[Kde-kiosk] how to make KDE kiosk work
Claudio Henrique Fortes Felix
chffelix at terra.com.br
Mon Jan 10 13:50:00 CET 2005
>Yup, there's one more thing that was added rather recently (KDE 3.2.2 if I'm
>not mistaken) and that's not in most documentation: user profiles.
>
>In all older KDE 3.x versions you needed to export KDEDIRS to apply a profile.
>The problem with this approach (besides being more work for the
>administrator) is that it's usually possible for users to override the
>profile by executing 'KDEDIRS=/opt/kde3 konqueror'. All a user needs is the
>ability to either dump a shell script or have direct shell access and the
>result is that he or she can run Konqueror in its full mode rather than the
>locked down version.
>
>Of course there will always be ways to circumvent Kiosk restrictions on
>loosely locked down systems[1] (if all else fails one could put self-compiled
>binaries there), but it doesn't hurt if it's at least somewhat challenging to
>do so.
>
>This is where the user profiles come into play. Those are handled directly by
>the files in /etc (kde3rc, kde-user-profile, kde-profile) and special code in
>the KDE libraries. The only way to bypass them without messing with files
>that only root should have access to or using custom binaries is to get
>listed in the 'kioskAdmin' field of /etc/kde3rc. In case you're listed there
>you can set $KDE_KIOSK_NO_PROFILES to temporarily bypass the profiles.
>
>Hope this helps,
>
>Martijn
>
>[1] The less your users should be able to do, the more you can do to secure
> the system. You can't take the ability to store executable programs from a
> developer, nor can you take his shell access. However, many other people
> can work perfectly fine with a home dir that's mounted noexec and without
> shell access.
>
>
Thanks Martijn!
That explains a lot :) Since you guys are more into it than the docs -
it appears there´s really work in progress right now - what can I, at
this point, make just through the "kiosktool"? Is there stuff I still
can´t achieve through it, having to edit the profile files manually
instead?
In my case, particularly, I need to lock some application settings like
the sound server used by arts (ESD), and maybe the visual settings, for
making sure the users don´t come later saying the sound stopped working,
or the program that was there is not anymore, u know... I´m already
taking a look at kiosktool, for I guess it´s supposed to do those
things, but is it possible to say wether it´s actually "enough" without
tweaking the profiles? By the way, if I do have to tweak, let´s say,
specific application settings to lock them down, do I have to edit the
config files on /opt/kde/share or somewhere else?
Thanks a lot for your attention.. and I totally agree with you on [1] :)
Claudio
More information about the kde-kiosk
mailing list