status of kde/plasma kiosk framework in kf5

Thomas Weissel valueerror at gmail.com
Tue Dec 6 20:35:33 UTC 2016 

Hello mighty plasma developers!

I just wanted to give you a short update on the status of the kiosk 
framework in kde/plasma 5.8.4 and i'm hoping for a little feedback of 
yours ;-)


With all of the following restrictions in place my users are still able 
to see at least one context menu entry on every widget in the main panel.


Still showing context menus (or parts of it) are:

- Menu for "Edit Applications"  in the launcher called 
"Anwendungsübersicht" and "Anwendungsmenü" (its working in 
"Anwendungs-Starter")

- device manager

- date and time

- networksettings

- konsole (launcher icon )


these are the current restrictions:

------------------------------------------------------

[KDE Action Restrictions][$i]

action/switch_user=false
action/lock_screen=false
action/logout=false
action/kwin_rmb=false

action/plasma/containment_actions=false

action/run_command=false
action/options_show_toolbar=false
plasma/plasmashell/unlockedDesktop=false
plasma/allow_configure_when_locked=false
plasma-desktop/add_activities=false
unlockedDesktop=false
logout=false
movable_toolbars=false
run_command=false
start_new_session=false

shell_access=false
------------------------------------------------------


I also found out that restricting the user from entering any other 
folder than $home  (kde url restricitons) is working very well for 
typical kde applications.

libreoffice (even when using the kde file open dialogs - libreoffice kde 
integration ) still allows to enter any folder you like..


i also kinda hacked my own secure environment where shell access is not 
allowed by placing a .desktop file 
in .local/share/kservices5/ServiceMenus/ that allows me to open a 
terminal in the current folder ^^

dolphin shouldn't allow this.. right?

_______________________

[Desktop Entry]

Type=Service

Icon=konsole

Actions=openterminal

X-KDE-Priority=TopLevel

ServiceTypes=KonqPopupMenu/Plugin,inode/directory,inode/directory-locked


[Desktop Action openterminal]

Exec=/usr/bin/konsole --workdir %U

Icon=konsole

Name=Open Terminal Here

______________________________



i even placed an xorg.conf file  to supress opening ttys (works as 
expected) but this little desktop file above did the job :-)

__________________________

Section "ServerFlags"

     Option "DontVTSwitch" "true"

EndSection

__________________________



Should i make a bug report out of this ?

Getting "dolphins" places panel locked too when other toolbars are 
locked - is this a featurerequest or a bugreport?

it is really hard to lockdown a system completely..   if i'm done with 
it i'm definitely going to write an extensive howto and a little program :-)

thank you very much in advance.

thomas w.


PS: i am working on a plasma based "secure exam environment" (for 
austrian schools) which i'm going to present at the "day of digital 
education" at klagenfurt's university in 2 months.

nothing special...just a few shellscripts with a small UI (most of it is 
kdialog for now ) and a lot of preconfigured files - but it heavily 
relies on the kiosk framework and a the live usb installation i'm 
already using in my school..

i'm just working out the kinks.. it's almost ready to go..

wouldn't be possible without you.. so thx again!










On 25.05.2016 16:16, Mag. Weissel Thomas wrote:
> hello everybody..
>
> first of all... wow!   this list of fixes is awesome.. thank you!
>
> i have a question about this "hide toolbars" restriction..
>
>
> as you can see in the following screenshot  (testing with dolphin 
> 16.04.0)
>
> http://test.xapient.net/STUFF/dolphin.jpg 
> <http://test.xapient.net/STUFF/dolphin.jpg>
>
> i tried to restrict unocking the toolbar (look at the terminal)
> also visible in the screenshot is, that "lock toolbar positions" is 
> not checked but the handle for moving
> the toolbars is hidden..  so it works!  although the menu entry to 
> unlock is still there...
>
> you can also see that "show toolbar" (rightclick on the toolbar) and 
> "Main Toolbar" (rightclick on the menubar) is still visible so hiding 
> the toolbar is possible...
> i'm a little bit confused because i read what kai wrote and it seems 
> that on his installation only the entry in the menubar context menu 
> is/was visible..
> are we talking about the same thing here?  just checking!
>
>
> i tested:
> action/manage activities=false
>
> and it properly hides all entries to configure activities.. "Meta+Q" 
> doesnt open the activities configuration panel either... yay!!
> but "Meta+Tab" shows the activity switcher...  holding down "Meta" and 
> using the mouse on the activity switcher lets me open the configure 
> dialog.. no configurations are stored so this is not a big problem..
>
> best regards,
> thomas
>
>
>
>
> Am 2016-05-25 um 14:00 schrieb enterprise-request at kde.org 
> <mailto:enterprise-request at kde.org>:
>> Send Enterprise mailing list submissions to
>> enterprise at kde.org <mailto:enterprise at kde.org>
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> https://mail.kde.org/mailman/listinfo/enterprise 
>> <https://mail.kde.org/mailman/listinfo/enterprise>
>> or, via email, send a message with subject or body 'help' to
>> enterprise-request at kde.org <mailto:enterprise-request at kde.org>
>>
>> You can reach the person managing the list at
>> enterprise-owner at kde.org <mailto:enterprise-owner at kde.org>
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of Enterprise digest..."
>>
>>
>> Today's Topics:
>>
>>     1. Re: status of kde/plasma kiosk framework in kf5 (Kai Uwe Broulik)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Wed, 25 May 2016 11:22:32 +0200
>> From: Kai Uwe Broulik<kde at privat.broulik.de> 
>> <mailto:kde at privat.broulik.de>
>> To: Plasma<plasma-devel at kde.org> 
>> <mailto:plasma-devel at kde.org>,"enterprise at kde.org" 
>> <mailto:enterprise at kde.org>
>> <enterprise at kde.org> <mailto:enterprise at kde.org>
>> Subject: Re: status of kde/plasma kiosk framework in kf5
>> Message-ID:<E1b5WtM-000269-LO at smtprelay03.ispgateway.de> 
>> <mailto:E1b5WtM-000269-LO at smtprelay03.ispgateway.de>
>> Content-Type: text/plain; charset=utf-8
>>
>> Hi Thomas,
>>
>> just wanted to give you a quick update. I have just merged the last 
>> patch of our big kiosk fixes pile.
>>
>> The following fixes will land in the next Plasma and/or kde 
>> frameworks release :
>>
>> * Leave option in desktop toolbox honors kiosk restriction
>> * KRunner will be completely disabled (eg won't start at all) when 
>> restricted, so you can't bypass that by calling over DBus directly
>> * Typing on empty desktop will not try to call krunner if restricted
>> * krunner history will be disabled if lineedit_text_completion is 
>> restricted
>> * Kickoff favorites cannot be rearranged/added/removed when 
>> unlockedDesktop is restricted
>> * Kickoff applications cannot be edited or added as launcher to task 
>> bar when unlockedDesktop is restricted, the "edit applications" 
>> context menu will also be hidden then
>> * most applets now won't offer context menu entries about modules 
>> restricted via kde control module restrictions. Clicking would 
>> already not do anything as we already block launching them but we now 
>> avoid a dead menu entry
>> * right-clicking menu bar can no longer bypass "hide toolbars" 
>> restriction
>>
>> (Hope I didn't forget anything)
>>
>> As for the always-shown Activities entry, can you try whether 
>> action/manage activities=false (note the space) works? I'm not sure 
>> if we handle spaces there properly.
>>
>> David is also currently patching all of our applications so they use 
>> the kiosk keys in the documentation (most erroneously used action/ 
>> prefix for everything).
>>
>> If you have any further questions or problems, don't hesitate to ask, 
>> we're happy to help you.
>>
>> Kai Uwe
>>
>>
>>
>>
>> ------------------------------
>>
>> Subject: Digest Footer
>>
>> _______________________________________________
>> Enterprise mailing list
>> Enterprise at kde.org <mailto:Enterprise at kde.org>
>> https://mail.kde.org/mailman/listinfo/enterprise 
>> <https://mail.kde.org/mailman/listinfo/enterprise>
>>
>>
>> ------------------------------
>>
>> End of Enterprise Digest, Vol 3, Issue 11
>> *****************************************
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/plasma-devel/attachments/20161206/572b9e06/attachment-0001.html>

More information about the Plasma-devel mailing list