Ubuntu Laptops in Schools
I'm currently working on a project that's putting computers into Zambian schools to try to revolutionise education, making it more fun and interactive for kids, and reducing the problems of teacher absence.
They're using Intel Classmate style PCs, currently running Windows 7 Home Starter. I'm investigating whether Ubuntu would provide a better experience. It might be faster, more reliable, more manageable and easier to lock down than Windows.
Ubuntu 10.10 (Maverick) doesn't boot on these computers, probably due to problems with the HPET. I don't like Unity so I don't want to try 11.04 just yet, which left me falling back to 10.04 (Lucid) with long-term support.
The computers should be in a kiosk-like mode for student use, where no login is required but they are locked down. They should also be used by teachers (with a password and fewer restrictions) and administrators (with another password and no restrictions). So I created three user accounts. Student is set to log in by default with no password.
While this works, there are other places where a password is requested and none works, because the Student account doesn't have a valid password:
- unlocking from screensaver
- switching users
- sudo from the command line
The last one is less important because students should not be able to access the command line anyway, or have any administrative rights. But they need to unlock the screensaver and be able to switch users.
We solved the screensaver problem by telling the screensaver not to lock the screen for this user, just as we did for Camfed in the Zambia SRC with LTSP:
# Disable locking the screen for users with no password to unlock it sudo -u student gconftool-2 \ --type boolean \ --set /apps/gnome-screensaver/lock_enabled false
However the user switching was more tricky. Luckily I found a very helpful question and answer on SuperUser. I improved on it slightly by reusing Ubuntu's builtin
nopasswdlogin group, so that users who can log in with no password can also be switched to with no password.
To achieve this, just add the following line at the beginning of
auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
Firefox Kiosk Mode
We want the browser to be fullscreen all the time, so we need to use some extensions:
- Full Fullscreen to make it start in fullscreen mode;
- Keyconfig to stop them exiting full screen mode with F11, or closing the browser with Alt-F4.
We also change some preferences using about:config:
- xpinstall.enabled: false
- to prevent installing more extensions;
- app.update.auto: false
- to stop Firefox checking for updates by itself;
- browser.sessionstore.resume_from_crash: false
- to prevent the Restore previous session prompt when starting Firefox;
- extensions.update.enabled: false
- to stop Firefox checking for updates to its installed extensions;
- extensions.update.notifyUser: false
- to avoid a prompt if an extension update is discovered;
- browser.tabs.warnOnClose: false
- to avoid the prompt to save your tabs on browser exit;
We want the students to have access to a restricted set of applications. The user interface also needs to be unbreakable (child-proof). Windows should always be maximised, as the laptops have quite small screens. All of this points to using a custom window manager/desktop instead of the standard Gnome or KDE.
Fluxbox and Openbox were recommended, but they seem to be aimed at highly-customised desktop environments (for geeks) rather than locked-down kiosks or embedded systems. Matchbox looks like quite a good fit. It has a very simple front menu and an everything-maximised window manager, which sounds great for ease of use.
We're using GDM for the user login, which offers users a choice of which session (window manager) to run. This is OK, and even quite good for administrators, as it provides a failsafe option in case the usual window manager is borked. But I can't see how to disable or override this for particular users. Students have no-password logins, so they don't even get the opportunity to choose a window manager.
The DefaultSession in
/etc/gdm/custom.conf (chosen using
gdmsetup) changes their window manager, but affects all users, and we don't want to force everyone to use the restrictive kiosk window manager.
I found that GDM lets you specify your own Xsession script, which gdm uses to actually start the session selected by the user. So I wrote a replacement:
if [ "$USER" = "student" ]; then /etc/gdm/Xsession /usr/bin/matchbox-session else /etc/gdm/Xsession "$@" fi
All it does is call the original Xsession, overriding the name of the session manager if the current user is the special
student user, and otherwise behaves exactly as normal.
Save it in
/usr/local/bin/GdmKioskSession, make it executable, and add the following line to
If you don't even want the application menu, but want to force a particular application such as a web browser (true kiosk mode), replace
/usr/local/bin/kiosk-session, create that file with the following contents and make it executable:
#!/bin/sh matchbox-window-manager -use_titlebar no & exec /usr/bin/chromium-browser -kiosk -app=http://staging.ischool.zm/
More lockdown tips to follow.