Re: Lockdown... Take 2



Although this is much less granular than before, I think we still need to analyze a variety of possible solutions to the lockdown problem. The solution may very well be, as you are suggesting, a number of keys that allow control over the execution of various binaries and properties of the desktop ... but as others have said, I'm sure there are other directions we can explore as well.

I shot an email to a friend of mine, the director of technology for a local school system ... here's what he has said regarding his experience with locking down systems within the schools:

"Years ago we used Microsoft's Policy Editor to protect machines - but it was clunky, cumbersome and impossible to figure out. So we stopped using it. (Back in the Win3.1 days I used to edit ini files to lock down workstations).

Currently we use something called Deep Freeze - 3rd party software that protects each machine. It has some type of imaging capability (the company swears that it does not image, however) that restores the last look after you reboot. So if a student deletes all the icons they are back when you reboot... Main problem is that it is on each machine, and if you want to get to the control panel for example, you have to take it off, change, then put it back on...

We are moving back to Policy Editor as we move into Server 2003 (with XP for workstations). It is vastly improved, and using scripting I think we are going to be able to do some pretty neat stuff. Major problem will be how we handle the Win98 and even Win2000 machines (which are not totally compatible with the new Group Policy Editor).

The new Group Policy Editor will allow you to put a policy on a group of login names or particular workstations (so you see it is domain based). That way if a student logged in as part of a certain group, it could send him to a Proxy Server - and he could not change the settings. A staff member who logged in at the same machine might be sent through a different proxy server. Or you might set the policy for the machine such that anyone who used it could not change the desktop settings, or could only save to the My Documents folder, etc. All kinds of possibilities here..."

Someone before made a very good point that we don't want to require 3rd party software to manage this type of task. We may need keys as mentioned, but we should definitely research possibly more intuitive methods.

Britt

-----Original Message-----
From: Matt Keenan <Matt Keenan sun com>
To: "desktop-devel-list gnome org" <desktop-devel-list gnome org>
Date: Mon, 13 Oct 2003 15:07:51 +0100
Subject: Lockdown... Take 2

Folks,

OK after much thought based on the feedback given to my first proposal I have
gone back and taken a much higher approach to the problem in hand.

By simply looking at the general areas that need to be locked down such as :

- Desktop Icons
    Sys admins want to lockdown a users icons.

- Panel Configuration
    Locking down of panels location, contents etc..

- Application Launching
    Locking down of what applications a user can run.

- Terminal Access
    Locking down of terminal access.

- Location Viewing
    Locking down of locations a user can browse.

- Lock Screen / Logout
    Locking down of Lock Screen and Logout functionality.

The original idea was too granular in that I was focusing on tasks within
areas of the desktop such as nautilus only or the panel only.
This approach concentrates on the desktop as a whole.

Now for the details :

I still propose that we use one specific location within Gconf for holding
lockdown keys :

      /desktop/gnome/lockdown


- Desktop Icons

      A new key will be used to lockdown desktop icons :

      boolean         /desktop/gnome/lockdown/lockdown_desktop_icons

      If this key is set then icons on the desktop are completely
      locked down, you cannot :
          Remove
              Hide Move To Trash menu item.

          Add
              Hide New Folder and New Launcher menu items.

          Rename
              Hide Rename menu item.

          Placement
              Ensure icons cannot be dragged

          Properties
              Icon properties are not accessible, so that
              users cannot change to a custom icon or add
              emblems. Hide Properties menu item for icons.

          New Folder
              Hide New Folder menu item.

          Duplicate
              Hide Duplicate menu item.

          Stretch/Restore
              Hide Stretch/Restore icon menu items.

- Application Launching

      Two new keys will be used for the lockdown of application launching :

      boolean         /desktop/gnome/lockdown/restrict_application_launching
      string/list     /desktop/gnome/lockdown/allowed_applications

      If restrict_application_launching is set, then the list key
      allowed_applications will be checked. This list will simply be a list
      of binaries that are allowed to be launched. By default the key
      restrict_application_launching will be FALSE, and the list key
      allowed_applications will contain a complete list of applications that
      are available on the desktop. This will ensure that when application
      restriction is turned on a sysadmin will be able to simply remove
      whatever applications are necessary from the list.

      This will involve hiding nautilus menu options such as :
          Open
          Open With
          Open In New Window
          New Launcher
          Scripts

      This will also control double-click behaviour on executable permission files.

      Within the panel this list can be used to determine what menu items are
      displayed. If the Exec element of a .desktop file does not appear in the allowed
      applications list then that menu item will not be displayed in the Menu.
      For example if you wanted to get rid of the Find Files menu item then simply
      turn on restrict_application_launching and make sure gnome-search-tool is
      not in the allowed_applications list.

- Location Restriction

      Two new keys will be used for the lockdown of locations within nautilus :

      boolean         /desktop/gnome/lockdown/restrict_locations
      string/list     /desktop/gnome/lockdown/allowed_locations

      If restrict_locations is not set, then all locations will be viewable
      however if it is set, then the list contained in allowed_locations will
      be checked to see if a user can browse to that location within nautilus.
      If the location is a path, then any subdirectories underneath that path
      are seen as accessible locations. Location restriction can also be used
      for hiding the Disks menu item. The adding of new devices can also be
      dealt with here, as the new devices location will not be in the allowed
      locations list, so therefore will not appear within Nautilus. By default
      location restriction will be FALSE, and the list allowed_locations will
      contain a default list of viewable locations from nautilus.

- Command Line Interface

      A new key will be used to control whether a command line interface
      will be available or not.

      boolean         /desktop/gnome/lockdown/disable_command_line

      This key if set will be responsible for hiding all terminal access from
      users. Hiding such menu options as :

          New Terminal
          Run Application
          Command Line applet.
          Applications->System Tools->Terminal

      Although if you want to restrict specific terminal items from appearing in the
      panel menus you could just ensure that gnome-terminal does not appear
      in the allowed applications list.


- Panel Configuration

      A new key will be used to lockdown the panel :

      boolean         /desktop/gnome/lockdown/lockdown_panel_config

      This key if set will control the appearance of the following
      menu items :
          Add To Panel
          Delete This Panel
          Properties
          New Panel

      Individual menu items on applets and launchers can also be controlled
      such as Move, Lock and Remove From Panel.

      This can be used to ensure users cannot Add new panels, remove existing
      ones, change the contents of existing panels, or change the location of
      existing panels by monitoring drag and drop of panels.

- Lock Screen/Logout

      A new gconf key will be used to determine whether the lockscreen and
      logout menu options appear in the panel :

      boolean         /desktop/gnome/lockdown/disable_lockscreen_and_logout

      This is particularly useful in Shared Desktop scenarios where you
      specifically do not want users to lock their screen or logout.


- Miscellaneous

      o Desktop Identity
      The desktop background and themes already have gconf keys associated
      with them. The writability of these keys can be checked and if
      not writable, then in nautilus the Change Desktop Background and
      Use Default Background menu items can be hidden and in the Panel
      the Theme Manager menu item can be hidden. The Theme Manager could
      also be hidden if Application Launching restriction is used and the
      binary gnome-theme-manager is not present it will not be displayed.


      o Setting Printers.
      To ensure a user does not change their default printer etc, then the
      printers:// location can be omitted from the allowed locations list.

      o MIME Type Setting
      The application gnome-file-types-properties is used to change your
      default MIME type settings. To restrict a user from doing so then
      remove this binary from the allowed_applications list.

      o Default Keyboard Shortcuts
      Similar to MIME settings to change your default keyboard and shortcuts
      the binary gnome-keybindings-properties is used. Just ensure this
      not be shown for them. This could also be done for Multimedia Keyboard
      shortcuts.


In summary I am proposing the following new keys :

      boolean         /desktop/gnome/lockdown/lockdown_desktop_icons
      boolean         /desktop/gnome/lockdown/restrict_application_launching
      string/list     /desktop/gnome/lockdown/allowed_applications
      boolean         /desktop/gnome/lockdown/restrict_locations
      string/list     /desktop/gnome/lockdown/allowed_locations
      boolean         /desktop/gnome/lockdown/disable_command_line
      boolean         /desktop/gnome/lockdown/lockdown_panel_config
      boolean         /desktop/gnome/lockdown/disable_lockscreen_and_logout

This I feel is a far better approach than what I had originally conceived and
is a good starting point with regard to locking down your desktop.

Please feel free to comment....

Regards..

Matt


-- 
         __.--'\     \.__./     /'--.__
     _.-'       '.__.'    '.__.'       '-._
   .'       Matt Keenan (mattman)          '.
  /       Sun Microsystems Ireland           \
|                                            |
|   E-Mail : Matt Keenan Sun Com             |
|            mattman iol ie                  |
|                                            |
|  Irish Fantasy League Of American Football |
|           http://www.iflaf.com             |
|                                            |
|        Happy Hookers Golf Society          |
|   http://www.iol.ie/~mattman/golf/hhgs.htm |
|                                            |
|   Phone  : +353 1 8199251, Sun Ext : 19251 |
  \         .---.              .---.         /
   '._    .'     '.''.    .''.'     '.    _.'
      '-./            \  /            \.-'
                       ''
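
Added example, not part of either message above: a small Python evaluator for the proposed allowed_applications and allowed_locations checks, including the path cases a simple string comparison would get wrong. The function names, the dictionary standing in for GConf, the sample policy values and the exact-match rule for binaries are assumptions made for illustration.

```python
import posixpath
import shlex

LOCKDOWN = "/desktop/gnome/lockdown/"

# Constructed sample policy; the proposal would store these values in GConf.
SAMPLE_POLICY = {
    LOCKDOWN + "restrict_application_launching": True,
    LOCKDOWN + "allowed_applications": ["nautilus", "gedit", "/usr/bin/gnome-calculator"],
    LOCKDOWN + "restrict_locations": True,
    LOCKDOWN + "allowed_locations": ["/home/student", "/usr/share/doc"],
}

def application_allowed(policy, exec_line):
    """Check the Exec value of a .desktop entry against allowed_applications."""
    if not policy.get(LOCKDOWN + "restrict_application_launching", False):
        return True  # proposal default: no restriction
    try:
        argv = shlex.split(exec_line)
    except ValueError:
        return False  # unparsable Exec line: fail closed
    if not argv:
        return False
    binary = argv[0]
    if "/" in binary:
        binary = posixpath.normpath(binary)
    # Assumption: exact match, never basename, so "/tmp/gedit" fails although "gedit" is listed.
    return binary in policy.get(LOCKDOWN + "allowed_applications", [])

def location_allowed(policy, location):
    """Check a nautilus location against allowed_locations (subdirectories included)."""
    if not policy.get(LOCKDOWN + "restrict_locations", False):
        return True
    if "://" in location:
        path = location  # URI-style location such as printers://, compared as-is
    else:  # collapse "." and ".." first; a real check would also resolve symlinks
        path = posixpath.normpath(location)
    for root in policy.get(LOCKDOWN + "allowed_locations", []):
        if "://" not in root:
            root = posixpath.normpath(root)
        prefix = root if root.endswith("/") else root + "/"
        # Compare whole components so "/home/student2" is not under "/home/student".
        if path == root or path.startswith(prefix):
            return True
    return False

def visible_menu_items(policy, entries):
    """Return the names of (name, Exec) menu entries that stay visible."""
    return [name for name, exec_line in entries if application_allowed(policy, exec_line)]
```
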
