[Kde-kiosk] locking things down
Janyne Kizer
kde-kiosk@mail.kde.org
Tue, 19 Mar 2002 16:06:40 -0500
I was also wondering about using symbollic links to the files that we
are rc files that we are tweaking. Thoughts? Experiences?
Janyne Kizer wrote:
>
> Unfortunately I need to have my servers ready before KDE3 is likely to
> be out of beta
>
> This is what we are experimenting with now. It may be way off base so
> please excuse me:
>
> Set things up
> - remove screensavers from share/applnk/System/ScreenSavers/ and
> /usr/bin (leaving Blank Screen)
> - set up the KMenu the way we want in /usr/share/applnk directory and
> the /etc/X11/applnk/
> - copy the Star Office 5.2 menu items to
> /etc/skel/.kde/share/applnk/staroffice_52
> - copy appropriately tweaked files to /etc/skel/.kde/share/config
> (kcmartsrc, kickerrc, kpersonalizerrc)
> - tweak $KDEDIR/share/config/kdesktoprc, $KDEDIR/share/config/kdeglobals
> - remove klipper.desktop from /usr/share/autostart/
>
> Lock them down
> ~/.kde/share/config <- chmod 444 *
> ~/.kde/share/config <- chown root *
> ~/.kde/share/config <- chgrp root *
>
> chmod 555 ~/.kde/share/applnk/staroffice_52/
> chmod 555 ~/.kde/share/applnk
>
> Basially, on the menus, we just don't want people to be able to write to
> the applnk directories (except for the Star Office mini-install). We
> want users to get the menus and kicker that we deliver. I don't
> particularly care if they customize their desktop a bit though. For
> example, we may want to allow some changes in the ~/.kde/share/config
> directory, though. For example, changing backgrounds, putting icons on
> desktop. That's pretty much it though. I guess after writing this I
> should change the permissions on kdesktoprc :-)
>
> Andreas Pour wrote:
> >
> > Martijn Klingens wrote:
> > >
> > > On Monday 18 March 2002 19:14, Janyne Kizer wrote:
> > > > I would love to hear how others have locked down their KDE
> > > > installations. We would like to lock down the kicker and menu.
> > > > StarOffice seems to be complicating things a bit though. If I get it
> > > > working the way that I want before others post, I'll be sure to post my
> > > > setup. I locked things down a bit *too* much last time and I had some
> > > > login issue :-) Thanks again for this list.
> > >
> > > I think Waldo's new Kiosk framework in KDE 3 will allow you to lock down most
> > > of the settings stuff. Much more complicated will be to prevent users from
> > > accessing the shell, since there are a _lot_ of ways to launch external
> > > commands from a Unix app. No idea how (or even if) you could lock that down.
> > >
> > > Martijn
> >
> > Make /bin/sh a link to a setguid pre-shell program that denies
> > interactive shells and (1) compares scripts to a set of permitted
> > scripts, and/or (2) only runs scripts that are owned by root and in some
> > configurable PATH (/usr/bin, /bin, /opt/kde2/bin, etc.), and make the
> > actual shell only executable by that group (i.e., "chmod o -x
> > /bin/real_shell)? Of course the admins would be in this special group
> > and so be able to execute shell commands.
> >
> > Just a thought.
> >
> > Dre
> > _______________________________________________
> > kde-kiosk mailing list
> > kde-kiosk@mail.kde.org
> > http://mail.kde.org/mailman/listinfo/kde-kiosk
>
> --
>
> Janyne Kizer
> CNE-3, CNE-4, CNE-5
> Systems Programmer Administrator I
> NC State University, College of Agriculture & Life Sciences
> Extension and Administrative Technology Services
> Phone: (919) 515-3609
> _______________________________________________
> kde-kiosk mailing list
> kde-kiosk@mail.kde.org
> http://mail.kde.org/mailman/listinfo/kde-kiosk
--
Janyne Kizer
CNE-3, CNE-4, CNE-5
Systems Programmer Administrator I
NC State University, College of Agriculture & Life Sciences
Extension and Administrative Technology Services
Phone: (919) 515-3609