Re: Lockdown stuff



On Tue, 2003-10-07 at 16:49, Matt Keenan wrote:

> I have split the tasks into sections :

I'll comment on the Nautilus details first, then I have some general
comments at the end.

> 1. Nautilus
>      - Restrict a user from removing/adding/moving/renaming or accessing the
>        properties of desktop icons.
> 
>      New keys :
> 	
>          /desktop/gnome/lockdown/nautilus/lockdown_desktop_icons    boolean
>          /desktop/gnome/lockdown/nautilus/icons_to_lockdown         list/string
> 
>      If lockdown_desktop_icons is set then basically all default icons on
>      the desktop are locked down, a user cannot remove/rename/move them and
>      they cannot add more icons.
> 
>      Basically involves hiding the menu items Rename, Move To Trash, Move to
>      Trash. And for adding new items, restrict dropping, and the menu items
>      New Folder/New Launcher from within Nautilus.
> 
>      If lockdown_desktop_icons is not set then the icons_to_lockdown key is
>      referred to, this key will contain a list of specific .desktop files that
>      are locked down, and only these will be restricted from removing/renaming/
>      moving. A user will be able to add new icons, and the newly added ones
>      will not be locked down.

When you say "desktop icons" what do you mean? All files in the desktop
directory? Or just the home/trash/volume icons? You talk about folders
and stuff as if you mean all files, but then you say "contain a list of
specific .desktop files", and the desktop is not only about .desktop
files. (Also, note that the trash/home/volume icons are not .desktop
files any more, but special in-memory objects.)

Also, is this meant to be a serious lockdown, or just a simple thing
that you can work around easily? I mean, browsing to ~/Desktop in a
nautilus window will allow you to do many things to the desktop, as will
opening up any application and saving things in ~/Desktop.

Also, even for the lame lockdown you need to handle things like paste,
and various other global keybindings.

>      The above two keys will also be used to determine if an icon's properties
>      can be accessed.
> 
>      - Restrict users from accessing a file's properties, either from File menu or
>        context menu.

What is this meant to do? You can still see most of a file's properties
in e.g. the list view or by changing the icon captions.

>      New key :
>          /desktop/gnome/lockdown/nautilus/disable_properties     boolean
> 
>      If set simply hide the properties menu item.
> 
> 	
>      - Restrict users from running applications within nautilus.
> 
>      New keys :
> 	/desktop/gnome/lockdown/nautilus/disable_application_launching  boolean
> 
>      This will have the effect of hiding the Open, Open With and Open in New
>      Window menu items, and also disable double-click launching.

This means you can't use Nautilus to open any file. Why would you even
use nautilus if you couldn't do that? Maybe you could still use it to
copy/move/rename files, but restrictions configured that way make no
sense to me at all.

>      - Restrict a user from browsing directories/locations.
> 
>      New Keys :
>          /desktop/gnome/lockdown/nautilus/restrict_viewable_locations    boolean
>          /desktop/gnome/lockdown/nautilus/viewable_locations         list/string
> 
>      If restrict_viewable_locations is NOT set, then all locations/directories
>      are viewable to the user. If it is set then the viewable_locations key will
>      be checked. This key will contain a list of locations that a user can view
>      which can include directory paths and nautilus locations such as network://
>      etc.. If the list is empty then the user cannot view any locations.

What about subdirectories? If $home is listed, can you view
$home/subdir?

>      - Define sensitivity for all context menu items :
> 
>      New Keys :
> 
>          /desktop/gnome/lockdown/nautilus/disable_new_window              boolean
>          /desktop/gnome/lockdown/nautilus/disable_new_folder              boolean
>          /desktop/gnome/lockdown/nautilus/disable_new_launcher            boolean
>          /desktop/gnome/lockdown/nautilus/disable_new_terminal            boolean
>          /desktop/gnome/lockdown/nautilus/disable_scripts                 boolean
>          /desktop/gnome/lockdown/nautilus/disable_cut                     boolean
>          /desktop/gnome/lockdown/nautilus/disable_copy                    boolean
>          /desktop/gnome/lockdown/nautilus/disable_paste                   boolean
>          /desktop/gnome/lockdown/nautilus/disable_duplicate               boolean
>          /desktop/gnome/lockdown/nautilus/disable_make_link               boolean
>          /desktop/gnome/lockdown/nautilus/disable_rename                  boolean
>          /desktop/gnome/lockdown/nautilus/disable_move_to_thrash          boolean
>          /desktop/gnome/lockdown/nautilus/disable_stretch_icon            boolean
>          /desktop/gnome/lockdown/nautilus/disable_restore_icon            boolean
>          /desktop/gnome/lockdown/nautilus/disable_add_to_archive          boolean
>          /desktop/gnome/lockdown/nautilus/disable_disks                   boolean
>          /desktop/gnome/lockdown/nautilus/disable_use_default_background  boolean
>          /desktop/gnome/lockdown/nautilus/disable_change_desktop_background
>                                                                           boolean
> 
>      Just hide the relevant menu item if the key is set.

This is totally tied to the current UI. In fact it's totally tied to
yesterday's UI as the menu is different now. It makes no sense to have
such a fine-grained setup, and it's gonna be a total pain both for users
and developers to keep it synchronized with changes to the UI.

>      - Disable setting of default printer
> 
>      New Key :
>          /desktop/gnome/lockdown/nautilus/disable_make_default_printer    boolean
> 
>      Hides the Make Default Printer context menu item.

What is this? I don't know of such an item.

>      - Restrict user from adding new devices
> 
>      New Key :
>          /desktop/gnome/lockdown/nautilus/disable_new_devices            boolean
> 
>      We can't physically stop a user from adding a new device such as a digital
>      camera etc... but if this key is set, then ensure that Nautilus does not
>      react to it, e.g. showing an icon for a USB device etc....

What about "old devices"? I.e. a USB device that's already plugged
in/mounted when the user logs in. We could just ignore all mountpoints,
but then chances are that we'll ignore something we shouldn't, such as a
/home mount. :)

Also, given the changes to the volume handling that's been discussed this
might not really be a nautilus key as such, but more like a HAL or
gnome-vfs thing.


In general, I think your proposal is way too fine grained. A sysadmin
that wants to lock down a box for some specific usage has to do a *lot*
of work figuring out which of the lockdown keys to enable, and chances
are high that he didn't think of some way to work around the
configuration, making the box not locked down. 

Some of the keys you proposed can be configured in such a way that they
make zero sense (allow cut+paste, but not copy?), and some things are
better locked down in other ways (such as filesystem permissions). Many
of the keys are such that any working/useful configuration of them makes
nautilus pretty much useless, and a better way to do the lockdown would
probably be to disable nautilus. 

I think a better approach to the lockdown problem is to sit down and
talk to people who want to use lockdown and see what they really want to
accomplish, then sit down and figure out a few higher-level lockdown
operations that we implement throughout the desktop and that allow all
the interesting policies to be implemented. This will allow mortal
sysadmins to figure out how to set this up, and it will probably make
the lockdown mode work better since the people who know the software
best (the developers) will pick the feature details for a particular
lockdown policy. It will also make the lockdown keys work across
upgrades in a way that low-level 'disable-this-menu-item' keys won't. We
probably won't be able to make a few high-level policy settings do
everything, so we might need to add a few low-level keys for those
special-case situations where we can't get a sane high-level policy that
works for everyone.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
                   alexl redhat com    alla lysator liu se 
He's an underprivileged shark-wrestling messiah on a search for his missing 
sister. She's a chain-smoking impetuous socialite with a song in her heart and 
a spring in her step. They fight crime! 
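
Added example, not part of the original message and not Nautilus code: the subdirectory question raised above about restrict_viewable_locations / viewable_locations, worked through in Python with subtree matching on path-component boundaries next to exact matching. The function names, the `subtree` switch and the sample paths are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit


def canonical(location):
    """Return (scheme, normalized absolute path) for a path or URI location."""
    parts = urlsplit(location)
    if parts.scheme:
        scheme, raw = parts.scheme, parts.netloc + parts.path
    else:
        scheme, raw = "file", location
    # Lexical normalization only: collapses "." and "..", does not resolve
    # symlinks. A real check on a file system would also need realpath().
    return scheme, posixpath.normpath("/" + raw.strip("/"))


def is_viewable(location, restrict, viewable, subtree=True):
    """Decide whether `location` may be shown under the proposed keys.

    restrict -- value of restrict_viewable_locations
    viewable -- value of viewable_locations (list of paths/URIs)
    subtree  -- hypothetical policy switch: does listing a directory
                also allow everything below it?
    """
    if not restrict:
        return True                      # key unset: everything is viewable
    scheme, path = canonical(location)
    for entry in viewable:               # empty list: nothing is viewable
        e_scheme, e_path = canonical(entry)
        if scheme != e_scheme:
            continue
        if path == e_path:
            return True
        # Compare on a component boundary so that /home/alice does not
        # accidentally allow /home/alice2.
        if subtree and path.startswith(e_path.rstrip("/") + "/"):
            return True
    return False


if __name__ == "__main__":
    allowed = ["/home/alice", "network://"]   # constructed sample policy
    for loc in ["/home/alice/subdir", "/home/alice2", "/home/alice/../bob"]:
        print(loc, is_viewable(loc, True, allowed))
```

A check like this only governs what the file manager displays; as the message notes, anything that must actually be enforced is better handled by filesystem permissions.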



