[Kde-kiosk] how to make KDE kiosk work

Claudio Henrique Fortes Felix chffelix at terra.com.br
Mon Jan 10 13:50:00 CET 2005 

>Yup, there's one more thing that was added rather recently (KDE 3.2.2 if I'm 
>not mistaken) and that's not in most documentation: user profiles.
>
>In all older KDE 3.x versions you needed to export KDEDIRS to apply a profile. 
>The problem with this approach (besides being more work for the 
>administrator) is that it's usually possible for users to override the 
>profile by executing 'KDEDIRS=/opt/kde3 konqueror'. All a user needs is the 
>ability to either dump a shell script or have direct shell access and the 
>result is that he or she can run Konqueror in its full mode rather than the 
>locked down version.
>
>Of course there will always be ways to circumvent Kiosk restrictions on 
>loosely locked down systems[1] (if all else fails one could put self-compiled 
>binaries there), but it doesn't hurt if it's at least somewhat challenging to 
>do so.
>
>This is where the user profiles come into play. Those are handled directly by 
>the files in /etc (kde3rc, kde-user-profile, kde-profile) and special code in 
>the KDE libraries. The only way to bypass them without messing with files 
>that only root should have access to or using custom binaries is to get 
>listed in the 'kioskAdmin' field of /etc/kde3rc. In case you're listed there 
>you can set $KDE_KIOSK_NO_PROFILES to temporarily bypass the profiles.
>
>Hope this helps,
>
>Martijn
>
>[1] The less your users should be able to do, the more you can do to secure
>    the system. You can't take the ability to store executable programs from a
>    developer, nor can you take his shell access. However, many other people
>    can work perfectly fine with a home dir that's mounted noexec and without
>    shell access.
>  
>

Thanks Martijn!

That explains a lot :) Since you guys are more into it than the docs - 
it appears there´s really work in progress right now - what can I, at 
this point, make just through the "kiosktool"? Is there stuff I still 
can´t achieve through it, having to edit the profile files manually 
instead?

In my case, particularly, I need to lock some application settings like 
the sound server used by arts (ESD), and maybe the visual settings, for 
making sure the users don´t come later saying the sound stopped working, 
or the program that was there is not anymore, u know... I´m already 
taking a look at kiosktool, for I guess it´s supposed to do those 
things, but is it possible to say wether it´s actually "enough" without 
tweaking the profiles? By the way, if I do have to tweak, let´s say, 
specific application settings to lock them down, do I have to edit the 
config files on /opt/kde/share or somewhere else?

Thanks a lot for your attention.. and I totally agree with you on [1] :)


        Claudio

More information about the kde-kiosk mailing list