[Kde-kiosk] Preventing unset of default KDE configurations

[Martijn Klingens]

Taru Jain said:
> We can use the KDEDIRS variable to specify a directory which can
> contain the customized system wide default configuration. However, after
> a user logs in, the KDEDIRS value can be reset/unset in a shell.
> Subsequently, the the customized configuration will not longer take
> effect in this shell and in any programs launched from this shell.
>
> Is there a way of preventing this from happening? (We do not want to
> stop the user from using the shell)

Yes and no.

Yes, because from KDE 3.2 onwards there are user profiles that are
controlled through /etc/kderc and no longer rely on environment variables.

The 'old' style of applying Kiosk settings has the weakness you describe.

The easiest way to setup profiles is to use KioskTool, but you can also
manually setup the required components in /etc. (I don't have access to
the docs at the moment, but IIRC the README.kiosk file in kdelibs
describes the details.)

No, because a user with shell access can potentially still bypass Kiosk by
setting LD_PRELOAD to load a small library that intercepts the loading of
/etc/kderc and pretends there are no profiles specified.

This can be mostly avoided by mounting all filesystems where a user has
write access with 'noexec', but I am not convinced that is 100% foolproof.
(I'm open to examples that prove me right or wrong, so far it's just a
feeling.) Combining noexec and profiles does help against most attack
vectors and makes bypassing Kiosk significantly harder, so much more that
people are less inclined to try anymore. Only people who have intentions
that are more malicious than just 'working around the system' will likely
still bother.
-- 
Martijn