Enforcing screen lock policies for RHEL 7 / KDE 4?
Ignaz Forster
ignaz.forster at muenchen.de
Thu Jun 22 11:15:59 UTC 2017
Hi Kodiak,
this is working for me:
/etc/kde4rc:
[Directories-default]
prefixes=/etc/kde/
/etc/kde/share/config/kscreensaverrc:
[ScreenSaver][$i]
LegacySaverEnabled=true
PlasmaEnabled=false
Timeout=60
Enabled=true
Lock=true
LockGrace=1000
Saver=kblank.desktop
Ignaz
Am 21.06.2017 16:23, schrieb Kodiak Firesmith:
> Hello Reinhard, thanks for the reply.
>
> The odd thing with path searching in KDE 4 is that it doesn't seem to
> work the way I would think based on the output of the kde4-config
> command. For example:
>
> kde4-config --path config
> /home/kodiak/.kde/share/config/:/etc/kde/:/usr/share/kde-settings/kde-profile/default/share/config/:/usr/share/config/
>
> ^^The above made me think I could just put a file called kscreensaverrc
> in /etc/kde/ and have it be read. Not so. But despite not being in the
> config path, I *can* put the required stanza into /etc/kde4rc and have
> it read in properly and apply.
>
> In the Red Hat way of doing things at least, not sure on Debian and
> such, we use /etc/ extensively so my hope was that I could at least add
> custom config files in /etc/kde/share/config/ that would be global for
> an entire host.
>
> I'm not sure I understand completely about your statement on setting a
> custom config path for all users, I am guessing a supplemental script in
> addition to /etc/profile.d/kde.sh, that sets something similar to what
> is exported for QT_PLUGIN_PATH but for config files?
>
> If that is the case, then wouldn't a user be able to easily break out of
> that by modifying their own environment variables for the configuration
> path after logging in? I really think the key to being able to
> confidently assert that settings are forced would be to have these
> settings set, enforced, and immutable completely separate from the
> user's particular environment (thus an augment to /etc/kde4rc or similar)...
>
> But regardless of where I end up setting them, there is absolutely
> something wonky that I can't sort out where 'LockGrace=$milliseconds" is
> simply not working (the simple lock comes on w/ a password prompt, but
> no matter how much time passes, the screen just opens right up at the
> first mouse movement...)
>
> Thanks again!
> - Kodiak
>
>
> On Wed, Jun 21, 2017 at 5:42 AM, Reinhard Hennig
> <reinhard.hennig at ofd-z.niedersachsen.de
> <mailto:reinhard.hennig at ofd-z.niedersachsen.de>> wrote:
>
> Am 20.06.2017 um 17:53 Uhr schrieb Kodiak Firesmith:
>
> Hi Folks,
> I support a 95% Gnome 3 environment and am currently working on
> policies
> to help lock down alternate desktop managers.
>
> I spent a few minutes googling and came up empty, so I set the
> preferred
> settings I wanted manually and looked for the corresponding
> ~/.kde/ file
> that it changed, discovered kscreensaverrc. That gave me the
> format I
> wanted.
>
> Then I skimmed the KDE kiosk guidance and found out about the [$i]
> thing, eg: [ScreenSaver][$i] to make the settings immutable.
>
> I looked for system-level configs for KDE in /etc and was
> saddened to
> discover no location in /etc/ to make a global override. Then I
> went
> digging through /usr/share/kde-settings and ended up putting
> this file:
>
> # cat
> /usr/share/kde-settings/kde-profile/default/share/config/kscreensaverrc
> [ScreenSaver][$i]
> Enabled=true
> LegacySaverEnabled=true
> Lock=true
> LockGrace=10
> PlasmaEnabled=false
> Saver=kblank.desktop
> Timeout=1200
>
> It did succeed in graying out these settings in the GUI for users
> globally, but it doesn't ever seem to force the blank locking
> screensaver to come on and lock.
>
> So my questions are:
> 1. Does anyone have advice on making this work?
> 2. Is there a reason I am missing for these sorts of things not
> living
> in /etc/kde somewhere? It is my understanding that config files
> should
> always live in /etc/. That's where we tell Puppet to put most
> things of
> this nature.
>
> Thanks!
> - Kodiak Firesmith
>
> Hi,
>
> our administration is using kde3.5 and will be switching to kde5.8
> in a couple of months, so kde4 isn´t on the plan anymore but I am
> experienced using it. First you should check you config-path:
>
> kde4-config --path config
>
> to enforce global settings you should rather lock down your
> configuration using a user profile that provides its own config-path
> that is located before the users config path ($HOME/.kde4/share...) than
> modifying system files like /etc/kde4/share/config/kscreensaverrc
> that will spoil your distribution and cause some problems with updates.
>
> Locking down using a user config file
> ($HOME/.kde4/share/config/kscreensaverrc) will not be save because
> the user might edit the file and remove the immutable flag.
>
> /etc/kde4rc is not suitable for setting screensaver options.
>
> B.R.
>
> --
> Reinhard Hennig
> --------------------------------------------------
> Oberfinanzdirektion Niedersachsen
> - IuK 381 -
> Am Waterlooplatz 3
> 30169 Hannover
>
> Tel: 0511/101-3417
> mailto: reinhard.hennig at ofd-z.niedersachsen.de
> <mailto:reinhard.hennig at ofd-z.niedersachsen.de>
>
>
>
--
Ignaz Forster
Landeshauptstadt München
it at M - Dienstleister für Informations- und Telekommunikationstechnik
Geschäftsbereich Werkzeuge und Infrastruktur
Servicebereich Städtische Arbeitsplätze
Serviceteam Limux-Arbeitsplatz
Entwicklung
Büro: Agnes-Pockels-Bogen 21, Raum A2.054, 80992 München
Postanschrift: Agnes-Pockels-Bogen 21, 80992 München
Telefon: +49 89 233 782218
Fax: +49 89 233 989 782218
E-Mail: ignaz.forster at muenchen.de
Bitte denken Sie an die Umwelt, bevor Sie diese E-Mail ausdrucken. Pro
Blatt sparen Sie durchschnittlich 15g Holz, 260ml Wasser, 0,05kWh Strom
und 5g CO2.
More information about the Enterprise
mailing list