[Kde-kiosk] force logout from kde

Neil Munro neil.munro at catalyse.net
Thu May 1 15:08:49 CEST 2003


> Does 'dcop --user kde ksmserver MainApplication-Interface quit' work
> for you?
>
> It requires KDE 3.1 or newer, but I added that switch to dcop for
> exactly these purposes.

Thanks for the replies - I'm having hassles updating to 3.1 (using rpms)
so I haven't tried it yet, but I found that with a small change to
startkde (removing the "|| xmessage ..." after "kwrapper ksmserver
--restore") I can simply use "killall kwrapper"! This allows the
startkde script to continue to finish the cleanup and seems to be happy
logging in again repeatedly (I checked with "ps -A -H -f" as root, and
it looks like the same list of processes are running). As I am restoring
all files from a tar afterwards I'm not too bothered if this skips
saving open files etc, as long as it kills everything so there is no
memory leak.

For information, the reason I want this is to help with my approach to
"lock down" for use with distributed Internet access points. There is a
single account "kde" that is logged into Linux automatically and the
user then has to log into my web site which provides a centralised
authentication system. This then enables wider Internet access until
their time runs out, this being controlled using iptables routing. If
they don't enter a new token to top up within a minute or so, the system
throws them out. Hence the need for a forced logout to reset everything,
in case they decide to try and use the PC for local editing or just to
screw around with it for fun.

1. I use KDE "kiosk" facilities to provide interface control, i.e. hide
things I don't want cluttering up the screen, but I don't count on it.

2. I use Linux itself for serious access control: i.e. set up
permissions so even if someone hacks through Konqueror restrictions,
they simply can't do any damage. For any private files, e.g. in my case
PHP local web pages, I ensure the .php and configuration files are
"Group read apache" and "Other none", so they cannot be read by the
"kde" user even if they guess the names.

3. This, in turn, generally requires the "kde" account files are reset
each time as I cannot be sure they won't find a way to trash some of the
config files. Often making them read-only doesn't work, as explained in
the KDE Kiosk outline (renaming). So I'm using "tar" from an archive
(owned by root!) saved with the correct settings, resetting after
logout. Hence the need to force a logout after each user's session.

I'm pretty happy with this arrangement now, I'll post details once it is
solid and I get 3.1 in to improve the user interface.

Neil.
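
The reset step described in point 3, sketched as an added example; it is not part of the original post and is not the author's script. The function names, arguments and the choice to delete the old home contents before unpacking are assumptions, and GNU find and tar are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): restore a kiosk account's home
# directory from a pristine tar archive after a forced logout.
# Function names, arguments and any paths passed in are assumptions.

# archive_is_trusted ARCHIVE OWNER_UID
# True only if ARCHIVE is a regular file (not a symlink) owned by OWNER_UID
# and not writable by group or other, so the kiosk user cannot replace it.
archive_is_trusted() {
    [ -n "$(find "$1" -prune -type f -uid "$2" \
            ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# reset_home ARCHIVE HOME_DIR OWNER_UID
# Removes everything under HOME_DIR, then unpacks ARCHIVE into it.
# Assumes the session's processes have already been killed.
reset_home() {
    archive=$1 home=$2 owner_uid=$3

    # Refuse obviously dangerous targets before deleting anything.
    case $home in
        ''|/|.|..) echo "reset_home: refusing target '$home'" >&2; return 2 ;;
    esac
    [ -d "$home" ] && [ ! -L "$home" ] || {
        echo "reset_home: $home is not a real directory" >&2
        return 2
    }

    archive_is_trusted "$archive" "$owner_uid" || {
        echo "reset_home: $archive fails the owner/mode check" >&2
        return 3
    }

    # Delete the old contents, dotfiles included, so files the user created
    # or renamed do not survive into the next session.
    find "$home" -mindepth 1 -delete || return 4

    # -p keeps the archived permission bits; when run as root, GNU tar also
    # restores the archived owners.
    tar -xpf "$archive" -C "$home" || return 5
}
```

Run as root after the session has ended, the call takes the archive path, the kiosk account's home directory and 0 as the expected archive owner.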


