Re: lock down features

From: George Farris <george gmsys com>
To: desktop-devel-list gnome org
Subject: Re: lock down features
Date: 14 Nov 2002 19:26:37 -0800

On Thu, 2002-11-14 at 19:03, Malcolm Tredinnick wrote:
> On Thu, Nov 14, 2002 at 11:44:36AM -0500, Havoc Pennington wrote:
> > On Thu, Nov 14, 2002 at 04:17:50PM +0000, Rui Miguel Seabra wrote: 
> > > Thus, this "lock down' should be taken as a preventive method for
> > > accidental changes that should not be promoted.
> > > 
> > > Or am I missing something?
> > 
> > I think you're right that it isn't genuinely secure, yes.
> > But I don't know if that's a requirement, at least for an initially
> > useful feature.
> 
> In this general vein, what is "lockdown" meant to cover here. Before
> we start talking about code impact, what does the endgame look like?
> 
> It's going to be very hard to stop an intentionally malicious user from
> changing things around (by screwing around in .gnome2 and .gconf, for
> example). So are we just trying to make this harder to do and then if
> something gets muddled up the sysadmin can just blow away $HOME/.gconf*
> and $HOME/.gnome* and have the user log back in to get to the "official
> setup"? Or...?
> 
> Without this, it's the situation Jeff and Glynn (a.o.) mention, where
> cycles are burnt looking at something that turns out to be unfit for the
> purpose.
> 
> Malcolm

I imagine from the standpoint of an educational institution that
"lockdown" would mean locking most desktop settings to something
reasonable for example not allowing the desktop background to be set to
a nude babe.  It wouldn't be super secure initially but be basically
impossible for 95% of the average student body to get around.

Also not allowing students to save or delete icons or entries from the
desktop or menus.  GTK colours could be included as well.

I'm sure there are many more.  It sounds from what Havoc has said that
gconf could do this right now.

My initial vote would be:

Control the following things based on say group id:
 - Changing desktop background
 - Changing GTK colours & themes
 - Removing desktop icons
 - Adding desktop icons
 - Removing panel menu items
 - Adding panel menu items
 - Changing window manager
 - Changing window manager theme
 - Changing desktop font
 - Changing application font
 - Changing Nautilus icon theme
 - Changing keyboard prefs
 - Changing mouse prefs
 - Changing network proxy
 - Changing toolbars
 - Changing mime types
 - Changing preferred applications
 - Changing window focus mode
 - Changing Galeon default home page
 - Adding or deleting panels
 - Changing panel behaviour
 - Adding or removing icons and applets on panels

Probably left out a few.

Have two different modes
 1) Strict lockdown, nothing changes.
 2) User settable changes that revert backt to defaults on next login.

Thats an initial kick at the cat.


-- 
George Farris <george gmsys com>

References:
- Re: lock down features
  - From: Rui Miguel Seabra
- Re: lock down features
  - From: Havoc Pennington
- Re: lock down features
  - From: Malcolm Tredinnick

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]