Re: Mandatory Settings
- From: Havoc Pennington <hp redhat com>
- To: Malcolm Tredinnick <malcolm commsecure com au>
- Cc: Nick Vahalik <nvahalik e-tscc com>, gconf-list gnome org
- Subject: Re: Mandatory Settings
- Date: Sat, 06 Dec 2003 18:12:48 -0500
On Mon, 2003-12-01 at 21:42, Malcolm Tredinnick wrote:
>
> Leaving aside the issue of which settings can be controlled by gconf
> (since that is pretty application dependent), the "multiple policies"
> issue is not too straightforward with gconf. When we have talked about
> this in the past (as it pertains to lockdown settings), it has always
> seemed to come back to the fact that you need to be running different
> gconfd programs for the different policies. So normal users might be
> running /usr/bin/gconf* and managers running /opt/managers/bin/gconf*
> programs. Then you need to fiddle with permissions or ACLs or something
> to prevent users from running the manager version, etc. All a bit
> fiddly, but not impossible (the point being that each gconfd will access
> its own set of configuration files where you can tweak the policies).
There's a better way to do this; the gconf path file can have
environment variables expanded in it. So arrange to set an environment
variable like GCONF_POLICY_NAME=foo, then you can have
$(ENV_GCONF_POLICY_NAME) in your path file as part of the filename of a
configuration source. So if you have policies foo and bar, have:
/etc/gconf/gconf.policy-foo.defaults
/etc/gconf/gconf.policy-bar.defaults
and path file entry:
xml:readonly:/etc/gconf/gconf.policy-$(ENV_GCONF_POLICY_NAME).defaults
Or something along those lines. Doesn't _enforce_ the policy in a
security sense (people can change the environment variable), but as long
as people don't have a shell they can't get out of it.
Havoc
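
An added example, not part of the original message and not GConf code: a small audit that expands the `$(ENV_...)` references in a path file against a given environment and reports which configuration sources are selected by an environment variable rather than fixed. The function name `audit_path_file`, the `KNOWN_POLICIES` set, the sample path file and the empty-string expansion of an unset variable are assumptions made for illustration.

```python
import re

# $(ENV_NAME) references, the form used in the message above.
ENV_REF = re.compile(r"\$\(ENV_([A-Za-z_][A-Za-z0-9_]*)\)")

# Constructed sample: the entry from the message plus one fixed source.
SAMPLE_PATH_FILE = """\
# constructed sample path file
xml:readonly:/etc/gconf/gconf.policy-$(ENV_GCONF_POLICY_NAME).defaults
xml:readonly:/etc/gconf/gconf.xml.defaults
"""

# Policies that have a defaults file, per the message (foo and bar).
KNOWN_POLICIES = {"foo", "bar"}


def audit_path_file(text, environ, known_policies=KNOWN_POLICIES):
    """Return one finding per configuration source in the path file."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        names = ENV_REF.findall(line)
        # Assumption: an unset variable expands to the empty string.
        resolved = ENV_REF.sub(lambda m: environ.get(m.group(1), ""), line)
        policy_known = None  # None means the entry does not use the policy variable
        if "GCONF_POLICY_NAME" in names:
            policy_known = environ.get("GCONF_POLICY_NAME") in known_policies
        findings.append({
            "entry": line,
            "resolved": resolved,
            "env_controlled": bool(names),  # source chosen by the session environment
            "unset": [n for n in names if n not in environ],
            "policy_known": policy_known,
        })
    return findings


if __name__ == "__main__":
    for env in ({"GCONF_POLICY_NAME": "foo"}, {"GCONF_POLICY_NAME": "baz"}, {}):
        for f in audit_path_file(SAMPLE_PATH_FILE, env):
            print(env, "->", f["resolved"],
                  "| env-controlled:", f["env_controlled"],
                  "| policy known:", f["policy_known"])
```

Entries reported as `env_controlled` are the ones whose policy holds only as long as the session cannot alter its environment, which is the caveat stated in the message.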