Re: Mandatory Settings



On Mon, 2003-12-01 at 21:42, Malcolm Tredinnick wrote:
> 
> Leaving aside the issue of which settings can be controlled by gconf
> (since that is pretty application dependent), the "multiple policies"
> issue is not too straightforward with gconf. When we have talked about
> this in the past (as it pertains to lockdown settings), it has always
> seemed to come back to the fact that you need to be running different
> gconfd programs for the different policies. So normal users might be
> running /usr/bin/gconf* and managers running /opt/managers/bin/gconf*
> programs. Then you need to fiddle with permissions or ACLs or something
> to prevent users from running the manager version, etc. All a bit
> fiddly, but not impossible (the point being that each gconfd will access
> its own set of configuration files where you can tweak the policies).

There's a better way to do this; the gconf path file can have
environment variables expanded in it. So arrange to set an environment
variable like GCONF_POLICY_NAME=foo, then you can have
$(ENV_GCONF_POLICY_NAME) in your path file as part of the filename of a
configuration source. So if you have policies foo and bar, have:
 /etc/gconf/gconf.policy-foo.defaults
 /etc/gconf/gconf.policy-bar.defaults

and path file entry:
 xml:readonly:/etc/gconf/gconf.policy-$(ENV_GCONF_POLICY_NAME).defaults

Or something along those lines. Doesn't _enforce_ the policy in a
security sense (people can change the environment variable), but as long
as people don't have a shell they can't get out of it.

Havoc
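
The following is an added example, not part of the original message and not GConf code. It emulates the $(ENV_...) substitution described above on a constructed path file and marks the entries whose source is chosen by an environment variable, which is the part a user's own session can change. The function names and the sample path file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emulates the $(ENV_NAME) substitution described in the message.
# Not GConf code; function names are hypothetical.

open='$(ENV_'

# expand_entry ENTRY: replace each $(ENV_NAME) with the current value of $NAME.
expand_entry() {
    line=$1 out=
    while case $line in *"$open"*')'*) true ;; *) false ;; esac; do
        prefix=${line%%"$open"*}
        rest=${line#*"$open"}
        name=${rest%%')'*}
        line=${rest#*')'}
        case $name in
            ''|*[!A-Za-z0-9_]*) value= ;;   # assumption: a malformed name expands to nothing
            *) eval "value=\${$name-}" ;;   # safe: name is validated above
        esac
        out=$out$prefix$value
    done
    printf '%s\n' "$out$line"
}

# env_selected ENTRY: succeeds when the source is picked by an environment
# variable, i.e. by something the user's own session can change.
env_selected() {
    case $1 in *"$open"*')'*) return 0 ;; *) return 1 ;; esac
}

# audit_path: read path-file entries on stdin, print "<tag><TAB><resolved entry>".
audit_path() {
    while IFS= read -r entry; do
        case $entry in ''|'#'*) continue ;; esac
        if env_selected "$entry"; then tag=env-selected; else tag=fixed; fi
        printf '%s\t%s\n' "$tag" "$(expand_entry "$entry")"
    done
}

# Constructed path file: one fixed source plus the policy entry from the message.
sample_path='xml:readonly:/etc/gconf/gconf.xml.mandatory
xml:readonly:/etc/gconf/gconf.policy-$(ENV_GCONF_POLICY_NAME).defaults'

GCONF_POLICY_NAME=foo
printf '%s\n' "$sample_path" | audit_path
GCONF_POLICY_NAME=bar    # the same entry now resolves to the other policy file
printf '%s\n' "$sample_path" | audit_path
```

Entries tagged env-selected are the ones to treat as a convenience rather than a control, for the reason given in the message.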




