Enforcing screen lock policies for RHEL 7 / KDE 4?

Wed Jun 21 14:23:20 UTC 2017

Hello Reinhard,  thanks for the reply.

The odd thing with path searching in KDE 4 is that it doesn't seem to work
the way I would think based on the output of the kde4-config command.  For
example:

kde4-config --path config
/home/kodiak/.kde/share/config/:/etc/kde/:/usr/share/kde-settings/kde-profile/default/share/config/:/usr/share/config/

^^The above made me think I could just put a file called kscreensaverrc in
/etc/kde/ and have it be read.  Not so.  But despite not being in the
config path, I *can* put the required stanza into /etc/kde4rc and have it
read in properly and apply.

In the Red Hat way of doing things at least, not sure on Debian and such,
we use /etc/ extensively so my hope was that I could at least add custom
config files in /etc/kde/share/config/ that would be global for an entire
host.

I'm not sure I understand completely about your statement on setting a
custom config path for all users, I am guessing a supplemental script in
addition to /etc/profile.d/kde.sh, that sets something similar to what is
exported for QT_PLUGIN_PATH but for config files?

If that is the case, then wouldn't a user be able to easily break out of
that by modifying their own environment variables for the configuration
path after logging in?  I really think the key to being able to confidently
assert that settings are forced would be to have these settings set,
enforced, and immutable completely separate from the user's particular
environment (thus an augment to /etc/kde4rc or similar)...

But regardless of where I end up setting them, there is absolutely
something wonky that I can't sort out where 'LockGrace=$milliseconds" is
simply not working (the simple lock comes on w/ a password prompt, but no
matter how much time passes, the screen just opens right up at the first
mouse movement...)

Thanks again!
 - Kodiak

On Wed, Jun 21, 2017 at 5:42 AM, Reinhard Hennig <
reinhard.hennig at ofd-z.niedersachsen.de> wrote:

> Am 20.06.2017 um 17:53 Uhr schrieb Kodiak Firesmith:
>
>> Hi Folks,
>> I support a 95% Gnome 3 environment and am currently working on policies
>> to help lock down alternate desktop managers.
>>
>> I spent a few minutes googling and came up empty, so I set the preferred
>> settings I wanted manually and looked for the corresponding ~/.kde/ file
>> that it changed, discovered kscreensaverrc.  That gave me the format I
>> wanted.
>>
>> Then I skimmed the KDE kiosk guidance and found out about the [$i]
>> thing, eg: [ScreenSaver][$i] to make the settings immutable.
>>
>> I looked for system-level configs for KDE in /etc and was saddened to
>> discover no location in /etc/ to make a global override.  Then I went
>> digging through /usr/share/kde-settings and ended up putting this file:
>>
>> # cat
>> /usr/share/kde-settings/kde-profile/default/share/config/kscreensaverrc
>> [ScreenSaver][$i]
>> Enabled=true
>> LegacySaverEnabled=true
>> Lock=true
>> LockGrace=10
>> PlasmaEnabled=false
>> Saver=kblank.desktop
>> Timeout=1200
>>
>> It did succeed in graying out these settings in the GUI for users
>> globally, but it doesn't  ever seem to force the blank locking
>> screensaver to come on and lock.
>>
>> So my questions are:
>> 1.  Does anyone have advice on making this work?
>> 2.  Is there a reason I am missing for these sorts of things not living
>> in /etc/kde somewhere?  It is my understanding that config files should
>> always live in /etc/.  That's where we tell Puppet to put most things of
>> this nature.
>>
>> Thanks!
>>  - Kodiak Firesmith
>>
> Hi,
>
> our administration is using kde3.5 and will be switching to kde5.8 in a
> couple of months, so kde4 isn´t on the plan anymore but I am experienced
> using it. First you should check you config-path:
>
> kde4-config --path config
>
> to enforce global settings you should rather lock down your configuration
> using a user profile that provides its own config-path that is located
> before the users config path ($HOME/.kde4/share...) than
> modifying system files like /etc/kde4/share/config/kscreensaverrc
> that will spoil your distribution and cause some problems with updates.
>
> Locking down using a user config file
> ($HOME/.kde4/share/config/kscreensaverrc) will not be save because the
> user might edit the file and remove the immutable flag.
>
> /etc/kde4rc is not suitable for setting screensaver options.
>
> B.R.
>
> --
> Reinhard Hennig
> --------------------------------------------------
> Oberfinanzdirektion Niedersachsen
> - IuK 381 -
> Am Waterlooplatz 3
> 30169 Hannover
>
> Tel: 0511/101-3417
> mailto:  reinhard.hennig at ofd-z.niedersachsen.de
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/enterprise/attachments/20170621/9a9a05f9/attachment.html>