUTOLOGIN_COUNTER) +COUNTER=\$((COUNTER+1)) +echo \$COUNTER > $AUTOLOGIN_COUNTER +if [ \$COUNTER -le $MAXIMUM_CONSECUTIVE_AUTOLOGINS ]; then + if [ \$COUNTER -gt 1 ]; then + # Sleep before autologin attempts other than the first + sleep 10 + fi + # Autologin as $CUSER + /bin/login -f $CUSER +else + # Regular login prompt + /bin/login +fi +EOF + +# To maintain the functionality of the error reboot script +if [ -f "$REBOOT_SCRIPT" ]; then + sed --in-place --expression "\@else@{ n; n; s@/bin/login@$REBOOT_SCRIPT@ }" \ + --expression "s/Regular login prompt/Reboot the computer/" $AUTOLOGIN_SCRIPT +fi + +chmod 700 $AUTOLOGIN_SCRIPT + +# Create login counter +echo "0" > $AUTOLOGIN_COUNTER + +# Create service to reset counter when +# the computer is booted +cat << EOF > $COUNTER_RESET_SERVICE +[Unit] +Description=Reset the autologin counter when the computer starts + +[Service] +Type=oneshot +ExecStart=sh -c 'echo "0" > $AUTOLOGIN_COUNTER' + +[Install] +WantedBy=multi-user.target +EOF + +systemctl enable --now "$(basename $COUNTER_RESET_SERVICE)" + +# Create script to rotate screen + +# ...remove the rotate script from its previous location +rm --force $OLD_ROTATE_SCREEN_SCRIPT_PATH + +cat << EOF > $ROTATE_SCREEN_SCRIPT_PATH +#!/usr/bin/env sh + +set -x + +TIME=\$1 +ORIENTATION=\$2 + +sleep \$TIME + +export XAUTHORITY=/home/$CUSER/.Xauthority + +# --listactivemonitors lists the primary monitor first +ALL_MONITORS=\$(xrandr --listactivemonitors | tail -n +2 | cut --delimiter ' ' --fields 6) + +# Make all connected monitors display what the first monitor displays, rather than them extending the desktop +PRIMARY_MONITOR=\$(echo "\$ALL_MONITORS" | head -n 1) +OTHER_MONITORS=\$(echo "\$ALL_MONITORS" | tail -n +2) +echo "\$OTHER_MONITORS" | xargs -I {} xrandr --output {} --same-as "\$PRIMARY_MONITOR" + +# Rotate screen - and if more than one monitor, rotate them all. 
+echo "\$ALL_MONITORS" | xargs -I {} xrandr --output {} --rotate \$ORIENTATION +EOF + +chmod +x $ROTATE_SCREEN_SCRIPT_PATH + + +# Kiosk mode cannot currently be set via policy +# so we set the value in the environment file +# To prevent overwriting changes made by other scripts +# we only set the value if it does not exist +if ! grep --quiet "BPC_KIOSK" $ENVIRONMENT_FILE; then + echo 'BPC_KIOSK="--kiosk"' >> $ENVIRONMENT_FILE +fi + +# Create a script dedicated to launch chromium, which both xinit or any wm +# launches, to avoid logic duplication, fx. having to update chromium settings +# in multiple files +# If this script's path/name is changed, remember to change it in +# wm_keyboard_install.sh as well +mkdir --parents "$(dirname "$CHROMIUM_SCRIPT")" + +# TODO: Make URL a policy instead ("RestoreOnStarupURLs", see chrome_install.sh) +# password-store=basic and enable-offline-auto-reload do not exist as policies so we add them as flags. +cat << EOF > "$CHROMIUM_SCRIPT" +#!/bin/sh + +DIMENSIONS=\$(xrandr | grep '*' | awk '{print \$1}') + +WM=\$1 +IURL="$URL" + +# Check if WIDTH is provided; if not, fall back to default from xrandr +if [ "$WIDTH" = "auto" ]; then + IWIDTH="\$(echo \$DIMENSIONS | cut -d'x' -f1)" +else + IWIDTH="$WIDTH" +fi + +# Check if HEIGHT is provided; if not, fall back to default from xrandr +if [ "$HEIGHT" = "auto" ]; then + IHEIGHT="\$(echo \$DIMENSIONS | cut -d'x' -f2)" +else + IHEIGHT="$HEIGHT" +fi + +COMMON_SETTINGS="--password-store=basic --enable-offline-auto-reload" + + +if [ "$WIDTH" = "auto" ] || [ "$HEIGHT" = "auto" ]; then + if [ "$ORIENTATION" = "left" ] || [ "$ORIENTATION" = "right" ] ; then + TEMP=\$IWIDTH + IWIDTH=\$IHEIGHT + IHEIGHT=\$TEMP + fi +fi + + +if [ "\$WM" == "wm" ]; then + chromium-browser "\$BPC_KIOSK" "\$IURL" "\$COMMON_SETTINGS" +else + exec chromium-browser "\$BPC_KIOSK" "\$IURL" --window-size="\$IWIDTH,\$IHEIGHT" --window-position=0,0 "\$COMMON_SETTINGS" +fi +EOF +chmod +x "$CHROMIUM_SCRIPT" + +if [ 
"$LOCK_DOWN_KEYBINDS" -lt "1" ]; then + rm --force $XBINDKEYS_CONFIG +else + XBINDKEYS_MAYBE='xbindkeys &' + # Attempt at preventing everything except reload, print and zoom + cat << EOF > $XBINDKEYS_CONFIG +# Prevent saving the page +"" + control + s + +# Prevent closing tabs/windows/the browser +"" + control + w +"" + control + shift + w + +# Prevent opening new tabs +"" + control + t +"" + control + shift + t + +# Prevent opening new windows +"" + control + n +"" + control + shift + n + +# Prevent opening the tab selection window +"" + control + shift + a + +# Prevent bookmarking +"" + control + d +"" + control + shift + d +"" + control + shift + o + +# Prevent opening a file from disk +"" + control + o + +# Prevent opening history +"" + control + h + +# Prevent opening download history +"" + control + j + +# Prevent closing the browser, f has to be uppercase for it to work +"" + alt + F4 + +# Prevent selecting all text +"" + control + 7 +EOF + # Additionally prevent print, reload and zoom + if [ "$LOCK_DOWN_KEYBINDS" -gt "1" ]; then + cat << EOF >> $XBINDKEYS_CONFIG +# Additionally prevent reloading, printing and changing zoom + +# Prevent reloading +"" + control + r + +# Prevent printing +"" + control + p + +# Prevent changing zoom +"" + control + 0 +"" + control + shift + 0 +"" + control + plus +"" + control + shift + plus +"" + control + minus +"" + control + shift + minus +"" + control + KP_Add +"" + control + KP_Subtract +EOF + fi +fi + +# Launch chromium upon starting up X +cat << EOF > $XINITRC +#!/bin/sh + +xset s off +xset s noblank +xset -dpms + +$ROTATE_SCREEN_SCRIPT_PATH $TIME $ORIENTATION + +$XBINDKEYS_MAYBE + +# Launch chromium with its non-WM settings +exec $CHROMIUM_SCRIPT nowm +EOF + +# If bspwm config (for the onscreen keyboard) is found, restore starting it up instead of starting chromium directly +if [ -f $BSPWM_CONFIG ]; then +# Don't auto-start chromium from xinitrc + sed -i "s,\(.*$CHROMIUM_SCRIPT.*\),#\1," $XINITRC + + # Instead 
autostart bspwm + cat <<- EOF >> $XINITRC + exec bspwm + EOF +fi + +# Start X upon login +PROFILE="/home/$CUSER/.profile" +if ! grep --quiet -- 'exit' $PROFILE; then # Ensure idempotency + # This first line cleans up after previous versions of the script + sed --in-place --expression "/startx/d" --expression "/for i in/d" --expression "/sleep/d" \ + --expression "/done/d" --expression "/chromium_error_reboot/d" $PROFILE + cat << EOF >> $PROFILE +startx +exit +EOF +fi diff --git a/scripts/chromium_install.sh b/scripts/chromium_install.sh new file mode 100644 index 0000000..aa251b6 --- /dev/null +++ b/scripts/chromium_install.sh 
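Review bot: `useradd $CUSER --create-home --password 12345 ...` in the "Create user" block does not set a usable password, because `--password` expects an already-hashed value; the literal `12345` is stored as the hash field, so it reads like a weak default credential while only disabling password login by accident. The account logs in through `/bin/login -f $CUSER`, so the flag can be dropped and password login is then disabled on purpose: `useradd $CUSER --create-home --shell /bin/bash --user-group --comment "Chrome"`. A comment such as `# No password: the kiosk user only logs in via autologin` would record the intent.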
@@ -0,0 +1,101 @@ +#! /usr/bin/env sh + +# Minimal install of X and Chromium and connectivity. + +# Not set -x because otherwise it prints out the contents of LOG_OUT as well, and so the output XML is invalid again... +set -e + +if ! get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en regulær OS2borgerPC-maskine." + exit 1 +fi + +# Log output in English, please. More useable as search terms when debugging. +export LANG=en_US.UTF-8 +export DEBIAN_FRONTEND=noninteractive + +apt-get update --assume-yes + +apt-get install --assume-yes xinit xserver-xorg-core x11-xserver-utils --no-install-recommends --no-install-suggests +apt-get install --assume-yes xdg-utils xserver-xorg-video-qxl xserver-xorg-video-intel xserver-xorg-video-all xserver-xorg-input-all libleveldb-dev xbindkeys + +# This section is a workaround to handle an error in Ubuntu server 22.04 +# that causes certain snap installs to trigger DNS problems on wifi. +# Chromium is only available as a snap and is one of the affected snaps. +# The workaround installs a service that periodically restarts +# systemd-resolved if it fails to ping google.com. +# If "snap install chromium" can run via wifi without causing DNS problems +# then the workaround is no longer necessary +if lsb_release -d | grep --quiet 22; then + DNS_FIX_SCRIPT="/usr/local/lib/os2borgerpc/DNS_fix.py" + DNS_FIX_SERVICE="/etc/systemd/system/os2borgerpc-DNS_fix.service" + mkdir --parents "$(dirname $DNS_FIX_SCRIPT)" + cat << EOF > $DNS_FIX_SCRIPT +#! 
/usr/bin/env python3 + +import os +import subprocess +import time + +def main(): + while True: + time.sleep(20) + wifi_check = os.system("ping -c 1 google.com") + # If ping fails, restart systemd-resolved + if wifi_check != 0: + subprocess.run(["systemctl", "restart", "systemd-resolved"]) + +if __name__ == '__main__': + main() +EOF + + chmod 700 $DNS_FIX_SCRIPT + + cat < $DNS_FIX_SERVICE +[Unit] +Description=OS2borgerPC Kiosk restart systemd-resolved service + +[Service] +Type=simple +ExecStart=$DNS_FIX_SCRIPT + +[Install] +WantedBy=multi-user.target +EOF + + systemctl enable --now "$(basename "$DNS_FIX_SERVICE")" +fi + +printf '%s\n' "The following output from chromium install is base64 encoded. Why?:" \ + "Chromium-install writes 'scroll'-comments to keep progress to a single line instead of taking up the entire screen," \ + "and this currently results in invalid XML, when the answer is sent back to the server" +printf '\n' + +# Chromium is only available as a snap and will also be installed as +# a snap when using apt-get install +LOG_OUTPUT=$(apt-get install --assume-yes chromium-browser) +# Save exit status so we get the exit status of apt rather than from base64 +EXIT_STATUS=$? +echo "$LOG_OUTPUT" | base64 + +CHROMIUM_POLICY_FILE="/var/snap/chromium/current/policies/managed/os2borgerpc-defaults.json" +mkdir --parents "$(dirname "$CHROMIUM_POLICY_FILE")" +cat << EOF > $CHROMIUM_POLICY_FILE +{ + "AutofillAddressEnabled": false, + "AutofillCreditCardEnabled": false, + "AutoplayAllowed": true, + "PasswordManagerEnabled": false, + "TranslateEnabled": false +} +EOF + +# This section is related to the above workaround +# and removes the related service once it is no longer needed +if lsb_release -d | grep --quiet 22; then + systemctl disable --now "$(basename "$DNS_FIX_SERVICE")" + systemctl restart systemd-resolved + rm --force "$DNS_FIX_SCRIPT" "$DNS_FIX_SERVICE" +fi + +exit $EXIT_STATUS 
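Review bot: With `set -e` active, a failing `LOG_OUTPUT=$(apt-get install --assume-yes chromium-browser)` ends the script at that line, so `EXIT_STATUS=$?` never sees a non-zero status, the base64 log is not printed, and the closing block that disables and removes the DNS-fix service is skipped. On the `22` branch that leaves a system service without a `User=` setting enabled after a failed install, pinging google.com every 20 seconds and restarting systemd-resolved on failure. Capturing the status on the same command keeps the rest of the script running: `EXIT_STATUS=0` followed by `LOG_OUTPUT=$(apt-get install --assume-yes chromium-browser) || EXIT_STATUS=$?`.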
diff --git a/scripts/dconf_change_login_bg.sh b/scripts/dconf_change_login_bg.sh
new file mode 100755
index 0000000..0b5113e
--- /dev/null
+++ b/scripts/dconf_change_login_bg.sh
@@ -0,0 +1,45 @@
+#! /usr/bin/env sh
+
+# Sets new background image on login-screen
+
+set -x
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+ echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+ exit 1
+fi
+
+ACTIVATE=$1
+IMAGE_UPLOAD=$2
+IMAGE_NAME=$(basename "$IMAGE_UPLOAD")
+
+mv "$IMAGE_UPLOAD" "/usr/share/backgrounds/"
+
+# Change these three to set a different policy to another value
+POLICY_PATH="com/canonical/unity-greeter"
+POLICY="background"
+POLICY_VALUE="'/usr/share/backgrounds/$IMAGE_NAME'"
+
+POLICY_FILE="/etc/dconf/db/os2borgerpc.d/06-login-screen-bg-image"
+POLICY_LOCK_FILE="/etc/dconf/db/os2borgerpc.d/locks/06-login-screen-bg-image"
+
+
+if [ "$ACTIVATE" = 'True' ]; then
+
+ cat > "$POLICY_FILE" <<-END
+ [$POLICY_PATH]
+ draw-user-backgrounds=false
+ $POLICY=$POLICY_VALUE
+ END
+ # Tell the system that the values of the dconf keys we've just set can no
+ # longer be overridden by the user
+ cat > "$POLICY_LOCK_FILE" <<-END
+ /$POLICY_PATH/$POLICY
+ END
+else
+ rm --force "$POLICY_FILE" "$POLICY_LOCK_FILE"
+ rm POLICY_VALUE
+fi
+
+# Incorporate all of the text files we've just created into the system's dconf databases
+dconf update
diff --git a/scripts/dconf_desktop_background.sh b/scripts/dconf_desktop_background.sh
new file mode 100755
index 0000000..abb21a3
--- /dev/null
+++ b/scripts/dconf_desktop_background.sh
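Review bot: `rm POLICY_VALUE` in the else branch removes a file literally named `POLICY_VALUE` in the working directory; the `$` is missing, and even `$POLICY_VALUE` would not work because that variable holds the path wrapped in single quotes for dconf. The uploaded image has also already been moved into `/usr/share/backgrounds/` before `ACTIVATE` is checked, so deactivating leaves it there. `rm --force "/usr/share/backgrounds/$IMAGE_NAME"` removes the intended file, and guarding it with `[ -n "$IMAGE_NAME" ]` avoids pointing `rm` at the directory itself when no image is passed.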
@@ -0,0 +1,69 @@ +#!/usr/bin/env sh + +# SYNOPSIS +# dconf_policy_desktop.sh [FILE] +# +# DESCRIPTION +# This script changes and locks the desktop background for all users on the +# system using a dconf lock. +# +# It requires one parameter: the path to the desktop background. +# The second parameter is optional and relates to picture option, it defaults to "zoom". +# Picture options accept: zoom, centered, stretched, spanned, wallpaper, scaled +# +# IMPLEMENTATION +# copyright Copyright 2022, Magenta ApS +# license GNU General Public License + +set -x + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +lower() { + echo "$@" | tr '[:upper:]' '[:lower:]' +} + +IMAGE_FILE=$1 +OPTION_VALUE=$(lower "$2") +POLICY_FILE="/etc/dconf/db/os2borgerpc.d/00-background" +POLICY_LOCK_FILE="/etc/dconf/db/os2borgerpc.d/locks/00-background" + +# Delete the previous lock file (its name has changed) +rm --force /etc/dconf/db/os2borgerpc.d/locks/background + +if [ -n "$IMAGE_FILE" ]; then + + if [ -n "$OPTION_VALUE" ]; then + if ! 
echo "$OPTION_VALUE" | grep --ignore-case --extended-regexp "^(zoom|centered|stretched|wallpaper|scaled|none)$"; then + echo "The second parameter must be one of: zoom, centered, stretched, wallpaper, scaled, none" + exit 1 + fi + else + OPTION_VALUE="zoom" + fi + + # Copy the new desktop background into the appropriate folder + LOCAL_PATH="/usr/share/backgrounds/$(basename "$IMAGE_FILE")" + cp "$IMAGE_FILE" "$LOCAL_PATH" + + cat > "$POLICY_FILE" <<-END + [org/gnome/desktop/background] + picture-uri='file://$LOCAL_PATH' + picture-options='$OPTION_VALUE' + END + # Tell the system that the values of the dconf keys we've just set can no + # longer be overridden by the user + cat > "$POLICY_LOCK_FILE" <<-END + /org/gnome/desktop/background/picture-uri + /org/gnome/desktop/background/picture-options + END +else + printf "This script requires one parameter: The path to a file to be set as background" + exit 1 +fi + +# Incorporate all of the text files we've just created into the system's dconf databases +dconf update diff --git a/scripts/dconf_gnome_lock_menu_editing.sh b/scripts/dconf_gnome_lock_menu_editing.sh new file mode 100755 index 0000000..b09d959 --- /dev/null +++ b/scripts/dconf_gnome_lock_menu_editing.sh @@ -0,0 +1,21 @@ +#! /usr/bin/env sh + +ACTIVATE=$1 + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +POLICY_LOCK_FILE=/etc/dconf/db/os2borgerpc.d/locks/02-launcher-favorites + +# Locks the menu so it can't be edited (adding/removing/moving items in the menu) +if [ "$ACTIVATE" = 'True' ]; then + cat <<- EOF > $POLICY_LOCK_FILE + /org/gnome/shell/favorite-apps + EOF +else + rm $POLICY_LOCK_FILE +fi + +dconf update diff --git a/scripts/dconf_run_prompt_toggle.sh b/scripts/dconf_run_prompt_toggle.sh new file mode 100755 index 0000000..efac23c --- /dev/null +++ b/scripts/dconf_run_prompt_toggle.sh 
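Review bot: The header comment of dconf_desktop_background.sh lists `spanned` as an accepted picture option, but the validation pattern `^(zoom|centered|stretched|wallpaper|scaled|none)$` rejects it and accepts `none`, which the comment does not mention. Either add `spanned` to the pattern and to the error message, or correct the comment so the documented and enforced sets agree. The `grep` in that check also lacks `--quiet`, so a valid option is echoed into the job output.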
@@ -0,0 +1,38 @@
+#! /usr/bin/env sh
+
+set -x
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+ echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+ exit 1
+fi
+
+ACTIVATE=$1
+
+# Change these three to set a different policy to another value
+POLICY_PATH="org/gnome/desktop/wm/keybindings"
+POLICY="panel-run-dialog"
+POLICY_VALUE_NO_BIND="@as []"
+# This is the value it has when setting it back to Alt-F2, but from tests
+# it seems sufficient to delete the policy file:
+#POLICY_VALUE_BIND="['F2']"
+
+POLICY_FILE="/etc/dconf/db/os2borgerpc.d/05-run-prompt"
+POLICY_LOCK_FILE="/etc/dconf/db/os2borgerpc.d/locks/05-run-prompt"
+
+if [ "$ACTIVATE" = 'True' ]; then
+ cat > "$POLICY_FILE" <<-END
+ [$POLICY_PATH]
+ $POLICY=$POLICY_VALUE_NO_BIND
+ END
+ # Tell the system that the values of the dconf keys we've just set can no
+ # longer be overridden by the user
+ cat > "$POLICY_LOCK_FILE" <<-END
+ /$POLICY_PATH/$POLICY
+ END
+else
+ rm --force "$POLICY_FILE" "$POLICY_LOCK_FILE"
+fi
+
+# Incorporate all of the text files we've just created into the system's dconf databases
+dconf update
diff --git a/scripts/dconf_ubuntu_dock_adjust.sh b/scripts/dconf_ubuntu_dock_adjust.sh
new file mode 100755
index 0000000..0482a99
--- /dev/null
+++ b/scripts/dconf_ubuntu_dock_adjust.sh
@@ -0,0 +1,39 @@
+#! /usr/bin/env sh
+
+# Moves the Ubuntu dock system wide to an edge of your choosing, and possibly the app launcher to the start of the menu instead of the end (default)
+# If it doesn't take effect immediately, try restarting.
+#
+# Arguments:
+# 1: Where the dock/menu should be located. Valid options are: top, left, right, bottom.
+# 2: Where the app launcher should be located in the menu. Valid options are: true (top), false (bottom - which is default)
+#
+# Author: mfm@magenta.dk
+# Credits: Gladsaxe Kommune
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+ echo "This script is not designed to be run on a Kiosk machine."
+ exit 1
+fi
+
+lower() {
+ echo "$@" | tr '[:upper:]' '[:lower:]'
+}
+
+# gsettings equivalent: gsettings set org.gnome.shell.extensions.dash-to-dock dock-position BOTTOM
+POSITION="$1"
+APPS_LAUNCHER_AT_TOP="$(lower "$2")" # Expects True/False, case insensitively
+
+POLICY_FILE_NAME="03-menu-position"
+
+cat <<- EOF > /etc/dconf/db/os2borgerpc.d/$POLICY_FILE_NAME
+ [org/gnome/shell/extensions/dash-to-dock]
+ dock-position='$POSITION'
+ show-apps-at-top=$APPS_LAUNCHER_AT_TOP
+EOF
+
+cat <<- EOF > /etc/dconf/db/os2borgerpc.d/locks/$POLICY_FILE_NAME
+ /org/gnome/shell/extensions/dash-to-dock/dock-position
+ /org/gnome/shell/extensions/dash-to-dock/show-apps-at-top
+EOF
+
+dconf update
diff --git a/scripts/desktop_launcher_logout_button_icon.sh b/scripts/desktop_launcher_logout_button_icon.sh
new file mode 100755
index 0000000..67849a1
--- /dev/null
+++ b/scripts/desktop_launcher_logout_button_icon.sh
@@ -0,0 +1,79 @@ +#! /usr/bin/env sh + +# Arguments: +# 1: Whether to add or remove the logout button from the menu. 'True' adds it. +# 2: The name the shortcut should have in the menu (display when you hover over the icon) +# 3: Whether to put the icon at the start of the end of the menu. 'True' for start, 'False' for end. +# 4: An optional icon to use for the shortcut. Ideally SVG, but PNG and JPG work as well. + +set -x + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +ADD="$1" +SHORTCUT_NAME="$2" +MENU_START="$3" +ICON_UPLOAD="$4" + +DESKTOP_FILE=/usr/share/applications/os2borgerpc-menu-logout.desktop +DESKTOP_FILE_NAME=$(basename $DESKTOP_FILE) +LAUNCHER_FAVORITES_FILE=/etc/dconf/db/os2borgerpc.d/02-launcher-favorites + +remove_logout_buttons_from_menu() { + # Remove it from the start of the list + sed -i "s/\['$DESKTOP_FILE_NAME', /\[/" $LAUNCHER_FAVORITES_FILE + # Remove it from the end of the list + sed -i "s/, '$DESKTOP_FILE_NAME'//" $LAUNCHER_FAVORITES_FILE +} + +if [ "$ADD" = False ]; then + remove_logout_buttons_from_menu +else + + if [ -z "$ICON_UPLOAD" ]; then + ICON="system-log-out" + else + + # HANDLE ICON HERE + if ! echo "$ICON_UPLOAD" | grep --quiet '.png\|.svg\|.jpg\|.jpeg'; then + printf "Error: Only .svg, .png, .jpg and .jpeg are supported as icon-formats." + exit 1 + else + ICON_BASE_PATH=/usr/local/share/icons + ICON_NAME="$(basename "$ICON_UPLOAD")" + mkdir --parents "$ICON_BASE_PATH" + # Copy icon from the default destination to where it should actually be + # Two ways to reference an icons: + # 1. As a full path to the icon including it's extension. This works for PNG, SVG, JPG + # 2. As a name without path and extension, likely as long as it's within an icon cache path. This works for PNG, SVG - but not JPG! 
+ cp "$ICON_UPLOAD" $ICON_BASE_PATH + ICON=$ICON_BASE_PATH/$ICON_NAME + + update-icon-caches $ICON_BASE_PATH + fi + fi + + cat <<- EOF > $DESKTOP_FILE + [Desktop Entry] + Type=Application + Name=$SHORTCUT_NAME + Icon=$ICON + Exec=gnome-session-quit --logout + EOF + + # Idempotency: First remove the shortcut if it's already there (if not it has no effect), before adding adding it + remove_logout_buttons_from_menu + + # ...and now add it: + if [ "$MENU_START" = "True" ]; then + sed -i "s/favorite-apps=\[/favorite-apps=\['$DESKTOP_FILE_NAME', /" $LAUNCHER_FAVORITES_FILE + else + sed -i "s/'\]/', '$DESKTOP_FILE_NAME'\]/" $LAUNCHER_FAVORITES_FILE + fi + +fi + +dconf update diff --git a/scripts/desktop_launcher_program_shortcut.sh b/scripts/desktop_launcher_program_shortcut.sh new file mode 100755 index 0000000..e64629a --- /dev/null +++ b/scripts/desktop_launcher_program_shortcut.sh 
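Review bot: The icon check `grep --quiet '.png\|.svg\|.jpg\|.jpeg'` is unanchored and its dots are unescaped, so any upload path that merely contains, say, `xpng` somewhere passes whatever the file's real extension is, and the file is then copied into `/usr/local/share/icons`. Anchoring on the suffix expresses the rule stated in the error message: `grep --quiet --extended-regexp '\.(png|svg|jpe?g)$'`. The same check appears in scripts/desktop_logout_button_icon.sh and scripts/desktop_url_shortcut.sh and needs the same change.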
@@ -0,0 +1,39 @@
+#! /usr/bin/env sh
+
+# Adds/Removes programs from the launcher (menu) in Ubuntu 20.04
+# Author: mfm@magenta.dk
+#
+# Arguments:
+# 1: Use a boolean, if left unchecked the script removes the given program shortcut.
+# 2: The name of the program you want to add/remove.
+
+ADD=$1
+PROGRAM=$2
+
+CONFIG="/etc/dconf/db/os2borgerpc.d/02-launcher-favorites"
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+ echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+ exit 1
+fi
+
+if [ -f "/var/lib/snapd/desktop/applications/${PROGRAM}_$PROGRAM.desktop" ]; then
+ PROGRAM="${PROGRAM}_$PROGRAM"
+fi
+
+if [ "$ADD" = "True" ]; then
+
+ # Append the program specified above to the menu/launcher
+ # Why ']? To not also match the first (title) line.
+ sed --in-place "s/'\]/', '$PROGRAM.desktop'\]/" $CONFIG
+
+else
+
+ # Remove the program specified above from the menu/launcher
+ # First handle the case where it's the first program in the list
+ # Then handle the cases where it's anything except the first
+ sed --in-place --expression "s/\['$PROGRAM.desktop', /\[/" --expression "s/, '$PROGRAM.desktop'//g" $CONFIG
+
+fi
+
+dconf update
diff --git a/scripts/desktop_logout_button_icon.sh b/scripts/desktop_logout_button_icon.sh
new file mode 100755
index 0000000..db42680
--- /dev/null
+++ b/scripts/desktop_logout_button_icon.sh
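Review bot: `$PROGRAM` is placed unescaped inside the sed expressions that edit the launcher favorites file, so a name containing `/`, `&` or a regex metacharacter changes the sed program instead of being matched literally, and an empty name adds `'.desktop'` to the list. A check placed before the snap lookup keeps the value to what a desktop-file id needs, for example `case "$PROGRAM" in ""|*[!A-Za-z0-9._-]*) echo "Invalid program name"; exit 1 ;; esac`.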
@@ -0,0 +1,80 @@ +#! /usr/bin/env sh + +# Arguments: +# 1: A boolean to decide whether to add or remove the button +# 2: The name the shortcut should have on the desktop. +# 3: A boolean to decide whether to prompt before logging out or log out immediately +# 4: An optional icon to use for the shortcut. Ideally SVG, but PNG and JPG work as well. + +set -x + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +ACTIVATE=$1 +SHORTCUT_NAME="$2" +PROMPT=$3 +ICON_UPLOAD="$4" + +# Determine the name of the user desktop directory. This is done via xdg-user-dir, +# which checks the /home/user/.config/user-dirs.dirs file. To ensure this file exists, +# we run xdg-user-dirs-update, which generates it based on the environment variable +# LANG. This variable is empty in lightdm so we first export it +# based on the value stored in /etc/default/locale +export "$(grep LANG= /etc/default/locale | tr -d '"')" +runuser -u user xdg-user-dirs-update +DESKTOP=$(basename "$(runuser -u user xdg-user-dir DESKTOP)") + +OLD_DESKTOP_FILE=/home/.skjult/"$DESKTOP"/Logout.desktop +DESKTOP_FILE=/home/.skjult/"$DESKTOP"/logout.desktop + +rm --force "$OLD_DESKTOP_FILE" + +if [ "$ACTIVATE" = 'True' ]; then + + mkdir --parents "$(dirname "$DESKTOP_FILE")" + + TO_PROMPT_OR_NOT=--no-prompt + + if [ "$PROMPT" = "True" ]; then + # If they DO want the prompt + unset TO_PROMPT_OR_NOT + fi + + if [ -z "$ICON_UPLOAD" ]; then + ICON="system-log-out" + else + # HANDLE ICON HERE + if ! echo "$ICON_UPLOAD" | grep --quiet '.png\|.svg\|.jpg\|.jpeg'; then + printf "Error: Only .svg, .png, .jpg and .jpeg are supported as icon-formats." 
+ exit 1 + else + ICON_BASE_PATH=/usr/local/share/icons + ICON_NAME="$(basename "$ICON_UPLOAD")" + mkdir --parents "$ICON_BASE_PATH" + # Copy icon from the default destination to where it should actually be + cp "$ICON_UPLOAD" $ICON_BASE_PATH + # Two ways to reference an icons: + # 1. As a full path to the icon including it's extension. This works for PNG, SVG, JPG + # 2. As a name without path and extension, likely as long as it's within an icon cache path. This works for PNG, SVG - but not JPG! + ICON=$ICON_BASE_PATH/$ICON_NAME + + update-icon-caches $ICON_BASE_PATH + fi + fi + +cat <<- EOF > "$DESKTOP_FILE" + [Desktop Entry] + Version=1.0 + Type=Application + Name=$SHORTCUT_NAME + Comment=Logud + Icon=$ICON + Exec=sh -c "sleep 0.1 && gnome-session-quit --logout $TO_PROMPT_OR_NOT" +EOF + +else + rm "$DESKTOP_FILE" +fi diff --git a/scripts/desktop_toggle_writable.sh b/scripts/desktop_toggle_writable.sh new file mode 100755 index 0000000..1c255e8 --- /dev/null +++ b/scripts/desktop_toggle_writable.sh 
@@ -0,0 +1,77 @@ +#! /usr/bin/env sh + +set -x + +# This will not work if they have disabled user cleanup, +# at least not if lightdm is configured to not use it + +# Use a boolean as parameter. A checked box will restrict write access +# an unchecked will restore default + +# Why not use a .config/autostart file? Because the user isn't allowed to chown to root +# ...even if they are the current owner. + +# chattr on DESKTOP is to prevent mv'ing DESKTOP to another name, and then creating a new one +# which they DO have write permissions to +# Another option considered was chowning /home/user itself (not recursively), +# but then login didn't work. (maybe due to .xauthority?) + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +USERNAME="user" +# Determine the name of the user desktop directory. This is done via xdg-user-dir, +# which checks the /home/user/.config/user-dirs.dirs file. To ensure this file exists, +# we run xdg-user-dirs-update, which generates it based on the environment variable +# LANG. This variable is empty in lightdm so we first export it +# based on the value stored in /etc/default/locale +export "$(grep LANG= /etc/default/locale | tr -d '"')" +runuser -u $USERNAME xdg-user-dirs-update +DESKTOP="$(runuser -u $USERNAME xdg-user-dir DESKTOP)" +USER_CLEANUP=/usr/share/os2borgerpc/bin/user-cleanup.bash +COMMENT="# Make the desktop read only to user" + +ACTIVATE=$1 + +make_desktop_writable() { + # All of the matched lines are deleted. 
This function thus serves to undo write access removal + # shellcheck disable=SC2016 + sed --in-place --expression "/chattr [-+]i/d" --expression "/chown -R root:/d" \ + --expression "/$COMMENT/d" --expression '/runuser/d' --expression '/export/d' \ + --expression "/chown \$USERNAME/d" --expression "/.config/d" --expression "/The exact cause/d" \ + --expression "/The lines below/d" --expression "/login issues/d" $USER_CLEANUP + chattr -i "$DESKTOP" +} + +# Make sure that DESKTOP dir exists under .skjult as otherwise this script will not work correctly +mkdir --parents "/home/.skjult/$(basename "$DESKTOP")" + +# Undo write access removal - always do this to prevent adding the same lines multiple times (idempotency) +make_desktop_writable + +if [ "$ACTIVATE" = 'True' ]; then + # Prepend temporarily setting DESKTOP mutable before copying new files in, as otherwise that will fail + # We first determine the name of the user desktop directory as before + sed -i "/USERNAME=\"$USERNAME\"/a \ +export \$(grep LANG= \/etc\/default\/locale | tr -d \'\"\')\n\ +runuser -u $USERNAME xdg-user-dirs-update\n\ +DESKTOP=\$(runuser -u $USERNAME xdg-user-dir DESKTOP)\n\ +chattr -i \$DESKTOP" $USER_CLEANUP + + # Append setting the more restrictive permissions + cat <<- EOF >> $USER_CLEANUP + $COMMENT + chown -R root:\$USERNAME \$DESKTOP + chattr +i \$DESKTOP + # The exact cause is unclear, but xdg-user-dir will rarely fail in such + # a way that DESKTOP=/home/user. The lines below prevent this error + # from causing login issues. + chattr -i /home/user/ + chown \$USERNAME:\$USERNAME /home/\$USERNAME + chown -R \$USERNAME:\$USERNAME /home/\$USERNAME/.config /home/\$USERNAME/.local + EOF + # Make sure that DESKTOP is immutable immediately after running this script + chattr +i "$DESKTOP" +fi diff --git a/scripts/desktop_url_shortcut.sh b/scripts/desktop_url_shortcut.sh new file mode 100755 index 0000000..9bbe6af --- /dev/null +++ b/scripts/desktop_url_shortcut.sh 
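Review bot: The final `chattr +i "$DESKTOP"` runs without checking what `xdg-user-dir` returned, although the comment this script writes into the cleanup file says the lookup can yield `/home/user`; in that case the whole home directory is made immutable immediately, before any cleanup run can undo it. A guard right after the lookup avoids that: `[ "$DESKTOP" != "/home/$USERNAME" ] || { echo "Could not determine desktop directory"; exit 1; }`. Separately, `make_desktop_writable` deletes every line of user-cleanup.bash matching `/export/`, `/runuser/` or `/.config/`, which would also remove unrelated lines if that file has any; its contents are not visible here, so the patterns are worth tightening to the exact lines this script adds.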
@@ -0,0 +1,86 @@ +#! /usr/bin/env sh + +# Creates a customly named shortcut on the desktop for the normal user, which +# opens the URL given as an argument in the default browser. +# +# After the script has run log out or restart the computer for the changes to +# take effect. +# +# Arguments: +# 1: A boolean to decide whether to add or not. A checked box will +# add the shortcut and an unchecked will remove it +# 2: The URL to visit when clicked +# 3: The name the shortcut should have - it needs to be a valid filename! +# 4: The path to an icon. If empty an icon from the current theme is used, specified below + +set -x + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +ACTIVATE=$1 +URL=$2 +SHORTCUT_NAME="$3" +ICON_UPLOAD="$4" + +# Determine the name of the user desktop directory. This is done via xdg-user-dir, +# which checks the /home/user/.config/user-dirs.dirs file. To ensure this file exists, +# we run xdg-user-dirs-update, which generates it based on the environment variable +# LANG. This variable is empty in lightdm so we first export it +# based on the value stored in /etc/default/locale +export "$(grep LANG= /etc/default/locale | tr -d '"')" +runuser -u user xdg-user-dirs-update +DESKTOP=$(basename "$(runuser -u user xdg-user-dir DESKTOP)") + +SHADOW=".skjult" +DESKTOP_FILE="/home/$SHADOW/$DESKTOP/$SHORTCUT_NAME.desktop" + +if [ "$ACTIVATE" = 'True' ]; then + + if [ -z "$ICON_UPLOAD" ]; then + ICON="preferences-system-network" + else + # HANDLE ICON HERE + if ! echo "$ICON_UPLOAD" | grep --quiet '.png\|.svg\|.jpg\|.jpeg'; then + printf "Error: Only .svg, .png, .jpg and .jpeg are supported as icon-formats." 
+ exit 1 + else + ICON_BASE_PATH=/usr/local/share/icons + ICON_NAME="$(basename "$ICON_UPLOAD")" + mkdir --parents "$ICON_BASE_PATH" + # Copy icon from the default destination to where it should actually be + cp "$ICON_UPLOAD" $ICON_BASE_PATH/ + # Two ways to reference an icons: + # 1. As a full path to the icon including it's extension. This works for PNG, SVG, JPG + # 2. As a name without path and extension, likely as long as it's within an icon cache path. This works for PNG, SVG - but not JPG! + ICON=$ICON_BASE_PATH/$ICON_NAME + + + update-icon-caches $ICON_BASE_PATH + fi + fi + + mkdir --parents /home/$SHADOW/"$DESKTOP" + + # Originally used: Type=Link and URL=$URL and no Exec line, but seemingly that doesn't work in 20.04 + cat <<- EOF > "$DESKTOP_FILE" + [Desktop Entry] + Encoding=UTF-8 + Name=$SHORTCUT_NAME + Type=Application + Exec=xdg-open $URL + Icon=$ICON + EOF + + chmod +x "$DESKTOP_FILE" +else + rm "$DESKTOP_FILE" + # Backwards compatibility: + # In case they have an URL shortcut made with the previous version of this script, + # this version should still allow them to remove that (it was an extensionless shell script) + # Don't add recursive here, as otherwise with an empty argument it could delete the Skrivebord + # directory itself + rm --force "$(dirname "$DESKTOP_FILE")/$(basename -s ".desktop" "$DESKTOP_FILE")" +fi diff --git a/scripts/disable_network_connectivity_check.sh b/scripts/disable_network_connectivity_check.sh new file mode 100755 index 0000000..e7ba758 --- /dev/null +++ b/scripts/disable_network_connectivity_check.sh @@ -0,0 +1,9 @@ +#! /usr/bin/env sh + +# Relevant info: +# https://unix.stackexchange.com/questions/419422/wifi-disable-hotspot-login-screen +# +# Or you can do it manually like this: +# https://www.ubuntubuzz.com/2018/03/disable-hotspot-login-on-ubuntu-1710-and-1804.html + +apt-get remove --assume-yes network-manager-config-connectivity-ubuntu 
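Review bot: In scripts/desktop_url_shortcut.sh, `Exec=xdg-open $URL` writes the URL into the desktop entry unquoted and unescaped, so a URL containing `%` (any percent-encoded address), a space or a shell-special character does not reach xdg-open as given: the Desktop Entry format treats `%x` as a field code and splits the Exec value into arguments. Doubling the percent signs and quoting the argument fixes that, with `URL_EXEC=$(printf '%s' "$URL" | sed 's/%/%%/g')` before the heredoc and `Exec=xdg-open "$URL_EXEC"` inside it. `$SHORTCUT_NAME` also goes straight into a path that root writes and later removes, so rejecting an empty name or one containing `/` before `DESKTOP_FILE` is built would keep the file inside the desktop directory. The icon check `grep --quiet '.png\|.svg\|.jpg\|.jpeg'` is unanchored with an unescaped dot, so it accepts names that merely contain those letters.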
diff --git a/scripts/firefox_global_policies.sh b/scripts/firefox_global_policies.sh
new file mode 100755
index 0000000..7873892
--- /dev/null
+++ b/scripts/firefox_global_policies.sh
@@ -0,0 +1,110 @@ +#!/bin/bash + +: << 'COMMENT' +Policy-script developed by Magenta ApS for Aarhus Municipal. +Learn more about Firefox "Policy Names" here: +https://github.com/mozilla/policy-templates/blob/master/README.md +It's only possible to have ONE policy-file. In the future this script +should have to evolve to be a more dynamic solution if we want to be +able to, e.g. use the same script accross machines and handpick which +Policies we want to use. Until then there will be set some default static +Policies with OS2borgerPC in mind. +Author: Heini L. Ovason +COMMENT + +set -x + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +STARTPAGE="$1" +ADDITIONAL_PAGES="$2" + +POLICY_DIR="/etc/firefox/policies" +POLICY_FILE="policies.json" + +if [ -z "$STARTPAGE" ]; then + echo "WARNING: Missing argument. Not able to set Firefox startpage." + exit 1 +fi + +if [ ! -d "$POLICY_DIR" ]; then + mkdir -p "$POLICY_DIR"; +fi + +PAGES_STRING="" +if [ -n "$ADDITIONAL_PAGES" ]; then + IFS='|' read -ra PAGES_ARRAY <<< "$ADDITIONAL_PAGES" + + PAGES_STRING="\"Additional\": [" # start array-string + for PAGE in "${PAGES_ARRAY[@]}" + do + PAGES_STRING+="\"$PAGE\"," + done + PAGES_STRING=${PAGES_STRING::-1} # remove comma at end of list + PAGES_STRING+="]," # finish array-string +fi + +cat << EOF > "$POLICY_DIR/$POLICY_FILE" +{ + "policies": { + "Homepage": { + "URL": "$STARTPAGE", + "Locked": true, + $PAGES_STRING + "StartPage": "homepage" + }, + "DisableFirefoxAccounts": true, + "InstallAddonsPermission": { + "Default": false + }, + "OverrideFirstRunPage": "", + "OverridePostUpdatePage": "", + "Preferences": { + "datareporting.policy.dataSubmissionPolicyBypassNotification": true + }, + "BlockAboutAddons": true, + "BlockAboutConfig": true, + "BlockAboutProfiles": true, + "BlockAboutSupport": true, + "DownloadDirectory": "/home/user/Hentet", + "PromptForDownloadLocation": 
false, + "DisableFirefoxAccounts": true, + "DisableFormHistory": true, + "DisableProfileImport": true, + "OfferToSaveLogins": false, + "OfferToSaveLoginsDefault": false, + "PasswordManagerEnabled": false, + "SanitizeOnShutdown": { + "Cache": true, + "Cookies": true, + "Downloads": false, + "FormData": true, + "History": true, + "Sessions": true, + "SiteSettings": true, + "OfflineApps": true, + "Locked": true + }, + "SearchEngines": { + "PreventInstalls": true + }, + "EnableTrackingProtection": { + "Value": true, + "Locked": true, + "Cryptomining": true, + "Fingerprinting": true + }, + "DisableDeveloperTools": true + } +} + +EOF + +# Attempting to remove policy from former standard location. +OLD_POLICY="/usr/lib/firefox/distribution/policies.json" +if [ -f "$OLD_POLICY" ]; then + rm -f "$OLD_POLICY" +fi diff --git a/scripts/get_daily_login_count.sh b/scripts/get_daily_login_count.sh new file mode 100755 index 0000000..3eefac3 --- /dev/null +++ b/scripts/get_daily_login_count.sh 
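Review bot: `$STARTPAGE` and each `$PAGE` are pasted into policies.json without JSON escaping and the result is never validated, so a value containing `"` or `\` yields a file Firefox cannot parse, which would leave every lockdown policy in it unapplied. Validating before the file goes live makes that failure visible: write to a temporary file first and run `python3 -m json.tool "$TMP_POLICY" > /dev/null || exit 1` before moving it to `$POLICY_DIR/$POLICY_FILE` (`TMP_POLICY` is a name made up for this note). The object also lists `"DisableFirefoxAccounts": true` twice, and the duplicate key should be dropped.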
@@ -0,0 +1,101 @@ +#!/bin/sh + +set -x + +LOGIN_COUNT_SCRIPT="/usr/local/lib/os2borgerpc/count_daily_logins.sh" +LOGIN_COUNT_SERVICE="/etc/systemd/system/os2borgerpc-count_daily_logins.service" +DATE_FILE="/etc/os2borgerpc/last_on_date.txt" +CONFIG_NAME="login_counts" +DATA_LIMIT=89 # This is one less than the number of days that are stored +ROOTCRON_TMP="/tmp/rootcron" + +ACTIVATE=$1 + +mkdir --parents "$(dirname $LOGIN_COUNT_SCRIPT)" "$(dirname $DATE_FILE)" + +crontab -l > $ROOTCRON_TMP + +sed -i "/count_daily_logins/d" $ROOTCRON_TMP + +if [ "$ACTIVATE" = "False" ]; then + systemctl disable "$(basename $LOGIN_COUNT_SERVICE)" + crontab $ROOTCRON_TMP + rm --force $LOGIN_COUNT_SCRIPT $LOGIN_COUNT_SERVICE \ + $DATE_FILE $ROOTCRON_TMP + exit 0 +fi + +echo "0 * * * * $LOGIN_COUNT_SCRIPT" >> $ROOTCRON_TMP + +crontab $ROOTCRON_TMP + +rm --force $ROOTCRON_TMP + +# When the script is run, get value for the day before +# This might not be necessary, but it's convenient for testing +date -d "yesterday" +%F > $DATE_FILE + +cat < $LOGIN_COUNT_SCRIPT +#!/usr/bin/env bash + +LAST_ON_DATE_FULL=\$(cat $DATE_FILE) +# Convert to the date format used in auth.log +LAST_ON_DATE=\$(LANG=en_US.UTF-8 date -d "\$LAST_ON_DATE_FULL" "+%b %_d") +TODAY_DATE_FULL=\$(date -d "today" +%F) + +# Stop if the date to be checked is today +if [ "\$LAST_ON_DATE_FULL" = "\$TODAY_DATE_FULL" ]; then + exit 0 +fi + +LOG_FILE="/var/log/auth.log" + +OLD_LOGIN_COUNTS=\$(/usr/local/bin/get_os2borgerpc_config "$CONFIG_NAME") + +if ! 
grep --quiet "\$LAST_ON_DATE" \$LOG_FILE; then + LOG_FILE="/var/log/auth.log.1" +fi + +LOGIN_COUNT=\$(grep --text "\$LAST_ON_DATE" "\$LOG_FILE" | grep -c "New session c[^ ]* of user user") + +if [ -z "\$OLD_LOGIN_COUNTS" ]; then + CONFIG_VALUE=\$(echo "\$LAST_ON_DATE_FULL: \$LOGIN_COUNT") +else + # Remove old values to ensure that we never save more than DATA_LIMIT+1 days + IFS="," read -ra OLD_COUNTS_ARRAY <<< "\$(echo "\$OLD_LOGIN_COUNTS" | sed "s/, /,/g")" + if [ \${#OLD_COUNTS_ARRAY[@]} -gt $DATA_LIMIT ]; then + OLD_LOGIN_COUNTS=\$(IFS="," ; echo "\${OLD_COUNTS_ARRAY[*]: -$DATA_LIMIT}" | sed "s/,/, /g") + fi + CONFIG_VALUE=\$(echo "\$OLD_LOGIN_COUNTS, \$LAST_ON_DATE_FULL: \$LOGIN_COUNT") +fi + +if grep --quiet "\$LAST_ON_DATE_FULL" <<< "\$OLD_LOGIN_COUNTS"; then + echo \$TODAY_DATE_FULL > $DATE_FILE + exit 0 +fi + +OLD_CONFIG_VALUE=\$(/usr/local/bin/get_os2borgerpc_config "$CONFIG_NAME") +/usr/local/bin/set_os2borgerpc_config "$CONFIG_NAME" "\$CONFIG_VALUE" +PUSH_OUTPUT=\$(/usr/local/bin/os2borgerpc_push_config_keys "$CONFIG_NAME") +if grep --quiet "The following keys were pushed to the admin system:" <<< "\$PUSH_OUTPUT"; then + echo \$TODAY_DATE_FULL > $DATE_FILE +else + /usr/local/bin/set_os2borgerpc_config "$CONFIG_NAME" "\$OLD_CONFIG_VALUE" +fi +EOF + +chmod 700 $LOGIN_COUNT_SCRIPT + +cat < $LOGIN_COUNT_SERVICE +[Unit] +Description=OS2borgerPC count daily logins service + +[Service] +Type=simple +ExecStart=$LOGIN_COUNT_SCRIPT + +[Install] +WantedBy=multi-user.target +EOF + +systemctl enable --now "$(basename $LOGIN_COUNT_SERVICE)" \ No newline at end of file diff --git a/scripts/hard_shutdown_lockdown.sh b/scripts/hard_shutdown_lockdown.sh new file mode 100755 index 0000000..5a125b7 --- /dev/null +++ b/scripts/hard_shutdown_lockdown.sh 
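Review bot: `ROOTCRON_TMP="/tmp/rootcron"` in scripts/get_daily_login_count.sh passes root's new crontab through a fixed name in a world-writable directory, and `crontab $ROOTCRON_TMP` installs whatever that file holds. On a machine built to host an untrusted local account, a file that already exists under that name or is owned by someone else must not be able to end up as root's crontab. Use a private file, `ROOTCRON_TMP="$(mktemp)"`, or skip the file altogether by piping `crontab -l` through `sed '/count_daily_logins/d'` into `crontab -` together with the new line. The same pattern appears as `OLDCRON="/tmp/oldcron"` in scripts/inactivity_logout_after_time.sh later in this patch.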
@@ -0,0 +1,123 @@ +#!/bin/sh + +# SYNOPSIS +# hard_shutdown_lockdown.sh [ENFORCE] +# +# DESCRIPTION +# This script installs two system services: +# +# shutdown_monitor.service & shutdown_monitor.timer - checks +# for a shutdown_lockfile at boot, and if it does not exist, +# locks the user account +# +# create_shutdown_lockfile.service - creates a +# shutdown_lockfile during a normal reboot/poweroff +# +# Logins are disabled with the user account expiry mechanism. +# +# It takes one optional parameter: whether or not to enforce this policy. +# Use a boolean to decide whether or not to enforce the policy. A checked +# box will enable the script, an unchecked box will remove the policy +# +# For use with the "unexpire_user.sh" and +# "detect_user_expired_event.py" script +# +# IMPLEMENTATION +# copyright Copyright 2021 Magenta ApS +# license GNU General Public License + +# TECHNICAL NOTES +# You can check whether a user has been expired by checking the last column for the user in /etc/shadow + +set -x + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." 
+ exit 1 +fi + +ACTIVATE=$1 + + +if [ "$ACTIVATE" = "True" ]; then + mkdir -p /usr/local/lib/os2borgerpc + + cat <<"END" > /usr/local/lib/os2borgerpc/create_shutdown_lockfile.sh +#!/bin/sh + +touch /etc/os2borgerpc/shutdown_lockfile +END + chmod 700 /usr/local/lib/os2borgerpc/create_shutdown_lockfile.sh + + cat <<"END" > /etc/systemd/system/create_shutdown_lockfile.service +[Unit] +Description=Run create_shutdown_lockfile.sh when service stops + +[Service] +Type=oneshot +RemainAfterExit=true +ExecStop=/usr/local/lib/os2borgerpc/create_shutdown_lockfile.sh + +[Install] +WantedBy=multi-user.target +END + systemctl enable --now create_shutdown_lockfile.service + # Initially run create_shutdown_lockfile as the "OnBootSec" of check_shutdown_lockfile.py will fire immediately if the event was in the past: + # "If a timer configured with OnBootSec= or OnStartupSec= is already in the past when the timer unit is activated, it will immediately elapse and the configured unit is started." + /usr/local/lib/os2borgerpc/create_shutdown_lockfile.sh + + cat <<"END" > /usr/local/lib/os2borgerpc/check_shutdown_lockfile.py +#!/usr/bin/env python3 + +from os import remove +from os.path import exists +from subprocess import run + +SHUTDOWN_FILE = "/etc/os2borgerpc/shutdown_lockfile" + +# Old versions of this script expired to 1970-01-02 like lockdown_usb.sh +# They were changed to use different dates so we can distinguish which +# script locked the account from the security event directly +def main(): + """Check if shutdown_lockfile exists, if not, expire the user account.""" + if exists(SHUTDOWN_FILE): + remove(SHUTDOWN_FILE) + else: + run(["usermod", "-e", "1970-01-04", "user"]) + + +if __name__ == "__main__": + main() +END + chmod 700 /usr/local/lib/os2borgerpc/check_shutdown_lockfile.py + + cat <<"END" > /etc/systemd/system/shutdown_monitor.timer +[Unit] +Description=Run shutdown_monitor.service once at system boot + +[Timer] +OnBootSec=0min + +[Install] +WantedBy=timers.target +END 
+ + cat <<"END" > /etc/systemd/system/shutdown_monitor.service +[Unit] +Description=OS2BorgerPC Shutdown monitoring service + +[Service] +Type=oneshot +ExecStart=/usr/local/lib/os2borgerpc/check_shutdown_lockfile.py +END + systemctl enable --now shutdown_monitor.timer + +else + systemctl disable --now shutdown_monitor.timer + systemctl disable --now create_shutdown_lockfile.service + rm -f /usr/local/lib/os2borgerpc/check_shutdown_lockfile.py \ + /etc/systemd/system/shutdown_monitor.service \ + /etc/systemd/system/shutdown_monitor.timer \ + /usr/local/lib/os2borgerpc/create_shutdown_lockfile.sh \ + /etc/systemd/system/create_shutdown_lockfile.service +fi diff --git a/scripts/inactivity_logout_after_time.sh b/scripts/inactivity_logout_after_time.sh new file mode 100755 index 0000000..f508c66 --- /dev/null +++ b/scripts/inactivity_logout_after_time.sh 
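Review bot: In the generated check_shutdown_lockfile.py, `run(["usermod", "-e", "1970-01-04", "user"])` ignores the exit status, so if usermod fails the account stays usable and shutdown_monitor.service still reports success. `run(["usermod", "-e", "1970-01-04", "user"], check=True)` makes the unit fail when the lockdown did not happen, which gives monitoring something to see. The opposite failure is also possible: the script creates /usr/local/lib/os2borgerpc but not /etc/os2borgerpc, so if that directory is missing `touch /etc/os2borgerpc/shutdown_lockfile` fails and the next boot expires the account after a clean shutdown; `mkdir -p /etc/os2borgerpc` next to the existing mkdir covers it. The removal branch deletes the unit files without a following `systemctl daemon-reload`.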
@@ -0,0 +1,124 @@ +#! /usr/bin/env sh + +# This script and "inactivity_suspend_after_time.sh" are mutually exclusive, and each of them +# are written to overwrite each other, so whichever was the last of them run takes effect. + +# PARAMETERS +# 1. Checkbox. Enables/disables the script. +# 2. Integer. How many minutes to wait before showing the warning dialog +# 3. Integer. How many minutes to wait before logging out +# 4. String. (optional) The text to be shown in the warning dialog. If no input is given, a default is used +# 5. String. (optional) The text to be shown on the dialog button. If no input is given, a default is used + +set -x + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +ENABLE=$1 +DIALOG_TIME_MINS=$2 +LOGOUT_TIME_MINS=$3 +DIALOG_TEXT=$4 +BUTTON_TEXT=$5 + +# Note: Currently this log is never rotated, so it'll grow and grow +INACTIVITY_SCRIPT="/usr/share/os2borgerpc/bin/inactive_logout.sh" +INACTIVITY_SCRIPT_LOG="/usr/share/os2borgerpc/bin/inactive_logout.log" +LIGHTDM_SCRIPT="/etc/lightdm/greeter-setup-scripts/suspend_after_time.sh" + +# Stop Debconf from interrupting when interacting with the package system +export DEBIAN_FRONTEND=noninteractive + +error() { + echo "$1" + exit 1 +} + +# If this is run after inactivity_suspend_after_time, ensure the suspend script +# hasn't left files behind +rm --force $LIGHTDM_SCRIPT + +# Handle deactivating inactivity logout +if [ "$ENABLE" = "False" ]; then + rm --force $INACTIVITY_SCRIPT $INACTIVITY_SCRIPT_LOG + OLDCRON="/tmp/oldcron" + crontab -l > $OLDCRON + if [ -f "$OLDCRON" ]; then + sed --in-place "\@$INACTIVITY_SCRIPT@d" $OLDCRON + crontab $OLDCRON + rm --force $OLDCRON + fi + exit +fi + +[ -z "$DIALOG_TIME_MINS" ] && error 'Please insert the time the user has to be inactive before dialog is shown.' 
+[ -z "$LOGOUT_TIME_MINS" ] && error 'Please insert the time the user has to be inactive before being logged out.' +[ "$DIALOG_TIME_MINS" -gt "$LOGOUT_TIME_MINS" ] && error 'Dialog time is greater than logout time and dialog will therefore not be shown. Edit dialog time!' +[ -z "$DIALOG_TEXT" ] && DIALOG_TEXT="Du er inaktiv og bliver logget ud om kort tid..." +[ -z "$BUTTON_TEXT" ] && BUTTON_TEXT="OK" + +# xprintidle uses milliseconds, so convert the user inputted minutes to that +LOGOUT_TIME_MS=$(( LOGOUT_TIME_MINS * 60 * 1000 )) +DIALOG_TIME_MS=$(( DIALOG_TIME_MINS * 60 * 1000 )) + +# Install xprintidle +apt-get update --assume-yes + +# Only try installing if it isn't already as otherwise it will exit with nonzero and stop the script +if ! dpkg --get-selections | grep -v deinstall | grep --quiet xprintidle; then + if ! apt-get install --assume-yes xprintidle; then + # apt install could fail due to debian frontend lock being unavailable + # during automatic updates + error "apt failed to install xprintidle" + fi +fi + +# if line already added to crontab: skip +if ! crontab -l | grep "$INACTIVITY_SCRIPT"; then + line="* * * * * $INACTIVITY_SCRIPT" + (crontab -l -u root; echo "$line") | crontab -u root - +fi + +# New auto_logout file, running as root +cat <<- EOF > $INACTIVITY_SCRIPT + #! /usr/bin/env sh + + # If the user is inactive for too long, a dialog will appear, warning the user that the session will end. + # If the user do not touch the mouse or press any keyboard key the session will end. + # Only have one dialog at a time, so remove preexisting ones. + # Create a new message every time, in case someone didn't close it but + # just put e.g. 
a browser in front, to ensure they or someone else gets a + # new warning when/if inactivity is reached again + + USER_DISPLAY=\$(who | grep -w 'user' | sed -rn 's/.*(:[0-9]*).*/\1/p') + + # These are used by xprintidle + export XAUTHORITY=/home/user/.Xauthority + export DISPLAY=\$USER_DISPLAY + su - user -c "DISPLAY=\$USER_DISPLAY xhost +localhost" + + LOG=$INACTIVITY_SCRIPT_LOG + + echo $LOGOUT_TIME_MS \$(xprintidle) >> \$LOG + + if [ \$(xprintidle) -ge $LOGOUT_TIME_MS ]; then + echo 'Logging user out' >> \$LOG + pkill -KILL -u user + exit 0 + fi + # if idle time is past the dialog time: show the dialog + if [ \$(xprintidle) -ge $DIALOG_TIME_MS ]; then + # Do spare the poor lives of potential other zenity windows. + PID_ZENITY="\$(pgrep --full 'Inaktivitet')" + if [ -n \$PID_ZENITY ]; then + kill \$PID_ZENITY + fi + # echo 'Running zenity...' >> \$LOG + # We use the --title to match against above + zenity --warning --text="$DIALOG_TEXT" --ok-label="$BUTTON_TEXT" --no-wrap --display=\$USER_DISPLAY --title "Inaktivitet" + fi +EOF + +chmod +x $INACTIVITY_SCRIPT diff --git a/scripts/lightdm_enable_numlock.sh b/scripts/lightdm_enable_numlock.sh new file mode 100644 index 0000000..5f5a2a2 --- /dev/null +++ b/scripts/lightdm_enable_numlock.sh 
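Review bot: `$DIALOG_TEXT`, `$BUTTON_TEXT` and the two minute values are expanded when the heredoc is written, so they become literal source text of a script that root's crontab runs every minute. A text containing a double quote, backtick, `$` or backslash changes what that script executes, and the minute values are only tested with `-z` and `-gt`, never checked to be digits. Reject non-numeric times right after the `-z` checks, e.g. `case "$DIALOG_TIME_MINS$LOGOUT_TIME_MINS" in *[!0-9]*) error 'Times must be whole minutes.' ;; esac` (message text is a suggestion), and refuse texts containing those four characters before writing `$INACTIVITY_SCRIPT`. Inside the generated script `[ -n \$PID_ZENITY ]` needs quotes, `[ -n "\$PID_ZENITY" ]`, because the unquoted test is true for an empty value and then runs `kill` with no PID.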
@@ -0,0 +1,62 @@ +#!/bin/sh + +# DESCRIPTION +# Requires "lightdm_greeter_setup_scripts" to be run and enabled to take effect. +# +# This script will install numlockx and enable it when the pc reaches the login screen. +# Any changes made requires a reboot to take effect. +# +# PARAMETERS +# 1. Checkbox. Enables or disables numlock + +set -ex + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +NUMLOCK_ON=$1 + +SCRIPT_DIR="/etc/lightdm/greeter-setup-scripts" +SCRIPT="$SCRIPT_DIR/enable_numlock.sh" +POLICY="/etc/xdg/autostart/os2borgerpc-numlock.desktop" +# Stop Debconf from doing anything +export DEBIAN_FRONTEND=noninteractive + +if [ "$NUMLOCK_ON" = "True" ]; then + if [ ! -f "/usr/bin/numlockx" ]; then + apt-get update -qq > /dev/null + apt-get -yqq install numlockx + fi + + mkdir -p "$SCRIPT_DIR" + + cat << EOF > "$SCRIPT" +#!/bin/sh + +numlockx on +EOF + # Set the correct permissions on the file, so it can be executed by lightdm + chmod 700 "$SCRIPT" + echo "Added the script: $SCRIPT" + + + cat > "$POLICY" < $USB_MONITOR +#!/usr/bin/env python3 + +from os import mkfifo, unlink +from os.path import exists +import subprocess +import datetime + +PIPE = "/var/lib/os2borgerpc/usb-event" +USB_EVENT_LOG = "/var/log/usb-events.log" + + +# Old versions of this script expired to 1970-01-02 like hard_shutdown_lockdown.sh +# It was changed to different dates so we can distinguish which +# script locked the account from the security event directly +def lockdown(): + """Disable the user account.""" + subprocess.run(["usermod", "-e", "1970-01-05", "user"]) + subprocess.run(["loginctl", "terminate-user", "user"]) + +def get_current_devices(): + """Get the ids of the currently connected usb devices.""" + encoding = 'utf-8' + lsusb_output = subprocess.check_output("lsusb") + device_ids = [] + for info in lsusb_output.split(b'\n'): + if info: + 
device_ids.append(str(info, encoding)) + return device_ids + +def make_log_entry(device): + current_datetime = datetime.datetime.now() + entry = f"{current_datetime.day} {current_datetime.strftime('%B')} {current_datetime.year} " \ + f"{current_datetime.hour}:{current_datetime.minute} - USB-event caused by {device}\n" + return entry + +def main(): + # Make sure we always start with a fresh FIFO + try: + unlink(PIPE) + except FileNotFoundError: + pass + + mkfifo(PIPE) + try: + while True: + devices_before_event = get_current_devices() + with open(PIPE, "rt") as fp: + # Reading from a FIFO should block until the udev helper script + # gives us a signal. Lock the system immediately when that + # happens and then write the log + content = fp.read() + lockdown() + devices_after_event = get_current_devices() + changed_device = list(set(devices_before_event).symmetric_difference(set(devices_after_event))) + entries = "" + for device in changed_device: + entry = make_log_entry(device) + entries += entry + with open(USB_EVENT_LOG, "a") as log: + log.write(entries) + finally: + unlink(PIPE) + + +if __name__ == "__main__": + main() +END + chmod 700 $USB_MONITOR + + cat < $SERVICE_FILE +[Unit] +Description=OS2borgerPC USB monitoring service + +[Service] +Type=simple +ExecStart=$USB_MONITOR +# It's important that we stop the Python process, stuck in a blocking read, +# with SIGINT rather than SIGTERM so that its finaliser has a chance to run +KillSignal=SIGINT + +[Install] +WantedBy=display-manager.service +END + systemctl enable --now os2borgerpc-usb-monitor.service + + cat < $ON_USB_EVENT +#!/bin/sh + +if [ -p "/var/lib/os2borgerpc/usb-event" ]; then + # Use dd with oflag=nonblock to make sure that we don't append to the pipe + # if the reader isn't yet running + echo "\$@" | dd oflag=nonblock \ + of=/var/lib/os2borgerpc/usb-event status=none +fi +END + chmod 700 $ON_USB_EVENT + + cat < $USB_RULES +SUBSYSTEM=="usb", TEST=="/var/lib/os2borgerpc/usb-event", 
RUN{program}="$ON_USB_EVENT '%E{ACTION}' '\$sys\$devpath'" +END +else + rm --force $ON_USB_EVENT $USB_RULES $USB_MONITOR $SERVICE_FILE +fi + +udevadm control -R diff --git a/scripts/overwrite_libreoffice_config.sh b/scripts/overwrite_libreoffice_config.sh new file mode 100755 index 0000000..6813c60 --- /dev/null +++ b/scripts/overwrite_libreoffice_config.sh @@ -0,0 +1,42 @@ +#!/usr/bin/env bash + +# Overwrite the Libreoffice registrymodifications.xcu config with our own version. +# Takes two checkboxes as input. The first disables Tip of the day and displaying the changelog when you start the app. +# The second changes the default fileformats to Microsoft's (.docx, .pptx, .xlsx). + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +REMOVE_TIP_OF_THE_DAY=$1 +SET_FORMATS_TO_MICROSOFTS=$2 + +CONFIG_DIR="/home/.skjult/.config/libreoffice/4/user/" +FILE_PATH=$CONFIG_DIR"registrymodifications.xcu" + +mkdir -p $CONFIG_DIR + +rm -f $FILE_PATH + +cat << EOF >> $FILE_PATH + + +EOF + +if [ "$REMOVE_TIP_OF_THE_DAY" == "True" ]; then +cat << EOF >> $FILE_PATH + false + 30.0 +EOF +fi + +if [ "$SET_FORMATS_TO_MICROSOFTS" == "True" ]; then +cat << EOF >> $FILE_PATH + MS Word 2007 XML + Calc MS Excel 2007 XML + Impress MS PowerPoint 2007 XML +EOF +fi + +printf "" >> $FILE_PATH \ No newline at end of file diff --git a/scripts/polkit_policy_shutdown_suspend.sh b/scripts/polkit_policy_shutdown_suspend.sh new file mode 100644 index 0000000..69ea428 --- /dev/null +++ b/scripts/polkit_policy_shutdown_suspend.sh 
@@ -0,0 +1,83 @@ +#!/usr/bin/env bash + +#================================================================ +# HEADER +#================================================================ +#% SYNOPSIS +#+ polkit_policy_shutdown.sh [ENFORCE] +#% +#% DESCRIPTION +#% This script installs a mandatory PolicyKit policy that either prevents +#% the "user" or "lightdm" users from suspending the system or +#% prevents the "user" or "lightdm" users from suspending, restarting or shutting down +#% the system. +#% +#% It takes two optional parameters: whether to prevent suspending the system +#% and whether to also prevent restart/shutdown. +#% 1. Use a boolean to decide whether or not to prevent the "user" from +#% suspending the system. A checked box prevents suspend and an +#% unchecked box allows it +#% 2. Use a boolean to decide whether or not to also prevent the "user" from +#% restarting/shutting down the system. A checked box prevents +#% restart/shutdown and an unchecked box allows it. +#% Has no effect if input 1 is unchecked +#% +#================================================================ +#- IMPLEMENTATION +#- version polkit_policy_shutdown.sh (magenta.dk) 1.0.0 +#- author Alexander Faithfull +#- modified by Andreas Poulsen +#- copyright Copyright 2019, 2020 Magenta ApS +#- license GNU General Public License +#- email af@magenta.dk +#- +#================================================================ +# HISTORY +# 2019/09/25 : af : dconf_policy_shutdown.sh created +# 2020/01/27 : af : This script created based on dconf_policy_shutdown.sh +# 2022/11/01 : ap : This script modified to always disable hibernating/sleeping +# 2022/12/12 : ap : This script modified to allow separately +# disabling restart/shutdown or hibernating/sleeping +# +#================================================================ +# END_OF_HEADER +#================================================================ + +set -x + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + 
echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +POLICY="/etc/polkit-1/localauthority/90-mandatory.d/10-os2borgerpc-no-user-shutdown.pkla" + +if [ ! -d "$(dirname "$POLICY")" ]; then + mkdir -p "$(dirname "$POLICY")" +fi + +if [ "$1" = "False" ]; then + rm -f "$POLICY" +elif [ "$1" = "True" ] && [ "$2" = "False" ]; then + cat > "$POLICY" < "$POLICY" </iOption orientation-requested $ORIENTATION" $CUPS_PRINTER_CONF + systemctl start cups +fi + +echo "Finally list all the settings after the changes, for verification that the changes succeeded:" +lpoptions -p "$PRINTER" -l +echo "Contents of $CUPS_PRINTER_CONF:" +cat $CUPS_PRINTER_CONF diff --git a/scripts/printer_princh_add.sh b/scripts/printer_princh_add.sh new file mode 100755 index 0000000..6ecbead --- /dev/null +++ b/scripts/printer_princh_add.sh @@ -0,0 +1,29 @@ +#! /usr/bin/env sh + +set -ex + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi +# lpadmin doesn't like spaces +NAME="$(echo "$1" | tr ' ' '_')" +PRINCH_ID="$2" +DESCRIPTION="$3" +SET_STANDARD="$4" + +# Delete the printer if a printer already exists by that NAME +lpadmin -x "$NAME" || true + +# No princh-cloud-printer binary in path, so checking for princh-setup +if which princh-setup > /dev/null; then + lpadmin -p "$NAME" -v "princh:$PRINCH_ID" -D "$DESCRIPTION" -E -P /usr/share/ppd/princh/princheu.ppd -L "$DESCRIPTION" +else + echo "Princh is not installed. Please run the script that installs Princh before this one." + exit 1 +fi + +if [ "$SET_STANDARD" = "True" ]; then + # Set the printer as standard printer + lpadmin -d "$NAME" && lpstat -d +fi diff --git a/scripts/printer_princh_install.sh b/scripts/printer_princh_install.sh new file mode 100644 index 0000000..2a92801 --- /dev/null +++ b/scripts/printer_princh_install.sh 
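Review bot: In scripts/printer_princh_add.sh, `lpadmin -x "$NAME" || true` removes the existing printer before the `which princh-setup` check, so on a machine where Princh is missing the run ends with `exit 1` and the previously working queue already deleted. Moving the installation check above the delete keeps a failed run from changing anything. `command -v princh-setup > /dev/null` is the portable spelling for an `sh` script.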
@@ -0,0 +1,43 @@ +#! /usr/bin/env sh + +set -ex + +if get_os2borgerpc_config os2_product | grep --quiet kiosk; then + echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine." + exit 1 +fi + +export DEBIAN_FRONTEND=noninteractive +URL="https://packages.princh.com/linux/debian/amd64/PrinchCloudPrinter/production/current" + +# This will return "" if not installed, which is also fine as that means it'll be installed +PRINCH_VERSION_AVAILABLE="$(curl --head --silent $URL | grep version | cut --delimiter ' ' --fields 2 | cut --delimiter '.' --fields 1,2,3)" +PRINCH_VERSION_INSTALLED="$(dpkg --status princh-cloud-printer | grep Version | cut --delimiter ' ' --fields 2)" + +[ -z "$PRINCH_VERSION_AVAILABLE" ] && printf "%s\n" "Failed to obtain the current Princh version from Princh's servers" && exit 1 + +# Remove the older versions of Princh, ignore if not existing +apt-get remove --assume-yes princh || true +# Remove their old PPA +add-apt-repository --remove --yes ppa:princh/stable || true + +# No princh-cloud-printer binary in path, so checking for princh-setup +if [ "$PRINCH_VERSION_AVAILABLE" != "$PRINCH_VERSION_INSTALLED" ]; then + + FILE="princh.deb" + # Change the file name of the download file to be something + # predictable for the command to install it below + curl $URL --output $FILE + dpkg --install $FILE + +else + printf '%s\n' "Princh is already installed and in the most recent version." +fi + +# Create Princh autostart +princh_autostart_dir=/home/.skjult/.config/autostart + +mkdir --parents $princh_autostart_dir + +# This will fail if the symlink already exists, but the exit status is still 0 so no problem +ln -sf /usr/share/applications/com-princh-print-daemon.desktop $princh_autostart_dir diff --git a/scripts/printer_toggle_network_discovery.sh b/scripts/printer_toggle_network_discovery.sh new file mode 100755 index 0000000..ea3d448 --- /dev/null +++ b/scripts/printer_toggle_network_discovery.sh 
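Review bot: In scripts/printer_princh_install.sh the package is fetched with `curl $URL --output $FILE` and handed straight to `dpkg --install` as root, with nothing checking what was downloaded beyond the TLS connection. Without `--fail` an HTTP error body is saved as princh.deb, and the file lands under a fixed name in whatever the current directory happens to be. At minimum use `FILE="$(mktemp --suffix=.deb)"` and `curl --fail --silent --show-error --proto '=https' "$URL" --output "$FILE"`, and verify the download against a checksum or signature published by the vendor, if one is available, before installing. The comment `# This will return "" if not installed` sits above `PRINCH_VERSION_AVAILABLE` but describes `PRINCH_VERSION_INSTALLED`.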
@@ -0,0 +1,43 @@ +#! /usr/bin/env sh + +set -ex + +# Enable / Disable network printer discovery. +# Use a boolean to enable or disable. A checked box will disable +# network printer discovery and an unchecked one will enable it. +# As a side effect all network printers previously found are removed +# and any you want, have to be added manually. +# Log out or restart if changes don't take immediate effect. +# +# Attempted solutions that proved insufficient: +# 1. Disable fx. BrowseProtocols in /etc/cups/cupsd.conf AND +# /etc/cups/cups-browsed.conf +# 2. Completely disable cups-browsed: systemctl mask cups-browsed +# +# Author: mfm@magenta.dk + +ACTIVATE=$1 + +POLKIT_POLICY="/etc/polkit-1/localauthority/10-vendor.d/01-os2borgerpc-deny-user-managing-units.pkla" + +if [ "$ACTIVATE" = "True" ]; then + # Disable network printer discovery + systemctl mask avahi-daemon cups-browsed + # Mask vs. disable: https://askubuntu.com/a/816378/284161 + systemctl stop avahi-daemon cups-browsed + + cat <<- EOF > $POLKIT_POLICY + [User shan't manage units, to prevent simple-scan/saned from prompting for password trying to start avahi-daemon] + Identity=unix-user:user + Action=org.freedesktop.systemd1.manage-units + ResultAny=no + ResultInactive=no + ResultActive=no + EOF + +else # Enable network printer discovery + systemctl unmask avahi-daemon cups-browsed + systemctl start avahi-daemon cups-browsed + + rm --force $POLKIT_POLICY +fi diff --git a/scripts/protect_terminal.sh b/scripts/protect_terminal.sh new file mode 100755 index 0000000..62872cd --- /dev/null +++ b/scripts/protect_terminal.sh 
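Review bot: In scripts/printer_toggle_network_discovery.sh, `cat <<- EOF > $POLKIT_POLICY` assumes /etc/polkit-1/localauthority/10-vendor.d already exists; under `set -e` a missing directory aborts the script after avahi-daemon and cups-browsed were masked but before the deny rule is written. Add `mkdir --parents "$(dirname "$POLKIT_POLICY")"` before the heredoc, as the polkit shutdown script in this patch does for its own policy directory. The rule only takes effect where polkit still reads `.pkla` local-authority files, so it is worth confirming that on each supported release rather than assuming the deny is active. The header comment could also say that the rule denies `org.freedesktop.systemd1.manage-units` for `user` across all units, not only the two discovery services.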
@@ -0,0 +1,59 @@
+#!/usr/bin/env sh
+
+set -ex
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+ echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+ exit 1
+fi
+
+ACTIVATE=$1
+PROGRAM_PATH="/usr/bin/gnome-terminal"
+
+SKEL=".skjult"
+SHORTCUT_NAME="org.gnome.Terminal.desktop"
+SHORTCUT_GLOBAL_PATH="/usr/share/applications/$SHORTCUT_NAME"
+SHORTCUT_LOCAL_PATH="/home/$SKEL/.local/share/applications/$SHORTCUT_NAME"
+
+# Also remove the gnome extension that can start gnome terminal, don't stop execution if it fails
+apt-get remove --assume-yes nautilus-extension-gnome-terminal || true
+
+# Backwards compatibility - undo the effects of the previous script versions:
+# Making sure we're not removing the actual gnome-terminal
+if grep --quiet 'zenity' "$PROGRAM_PATH"; then
+ PROGRAM_HISTORICAL_PATH="$PROGRAM_PATH.real"
+
+ dpkg-statoverride --remove "$PROGRAM_PATH" || true
+ # Remove the shell script that prints the error message
+ rm "$PROGRAM_PATH"
+ # Remove location override and restore gnome-terminal.real back to gnome-terminal
+ dpkg-divert --remove --no-rename "$PROGRAM_PATH"
+ # dpkg-divert can --rename it itself, but the problem with doing that is that in some images
+ # dpkg-divert is not used, it was simply moved/copied, so that won't restore it, leaving you
+ # with no gnome-control-center
+ mv "$PROGRAM_HISTORICAL_PATH" "$PROGRAM_PATH"
+fi
+
+
+if [ "$ACTIVATE" = "True" ]; then # Restore access
+ # Remove the permissions override and manually reset permissions to defaults
+ # Suppress error to prevent set -e exiting in case the override no longer exists
+ dpkg-statoverride --remove "$PROGRAM_PATH" || true
+ # statoverride remove can't change permissions and ownership back by itself currently, unfortunately
+ chown root:root "$PROGRAM_PATH"
+ chmod 755 "$PROGRAM_PATH"
+
+ rm --force $SHORTCUT_LOCAL_PATH
+else # Deny access
+ if ! dpkg-statoverride --list | grep --quiet "$PROGRAM_PATH"; then # Don't statoverride if it's already been done (idempotency)
+ dpkg-statoverride --update --add superuser root 770 "$PROGRAM_PATH"
+ fi
+ # Additionally remove the terminal from Borgers program list for UX/cosmetic reasons (rather than security)
+ mkdir --parents "$(dirname $SHORTCUT_LOCAL_PATH)"
+ cp $SHORTCUT_GLOBAL_PATH $SHORTCUT_LOCAL_PATH
+ chmod o-r $SHORTCUT_LOCAL_PATH
+fi
+
+# For manual verification that there are no terminal diversions, but possibly a statoverride:
+dpkg-divert --list | grep terminal || true
+dpkg-statoverride --list | grep terminal || true
diff --git a/scripts/shutdown_at_time.sh b/scripts/shutdown_at_time.sh
new file mode 100755
index 0000000..e9c872a
--- /dev/null
+++ b/scripts/shutdown_at_time.sh
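Review bot: The idempotency test `dpkg-statoverride --list | grep --quiet "$PROGRAM_PATH"` is a substring match over every override, so an override on any other path that merely contains `/usr/bin/gnome-terminal` (the `.real` name used by the older script versions, for instance) makes the deny branch skip `--add` and leaves the terminal executable. `dpkg-statoverride --list "$PROGRAM_PATH"` takes the path as a pattern and exits non-zero when nothing matches, so `if ! dpkg-statoverride --list "$PROGRAM_PATH" > /dev/null; then` tests exactly this file. `$SHORTCUT_LOCAL_PATH` and `$SHORTCUT_GLOBAL_PATH` should be quoted the way `$PROGRAM_PATH` is. The comment `# with no gnome-control-center` looks copied from another script and presumably means gnome-terminal.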
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+# SYNOPSIS
+# shutdown_at_time.sh
+#
+# DESCRIPTION
+# This is a script to make a OS2BorgerPC machine shutdown at a certain time.
+#
+# To disable the scheduled shutdown:
+# shutdown_at_time.sh --off
+#
+# We'll suppose the user only wants to have regular shutdown once a day
+# as specified by the and parameters. Thus, any line in
+# crontab already specifying a shutdown will be deleted before a new one is
+# inserted.
+#
+# IMPLEMENTATION
+# author Danni Als
+# copyright Copyright 2018, Magenta Aps"
+# license GNU General Public License
+
+set -x
+
+WAKE_PLAN_FILE=/etc/os2borgerpc/plan.json
+
+if [ -f $WAKE_PLAN_FILE ]; then
+ echo "Dette script kan ikke anvendes på en PC, der er tilknyttet en tænd/sluk tidsplan."
+ exit 1
+fi
+
+ROOTCRON_TMP=/tmp/oldcron
+USERCRON=/etc/os2borgerpc/usercron
+if grep "LANG=" /etc/default/locale | grep "sv"; then
+ MESSAGE="Den här datorn stängs av om fem minuter"
+elif grep "LANG=" /etc/default/locale | grep "en"; then
+ MESSAGE="This computer will shut down in five minutes"
+else
+ MESSAGE="Denne computer lukker ned om fem minutter"
+fi
+
+# Read and save current cron settings first
+crontab -l > $ROOTCRON_TMP
+
+# Ensure that the usercron-file exists and has the correct permissions
+touch $USERCRON
+chmod 700 $USERCRON
+
+# Delete current crontab entries related to this script AND shutdown_and_wakeup.sh
+sed --in-place --expression "/shutdown/d" --expression "/rtcwake/d" --expression "/scheduled_off/d" $ROOTCRON_TMP
+sed --in-place "/notify-send/d" $USERCRON
+
+# If not called with --off: Determine the new crontab contents
+if [ "$1" != "--off" ]; then
+
+ if [ $# == 2 ]; then
+ HOURS=$1
+ MINUTES=$2
+ # Assume the parameters are already validated as integers.
+ echo "$MINUTES $HOURS * * * /sbin/shutdown -P now" >> $ROOTCRON_TMP
+
+ MINM5P60=$(( $(( MINUTES - 5)) + 60))
+ # Rounding minutes
+ MINS=$(( MINM5P60 % 60))
+ HRCORR=$(( 1 - $(( MINM5P60 / 60))))
+ HRS=$(( HOURS - HRCORR))
+ HRS=$(( $(( HRS + 24)) % 24))
+ # Now output to user's crontab as well
+ echo "$MINS $HRS * * * XDG_RUNTIME_DIR=/run/user/\$(id -u) /usr/bin/notify-send \"$MESSAGE\"" >> $USERCRON
+ else
+ echo "Usage: shutdown_at_time.sh [--off] [hours minutes]"
+ fi
+fi
+
+# Update crontabs accordingly - either with an empty crontab or updated ones
+crontab $ROOTCRON_TMP
+crontab -u user $USERCRON
+
+# Ensure that user-cleanup resets the user crontab
+if [ -f "$USER_CLEANUP" ] && ! grep --quiet "crontab" "$USER_CLEANUP"; then
+ echo "crontab -u user $USERCRON" >> "$USER_CLEANUP"
+fi
+
+rm --force $ROOTCRON_TMP
diff --git a/scripts/unexpire_user.sh b/scripts/unexpire_user.sh
new file mode 100755
index 0000000..aec53b4
--- /dev/null
+++ b/scripts/unexpire_user.sh
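Review bot: `ROOTCRON_TMP=/tmp/oldcron` is a fixed name in a world-writable directory that root fills with `crontab -l >` and then installs with `crontab $ROOTCRON_TMP`, so the content of root's crontab depends on a path that other local accounts can create or race; `ROOTCRON_TMP="$(mktemp)"` removes that. `HOURS` and `MINUTES` are copied into root's crontab on the strength of the comment "Assume the parameters are already validated as integers", and a value such as `08` additionally breaks the `$(( ))` arithmetic because bash reads it as octal. `$USER_CLEANUP` is never assigned in this script, so the final block only runs if the caller exports it. The fence below validates both values before any crontab file is modified; note that it exits on bad arguments instead of printing the usage line and still rewriting the crontabs.

```shell
ROOTCRON_TMP="$(mktemp)"
# … unchanged: USERCRON, MESSAGE selection …

# Reject bad arguments before any crontab file is modified.
# Base 10 is forced so that "08" and "09" are not read as octal.
if [ "$1" != "--off" ]; then
  if [ $# != 2 ] || ! [[ "$1" =~ ^[0-9]{1,2}$ && "$2" =~ ^[0-9]{1,2}$ ]] \
    || (( 10#$1 > 23 || 10#$2 > 59 )); then
    echo "Usage: shutdown_at_time.sh [--off] [hours minutes]"
    rm --force "$ROOTCRON_TMP"
    exit 1
  fi
fi
# … unchanged: crontab -l, sed cleanup, --off test …
    HOURS=$(( 10#$1 ))
    MINUTES=$(( 10#$2 ))
    # … unchanged: cron lines for shutdown and notify-send …
```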
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+#================================================================
+# HEADER
+#================================================================
+#% SYNOPSIS
+#+ unexpire_user.sh
+#%
+#% DESCRIPTION
+#% This script unexpires the "user" account after it has been
+#% set expired.
+#%
+#% For use with the "lockdown_usb.sh" and
+#% "detect_user_expired_event.py" script.
+#%
+#================================================================
+#- IMPLEMENTATION
+#- version unexpire_user.sh (magenta.dk) 1.0.0
+#- author Søren Howe Gersager
+#- copyright Copyright 2021 Magenta ApS
+#- license GNU General Public License
+#- email shg@magenta.dk
+#-
+#================================================================
+# HISTORY
+# 2021/08/30 : shg: Creation
+#================================================================
+# END_OF_HEADER
+#================================================================
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+ echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+ exit 1
+fi
+
+# Check if we should run user-cleanup.bash,
+# i.e. if the user account has actually been expired
+EXPIRED=$(chage -l user | grep 1970)
+
+# Unexpire user
+usermod -e '' user
+
+# Run user-cleanup.bash after unexpiring user to avoid issues with gio
+if [ -n "$EXPIRED" ]; then
+ /usr/share/os2borgerpc/bin/user-cleanup.bash
+fi
diff --git a/scripts/update_all.sh b/scripts/update_all.sh
new file mode 100755
index 0000000..b11b81f
--- /dev/null
+++ b/scripts/update_all.sh
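Review bot: `EXPIRED=$(chage -l user | grep 1970)` matches the string 1970 on any line of the `chage -l` report, not only the account-expiry line, so user-cleanup can run for an account that was never expired. Reading the expiry field directly is narrower: `EXPIRY_DAY="$(getent shadow user | cut --delimiter ':' --fields 8)"`, then test that value; which value the lockdown script writes there is not visible in this patch, so the comparison needs confirming against it. The script also has no `set -e`, so a failing `usermod -e '' user` can still end with exit status 0, and the account stays blocked without the run being reported as failed.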
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+# SYNOPSIS
+# update_all.sh
+#
+# DESCRIPTION
+# This script updates all apt repositories and then applies all available
+# upgrades, picking default values for all debconf questions. It takes no
+# parameters.
+# Snap packages are already updated automatically by default in Ubuntu.
+#
+# IMPLEMENTATION
+# copyright Copyright 2022, Magenta ApS
+# license GNU General Public License
+
+set -ex
+
+# Fix dpkg settings to avoid interactivity.
+if ! grep --quiet "Dpkg::Lock" /etc/apt/apt.conf.d/local; then
+ cat <<- EOF > /etc/apt/apt.conf.d/local
+ Dpkg::Options {
+ "--force-confdef";
+ "--force-confold";
+ };
+ Dpkg::Lock {Timeout "300";};
+EOF
+fi
+
+# Stop Debconf from doing anything
+export DEBIAN_FRONTEND=noninteractive
+
+# Update apt packages
+apt-get update > /dev/null # Resync the local package index from its remote counterpart
+# Configure any packages which have been unpacked but not configured, as otherwise --fix-broken might fail
+# However, package configuration can also fail due to dependency issues that would be fixed by --fix-broken
+# so if the command fails, try to run --fix-broken
+dpkg --configure -a || apt-get --assume-yes --fix-broken install
+# Attempt to fix broken or interrupted installations
+# If this fails, try to configure any packages which have been unpacked but not configured
+apt-get --assume-yes --fix-broken install || dpkg --configure -a
+apt-get --assume-yes dist-upgrade # Upgrade all packages, and if needed remove packages preventing an upgrade
+apt-get --assume-yes autoremove # Remove packages only installed as dependencies which are no longer dependencies
+apt-get --assume-yes clean # Remove local repository of retrieved package files
diff --git a/scripts/user_automatic_login.sh b/scripts/user_automatic_login.sh
new file mode 100755
index 0000000..97a73be
--- /dev/null
+++ b/scripts/user_automatic_login.sh
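Review bot: When `/etc/apt/apt.conf.d/local` exists without a `Dpkg::Lock` entry, `cat <<- EOF > /etc/apt/apt.conf.d/local` replaces the whole file and discards whatever apt settings were in it. If other scripts or an administrator keep options in that file (not visible from this hunk), they are lost on the first run. Writing these options to a file that only this script owns, or appending just the missing `Dpkg::Lock {Timeout "300";};` line, avoids that.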
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+#
+# Takes two boolean parameters.
+# 1. True will enable automatic login while an unchecked one will disable it.
+# 2. If the first argument is True, this determines if OUR_USER is required to type in their password or not.
+
+set -ex
+
+if get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+ echo "Dette script er ikke designet til at blive anvendt på en kiosk-maskine."
+ exit 1
+fi
+
+LIGHTDM_CONFIG="/etc/lightdm/lightdm.conf"
+OUR_USER="user"
+
+ACTIVATE="$1"
+REQUIRE_PASSWORD="$2"
+
+adduser $OUR_USER nopasswdlogin
+
+if [ "$ACTIVATE" = "False" ]; then
+ if [ "$REQUIRE_PASSWORD" = "True" ]; then
+ # Require password for User
+ if id --name --groups $OUR_USER | grep --quiet --word-regexp nopasswdlogin; then
+ # Remove the user from nopasswdlogin group
+ deluser $OUR_USER nopasswdlogin
+ fi
+ fi
+ # Disable autmatic login
+ sed --in-place "/autologin-user/d" $LIGHTDM_CONFIG
+else # Enable automatic login incl. not requiring password from user on manual login before the timeout
+ # Idempotency check
+ if ! grep --quiet -- "autologin-user=$OUR_USER" $LIGHTDM_CONFIG; then
+ cat <<- EOF >> $LIGHTDM_CONFIG
+ autologin-user-timeout=10
+ autologin-user=$OUR_USER
+ EOF
+ fi
+fi
diff --git a/scripts/vnc_and_ssh_install.sh b/scripts/vnc_and_ssh_install.sh
new file mode 100755
index 0000000..36daccc
--- /dev/null
+++ b/scripts/vnc_and_ssh_install.sh
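Review bot: `adduser $OUR_USER nopasswdlogin` runs unconditionally before the arguments are examined, so even the require-password path first makes the account passwordless and relies on the later `deluser` to undo it; under `set -e` an abort in between would leave the user in `nopasswdlogin`. Moving the `adduser` into the branches that actually want passwordless login keeps the account from ever being weaker than requested. The header comment for parameter 2 says it applies "If the first argument is True", while the code only reads `REQUIRE_PASSWORD` when `ACTIVATE` is `False`; the comment should read `# 2. If the first argument is False, ...`. The new lines are appended to the end of `lightdm.conf` on the assumption that the file ends inside the seat section, which is not checked here.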
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# This script will set up a VNC server to listen on display :0 and will
+# set a password given in the first parameter.
+
+VNC_PASSWORD=$1
+
+XINETD_FILE=/etc/xinetd.d/x11vnc
+
+if ! get_os2borgerpc_config os2_product | grep --quiet kiosk; then
+ echo "Dette script er ikke designet til at blive anvendt på en regulær OS2borgerPC-maskine."
+ exit 1
+fi
+
+apt install -y ssh x11vnc xinetd
+
+cat << EOF > $XINETD_FILE
+service x11vncservice
+{
+ port = 5900
+ type = UNLISTED
+ socket_type = stream
+ protocol = tcp
+ wait = no
+ user = chrome
+ server = /usr/bin/x11vnc
+ server_args = -inetd -o /home/chrome/x11vnc.log -noxdamage -display :0 -auth /home/chrome/.Xauthority -passwd $VNC_PASSWORD
+ disable = no
+}
+EOF
+
+chmod 640 $XINETD_FILE
+
+rm --force /etc/os2borgerpc/vncpasswd /var/log/x11vnc.log
+
+service xinetd restart
diff --git a/shutdown_at_time.md b/shutdown_at_time.md
new file mode 100644
index 0000000..77fe266
--- /dev/null
+++ b/shutdown_at_time.md
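Review bot: `-passwd $VNC_PASSWORD` in `server_args` stores the VNC password in plain text in the xinetd file and puts it on the x11vnc command line, where it shows up in the process list for as long as a session runs; the value is also unquoted and unchecked, so an empty or space-containing password changes the argument list. The heredoc is written with the default umask and only tightened by `chmod 640` afterwards. The service listens on port 5900 on every interface although SSH is installed in the same step, so if operators can tunnel, binding to loopback keeps unencrypted VNC off the network. The fence below stores the password with `x11vnc -storepasswd` and passes `-rfbauth` instead; the password-file path is a placeholder.

```shell
VNC_PASSWORD=$1
VNC_PASSWD_FILE="/path/to/x11vnc.pass"  # placeholder: choose the project's location

if [ -z "$VNC_PASSWORD" ]; then
  echo "VNC password must not be empty" >&2
  exit 1
fi
# … unchanged: kiosk check, apt install …

# Keep the password out of the xinetd file and the long-running process arguments
x11vnc -storepasswd "$VNC_PASSWORD" "$VNC_PASSWD_FILE"
chown chrome: "$VNC_PASSWD_FILE"
chmod 600 "$VNC_PASSWD_FILE"

umask 077
cat << EOF > $XINETD_FILE
# … unchanged: service header, port, type, socket_type, protocol, wait, user, server …
  bind = 127.0.0.1
  server_args = -inetd -o /home/chrome/x11vnc.log -noxdamage -display :0 -auth /home/chrome/.Xauthority -rfbauth $VNC_PASSWD_FILE
# … unchanged: disable, closing brace, EOF …
```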
@@ -0,0 +1,36 @@
+---
+title: "System - Luk ned dagligt"
+parent: "System"
+source: os2borgerpc-scripts/common/system/shutdown_at_time.sh
+parameters:
+ - name: "Timer"
+ type: "string"
+ default: null
+ mandatory: true
+ - name: "Minutter"
+ type: "int"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+ - "Kiosk"
+---
+
+## Beskrivelse
+Lukker computeren ned på et bestemt tidspunkt hver dag.
+
+Inputparametre:
+ 1. Timer: Angiver hvilket timetal computeren lukker ned.
+ 2. Minutter: Angiver hvilket minuttal computeren lukker ned.
+
+Eksempel:
+Du vælger henholdsvis parametrene "20" og "30" - og maskinen vil dagligt lukke ned kl. 20:30.
+
+Det er også muligt at angive "--off" som første parameter og et tomt andet parameter. Dette standser den daglige nedlukning.
+
+Brugeren varsles fem minutter før nedlukningen.
+
+NB: Brugeren har ingen mulighed for at undgå nedlukning.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
\ No newline at end of file
diff --git a/unexpire_user.md b/unexpire_user.md
new file mode 100644
index 0000000..d6d8c36
--- /dev/null
+++ b/unexpire_user.md
@@ -0,0 +1,18 @@
+---
+title: "Sæt Borger som aktiv efter blokeret login (lås op)"
+parent: "Sikkerhed"
+source: os2borgerpc-scripts/os2borgerpc/sikkerhed/unexpire_user.sh
+parameters:
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Dette script gør det muligt for Borger igen at logge ind efter blokeret login.
+
+Benyttes sammen med Scriptet "Bloker for login ved USB event" og Sikkerhedsscriptet "Detekter låst/udløbet bruger event".
+
+Udarbejdet af Alexander Faithfull og Søren Howe Gersager .
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
\ No newline at end of file
diff --git a/update_all.md b/update_all.md
new file mode 100644
index 0000000..e174051
--- /dev/null
+++ b/update_all.md
@@ -0,0 +1,19 @@
+---
+title: "System - Opdater alt nu"
+parent: "System"
+source: os2borgerpc-scripts/common/system/update_all.sh
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+ - "Kiosk"
+---
+
+## Beskrivelse
+Dettte script opdaterer alle pakker på systemet "her og nu".
+
+Så det anbefales at køre dette script hvis en opdatering ude på maskinen er gået galt, eller hvis man kun har sat automatiske sikkerhedsopdateringer til.
+
+Da scriptet involverer overførsel af meget data kan det i nogle situationer godt fejle, hvis der i opdateringsperioden opstår netværksproblemer lokalt eller hos de servere, der opdateres fra.
+Oplever du fejl, kan det derfor godt anbefales at prøve at køre scriptet én gang til. Fortsætter fejlen så kontakt os.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
\ No newline at end of file
diff --git a/user_automatic_login.md b/user_automatic_login.md
new file mode 100644
index 0000000..232809e
--- /dev/null
+++ b/user_automatic_login.md
@@ -0,0 +1,37 @@
+---
+title: "Automatisk borgerlogin til/fra"
+parent: "Login"
+source: os2borgerpc-scripts/os2borgerpc/login/user_automatic_login.sh
+parameters:
+ - name: "Aktiver automatisk borgerlogin"
+ type: "boolean"
+ default: null
+ mandatory: false
+ - name: "Hvis ikke-automatisk login: Borger skal indtaste kodeord"
+ type: "boolean"
+ default: null
+ mandatory: false
+compatibility:
+ - "22.04"
+ - "BorgerPC"
+---
+
+## Beskrivelse
+Skift mellem automatisk login for publikum (Borger) eller ej.
+
+Automatisk login er som standard slået TIL på publikums-PC'er.
+
+Hvis man slår det FRA, og vælger at Borger skal indtaste kodeord ved login, skal man bruge scriptet "Skift kodeord for Borger" til at sætte et kendt kodeord for publikumsbrugeren.
+
+Scriptet tager oftest først effekt efter genstart.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
+
+## Parametre
+ Aktiver automatisk borgerlogin:
+ Sæt hak: Slår automatisk borgerlogin til
+ Lad stå tom: Slår automatisk borgerlogin fra
+ Borger skal indtaste kodeord:
+ Dette parameter har kun effekt, hvis hak er udeladt i første parameter.
+ Sæt hak: Borger skal indtaste kodeord for at logge ind
+ Lad stå tom: Borger logger ind ved at trykke på login-knappen, uden kodeord
\ No newline at end of file
diff --git a/vnc_and_ssh_install.md b/vnc_and_ssh_install.md
new file mode 100644
index 0000000..232d8b9
--- /dev/null
+++ b/vnc_and_ssh_install.md
@@ -0,0 +1,22 @@
+---
+title: "Installer SSH og VNC"
+parent: "Kiosk"
+source: os2borgerpc-scripts/os2borgerpc/os2borgerpc_kiosk/vnc_and_ssh_install.sh
+parameters:
+ - name: "VNC kodeord"
+ type: "string"
+ default: null
+ mandatory: true
+compatibility:
+ - "22.04"
+ - "Kiosk"
+---
+
+## Beskrivelse
+Installer SSH og VNC for fjernadgang.
+
+Du kan lave SSH-forbindelse med det almindelige Unix-password.
+
+Giv VNC-kodeordet med som parameter.
+
+Dette script er blevet testet og virker på Ubuntu 22.04.
\ No newline at end of file