Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature
Lock down the GNOME desktop with Pessulus
Share
Print
CommentsPessulus is a Python front end for configuring the Gconf XML configuration files.
The software lets you create a profile that limits a user to a set of application that a system administrator allows. It has a nice, logically structured GUI that allows administrators to choose and click checkboxes on the options that you want to deny for user access. By default all the lockdown functions are unchecked, meaning the system remains configured as is. Also, there is no button to check all the checkboxes at once; you have to choose each one by one. Moving the mouse button over a specific lockdown option gives administrators a description of that function in a popup box.
Pessulus provides four main groups for locking specific sets of applications -- Main, Panel, Epiphany Web browser, and GNOME screensaver. Each group allows an administrator to limit a specific set of software or functions.
The Main category includes lockdown of the command line (terminal), disabling printing (including disabling print setup), and disabling the "save to disk" function, which is useful if you don't want people to save anything on the terminal PC. Checking the Pessulus box to disable "save to disk" actually disables the "Save" function in all applications.
|
|
| Click to enlarge |
Unfortunately, in the third group, you can disable functions only for the Epiphany Web browser and not Firefox or Opera, for example, but this is OK as long you don't have any other Web browser installed on the system. This set of restrictions is useful if you're planning to have a Web-only terminal PC, because you can lock down the important functions such as the quit function, hide the menubar, disable bookmark editing, and disable JavaScript. Unfortunately, there is no option to disable Flash animations. You can also force Epiphany to run only in full screen mode, so that you can turn your box into a Web terminal. And you can disable users' ability to type URLs in Epiphany, and disable loading content from unsafe protocols (anything that is not HTTP or HTTPS).
The GNOME screensaver menu gives you three choices. You can set the screensaver to lock the screen when the screensaver activates, requiring users to type a password if they want to continue, set the option in the unlock dialog to allow users to log out after a delay, or add an option to the unlock dialog to allow user switching.
The only lockdown function that you might miss is the ability to not be able to mount external storage devices (like USB keys).
Pessulus gives you a nice interface for disabling specific user functions on the GNOME desktop, which makes GNOME now a suitable graphical environment for use on publicly available terminals.
Comments
on Lock down the GNOME desktop with PessulusNote: Comments are owned by the poster. We are not responsible for their content.
2. Sure, chown root:root, chmod a=r,u=rw
3. i dunno
heh, not very useful<nobr> <wbr></nobr>;)
Naturally you have to pay for whatever there is available. The extortion scheme isn't exactly lessened by internet cafes seriously competing on price or useability. Windows XP and an annoying toolbar- and spyware-riddled IE7 was the only thing available to your pleasure.
Not sure if I'd been any bit more happy, if I had encountered a locked down Gnome desktop instead. Actually, dumbing things down doesn't make them "more secure" - just more annoying to use. And I'm somewhat worried that the anti-user wave and crapware is reaching Linux now. (OTH, we're talking about Gnome, right?)
Did you even read the article?
Where is this "dumbing down" you are talking of? It's just taking away some features that are not welcome on a public terminal which should be used for webbrowsing. If YOU have no use for it, you are obviously not the intended target audience.
And about the "annoying" part:
Did you ever use a properly configured public terminal? Oviously not. You could be glad to be allowed to move the mouse. (Okay, that was a bit exaggerated, but you get the idea)
mrben
If someone is perfectly fine with the result of the gconf-preferences, why should he BUY a distro where he couldn't even find out about the price on the website?
<a href="http://userful.com/products/discoverstation" title="userful.com">http://userful.com/products/discoverstation</a userful.com>
So how do you actually run it?
Posted by: Anonymous Coward on May 22, 2007 11:37 PM1. Do I run it as the kiosk user or as root?
2. Does it write to<nobr> <wbr></nobr>/etc/gconf or ~kiosk/.gconf ? If the latter, what stops the kiosk user modifying the rules? Can you make ~kiosk/.gconf read only?
3. Do the rules apply to all users or just one? Can groups be created with these policies?
#