[Kde-kiosk] Kiosk under KDE 3.0

Waldo Bastian bastian at kde.org
Wed Sep 29 14:43:12 CEST 2004 

On Wednesday 29 September 2004 14:23, Mark Walker wrote:
> Hi,
>
> I'm running KDE 3.0 and now have a requirement to "lock down" the graphical
> environment.
>
> I've downloaded the notes on kiosk and on face value it looks like it will
> do the required job.
>
> I've create the entry [KDE Action Restrictions] under
> /home/user/.kde/share/config/kdeglobals and added the following options.
>
> shell_access=false
> action/kdesktop_rmb=false
> action/kicker_rmb=false
> action/kwin_rmb=false
> editable_desktop_icons=false
>
> I then touched the file /home/usr/.kde/share/services/update_ksycoca.
>
> However, when the user logs in no actions are restricted.
>
> So my questions are
>
> 1,    Is the above information correct ?
> 2,    Should it work under KDE 3.0
> 3,    Do I need to upgrade to KDE 3.3, and if so how do I perserve my
> current users settings.

The above actions where not yet implemented in KDE 3.0 I have attached the 
kiosk readme that is applicable to KDE 3.0.

Upgrading to KDE 3.3 should automatically preserve/upgrade all current users 
settings (but downgrading again back to KDE 3.0 does NOT!)

Cheers,
Waldo
-- 
bastian at kde.org  |  Wanted: Talented KDE developer  |  bastian at suse.com
  http://www.suse.de/de/company/suse/jobs/suse_pbu/developer_kde.html
-------------- next part --------------
In KDE3 a kiosk-framework gets introduced. 

One of the driving forces behind KDE is to put the user in control and
give him or her a large amount of possibilities to adjust KDE to his or her 
liking. However, in some situations it is required to reduce the possibilities
of KDE, e.g. because the system is to be used for one or more specific 
dedicated tasks only.

The kiosk-framework provides an easy way to disable certain features within
KDE to create a more controlled environment.

KDE's kiosk-framework builds on KDE's configuration framework and adds a
simple application API that applications can query to get authorisation
for certain operations.

The KDE kiosk-framework should be used IN ADDITION to the standard UNIX
security measures. 

The configuration framework in KDE3
===================================

Since the very beginning KDE makes use of file-hierarchy to store resources
for its applications. Resources range from icons, wallpapers, fonts to 
sounds, menu-descriptions and configuration files. 

In KDE1 there were two locations were resources could be located: the 
resources provided by the system where located under $KDEDIR and user-
specific resources where located under $HOME/.kde.

In KDE2 resource management has been largely abstracted by the introduction
of the KStandardDirs class and has become much more flexible. The user /
administrator can now specify a variable number of locations where resources
can be found. A list of locations can either be specified via $KDEDIRS
(notice the extra 'S'), via /etc/kderc and even via the kdeglobals config 
file. The location where user-specific resources can be found can be
set with $KDEHOME (The default is $HOME/.kde). Changes made by the user
are always written back to $KDEHOME.

Both KDE1 and KDE2 feature so called "cascading configuration files": There
can be multiple configuration files with the same name in the various 
locations for (config) resources, when that is the case, the information of 
all these configuration files is combined on a key by key basis. If the same
key (within a certain group) is defined in more than one place, the value
of the key for the config file that was read last will override any previously
read values. Configuration files under $KDEHOME are always read last. This
ensures that after a configuration entry is written, the same value wil be
read back.

In KDE3 two important changes have been made:

* Default values are no longer written.
When a configuration file in a location other than $KDEHOME defines a value 
for a key and the application subsequently writes out a new configuration file
to $KDEHOME, that configuration file will only contain an entry for the key
if its value differs from the value read from the other file.

This counters the problem that changing default configuration files under 
$KDEDIR would not take effect for users, since these users would most likely
have their own copy of these settings under $KDEHOME. KDE3 will make sure 
not to copy these settings so changes made under $KDEDIR will affect all users
that haven't explicitly changed the affected settings to something else.

* Configuration entries can be marked "immutable".
Starting with KDE3, configuration entries can be marked "immutable". When a
configuration entry is immutable it means that configurations files that are
read later will not be able to override its value. Immutable entries can not
be changed via KConfig and if the entry is present under $KDEHOME it will 
be ignored.

Entries can be marked immutable on 4 different levels:

- On an entry by entry basis by appending "[$i]" after the key.

Example:
[MyGroup]
someKey[$i]=42

- On a group by group basis by appending "[$i]" after the group. All entries
specified in the group will be marked immutable and no new entries can be
added to the group.

Example:
[MyGroup][$i]
someKey=42

- On a file by file basis by starting the file with [$i].

Example:
[$i]
[MyGroup]
someKey=42
[MyOtherGroup]
someOtherKey=11

- On a directory basis. [Not yet implemented]

- The filesystem can also be used to mark files immutable. If KDE does not 
have write-access to the user's version of a configuration file, the file
will be automatically considered immutable.

Example:
chown root.root /home/user/.kde/share/config/kickerrc
chmod 644 /home/user/.kde/share/config/kickerrc

Note that this example is not fool-proof, the user can potentially still 
rename either the root-owned kickerrc file or any of the directories in 
the path to another name and create a new kickerrc _with_ write-access.

KDE3 Kiosk Application API
==========================

Two new methods will be added to KApplication:

- bool authorize(QString action); // Generic actions
- bool authorizeKAction(QString action); // For KActions exclusively
- bool authorizeURLAction(QString, referringURL, destinationURL)

.desktop files can have an additional field "X-KDE-AuthorizeAction". If this
field is present the .desktop file is only considered if the action(s) 
mentioned in this field get(s) authorized. If multiple actions are listed
they should be seperated by commas (','). 

To restrict access to function the kdeglobals file should contain the 
group "[KDE Action Restrictions]", each action can then restricted by 
adding "<action>=false". E.g. to disable the action "shell access" one 
would add:
[KDE Action Restrictions]
shell access=false

Actions that refer to menu and toolbar actions are prefixed with action/' the
following standard actions are defined:

action/file_new
action/file_open
action/file_open_recent
action/file_save
action/file_save_as
action/file_revert
action/file_close
action/file_print
action/file_print_preview
action/file_mail
action/file_quit
action/edit_undo
action/edit_redo
action/edit_cut
action/edit_copy
action/edit_paste
action/edit_select_all
action/edit_deselect
action/edit_find
action/edit_find_next
action/edit_find_last
action/edit_replace
action/view_actual_size
action/view_fit_to_page
action/view_fit_to_width
action/view_fit_to_height
action/view_zoom_in
action/view_zoom_out
action/view_zoom
action/view_redisplay
action/go_up
action/go_back
action/go_forward
action/go_home
action/go_previous
action/go_next
action/go_goto
action/go_goto_page
action/go_goto_line
action/go_first
action/go_last
action/bookmark_add
action/bookmark_edit
action/tools_spelling
action/options_show_menubar
action/options_show_toolbar
action/options_show_statusbar
action/options_save_options
action/options_configure_keybinding
action/options_configure
action/options_configure_toolbars
action/help
action/help_contents
action/help_whats_this
action/help_report_bug
action/help_about_app
action/help_about_kde

Applications may use additional actions that they defined themselves.
You can get a list of the actions used by a certain applications by using the
following dcop command:

dcop <dcopid> qt objects | grep KActionCollection/ | cut -d '/' -f 3

or with

dcop <dcopid> <maindwindowid> actions


The most important task is to define a managable number of actions that can be 
disabled. Actions should be defined in a generic way, "open konsole" would be
too specific, a better definition of an action would be "shell access". 
It should be noted that such an action might affect KDE features which aren't
directly associated with "shell access". There are various locations in the 
file system where creating a .desktop file would effectively allow the user to 
execute arbitrary commands. This raises the question whether such features 
should be disabled as part of the "shell access" action or whether it should 
get its own action definition, e.g. "custom .desktop files".

Another interesting question is what the exact scope of a certain action should
be. Looking at the "custom .desktop files" action there are two ways to prevent
the user from executing "custom .desktop files". The first way would be to
make use of unix file permissions to make it impossible for the user to
create .desktop files at e.g. the desktop. The second way would be to ignore,
at the KDE level, any .desktop files that are found under the users home
directory.


In addition KConfigBase (the baseclass of KConfig) has functions to query whether 
config options/groups or files are immutable. This can be used in applications to
disable configuration options when such options can't be changed anyway.




The following applications currently have support for this:


* kicker - By marking the kickerrc config file as immutable, the panel will be 
"locked down" and it will not be possible to make any changes to it.

* kdesktop - By marking the kdesktoprc config file as immutable, the desktop
will be "locked down" and it will no longer be possible to select
"Configure Desktop" from its menus.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mail.kde.org/pipermail/kde-kiosk/attachments/20040929/2ec7da93/attachment.pgp

More information about the kde-kiosk mailing list