Locking down KDE with Kiosk
Lock Down
KDE Kiosk lets administrators control user environments, including settings, themes, and access to the command shell and designated peripherals.
KDE Kiosk [1] is a framework for restricting features on users' desktops. As a system administrator, you can use Kiosk for a variety of reasons, including restricting features on a public terminal, enforcing a uniform wallpaper and theme in a corporate environment, eliminating the need to reset desktops after a lesson in a teaching lab, or increasing security. Kiosk includes more than two hundred settings [2], as well as the ability to lock down basic KDE configuration files.
Kiosk was introduced midway through the KDE 3 release series. For a while, a Kiosk Admin Tool [3] allowed admins to lock down features from the desktop. However, with the start of KDE 4, changes in structure and file names rendered the original Kiosk obsolete.
A new version of Kiosk did not begin to appear until two years after the release of KDE 4.0, which was more than enough time for people to conclude that it was not returning. The situation is not improved by the need to explore different versions of the documentation to figure out which one is current. More confusion is caused by the use of similar concepts in the two versions of the framework that are not identical.
The most recent version of Kiosk remains a work in progress and currently lacks some of the features of the earlier version, such as the ability to block specific URLs in Konqueror. The current version does not have the desktop tool and remains stubbornly a collection of various configuration files.
Basic Concepts
Normally, you would lock down a KDE desktop by changing permissions to write-protect configuration files, but that is an all-or-nothing choice. By contrast, Kiosk provides precise, logical controls that allow you to set up users' desktops exactly the way you want.
To begin using Kiosk, you first need to understand that it works mainly in two files: /etc/kde4/kdeglobals and, depending on the distribution and KDE version, ~/.kde/share/config/kdeglobals or ~/.kde4/share/config/kdeglobals. In most distributions, you will have to use a text editor to create /etc/kde4/kdeglobals; but, if it exists, it becomes the default for the ~/.kde/share/config/kdeglobals file for a new account.
You also have the option of adding Kiosk settings (or keys, as the documentation calls them) to other configuration files in ~/.kde/share/config/, such as plasma-desktop-appletsrc or konsolerc. This dispersal might make it more difficult for an advanced user to find and circumvent all keys, but remembering which files contain what can quickly become complicated enough that you are better off avoiding the practice and putting the keys into the kdeglobals files whenever possible. Only a few keys need to be placed in other configuration files.
Within the kdeglobals files, you can organize the keys into sections whose names are enclosed in square brackets. These names are for human use only, and their order does not matter to Kiosk.
Below the section name, enter the keys, one per line. A typical key uses the following structure:
CATEGORY/KEY= FALSE or TRUE
The key's value should be false to remove the feature from a desktop. If the home directory version of kdeglobals is set to true while the default kdeglobals is set to false, the feature will display despite the default, unless its key is marked as immutable in the default (see the "Immutability" box).
Immutability
A configuration file, section, or key can be given priority by marking it as unchangeable, or immutable, with [$i]. You should think twice about setting an entire file as immutable; but, if you do, place [$i] on the first line by itself. To make a section immutable, place [$i] at the end of the line with the section name. You can make a key immutable by adding [$i] after the category/key and before the equals sign.
Ordinarily, the keys in /etc/kde4/kdeglobals are applied automatically, unless they are specifically contradicted by ~/.kde/share/config/kdeglobals. However, any section or key marked as immutable in /etc/kde4/kdeglobals will automatically override the settings for the same section or key in ~/.kde/share/config/kdeglobals – even if the home directory version is also marked as immutable.
A typical section of a kdeglobals file might look like this:
[Plasma Desktop]
plasma-desktop/scripting_console=false
plasma-desktop/add_activities=false
These settings make the Plasma scripting console inaccessible and prevent adding Activities.
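The precedence rules described in this section can be checked before a rollout. The following is an added example, not code from the article or from KDE: it models the default-versus-home-directory merge as the article describes it, using KConfig's [$i] immutability marker, and reports which restrictions a user file would re-enable. The function names and the sample file contents are constructed for illustration.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\](\[\$i\])?$")        # [Name] or [Name][$i]
ENTRY = re.compile(r"^([^=\[]+)(\[\$i\])?\s*=\s*(.*)$")  # key=value or key[$i]=value

def parse(text):
    """Return (file_imm, imm_sections, {(section, key): (value, locked)})."""
    file_imm, imm_sections, entries, section = False, set(), {}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "[$i]":                      # whole file marked immutable
            file_imm = True
        elif (m := SECTION.match(line)):
            section = m.group(1)
            if m.group(2):                      # section marked immutable
                imm_sections.add(section)
        elif (m := ENTRY.match(line)):
            locked = file_imm or section in imm_sections or bool(m.group(2))
            entries[(section, m.group(1).strip())] = (m.group(3).strip().lower(), locked)
    return file_imm, imm_sections, entries

def audit(system_text, user_text):
    """Merge user keys over the system defaults and report overrides."""
    file_imm, imm_sections, system = parse(system_text)
    effective = {k: value for k, (value, _) in system.items()}
    findings = []
    for (section, key), (value, _) in parse(user_text)[2].items():
        sys_value, locked = system.get((section, key), (None, file_imm or section in imm_sections))
        if locked and value != sys_value:       # immutable default wins
            findings.append(("blocked", section, key))
        elif not locked:                        # user value wins
            effective[(section, key)] = value
            if sys_value == "false" and value == "true":
                findings.append(("re-enabled", section, key))
    return effective, findings

# Constructed sample: the article's [Plasma Desktop] section with one key locked,
# and a user copy that flips both keys to true.
SYSTEM = """[Plasma Desktop]
plasma-desktop/scripting_console[$i]=false
plasma-desktop/add_activities=false
"""
USER = SYSTEM.replace("[$i]", "").replace("false", "true")

if __name__ == "__main__":
    for kind, section, key in audit(SYSTEM, USER)[1]:
        print(f"{kind}: [{section}] {key}")
```

Any "re-enabled" finding is a restriction that needs an immutable marker in the default file, or a read-only home directory copy, to hold.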
Applying Kiosk Keys
Once you understand how Kiosk uses configuration files, applying a control is a matter of adding a category and key and setting its value – generally to false. The only time you will want a true value is when the default kdeglobals file does not set anything immutable, and you want the home directory version to override it.
Kiosk includes far too many keys to discuss in their entirety, but the items listed in Tables 1, 2, and 3 are some of the more useful and are organized by suggested sections. Most key names are self-explanatory.
Table 1
Restrictions for All Plasma Apps
Key | Decision |
---|---|
| Whether immutable widgets and containments* can be configured |
| Whether context menus are displayed |
| Whether external scripting extensions to APIs can be used |
* Containments are desktop templates
Table 2
Printing Restrictions
Key | Action |
---|---|
| Limits to one copy |
| Disables the complete print dialog. If printing is attempted, default settings are used |
| No additional print options can be chosen |
| Removes dialog to change print properties or add new printer |
| Eliminates printer selection |
| Removes selection of CUPS printing back end |
Table 3
Administration Restrictions
Key groups: Resource Restrictions, Action Restrictions, Konsole Keys, Session Capability Restrictions, Plasma Desktop Restrictions, File Dialog Keys
In the "Administration Restrictions" box, the resource restrictions group is one of the more powerful; if all is used, most configuration options are removed. Along with resource restrictions, session capability restrictions are used to set some of the most basic behavior. KDE action restrictions remove menu items from KDE applications, although other applications, such as Firefox and LibreOffice, will remain unaffected.
When selecting keys, be sure to check the complete list to ensure that you have all the related keys necessary to prevent a particular action. For example, if you want to prevent printing, it is not enough to remove action/file_print; you should also disable the general keys for printing. In several places, a key list mentions when other groups of keys should be selected together.
Things to Watch
When you first start using Kiosk, you might imagine that setting everything as immutable in the default kdeglobals is the most economical method. However, you are likely to find that setting carefully chosen sections or keys as immutable is more flexible. You might consider working with unmarked sections or keys and, in special circumstances, producing local versions of kdeglobals. Either way, making effective use of Kiosk takes time and imagination. You should make sure all versions of kdeglobals are included in your regular backups to spare you the ordeal of having to recreate your work.
As you apply Kiosk, be aware that loose permissions or sudo can help experienced users. Besides being thorough when selecting keys, be sure that local versions of configuration files are marked as read-only and that as few users as possible have access to root permissions. Whenever possible, you should install KDE applications in preference to general apps or those from Gnome or other desktops.
Make no mistake – KDE Kiosk is a powerful framework that goes far beyond other efforts, such as xguest, to limit user capabilities. However, that does not mean that planning and other system tools cannot enhance your Kiosk controls. Experiment with Kiosk and dummy accounts before implementing it, and watch for additional capacities as development of Kiosk continues.
Infos
[1] KDE Kiosk: http://techbase.kde.org/KDE_System_Administration/Kiosk/Introduction
[2] Kiosk keys: http://techbase.kde.org/KDE_System_Administration/Kiosk/Keys
[3] Kiosk Admin Tool: http://extragear.kde.org/apps/kiosktool/