May 30, 2007

Kiosktool locks down KDE users' desktops

Author: Anže Vidmar

Recently I wrote about locking down the GNOME desktop environment with Pessulus. In this article, I'll show you how to do the same for KDE, using Kiosktool, a front end for changing the KDE configuration files in users' home folders and the /etc/kde* folders.

With Kiosktool, system administrators can create as many profiles as they like and assign them to different users or groups (see Figure 1). You can also configure Kiosktool to automatically upload newly created profiles to a remote server on exit, making machine cloning easy. You can use this feature, for example, to set up several kiosk machines with the same KDE user profiles, as long as you have access to the root account on each machine.

By default, none of the functions Kiosktool can modify are disabled. To disable any function, check a box in front of the function name. When you highlight a function in the list, Kiosktools displays its description at the bottom of the Kiosktool window (see Figure 2).

Figure 1 - click to enlarge

Kiosktool lets you lock down components in a dozen categories: General, Desktop Icons, Desktop Background, Screen Saver, KDE Menu, Theming, Panel, Network Proxy, Konqueror, Menu Actions, Desktop Sharing, and File Associations.

The General component provides useful options like disabling all tasks and applications that require root access, as well as access to the command shell, run command, bookmarks, and logout option, and disabling starting a second X session.

Desktop Icons lets you lock down the whole desktop for the user, including context menus and icons. Desktop Background locks the desktop background settings. With Screen Saver, sysadmins can lock down screensaver settings and screensavers that uses OpenGL, and also allow only screensavers that hide the whole screen content.

In the KDE Menu component you can disable all tasks and applications that require root access from the KDE menu, and disable editing the KDE menu. The Theming component forces users to stick with the desktop theme you provide; you can lock down options like font, color, style, and windows decoration.

Figure 2 - click to enlarge

In the Panel settings you can lock prevent users from modifying the panel in any way (adding or removing applets or buttons or changing the panel settings). With Network Proxy you can set the proxy settings globally, so users are forced to use the global proxy settings for all connections.

In the Konqueror component you can disable file browsing outside the home directory, jailing the users in their home folder and preventing them from browsing anything below that. You can disable the "Open With" action, "Open in new tab" action, and disable properties in the context menu.

In the Menu Actions component you can disable several categories of actions from the menus in all KDE applications. The actions are: File, Edit, View, Go, Bookmarks, Tools, Settings, and Help. You can also prevent users from saving any changes made to KDE application menus.

Finally, you can disable Desktop Sharing, and lock down File Associations so that users cannot change the default application associations.

Kiosktool provides better control over KDE settings than Pessulus does over GNOME. I especially like its ability to assign different profiles to different set of users or groups. Thanks to the range of features it controls, Kiosktool is a good tool for not only setting up kiosk machines, but also setting user profiles on multiuser machines easily.