Enforcing screen lock policies for RHEL 7 / KDE 4?

Kodiak Firesmith kfiresmith at gmail.com
Thu Jun 22 11:49:03 UTC 2017


Thanks so much, Ignaz.  Having a working real-world example is a big help.
Unfortunately setting those settings on RHEL 7.4 and switching to a new
user session doesn't seem to pick up the new [Directories-default] path,
despite the new path showing up:

# kde4-config --path config
/root/.kde/share/config/:/etc/kde/:/etc/kde/share/config/:/usr/share/config/

# cat /etc/kde4rc
[Directories]
kioskAdmin=root:
profileDirsPrefix=/usr/share/kde-settings/kde-profile/
## a non-emtpy userProfileMapFile induces errors in kde4 apps atm
#userProfileMapFile=/etc/kde-user-profile

[Directories-default]
prefixes=/etc/kde/
#prefixes=/usr/share/kde-settings/kde-profile/default/

# cat /etc/kde/share/config/kscreensaverrc
[ScreenSaver][$i]
Enabled=true
LegacySaverEnabled=true
Lock=true
LockGrace=1000
PlasmaEnabled=false
Timeout=60
Saver=kblank.desktop

Very much appreciate the lead.  Since you've been able to confirm those
settings work for you, I'm going to expand out my test base on this beyond
my main work workstation and load a couple baseline workstations to test on.

 - Kodiak Firesmith



On Thu, Jun 22, 2017 at 7:15 AM, Ignaz Forster <ignaz.forster at muenchen.de>
wrote:

> Hi Kodiak,
>
> this is working for me:
>
>
> /etc/kde4rc:
> [Directories-default]
> prefixes=/etc/kde/
>
>
> /etc/kde/share/config/kscreensaverrc:
> [ScreenSaver][$i]
> LegacySaverEnabled=true
> PlasmaEnabled=false
> Timeout=60
> Enabled=true
> Lock=true
> LockGrace=1000
> Saver=kblank.desktop
>
>
> Ignaz
>
>
>
> On 21.06.2017 16:23, Kodiak Firesmith wrote:
>
>> Hello Reinhard,  thanks for the reply.
>>
>> The odd thing with path searching in KDE 4 is that it doesn't seem to
>> work the way I would think based on the output of the kde4-config
>> command.  For example:
>>
>> kde4-config --path config
>> /home/kodiak/.kde/share/config/:/etc/kde/:/usr/share/kde-settings/kde-profile/default/share/config/:/usr/share/config/
>>
>> ^^The above made me think I could just put a file called kscreensaverrc
>> in /etc/kde/ and have it be read.  Not so.  But despite not being in the
>> config path, I *can* put the required stanza into /etc/kde4rc and have
>> it read in properly and apply.
>>
>> In the Red Hat way of doing things at least, not sure on Debian and
>> such, we use /etc/ extensively so my hope was that I could at least add
>> custom config files in /etc/kde/share/config/ that would be global for
>> an entire host.
>>
>> I'm not sure I understand completely about your statement on setting a
>> custom config path for all users, I am guessing a supplemental script in
>> addition to /etc/profile.d/kde.sh, that sets something similar to what
>> is exported for QT_PLUGIN_PATH but for config files?
>>
>> If that is the case, then wouldn't a user be able to easily break out of
>> that by modifying their own environment variables for the configuration
>> path after logging in?  I really think the key to being able to
>> confidently assert that settings are forced would be to have these
>> settings set, enforced, and immutable completely separate from the
>> user's particular environment (thus an augment to /etc/kde4rc or
>> similar)...
>>
>> But regardless of where I end up setting them, there is absolutely
>> something wonky that I can't sort out where 'LockGrace=$milliseconds' is
>> simply not working (the simple lock comes on w/ a password prompt, but
>> no matter how much time passes, the screen just opens right up at the
>> first mouse movement...)
>>
>> Thanks again!
>>   - Kodiak
>>
>>
>> On Wed, Jun 21, 2017 at 5:42 AM, Reinhard Hennig
>> <reinhard.hennig at ofd-z.niedersachsen.de> wrote:
>>
>>     On 20.06.2017 at 17:53, Kodiak Firesmith wrote:
>>
>>         Hi Folks,
>>         I support a 95% Gnome 3 environment and am currently working on
>>         policies to help lock down alternate desktop managers.
>>
>>         I spent a few minutes googling and came up empty, so I set the
>>         preferred settings I wanted manually and looked for the
>>         corresponding ~/.kde/ file that it changed, discovered
>>         kscreensaverrc.  That gave me the format I wanted.
>>
>>         Then I skimmed the KDE kiosk guidance and found out about the [$i]
>>         thing, eg: [ScreenSaver][$i] to make the settings immutable.
>>
>>         I looked for system-level configs for KDE in /etc and was
>>         saddened to discover no location in /etc/ to make a global
>>         override.  Then I went digging through /usr/share/kde-settings
>>         and ended up putting this file:
>>
>>         # cat /usr/share/kde-settings/kde-profile/default/share/config/kscreensaverrc
>>         [ScreenSaver][$i]
>>         Enabled=true
>>         LegacySaverEnabled=true
>>         Lock=true
>>         LockGrace=10
>>         PlasmaEnabled=false
>>         Saver=kblank.desktop
>>         Timeout=1200
>>
>>         It did succeed in graying out these settings in the GUI for users
>>         globally, but it doesn't ever seem to force the blank locking
>>         screensaver to come on and lock.
>>
>>         So my questions are:
>>         1.  Does anyone have advice on making this work?
>>         2.  Is there a reason I am missing for these sorts of things not
>>         living in /etc/kde somewhere?  It is my understanding that config
>>         files should always live in /etc/.  That's where we tell Puppet
>>         to put most things of this nature.
>>
>>         Thanks!
>>           - Kodiak Firesmith
>>
>>     Hi,
>>
>>     our administration is using kde3.5 and will be switching to kde5.8
>>     in a couple of months, so kde4 isn't on the plan anymore but I am
>>     experienced using it. First you should check your config-path:
>>
>>     kde4-config --path config
>>
>>     to enforce global settings you should rather lock down your
>>     configuration using a user profile that provides its own config-path
>>     that is located before the user's config path ($HOME/.kde4/share...)
>>     than modifying system files like /etc/kde4/share/config/kscreensaverrc
>>     that will spoil your distribution and cause some problems with
>>     updates.
>>
>>     Locking down using a user config file
>>     ($HOME/.kde4/share/config/kscreensaverrc) will not be safe because
>>     the user might edit the file and remove the immutable flag.
>>
>>     /etc/kde4rc is not suitable for setting screensaver options.
>>
>>     B.R.
>>
>>     --
>>     Reinhard Hennig
>>     --------------------------------------------------
>>     Oberfinanzdirektion Niedersachsen
>>     - IuK 381 -
>>     Am Waterlooplatz 3
>>     30169 Hannover
>>
>>     Tel: 0511/101-3417
>>     mailto: reinhard.hennig at ofd-z.niedersachsen.de
>>
>>
>>
>>
>
> --
>
> Ignaz Forster
>
> Landeshauptstadt München
> it at M - Service provider for information and telecommunications technology
>
> Business unit Tools and Infrastructure
> Service area Municipal Workplaces
> Service team Limux Workplace
> Development
>
> Office: Agnes-Pockels-Bogen 21, Room A2.054, 80992 München
> Postal address: Agnes-Pockels-Bogen 21, 80992 München
>
> Phone:   +49 89 233 782218
> Fax: +49 89 233 989 782218
> E-mail: ignaz.forster at muenchen.de
>
> Please think of the environment before printing this e-mail. Per sheet
> you save on average 15g of wood, 260ml of water, 0.05kWh of electricity and
> 5g of CO2.
>
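
Added example, not written by any poster in this thread and not KDE code: a simplified model of how kscreensaverrc is merged across the directories printed by `kde4-config --path config`, used to audit whether a `[ScreenSaver][$i]` stanza in a system directory wins over a user's copy. The file contents, the `/home/user` path and the `max_timeout` threshold are constructed assumptions, and the merge rule (last path entry read first, an immutable group makes later files ignored) is a simplification of KConfig's behaviour.

```python
import re

# Constructed sample: directory -> kscreensaverrc text, laid out as in the thread.
SAMPLE_FILES = {
    "/home/user/.kde/share/config/": "[ScreenSaver]\nLock=false\nTimeout=9999\n",
    "/etc/kde/share/config/": ("[ScreenSaver][$i]\nEnabled=true\nLock=true\n"
                               "LockGrace=1000\nTimeout=60\n"),
}
CONFIG_PATH = ("/home/user/.kde/share/config/:/etc/kde/:"
               "/etc/kde/share/config/:/usr/share/config/")

def effective_group(config_path, files, group="ScreenSaver"):
    """Merge one group over the path; the last entry has the lowest precedence."""
    values, locked_keys, locked_by = {}, set(), None
    for directory in reversed(config_path.split(":")):
        text = files.get(directory)
        if text is None or locked_by:
            continue  # no file here, or the group was already made immutable
        in_group = lock_after_file = False
        for line in text.splitlines():
            line = line.strip()
            if line.startswith("["):
                m = re.fullmatch(r"\[([^\]]+)\](\[\$i\])?", line)
                in_group = bool(m) and m.group(1) == group
                lock_after_file |= in_group and bool(m.group(2))
                continue
            if not in_group or "=" not in line or line.startswith("#"):
                continue
            key, value = line.split("=", 1)
            name = key.replace("[$i]", "").strip()
            if name not in locked_keys:
                values[name] = value.strip()
            if "[$i]" in key:
                locked_keys.add(name)  # key-level immutability
        if lock_after_file:
            locked_by = directory  # entries of this file count, later files do not
    return values, locked_by

def audit(config_path, files, max_timeout=60):
    values, locked_by = effective_group(config_path, files)
    user_dir = config_path.split(":")[0]  # assumed: first entry is the per-user dir
    timeout, problems = values.get("Timeout", ""), []
    if values.get("Enabled") != "true" or values.get("Lock") != "true":
        problems.append("locking screensaver is not enabled")
    if not timeout.isdigit() or not 1 <= int(timeout) <= max_timeout:
        problems.append("Timeout missing or above policy")
    if locked_by in (None, user_dir):
        problems.append("group is not immutable in a system-level directory")
    return problems
```

On a real host, `files` would be filled by reading `kscreensaverrc` from each directory in the path; an empty list from `audit` means the system stanza is the effective one.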