GUEST POST: HOW I SET UP GNU/LINUX AT MY LIBRARY

We’re really excited to share another post in our ongoing series of privacy success stories from librarians across the country. Today’s post is from Chuck McAndrew, IT Librarian at the Lebanon Libraries in Lebanon, New Hampshire. You might remember Chuck as the librarian with whom we worked to set up our Tor exit relay pilot just a few weeks ago. During our visit to Lebanon, we checked out Chuck’s fantastic GNU/Linux PC environment, and begged him to write up a why-and-how-to guide for this blog. We’re thrilled that he was gracious enough to oblige.

One quick editor’s note: at LFP, we try to make use of Free/Libre and Open Source Software (FLOSS) whenever possible. The GNU/Linux distribution that Chuck uses is not totally “free”, hence his use of “open source” and not “FLOSS”, and some proprietary drivers and things like that were necessary to preserve the user experience. But we’re in agreement with what Chuck writes below: stepping away from completely proprietary software is a huge step for a library — especially considering how many libraries are dependent on restrictive Windows environments — and ideological purity around perfectly “free” software ignores the usability issues that sometimes come with free software. Chuck’s helping his patrons use software that’s more free than anything most libraries are using, and we think that’s pretty impressive.

We hope Chuck’s success and his helpful how-to guide will inspire other librarians to introduce GNU/Linux into their libraries. Got your own success story to share? We’d love to hear it.

Open Source Patron Computing

How I set up GNU/Linux computers for patrons in my library

Why open source?
Providing internet access to the public has come to be an important service that libraries provide, but it can be quite a challenge to do so in a secure, cost-effective way. Maintaining patron privacy on a shared, public computer is one of the problems that librarians face every day.

When I came to my current job, we had Windows computers with expensive, proprietary software to roll back any changes that patrons made. This software had many problems from my point of view. Not only was the cost a problem, but it actually allowed monitoring of what our patrons were doing online at any time. This is a huge privacy problem.

Additionally, the software was set up in such a way that it undid any updates except for Windows updates. This created major security risks as it forced our patrons to use old and vulnerable versions of Flash, Java, Chrome, Firefox, and more. My solution to all of these problems was to switch to an open source platform for our patron computing.

I have been an open source enthusiast for many years now in my personal life, but this was the first time that I had the opportunity to bring it into my professional life. It was exciting to be able to prove many of the arguments that I had been using to advocate for switching to open source software.

The process
No matter how much I wish it were otherwise, the fact is that most people don’t really care about open source software. The good news is that they don’t really care about proprietary software either. They just want something that is easy to use and works to accomplish what they are trying to do, so that became my priority when searching for a GNU/Linux distribution to use for our public computers: first and foremost, it had to just work.

The majority of our patrons use our computers for web browsing. A smaller number do word processing or work on presentations etc. With this in mind my requirements list was:

1. Must work reliably on my hardware (older desktop computers that originally ran Windows XP)
2. Must support modern web browsers and all needed plugins
3. Must have a full office suite capable of handling MS Office documents
4. Must be reasonably secure and protect patrons’ privacy
5. Must look reasonably familiar for patrons

Distribution
To satisfy those requirements I settled on GNU/Linux Mint with the Cinnamon Desktop. This is a modern distribution with access to huge repositories, so finding any software that I needed would not be a problem. (Mint is based on Ubuntu, which is in turn based on Debian, so any software available for Debian or Ubuntu can be run on Mint.)

Mint also has a reputation for good hardware compatibility. I think that most modern GNU/Linux distributions have very good hardware support, but Mint is known for being particularly easy to work with. Finally, Cinnamon has a look that is familiar to any Windows XP/7 user. A menu button in the bottom left hand corner and desktop icons make getting online or to the word processor very simple for patrons.

Web browsing
GNU/Linux Mint comes with Firefox as its default web browser. This is a modern browser that allows for decent security with a little tweaking and should work well for everything that patrons want to do online.

A note about my selections
Not all of the things that I chose to include on these computers are FLOSS. My distribution uses some proprietary codecs (mp3) and drivers (some Broadcom wireless cards require proprietary drivers for example). My job as a public librarian is not to be an ideological purist. It is to serve my patrons and meet their needs in the best way that I am able.

I firmly believe that using open source software is better in almost all cases. It is philosophically much more in line with the values of librarianship than closed source, proprietary software. Typically, it is at least as functional and cheaper (in many cases free) which I believe is a more responsible use of public funds than paying large sums of money to Redmond WA (among others).

All of that being said, open source software isn’t perfect and there are still some cases where we need to make allowances for proprietary software in order to make sure that our patrons have a great experience. Mp3 is the default format for music files and providing support for it on our public computers is a no-brainer in my mind. Even basic functionality for printers or wireless cards may require closed source drivers. We don’t always have the luxury of choosing our hardware.

In the long run, it does more for the open source movement to use open source whenever and wherever you can, while making the compromises necessary to ensure that patrons have a good experience, than to stick to an ideological position and insist that everyone must adapt to it.

How I did it
The following instructions are tested to work with GNU/Linux Mint 17.1. Any future releases may or may not work with these specific instructions. However, they should still provide a good outline of the process that can be adapted without too much heartache.

Download and install GNU/Linux Mint
The latest version of Mint can be downloaded from http://www.linuxmint.com/download.php. You can find installation instructions in the GNU/Linux Mint User Guide which is available at http://www.linuxmint.com/documentation/user-guide/Cinnamon/english_17.1.pdf. If you have any trouble at this point, I highly recommend online searches. GNU/Linux Mint has a large and active user base who are very good at answering people’s questions. The only critical thing that you have to do in this process is to set up your admin account with a good strong password. Remember that password; you’ll need it to do any administration in the future!

Setting up a public user
This is the user account that the public will use. First we create the user. From the Linux Mint Desktop click on the menu button and open the Terminal. Do not be scared of the command line. It lets you do all the really cool stuff in Linux. In the terminal type:

sudo adduser public

It will ask you for some information about the user that you just created. Go ahead and answer the questions.

Note: When you type passwords into a GNU/Linux terminal it will look like nothing is getting typed in. This is a security feature so people can’t see the length of your password.

Next, we will set up the public profile. This controls what your patrons see. Anything you set up here will be restored every time they log out.

Add new launcher
I like to add a new launcher to the desktop called Logout. This gives patrons a quick and easy way to ensure that their privacy is preserved.

Right click on the desktop and select “Create a new launcher here”. In the new window that opens up add the following:

Name – LogOut
Command – /usr/bin/gnome-session-quit --force
Comment – Logout of this session and delete all data

Then click on the icon and change it to something more appropriate. I like the gnome-logout.svg icon.

Add any printers
Add any printers that you want your patrons to have access to and make sure that you print test pages to make sure they work. If they don’t work off the bat, try going to here and searching for your printer. There you can often find information and open source drivers for printers.

Customize Firefox
Add Firefox to the desktop
1. Click on the menu in the lower left hand corner
2. Hover over “Internet”
3. Left click on Firefox and select “Add to Desktop”

Make Firefox more private
Change Firefox’s settings
1. Open Firefox and click on the menu and on preferences.
2. Change the homepage to whatever you like.
3. Under the Privacy tab change the History selector to “Never remember history”
4. Close the preferences and select your search engine by clicking on the caret in the search box. I recommend using either Startpage or DuckDuckGo for privacy.

Enable privacy enhancing add-ons
Add the following add-ons for Firefox:
1. HTTPS Everywhere – This add-on from the EFF forces sites to use TLS/SSL encryption if it is available.
2. Privacy Badger – Privacy Badger blocks advertising trackers. Users can control who can see what about them on a granular level.
3. Adblock Plus – Adblock Plus blocks intrusive advertising while surfing the web. By default it allows some unobtrusive ads through, but this can be disabled in the settings if you wish to block all ads.

Customize LibreOffice
This step will set LibreOffice (the word processing software that comes with most GNU/Linux distributions) to save in a Microsoft format. This will prevent patrons from having problems opening their documents in Microsoft Office later. This is one of those compromises, and you may decide not to do this step. Ideally, everyone would use open standards for formatting (people don’t use proprietary formats for websites, they use html and css), but that isn’t the world we live in.
1. Open LibreOffice and click on Tools → Options
2. On the left hand side expand the Load/Save options and click on General
3. Under Default File Format, change the options as follows:
   1. Text Document → Microsoft Word 2007/2010/2013 XML
   2. Spreadsheet → Microsoft Excel 2007/2010/2013 XML
4. Click on OK

Creating reboot script
This is a critical step in ensuring patron privacy. To start with, we copy the patron profile that we just set up to a secure location that the public profile does not have access to. Then we make a script that copies it back on every logout. This ensures that any changes made to the home folder are erased.

1. Copy the profile to a secure location

 sudo cp -Rp /home/public /opt 

This copies the profile that you just set up into a secure location that the public user can’t reach. This gives us a clean copy of the profile that we can restore on every log out.

2. Create the script and make it executable

sudo nano /usr/local/bin/userlogin

This creates a script file called “userlogin” and opens it in the text editor Nano.

Within the script type the following:

#!/bin/bash
rsync -qrpog --delete --exclude='.X*' /opt/public/ /home/public
echo "" > /home/public/.local/share/recently-used.xbel

Then save and exit the file with Ctrl-X and type Y when it asks if you want to save.

The first line tells GNU/Linux how to run the script.
The second line uses a program called Rsync to copy the clean copy back to the home directory, undoing any changes that the patron made.
The third line clears the recent documents file.

Now in the terminal type:

sudo chmod +x /usr/local/bin/userlogin

This makes the script that you just wrote executable.

3. Make the script run on every login

sudo nano /etc/mdm/PreSession/Default

Add the line

userlogin

at the very end of the file just before the line

exit 0

This will run the userlogin script every time a user logs in. This makes sure that every user starts with a clean profile.
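An added check, not part of the original post: because `cp -Rp` run with sudo preserves ownership, the clean copy in /opt/public is still owned by the public account, which can therefore edit the very files the restore script copies back. The script below reports whether a golden copy is exposed in this way; the function names and the audit.sh file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a golden profile copy.
# Assumption: the directory holding the copy is owned by root, so the
# patron account falls under its "other" permission bits.

# List entries under GOLDEN that USER could alter: anything USER owns
# (an owner can always chmod their own files) or anything world-writable.
alterable_entries() {  # usage: alterable_entries GOLDEN USER
    find "$1" \( -user "$2" -o \( ! -type l -perm -0002 \) \) -print
}

# Succeed if accounts other than the owner can traverse into DIR (o+x).
others_can_enter() {  # usage: others_can_enter DIR
    [ -n "$(find "$1" -prune -perm -0001 -print)" ]
}

# Succeed (exit 0) when USER can reach GOLDEN and alter something in it.
golden_tamperable() {  # usage: golden_tamperable GOLDEN USER
    others_can_enter "$(dirname "$1")" || return 1
    [ -n "$(alterable_entries "$1" "$2" | head -n 1)" ]
}

# Command-line use: sh audit.sh /opt/public public
if [ "$#" -ge 2 ]; then
    if golden_tamperable "$1" "$2"; then
        echo "EXPOSED: $2 can modify the clean copy in $1"
        alterable_entries "$1" "$2" | head -n 5
        exit 1
    fi
    echo "OK: $2 cannot modify $1"
fi
```

One way to close the gap while keeping the ownership that `rsync -og` relies on is to hold the copy inside a root-only directory, for example one created with `sudo install -d -m 0700 /opt/golden` (a hypothetical path), and point the rsync source at /opt/golden/public/.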

Setting up Autologin
In the Terminal type:

sudo nano /etc/mdm/mdm.conf

This opens the Mint Display Manager configuration file.

In this file, uncomment (delete the # in front of the line) the Autologin line and change the autologin user to public.

Cron
Cron allows you to schedule system tasks. In this case we will set it up to automatically run updates every night. This will make sure that our public systems always have the latest security patches. In the terminal type:

sudo nano /etc/anacrontab

First look at the section that says START_HOURS_RANGE.
This is the time frame in which Cron will run its jobs (in military time). I recommend setting it to when your library is closed. For example, my library closes at eight so my file says START_HOURS_RANGE=20-23. This means it will run updates between 8 and 11 at night.

At the bottom of the file add a line that reads:

@daily 45 updates apt-get update && apt-get upgrade -y

This tells Cron to run the job daily. The 45 means that it will wait 45 minutes after the start of the start hours range. Updates is just the name of the job. It could be anything you want. The rest is the actual command to run. This updates the metadata of the repositories and then upgrades any packages that have updates available.

Summing up
This is how I set up our public computers. They have been running successfully for more than a year now. We are very happy with how they are working out. They kept our six-year-old desktop computers in service and allowed our patrons a more secure and private browsing experience. I welcome any questions or suggestions to improve my setup. To sum up, don’t be intimidated by open source. There are great communities out there willing to help. Open source offers great benefits to libraries and our patrons. Take advantage!

Guest post by Chuck McAndrew