Locking down KDE with Kiosk
Lock Down
KDE Kiosk lets administrators control user environments, including settings, themes, and access to the command shell and designated peripherals.
KDE Kiosk [1] is a framework for restricting features on users' desktops. As a system administrator, you can use Kiosk for a variety of reasons, including restricting features on a public terminal, enforcing a uniform wallpaper and theme in a corporate environment, eliminating the need to reset desktops after a lesson in a teaching lab, or increasing security. Kiosk includes more than two hundred settings [2], as well as the ability to lock down basic KDE configuration files.
Kiosk was introduced midway through the KDE 3 release series. For a while, a Kiosk Admin Tool [3] allowed admins to lock down features from the desktop. However, with the start of KDE 4, changes in structure and file names rendered the original Kiosk obsolete.
A new version of Kiosk did not begin to appear until two years after the release of KDE 4.0, which was more than enough time for people to conclude that it was not returning. The situation is not improved by the need to explore different versions of the documentation to figure out which one is current. More confusion is caused by the use of similar concepts in the two versions of the framework that are not identical.
The most recent version of Kiosk remains a work in progress and currently lacks some of the features of the earlier version, such as the ability to block specific URLs in Konqueror. The current version does not have the desktop tool and remains stubbornly a collection of various configuration files.
Basic Concepts
Normally, you would lock down a KDE desktop by changing permissions to write-protect configuration files, but that is an all-or-nothing choice. By contrast, Kiosk provides precise, logical controls that allow you to set up users' desktops exactly the way you want.
To begin using Kiosk, you first need to understand that it works mainly in two files: /etc/kde4/kdeglobals and, depending on the distribution and KDE version, ~/.kde/share/config/kdeglobals or ~/.kde4/share/config/kdeglobals. In most distributions, you will have to use a text editor to create /etc/kde4/kdeglobals; but, if it exists, it becomes the default for the ~/.kde/share/config/kdeglobals file for a new account.
You also have the option of adding Kiosk settings (or keys, as the documentation calls them) to other configuration files in ~/.kde/share/config/, such as plasma-desktop-appletsrc or konsolerc. This dispersal might make it more difficult for an advanced user to find and circumvent all keys, but remembering which files contain what can quickly become complicated enough that you are better off avoiding the practice and putting the keys into the kdeglobals files whenever possible. Only a few keys need to be placed in other configuration files.
Within the kdeglobals files, you can organize the keys into sections whose names are enclosed in square brackets. These names are for human use only, and their order does not matter to Kiosk.
Below the section name, enter the keys, one per line. A typical key uses the following structure:
CATEGORY/KEY= FALSE or TRUE
The key's value should be false to remove the feature from a desktop. If the home directory version of kdeglobals is set to true while the default kdeglobals is set to false, the feature will display despite the default, unless its key is marked as immutable in the default (see the "Immutability" box).
Immutability
A configuration file, section, or key can be given priority by marking it as unchangeable, or immutable, with [$i]. You should think twice about setting an entire file as immutable; but, if you do, place [$i] on the first line by itself. To make a section immutable, place [$i] at the end of the line with the section name. You can make a key immutable by adding [$i] after the category/key and before the equals sign.
Ordinarily, the keys in /etc/kde4/kdeglobals are applied automatically, unless they are specifically contradicted by ~/.kde/share/config/kdeglobals. However, any section or key marked as immutable in /etc/kde4/kdeglobals will automatically override the settings for the same section or key in ~/.kde/share/config/kdeglobals – even if it is also marked as immutable.
A typical section of a kdeglobals file might look like this:
[Plasma Desktop]
plasma-desktop/scripting_console=false
plasma-desktop/add_activities=false
These settings make the Plasma scripting console inaccessible and prevent adding Activities.
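The precedence rules described above can be checked mechanically before a configuration is rolled out. The following is an added example, not code from the article or from KDE: it parses two kdeglobals-style files, applies the precedence as this article describes it (home directory wins unless the default marks the file, section, or key immutable with KDE's `[$i]` marker), and flags every key where a home-directory `true` would re-enable a feature the default disables. The function names and sample files are constructed for illustration, and keys are matched by name alone, following the article's treatment of section names as labels.

```python
import re

# "[Section]" with an optional trailing "[$i]" immutability marker.
SECTION_RE = re.compile(r"^\[[^\]]+\](\[\$i\])?$")
# "category/key=value" with an optional "[$i]" before the equals sign.
KEY_RE = re.compile(r"^([^=\[\s]+)\s*(\[\$i\])?\s*=\s*(.*)$")

def parse_kdeglobals(text):
    """Return {key: (value, immutable)} for one kdeglobals-style file."""
    entries, file_imm, section_imm = {}, False, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "[$i]":                 # whole file marked immutable
            file_imm = True
        elif (m := SECTION_RE.match(line)):
            section_imm = bool(m.group(1))
        elif (m := KEY_RE.match(line)):
            immutable = file_imm or section_imm or bool(m.group(2))
            entries[m.group(1)] = (m.group(3).strip().lower(), immutable)
    return entries

def effective_settings(default_text, home_text):
    """Merge both files; 'reenabled' marks a home 'true' beating a default 'false'."""
    default, home = parse_kdeglobals(default_text), parse_kdeglobals(home_text)
    report = {}
    for key in sorted(set(default) | set(home)):
        d_val, d_imm = default.get(key, (None, False))
        h_val = home.get(key, (None, False))[0]
        source = "default" if d_imm or h_val is None else "home"
        value = d_val if source == "default" else h_val
        reenabled = source == "home" and d_val == "false" and h_val == "true"
        report[key] = {"value": value, "source": source, "reenabled": reenabled}
    return report

# Constructed sample files; the section names are labels chosen for the example.
DEFAULT = """[Plasma Desktop]
plasma-desktop/scripting_console=false
plasma-desktop/add_activities[$i]=false
[Printing][$i]
action/file_print=false
"""
HOME = """[Plasma Desktop]
plasma-desktop/scripting_console=true
plasma-desktop/add_activities=true
action/file_print=true
"""

if __name__ == "__main__":
    for key, info in effective_settings(DEFAULT, HOME).items():
        print(key, info)
```

In the sample, only plasma-desktop/scripting_console is reported as re-enabled, because it is the one key the default file leaves unmarked.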
Applying Kiosk Keys
Once you understand how Kiosk uses configuration files, applying a control is a matter of adding a category and key and setting its value – generally to false. The only time you will want a true value is when the default kdeglobals file does not set anything immutable, and you want the home directory version to override it.
Kiosk includes far too many keys to discuss in their entirety, but the items listed in Tables 1, 2, and 3 are some of the more useful and are organized by suggested sections. Most key names are self-explanatory.
Table 1
Restrictions for All Plasma Apps
Key | Decision |
---|---|
| Whether immutable widgets and containments* can be configured |
| Whether context menus are displayed |
| Whether external scripting extensions to APIs can be used |
* Containments are desktop templates
Table 2
Printing Restrictions
Key | Action |
---|---|
| Limits to one copy |
| Disables the complete print dialog. If printing is attempted, default settings are used |
| No additional print options can be chosen |
| Removes dialog to change print properties or add new printer |
| Eliminates printer selection |
| Removes selection of CUPS printing back end |
Table 3
Administration Restrictions
Group |
---|
Resource Restrictions |
Action Restrictions |
Konsole Keys |
Session Capability Restrictions |
Plasma Desktop Restrictions |
File Dialog Keys |
In the "Administration Restrictions" box, the resource restrictions group is one of the more powerful; if all is used, most configuration options are removed. Along with resource restrictions, session capability restrictions are used to set some of the most basic behavior. KDE action restrictions remove menu items from KDE applications, although other applications, such as Firefox and LibreOffice, will remain unaffected.
When selecting keys, be sure to check the complete list to ensure that you have all the related keys necessary to prevent a particular action. For example, if you want to prevent printing, it is not enough to remove action/file_print; you should also disable the general keys for printing. In several places, a key list mentions when other groups of keys should be selected together.
Things to Watch
When you first start using Kiosk, you might imagine that setting everything as immutable in the default kdeglobals is the most economical method. However, you are likely to find that setting carefully chosen sections or keys as immutable is more flexible. You might consider working with unmarked sections or keys and, in special circumstances, producing local versions of kdeglobals. Either way, making effective use of Kiosk takes time and imagination. You should make sure all versions of kdeglobals are included in your regular backups to spare you the ordeal of having to recreate your work.
As you apply Kiosk, be aware that loose permissions or sudo can help experienced users. Besides being thorough when selecting keys, be sure that local versions of configuration files are marked as read-only and that as few users as possible have access to root permissions. Whenever possible, you should install KDE applications in preference to general apps or those from Gnome or other desktops.
Make no mistake – KDE Kiosk is a powerful framework that goes far beyond other efforts, such as xguest, to limit user capabilities. However, that does not mean that planning and other system tools cannot enhance your Kiosk controls. Experiment with Kiosk and dummy accounts before implementing it, and watch for additional capacities as development of Kiosk continues.
Infos
[1] KDE Kiosk: http://techbase.kde.org/KDE_System_Administration/Kiosk/Introduction
[2] Kiosk keys: http://techbase.kde.org/KDE_System_Administration/Kiosk/Keys
[3] Kiosk Admin Tool: http://extragear.kde.org/apps/kiosktool/