10.3 Kiosk User Accounts

10.3.1 Characteristics
10.3.2 Restrictions and Safe Guards
10.3.3 Administering the Kiosk User Pool

All computer applications must run under some type of user account, and kiosk sessions are no different. To let real users access applications without having to authenticate to the operating system that underlies the Sun Ray Software, kiosk mode manages a pool of local user accounts. If the kiosk service determines that an administrator has configured the system policy or the current token ID to run a kiosk session, unauthenticated access to the system is granted.

Although kiosk user accounts do not correspond to real users, their role in kiosk mode is to let a real user run the applications defined by the administrator in an unauthenticated manner. Without a kiosk user account, a kiosk session cannot run.

See Section 10.5, “How to Configure Kiosk Mode and User Accounts” for details on setting up kiosk mode user accounts.

10.3.1 Characteristics

Kiosk user accounts have the following characteristics:

  • A default naming scheme of utkux, where x ranges from 0 to N-1 and N is the specified number of kiosk user accounts to create.

  • A different naming prefix can be chosen if the default of utku risks a collision with existing accounts. If you need to change the existing kiosk mode user accounts because of a collision, use the kioskuseradm command.

  • UIDs start at 150000 by default (a different starting UID can be specified).

  • UID range must be contiguous.

  • Home directories are located in /var/opt/SUNWkio/home/$USER.

  • Local accounts only (/etc/passwd). Centralized NIS or LDAP kiosk user accounts are not supported.

10.3.2 Restrictions and Safe Guards

To limit the impact a kiosk user can have on the system and to prevent unauthenticated access from becoming uncontrolled access, the following restrictions and safeguards are placed on kiosk user accounts:

  • Kiosk user accounts are locked for normal logins (GDM, SSH, Telnet, etc.).

  • Kiosk user accounts belong to a local Unix group (utkiosk) that has minimal rights on the system.

  • No two sessions use the same kiosk user account at the same time on the same server.

  • The home directory associated with a kiosk user account is completely cleared after a session ends.

  • The home directory associated with a kiosk user account is created and then populated from the prototypes directory when a session is started.

  • Residual processes owned by the kiosk user account are killed when a kiosk session ends and before a new session is started.

  • All files in the /tmp and /var/tmp directories owned by the kiosk user account are deleted when a kiosk session ends and before a new session is started.

10.3.3 Administering the Kiosk User Pool

If you need to change the number of kiosk user accounts after the initial Sun Ray Software installation and configuration, you can manage the user pool with the kioskuseradm command, located in the /opt/SUNWkio/bin directory. With this command, you can view the pool settings, see how many kiosk user accounts are in use, and modify the pool settings, such as increasing or decreasing the number of kiosk user accounts. You can increase or decrease the pool of users while kiosk sessions are active, but changing other pool settings, such as group membership or UID range, requires that no kiosk sessions are active.

Note

The kiosk user accounts in the kiosk user pool must have contiguous user IDs. If any user accounts were added after the initial pool of kiosk user accounts was configured, you cannot use the kioskuseradm extend command, because the extend option relies on kiosk user accounts with contiguous user IDs.

To work around this issue, delete all the kiosk user accounts and recreate them by using the kioskuseradm modify command. This process requires you to stop the Sun Ray services on the Sun Ray server. If you have a failover group, perform these steps on each Sun Ray server separately to avoid user downtime.
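The following script is an added example, not part of the Sun Ray Software documentation or of kioskuseradm itself. It audits a kiosk user pool against the characteristics in Section 10.3.1 and the contiguity requirement in the note above: it reads a passwd-format file, finds the accounts named <prefix><digits>, and reports any UID gap (which would make kioskuseradm extend fail) and any home directory that is not under /var/opt/SUNWkio/home. The sample passwd entries, the GID values and the svcacct account are constructed for the demonstration.

```shell
# Added example (not Sun Ray Software code). Audit a kiosk user pool in a
# passwd-format file: pool UIDs must be one contiguous range and each home
# must be /var/opt/SUNWkio/home/<user>. Prints one line per finding and
# returns 0 when the pool is sound, 1 otherwise.
check_kiosk_pool() {
    passwd_file=$1
    prefix=${2:-utku}
    awk -F: -v p="$prefix" '
        # pool accounts are <prefix><digits>, e.g. utku0, utku1, ...
        index($1, p) == 1 && substr($1, length(p) + 1) ~ /^[0-9]+$/ {
            uids[++n] = $3 + 0
            if ($6 != "/var/opt/SUNWkio/home/" $1) {
                print "unexpected home for " $1 ": " $6; bad = 1
            }
        }
        END {
            if (n == 0) { print "no accounts with prefix " p; exit 1 }
            # insertion sort of the UIDs (pools are small)
            for (i = 2; i <= n; i++) {
                v = uids[i]; j = i - 1
                while (j > 0 && uids[j] > v) { uids[j + 1] = uids[j]; j-- }
                uids[j + 1] = v
            }
            for (i = 2; i <= n; i++) {
                if (uids[i] != uids[i - 1] + 1) {
                    print "UIDs not contiguous between " uids[i - 1] " and " uids[i]; bad = 1
                }
            }
            exit (bad ? 1 : 0)
        }' "$passwd_file"
}
# Constructed sample data (not from a real server; GIDs are placeholders).
# A sound pool of three accounts:
GOOD_POOL='utku0:x:150000:1500::/var/opt/SUNWkio/home/utku0:/bin/sh
utku1:x:150001:1500::/var/opt/SUNWkio/home/utku1:/bin/sh
utku2:x:150002:1500::/var/opt/SUNWkio/home/utku2:/bin/sh'
# A pool where an unrelated account (constructed) took UID 150002 before the
# pool was extended, leaving a gap, plus one account with a stray home:
GAPPED_POOL='utku0:x:150000:1500::/var/opt/SUNWkio/home/utku0:/bin/sh
utku1:x:150001:1500::/var/opt/SUNWkio/home/utku1:/bin/sh
svcacct:x:150002:1500::/home/svcacct:/bin/sh
utku2:x:150003:1500::/export/home/utku2:/bin/sh'
# Run the check on both constructed pools; on a server use /etc/passwd instead.
for pool in "$GOOD_POOL" "$GAPPED_POOL"; do
    f=$(mktemp); printf '%s\n' "$pool" > "$f"
    if check_kiosk_pool "$f" utku; then echo "pool OK"; else echo "pool needs rebuild"; fi
    rm -f "$f"
done
```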