[Kde-kiosk] locking things down

Janyne Kizer kde-kiosk@mail.kde.org
Tue, 19 Mar 2002 15:58:07 -0500 

Unfortunately I need to have my servers ready before KDE3 is likely to
be out of beta

This is what we are experimenting with now.  It may be way off base so
please excuse me:

Set things up
- remove screensavers from share/applnk/System/ScreenSavers/ and
/usr/bin (leaving Blank Screen)
- set up the KMenu the way we want in /usr/share/applnk directory and
the /etc/X11/applnk/ 
- copy the Star Office 5.2 menu items to
/etc/skel/.kde/share/applnk/staroffice_52
- copy appropriately tweaked files to /etc/skel/.kde/share/config
(kcmartsrc, kickerrc, kpersonalizerrc)
- tweak $KDEDIR/share/config/kdesktoprc, $KDEDIR/share/config/kdeglobals
- remove klipper.desktop from /usr/share/autostart/ 

Lock them down
~/.kde/share/config <- chmod 444 *
~/.kde/share/config <- chown root *
~/.kde/share/config <- chgrp root *

chmod 555 ~/.kde/share/applnk/staroffice_52/ 
chmod 555 ~/.kde/share/applnk

Basially, on the menus, we just don't want people to be able to write to
the applnk directories (except for the Star Office mini-install).  We
want users to get the menus and kicker that we deliver.  I don't
particularly care if they customize their desktop a bit though.  For
example, we may want to allow some changes in the ~/.kde/share/config
directory, though.  For example, changing backgrounds, putting icons on
desktop.  That's pretty much it though.  I guess after writing this I
should change the permissions on kdesktoprc :-)

Andreas Pour wrote:
> 
> Martijn Klingens wrote:
> >
> > On Monday 18 March 2002 19:14, Janyne Kizer wrote:
> > > I would love to hear how others have locked down their KDE
> > > installations.  We would like to lock down the kicker and menu.
> > > StarOffice seems to be complicating things a bit though.  If I get it
> > > working the way that I want before others post, I'll be sure to post my
> > > setup.  I locked things down a bit *too* much last time and I had some
> > > login issue :-)  Thanks again for this list.
> >
> > I think Waldo's new Kiosk framework in KDE 3 will allow you to lock down most
> > of the settings stuff. Much more complicated will be to prevent users from
> > accessing the shell, since there are a _lot_ of ways to launch external
> > commands from a Unix app. No idea how (or even if) you could lock that down.
> >
> > Martijn
> 
> Make /bin/sh a link to a setguid pre-shell program that denies
> interactive shells and (1) compares scripts to a set of permitted
> scripts, and/or (2) only runs scripts that are owned by root and in some
> configurable PATH (/usr/bin, /bin, /opt/kde2/bin, etc.), and make the
> actual shell only executable by that group (i.e., "chmod o -x
> /bin/real_shell)?  Of course the admins would be in this special group
> and so be able to execute shell commands.
> 
> Just a thought.
> 
> Dre
> _______________________________________________
> kde-kiosk mailing list
> kde-kiosk@mail.kde.org
> http://mail.kde.org/mailman/listinfo/kde-kiosk

-- 

Janyne Kizer
CNE-3, CNE-4, CNE-5
Systems Programmer Administrator I
NC State University, College of Agriculture & Life Sciences
Extension and Administrative Technology Services
Phone: (919) 515-3609