[Kde-kiosk] Is there anybody there? :-) [RFC]

[Waldo Bastian]

--------------Boundary-00=_UT3HPQ9BSKE0F1I58R6U
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

[And yet again, this time _with_ the promised attachment]
On Monday 04 March 2002 04:29 pm, Sean McGlynn wrote:
> Hello,
>
> Just found this list by accident and noticed that it hadn't actually be=
en
> used since a brief flurry of postings last October. I was wondering if =
it
> was still the place for discussion of 'locking down' KDE issues?

Yes, it has been a bit quiet but that shouldn't stop you :-)

> Waldo (if you're there), I read part one of your "Support for kiosk
> operation" draft, and noticed you've got a TODO against KDE3.1 for all =
this
> stuff. Did you ever write a part two or have you got any other general =
info
> on all this?

Yes, in kdelibs/kdecore there is a file README.kiosk that has been update=
d=20
from time to time. I will attach the latest version for your convenience.=
=20

Apart from "authorizeURLAction(QString, referringURL, destinationURL)"=20
everything described there is part of KDE 3.0. This is pretty much the ba=
sics=20
though. In later versions of KDE I hope to use this in more places in KDE=
,=20
ideally based on feedback from people who actually use it.

There should also come some sort of GUI tool to set this stuff up somewhe=
n.

> However, it would be nicer to have a specific mailing list (and possibl=
y a
> kiosk.kde.org site) to discuss all the issues/questions raised, in orde=
r to=20
> cut down the
> signal/noise ratio on the more general lists. I'd obviously be happy to
> help out, doing documentation and perhaps maintaining the site or whate=
ver,
> as I'm interested in this area.

This list would be appropriate for that. As far as website, there is=20
enterprise.kde.org and I think that would be a good place to host additio=
nal=20
information.

[Snip]
>  I'm sorry, I was just re-reading your note and I realized that I did n=
ot
>  respond to your question about our environment.  1300 users on 100
>  servers (all remote) located in 100 counties throughout the state.
>  These servers are on slow links mostly (56k to 128k to T1 lines) -- th=
us
>  the one server per site model booting from the server with diskless
>  xterminals.  We have only 2.5 fulltime support people for these sites =
so
>  simple is good.
>  </quote>
>
> Comments please.

Sounds very cool :-)
I would love to hear improvement suggestions from projects like these.
(Which reminds me, I still need to add a "No custom wallpaper" switch for=
 the=20
City of Largo :-)

Cheers,
Waldo
--=20
Advanced technology only happens when people take a basic idea and add to=
 it.
 -- Bob Bemer

--------------Boundary-00=_UT3HPQ9BSKE0F1I58R6U
Content-Type: text/plain;
  charset="iso-8859-1";
  name="README.kiosk"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="README.kiosk"

In KDE3 a kiosk-framework gets introduced. 

On of the drving forces behind KDE is to put the user in control and
give him or her a large amount of possibilities to adjust KDE to his or her 
liking. However, in some situations it is required to reduce the possibilities
of KDE, e.g. because the system is to be used for one or more specific 
dedicated tasks only.

The kiosk-framework provides an easy way to disable certain features within
KDE to create a more controlled environment.

KDE's kiosk-framework builds on KDE's configuration framework and adds a
simple application API that applications can query to get authorisation
for certain operations.

The KDE kiosk-framework should be used IN ADDITION to the standard UNIX
security measures. 

The configuration framework in KDE3
===================================

Since the very beginning KDE makes use of file-hierarchy to store resources
for its applications. Resources range from icons, wallpapers, fonts to 
sounds, menu-descriptions and configuration files. 

In KDE1 there were two locations were resources could be located: the 
resources provided by the system where located under $KDEDIR and user-
specific resources where located under $HOME/.kde.

In KDE2 resource management has been largely abstracted by the introduction
of the KStandardDirs class and has become much more flexible. The user /
administrator can now specify a variable number of locations where resources
can be found. A list of locations can either be specified via $KDEDIRS
(notice the extra 'S'), via /etc/kderc and even via the kdeglobals config 
file. The location where user-specific resources can be found can be
set with $KDEHOME (The default is $HOME/.kde). Changes made by the user
are always written back to $KDEHOME.

Both KDE1 and KDE2 feature so called "cascading configuration files": There
can be multiple configuration files with the same name in the various 
locations for (config) resources, when that is the case, the information of 
all these configuration files is combined on a key by key basis. If the same
key (within a certain group) is defined in more than one place, the value
of the key for the config file that was read last will override any previously
read values. Configuration files under $KDEHOME are always read last. This
ensures that after a configuration entry is written, the same value wil be
read back.

In KDE3 two important changes have been made:

* Default values are no longer written.
When a configuration file in a location other than $KDEHOME defines a value 
for a key and the application subsequently writes out a new configuration file
to $KDEHOME, that configuration file will only contain an entry for the key
if its value differs from the value read from the other file.

This counters the problem that changing default configuration files under 
$KDEDIR would not take effect for users, since these users would most likely
have their own copy of these settings under $KDEHOME. KDE3 will make sure 
not to copy these settings so changes made under $KDEDIR will affect all users
that haven't explicitly changed the affected settings to something else.

* Configuration entries can be marked "immutable".
Starting with KDE3, configuration entries can be marked "immutable". When a
configuration entry is immutable it means that configurations files that are
read later will not be able to override its value. Immutable entries can not
be changed via KConfig and if the entry is present under $KDEHOME it will 
be ignored.

Entries can be marked immutable on 4 different levels:

- On an entry by entry basis by appending "[$i]" after the key.

Example:
[MyGroup]
someKey[$i]=42

- On a group by group basis by appending "[$i]" after the group. All entries
specified in the group will be marked immutable and no new entries can be
added to the group.

Example:
[MyGroup][$i]
someKey=42

- On a file by file basis by starting the file with [$i].

Example:
[$i]
[MyGroup]
someKey=42
[MyOtherGroup]
someOtherKey=11

- On a directory basis. [Not yet implemented]

- The filesystem can also be used to mark files immutable. If KDE does not 
have write-access to the user's version of a configuration file, the file
will be automatically considered immutable.

Example:
chown root.root /home/user/.kde/share/config/kickerrc
chmod 644 /home/user/.kde/share/config/kickerrc

Note that this example is not fool-proof, the user can potentially still 
rename either the root-owned kickerrc file or any of the directories in 
the path to another name and create a new kickerrc _with_ write-access.

KDE3 Kiosk Application API
==========================

Two new methods will be added to KApplication:

- bool authorize(QString action); // Generic actions
- bool authorizeKAction(QString action); // For KActions exclusively
- bool authorizeURLAction(QString, referringURL, destinationURL)

.desktop files can have an additional field "X-KDE-AuthorizeAction". If this
field is present the .desktop file is only considered if the action(s) 
mentioned in this field get(s) authorized. If multiple actions are listed
they should be seperated by commas (','). 

To restrict access to function the kdeglobals file should contain the 
group "[KDE Action Restrictions]", each action can then restricted by 
adding <action>="true". E.g. to disable the action "shell access" one 
would add:
[KDE Action Restrictions]
shell access=false

Actions that refer to menu and toolbar actions are prefixed with action/' the
following standard actions are defined:

action/file_new
action/file_open
action/file_open_recent
action/file_save
action/file_save_as
action/file_revert
action/file_close
action/file_print
action/file_print_preview
action/file_mail
action/file_quit
action/edit_undo
action/edit_redo
action/edit_cut
action/edit_copy
action/edit_paste
action/edit_select_all
action/edit_deselect
action/edit_find
action/edit_find_next
action/edit_find_last
action/edit_replace
action/view_actual_size
action/view_fit_to_page
action/view_fit_to_width
action/view_fit_to_height
action/view_zoom_in
action/view_zoom_out
action/view_zoom
action/view_redisplay
action/go_up
action/go_back
action/go_forward
action/go_home
action/go_previous
action/go_next
action/go_goto
action/go_goto_page
action/go_goto_line
action/go_first
action/go_last
action/bookmark_add
action/bookmark_edit
action/tools_spelling
action/options_show_menubar
action/options_show_toolbar
action/options_show_statusbar
action/options_save_options
action/options_configure_keybinding
action/options_configure
action/options_configure_toolbars
action/help
action/help_contents
action/help_whats_this
action/help_report_bug
action/help_about_app
action/help_about_kde

Applications may use additional actions that they defined themselves.
You can get a list of the actions used by a certain applications by using the
following dcop command:

dcop <dcopid> qt objects | grep KActionCollection/ | cut -d '/' -f 3

or with

dcop <dcopid> <maindwindowid> actions


The most important task is to define a managable number of actions that can be 
disabled. Actions should be defined in a generic way, "open konsole" would be
too specific, a better definition of an action would be "shell access". 
It should be noted that such an action might affect KDE features which aren't
directly associated with "shell access". There are various locations in the 
file system where creating a .desktop file would effectively allow the user to 
execute arbitrary commands. This raises the question whether such features 
should be disabled as part of the "shell access" action or whether it should 
get its own action definition, e.g. "custom .desktop files".

Another interesting question is what the exact scope of a certain action should
be. Looking at the "custom .desktop files" action there are two ways to prevent
the user from executing "custom .desktop files". The first way would be to
make use of unix file permissions to make it impossible for the user to
create .desktop files at e.g. the desktop. The second way would be to ignore,
at the KDE level, any .desktop files that are found under the users home
directory.


In addition KConfigBase (the baseclass of KConfig) has functions to query whether 
config options/groups or files are immutable. This can be used in applications to
disable configuration options when such options can't be changed anyway.




The following applications currently have support for this:


* kicker - By marking the kickerrc config file as immutable, the panel will be 
"locked down" and it will not be possible to make any changes to it.

* kdesktop - By marking the kdesktoprc config file as immutable, the desktop
will be "locked down" and it will no longer be possible to select
"Configure Desktop" from its menus.

--------------Boundary-00=_UT3HPQ9BSKE0F1I58R6U--