[Kde-kiosk] KDE URL Restrictions Containg Variables
Martijn Klingens
klingens at kde.org
Fri Jun 3 09:31:01 CEST 2005
Murray Trainer said:
> On Thu, 2005-06-02 at 19:47, Waldo Bastian wrote:
>> On Monday 30 May 2005 16:30, Murray Trainer wrote:
>> > Hi All,
>> >
>> > I have a mount point for each user under /mnt and want to stop users
>> > browsing above their own directory. I tried adding a rule to the
>> > kdeglobals file like rule_4 below but it doesn't seem to work? Can I
>> > only use either a variable or a path and not a combination of both?
>> >
>> > Thanks
>> >
>> > Murray
>> >
>> >
>> > [KDE URL Restrictions][$i]
>> > rule_1=list,,,,file,,,false
>> > rule_2=list,,,,file,,$HOME,true
>> > rule_3=list,,,,file,,/shares,true
>> > rule_4=list,,,,file,,/mnt/$USER,true
>> > rule_count=4
>>
>> Only $HOME and $TMP are expanded by default. To expand other things you
>> can
>> use:
>> rule_4[$e]=list,,,,file,,/mnt/$USER,true
>>
>> Cheers,
>> Waldo
>
> Hi Waldo,
>
> Thanks for the above - it works well. I didn't see that documented
> anywhere?
>
> I have another general question. We have intend giving users access to
> shared directory based on membership of an appropriate unix group. We
> would be relying on making the directory security at present to secure
> it. I am trying to figure a way we could implement KDE URL restrictions
> for this group situation so we can stop user even seeing shared
> directories they are not members of. Can we do something like:
>
> rule_3[e]=list,,,,file,,/shares/group1,$GROUP1_ACCESS
> rule_4[e]=list,,,,file,,/shares/group2,$GROUP2_ACCESS
> rule_5[e]=list,,,,file,,/shares/group3,$GROUP3_ACCESS
> .
> .
>
> and have the GROUP?_ACCESS variable set to true or false depending on
> their group membership during the user's login process?
That's dangerous -- if a user is able to modify environment he/she can
enable access to folders that ought to be restricted. I would use normal
Unix rights (user/group/other, rwx) or perhaps ACLs, but not something
that is based on the user's environment.
Come to think of it, *ANY* use of environment vars in URI restrictions is
tricky, not sure if it's a good idea. If you need something variable at
all, then consider shell scripts and use $(...) instead, those cannot be
easily tampered with by unauthorized users.
--
Martijn
More information about the kde-kiosk
mailing list