Re: Lockdown or Kiosk configuration



On Wed, 2009-09-16 at 21:20 -0700, Micheal Wall wrote:
> Greetings,
> 
> I am interested in locking down nm-applet. I would like users to be able to connect to connections I've already configured (right-click-->edit connections...). However, I do not want users to be able to edit connections or disable networking (anything on the context menu). I would like to disable the context menu. I am willing to try anything, including re-compiling code if necessary. Anyone have suggestions?

1) you'll want to make your connections "System" connections, which you
can do in the connection editor by checking the "Available to all users"
checkbox.  Any user can choose a system connection, but you can disallow
any or all users from modifying those connections.

2) you'll want to use GConf mandatory settings to lock down
the /system/networking/connections directory so that users cannot create
connections themselves.

3) You can likely use D-Bus permissions in
the /etc/dbus-1/system.d/NetworkManager.conf file to restrict the
"sleep" and "wake" methods to root-only in both the "policy
at_console=true" and "default" contexts of that file:

                <deny send_destination="org.freedesktop.NetworkManager"
                       send_interface="org.freedesktop.NetworkManager"
                       send_type="method_call"
                       send_member="sleep"/>

                <deny send_destination="org.freedesktop.NetworkManager"
                       send_interface="org.freedesktop.NetworkManager"
                       send_type="method_call"
                       send_member="wake"/>

                <deny send_destination="org.freedesktop.NetworkManager"
                       send_interface="org.freedesktop.NetworkManager"
                       send_type="method_call"
                       send_member="Sleep"/>

                <deny send_destination="org.freedesktop.NetworkManager"
                       send_interface="org.freedesktop.DBus.Properties"
                       send_type="method_call"
                       send_member="Set"/>

I believe that's the necessary bits.

Or, since you can rebuild the applet, you can take out the UI elements
(but users would still be able to use dbus-send from the command line to
do what the UI does) and remove this code from the "setup_widgets()"
function:

	g_signal_connect (applet->status_icon, "popup-menu",
			  G_CALLBACK (status_icon_popup_menu_cb), applet);

which will disable showing the context menu.

Dan
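
Added example, not part of the original message or of NetworkManager: a Python check that a D-Bus policy file carries the four deny rules listed above in both the at_console and default policy contexts, and that no later rule naming the same call re-allows it. The sample policy text is constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

NM = "org.freedesktop.NetworkManager"
PROPS = "org.freedesktop.DBus.Properties"
# (interface, member) pairs copied from the deny rules in the message above
REQUIRED = [(NM, "sleep"), (NM, "wake"), (NM, "Sleep"), (PROPS, "Set")]

def context_of(policy):
    """Map a <policy> element to one of the two contexts the message names."""
    if policy.get("at_console") == "true":
        return "at_console"
    if policy.get("context") == "default":
        return "default"
    return None

def verdict(policies, iface, member):
    """Tag of the last rule naming exactly this call, or None.
    Broader rules (for example ones without send_member) are not evaluated."""
    last = None
    for policy in policies:
        for rule in policy:
            if (rule.tag in ("allow", "deny")
                    and rule.get("send_destination") == NM
                    and rule.get("send_interface") == iface
                    and rule.get("send_member") == member):
                last = rule.tag
    return last

def audit(xml_text):
    """Return (context, interface, member) triples that are not denied."""
    root = ET.fromstring(xml_text)
    gaps = []
    for ctx in ("at_console", "default"):
        policies = [p for p in root.iter("policy") if context_of(p) == ctx]
        for iface, member in REQUIRED:
            if verdict(policies, iface, member) != "deny":
                gaps.append((ctx, iface, member))
    return gaps

def rule(tag, iface, member):
    """Build one send rule in the same shape as the rules in the message."""
    return (f'<{tag} send_destination="{NM}" send_interface="{iface}" '
            f'send_type="method_call" send_member="{member}"/>')

# Constructed sample: at_console is complete; default lacks two denies
# and re-allows "wake" after denying it.
SAMPLE = ('<busconfig><policy at_console="true">'
          + "".join(rule("deny", i, m) for i, m in REQUIRED)
          + '</policy><policy context="default">'
          + rule("deny", NM, "sleep") + rule("deny", NM, "wake")
          + rule("allow", NM, "wake") + "</policy></busconfig>")

if __name__ == "__main__":
    for gap in audit(SAMPLE):
        print("not denied:", *gap)
```

To audit a real system, pass the contents of /etc/dbus-1/system.d/NetworkManager.conf to audit(); an empty list means every listed call is denied in both contexts.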
