Re: gnome-panel menu lockdown proposal

[guenther <guenther rudersport de>]

On Mon, 2007-01-08 at 14:47 +0000, Matt Keenan wrote:
> guenther wrote:
> > The above covers Nautilus ways and manually creating .desktop files?
> 
> Forgot to state we also have a patch for nautilus, e.g. when user
> double clicks on an item to launch it, if not in the allowed list it
> won't launch....etc..
>
> > What about non-obvious ways to launch an app? Although often not
> > intended to run full featured UI apps, it can be abused to do so.
> >
> > * gnome-terminal (if in the allowed list)
> 
> Attempting to launch an application from the terminal... well to be
> honest if a user has terminal access, it's fairly likely they won't
> have a locked down desktop in operation, interesting idea though none
> the less.

True. :)

> > * deskbar-applet
> 
> Just disallow use of the deskbar-applet completely, via disabled_applets.

So there is a third part involved the admin needs to take care of in
order to lock down anything...

My point is, that the admins need to be aware of this. The original post
gave the impression of a one-stop solution, to lock this down. Which may
be what a real life admin believes it to be, too. After all, there is a
list of allowed applications. But additionally, the admin actually needs
to explicitly *dis*allow some more applications...

The admin has to be perfectly aware that this solution will stop running
arbitrary apps only at a first glance. It will not stop the user from
doing so, if he really wants to.

  guenther


-- 
char *t="\10pse\0r\0dtu\0  ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}