User:Danimo/KIOSK

From KDE TechBase

KIOSK Admin Tool user manual

Waldo Bastian (bastian kde.org), Michael Manke ([email protected])

Revision 1.1 (2005-08-09)

Copyright © 2005 <a href= "mailto:[email protected]"></a><a href= "mailto:[email protected]"></a><a href= "mailto:[email protected]">[email protected]</a> <a href= "mailto:[email protected]"></a><a href= "mailto:[email protected]"></a><a href= "mailto:[email protected]"></a><a href= "mailto:[email protected]"></a><a href= "mailto:[email protected]">[email protected]</a><a href="mailto:[email protected]"></a><a href="mailto:[email protected]"></a>

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

KIOSK Admin Toolis a KDE administration tool that offers system administrators an easy way to predefine desktop configurations for groups of users, lock down settings or otherwise restrict features of the KDE desktop environment.

Table of Contents

  1. Overview

  2. Profiles

  3. Install KIOSK Admin Tool and KDE Basics

  4. KIOSK Admin Tool Settings

  5. Add New Profile

  6. Assigning Profiles

  7. Setting up a Profile

  8. Using Profiles with Older KDE Versions

  9. Credits and License


Chapter 1. Overview

KIOSK Admin Tool is a KDE administration tool that offers system administrators an easy way to predefine desktop configurations for single and/or groups of users, lock down settings or otherwise restrict features of the KDE desktop environment.

The default Desktop delivers many powerful features an possibilities. However, in business environment for example it is nessesary to reduce the number of programs, features and possibilities according to the tasks that need to be done.

KIOSK Admin Tool takes advantage of KDE's KIOSK restrictions framework. It is centered around profiles.A profile is a collection of default settings and restrictions that can be applied to either individual users or groups of users.

KDE's Kiosk framework makes it possible for a system administrator to turn off certain KDE features.

Typical usage of KIOSK Admin Tool is to create a new profile, then to set up the profilewith the desired default settings and restrictions, and finally to activate the profile by assigning the profile to one or more users.


Chapter 2. Profiles

A profile is a collection of default settings and restrictions that can be applied to either individual users or groups of users.

The KDE desktop environment as well as all KDE applications use a specific directory structure to lookup configuration settings and various other information. KDE knows about several locations for these directory structures. All the information and configuration settings found in the various locations are combined before they are used. Lock down features control whether settings in the user's home folder ($KDEHOME or ~/.kde) are taken into account or not.

A profile consists of a standard KDE directory structure in a custom location with settings and information chosen by you.

KIOSK Admin Tool lets you chose in which location a profile should be stored. Information about available profiles is stored in the file /etc/kderc.

It is recommended to store all profiles under a single directory. In this case the /etc/kderc file only needs to contain a reference to this single directory and KDE and KIOSK Admin Tool will automatically pick up all profiles stored under this directory. See the Chapter 4chapter for more information.


Chapter 3. Install KIOSK Admin Tool and KDE Basics


KIOSK Admin Tool works since KDE 3.

When using KIOSK Admin Tool in combination with older versions of KDE (KDE 3.2 or older) some additional steps need to be taken in order to properly activate the profiles.

In KDE 3.2 a common menu format is introduced.

<a href="http://freedesktop.org/Standards/menu-spec/">http://freedesktop.org/Standards/menu-spec/</a>

The new menu format defines structure in a single .menu file, is based on categories, is shared between Gnome and KDE and supports applnk style menus as well.

It is preferred to use KDE 3.2.2 or newer.


The Distribution of SuSE 9.1 contains KIOSK Admin Tool that should be replaced by a newer version.


Downloads from: <a href= "http://extragear.kde.org/apps/kiosktool"></a><a href= "http://extragear.kde.org/apps/kiosktool"></a><a href= "http://extragear.kde.org/apps/kiosktool">http://extragear.kde.org/apps/kiosktool</a><a href="http://extragear.kde.org/apps/kiosktool"></a><a href="http://extragear.kde.org/apps/kiosktool"></a> .

For SuSE you can get a rpm-package:

Install command : rpm -i kiosktool-version.i568.rpm


The installation procedure in SuSE 9.2 may be done directly by YAST, but you have to select KIOSK Admin Tool manually.

Additional informations to next part of documentation (filesystem hierarchie, configuration files) you find here: <a href="http://www.kde.org/areas/sysadmin"></a><a href= "http://www.kde.org/areas/sysadmin"></a><a href= "http://www.kde.org/areas/sysadmin">http://www.kde.org/areas/sysadmin</a><a href="http://www.kde.org/areas/sysadmin"></a><a href="http://www.kde.org/areas/sysadmin"></a>


KDE defines a filesystem hierarchy which is used by the KDE environment itself as well as all KDE applications (and KIOSK Admin Tool).


/opt kde3/bin/kiosktool

/opt/kde3/bin/kiosktool-kdedirs

/opt/kde3/share/apps/kiosktool/...

/opt/kde3/share/config/kiosktoolrc

/opt/kde3/share/icons/...

/opt/kde3/share/locale/... (language packages)

...

check this: kiosktool-kdedirs –check



KDE Directory Layout (SuSE Linux for example):


$HOME/.kde user level, personal KDE directory

/opt/kde3 system level, SuSE specific,

sometimes /usr or /usr/kde3

/etc/opt/kde3 Added by SuSE


Environment Variables


$KDEHOME ~/.kde

normally located in user's home directory

$KDEROOTHOME /root/.kde

$KDEDIR /opt/kde3, /usr, /usr/kde3

depends from distribution, used by KDE2

$KDEDIRS /opt/kde3, /usr, /usr/kde3

new in KDE3 : multiple locations possible

The default values most times don't need to be changed (default o.k).

Normally $KDEHOME, the tree located in the user's home directory, has the highest precedence. This is the directory tree where the user sets up his own changes.

A system administrator can create additional directory trees which can be used for profiles.

Special KDE configuration directories for special user profiles (or group profiles) will be specified within

/etc/kderc (SuSE: /etc/kde3rc) .


Additional (shared) KDE Sub-Directories:

share/applications/ .desktop files for the KDE Menu (since KDE3.2)

share/apps contains applications specific data files; Each application has a sub-directory here for storing additional data files

share/config configuration files for KDE applications (normally named after the the application they belong to plus rc, i.e. kiosktoolrc). A special case is kdeglobals as a file that is readed by all KDE applications.

share/config/session/ used by KDE session manager ksmserver (normally only available under $KDEHOME/... At the end of a session KDE applications store their state here. The file names start with the name of the application followed by a number. ksmserver stores references to these numbers when saving a session in share/config/ksmserverrc .

share/doc/HTML/ contains documentation of KDE and KDE applications (khelpcenter)

share/icons icons for KDE applications

share/mimelnk KDE uses .desktop files that describe MIME types to identificate the type of a file

share/services contains .desktop files that describe services. Services are like applications but are usually launched by other applications instead of the user . Services do not appear in the KDE menu.

share/servicetypes servicetypes usually represents a certain programming interface

share/sounds contains sound files

share/templates contains templates for creating files of various types including a reference to a file in the .source sub-directory

share/wallpapers contains images that can be used as background picture


Additional (OS- and CPU-depended) KDE Sub-Directories:

bin/ used for KDE executables

cgi-bin/ CGI scripts that can be used by the KDE Help Center

lib/ used for KDE libraries

lib/kde3 contains components, plugins and other runtime loadable objects for use by KDE 3.x applications


Additional (Host Specific) KDE Sub-Directories:

three host-specific directories that are usually symlinked to other locations:

$KDEHOME/socket-$HOSTNAME --> /tmp/ksocket-$USER/

$KDEHOME/tmp-$HOSTNAME --> /tmp/kde-$USER/

$KDEHOME/cache-$HOSTNAME --> /tmp/kdecache-$USER/

/tmp and /var/tmp as systemwide (maybe world) writable directories

opt/kde3/bin/./lnusertemp tmp lnusertemp utility will create a new directory with an alternative name and links to that instead. That's why there is a possibility, that one of the mentioned directories already exists but is owned by another user.



KDE Configuration Files

simple text files, UTF-8 encoding for text outside the ASCII range

Groups indicated by a groupname placed in square brackets at the top of a group followed by key-value-pairs. Key and value are separated by an equal sign. The key can contain spaces and may be followed by options placed in square brackets, sometimes with optional backslash codes for special output formats. All the key-values entries that follow belong to the group.

[groupname]

keyname=value [option]

Entries at the top of the file that are not preceded by a group name belong to the default group.

Configuration Files – Cascading

There can be multiple configuration files with the same name in the share/config sub-directory of the various KDE directory trees.

A configuration file can contain only few selected groups with few selected keys.

The final value of a key depends from the the priority of the directory the configuration file is placed and the precedence of the key in it.

The configuration files under $KDEHOME have always the highest priority. The precedence order of KDE directories is listed in $KDEDIRS, available since KDE3.x .

If $KDEDIRS is undefined , the single location of $KDEDIR is used instead.

If a key in a certain group is defined multiple times in a single file, the value of the last entry is used.


Starting with KDE 3, configuration entries can be marked immutable, and once such a value has been read its value cannot be changed any more via KConfig or user entries in $KDEHOME . Entries can be marked immutable on an entry-by-entry, group, or file basis by adding a [$i] at the right places .

Keyword[$i]=value prevents overwriting the default setting and marks this key immutable.

Group[$i] sets all key entries of this group immutable.

To lock down the entire file, start the file with [$i] in a single line.

[$e] and [$ie] are so called Shell Expansions and can be used to provide more dynamic default values.

Normally the expanded form is written into the users configuration file after first use. To prevent this, it is recommended to lock the configuration entry down by using [$ie].



KDE Startup Sequence – what happens during startup


Login Manager: kdm

Startkde script: startkde starts kdeinit (which application?) and ksmserver (session manager) during the users login.

Kdeinit is used to start all other KDE programs.

Inititialised Background Services:

dcopserver (deamon for Desktop Communication Process/Protocol)

kded (generic KDE service daemon for background processes)

kcminit (Initialisation service for hardware)

klauncher (Program launch without interface, not the ALT-F2 dialog)

knotify (User notifications)

ksmserver (Session management, startup desktop components)

Desktop Components:

Kwin (Taskmanager)

KDesktop (Icons)

Kicker (Panel)

Klipper (Dienstprogramm für Zwischenablage)


DCOP, Desktop interprocess communication

can be used for all kinds of KDE desktop automatisation and scripting (also as command line tool)

based on Inter Client Exchange (ICE) Protocol and uses UNIX sockets instead of remote calls

can also be used to run KDE applications in GNOME desktop

( <a href= "http://www.kde.org/areas/sysadmin"></a><a href= "http://www.kde.org/areas/sysadmin"></a><a href= "http://www.kde.org/areas/sysadmin">http://www.kde.org/areas/sysadmin</a><a href="http://www.kde.org/areas/sysadmin"></a><a href="http://www.kde.org/areas/sysadmin"></a>/ )


Chapter 4. KIOSK Admin Tool Settings

KIOSKs first call: Main Window with „Default“ profile and according to the linux distribution additional profiles (examples).

<img src="kiosk_html_2a35c180.png" name="graphics1" align="left" hspace="12" width="758" height="523" border="0" id="graphics1">

Meaning of the right buttons:


Add New Profile: new profile with profilename, short description, the admin of the profile and where the profile will be stored


Setup Profile: change the settings of an existing profile, get the next window to set up the special restrictions of the selected profile


Assign Profiles: apply existing user or groups of users to the selected profile


Profile Properties: change the settings of an existing profile (window like Add New Profile)


Delete Profile: delete the selected profile








General Settings of KIOSK Admin Tool

<img src="kiosk_html_m151a4b87.png" name="graphics2" align="left" hspace="12" width="568" height="494" border="0" id="graphics2">

I prefer to store all profiles under the same base directory.

KIOSK has the option to deliver profile and changes to other workstations. The administration of all profiles can be done on a dedicated workstation by an administrator and then distributed to the associated workstations. That is aspecially usefull for changes, that requires that users should log out. Otherwise the administrator has the chance for tests on one workstation and to distribute to a lot of other.

Chapter 5. Add New Profile

A new profile with profilename, short description, the admin of the profile and where the profile will be

stored.

<img src="kiosk_html_3967db2.png" name="graphics3" align="left" hspace="12" width="640" height="466" border="0" id="graphics3">

Profile directory depends from Distribution and KIOSK basic settings:

/etc/kde-profile/<new_profilename>

or

/var/lib/kde-profile/<new_profilename>


<img src="kiosk_html_m6a86229.png" name="graphics4" align="left" hspace="12" width="390" height="230" border="0" id="graphics4">
<img src="kiosk_html_m36bcaf17.png" name="graphics5" align="left" hspace="12" width="232" height="273" border="0" id= "graphics5">

Configuration: /etc/kde-profile/ here with root-privileges (profile owner)


I prefer to use similar names for groups and the associated profiles and not too much profiles to prevent difficult administration and dependencies.


Chapter 6. AssignProfiles

apply existing users or groups of users to the selected profile


<img src="kiosk_html_28523501.png" name="graphics8" align="left" hspace="12" width="640" height="466" border="0" id="graphics8">
<img src="kiosk_html_m40f95a8b.png" name="graphics7" align="left" hspace="12" width="388" height="192" border="0" id= "graphics7">

Here the (i.e. added by YaST) existing group „restrict“ will be appended to the KDE profile „restricted“.

If a new user is a member of the group „restrict“, he gets automatically the restricted profile settings.

If an existing user with own KDE-settings in his home becomes a member of a restricted profile, he gets further some personal settings, if the settings in the profile directory are not harded by [$i] .

Chapter 7. SetupProfiles


<img src="kiosk_html_m5f8f9a54.png" name="graphics9" align="left" hspace="12" width="640" height="466" border="0" id="graphics9">

Change the settings of an existing profile, get the next window to set up the special restrictions of the selected profile.

We get a collection of KDE settings that can be selected, changed and fixed. The default KDE profile settings are the basic settings for each new profile.


<img src="kiosk_html_m78fd19c5.png" name="graphics10" align="left" hspace="12" width="708" height="591" border="0" id="graphics10">

General Settings:

<img src="kiosk_html_m364cfc8a.png" name="Grafik27" align="left" hspace="12" width="286" height="257" border="0" id="Grafik27">
We get a short description to each restriction. This settings works immediately after pressing „Finished“ for all associated users/groups. S<img src="kiosk_html_m5caf3ede.png" name= "graphics11" align="left" hspace="12" width="640" height="564" border="0" id="graphics11">
ee restriction settings in kdeglobals for example:

[KDE Action Restrictions]

shell_access=false

Desktop Icons

<img src="kiosk_html_5d85a4e8.png" name="graphics12" align="left" hspace="12" width="640" height="542" border="0" id="graphics12">
<img src="kiosk_html_12dbf77b.png" name="graphics21" align="left" width="450" height="209" border="0" id="graphics21">

„Preview Desktop Icons“ is a preview of the actual settings without possibility to change.

„Setup Desktop Icons“ delivers a Desktop, where we can create icons on wished positions.

We have to pay attention to profile associated users, if they are just using the desktop (see the „Attention“ message). We also have a look to other (here in KIOSK not visible) icons from the Desktop directory in the users home. These Icons should manually deleted in /etc/skel/ and $HOME/Desktop/ . We lock down settings and disable context menu to prevent unallowed changes and actions.

A short description to these functionality is given in the bottom of the window.


We find these changes in ~/share/config/...

Desktop Background

<img src="kiosk_html_m21415cd3.png" name="graphics13" align="left" hspace="12" width="640" height="506" border="0" id="graphics13">
<img src="kiosk_html_12dbf77b.png" name="graphics22" align="left" width="450" height="209" border="0" id="graphics22">

Similar to the previous configuration of the Desktop Icons we can preview and setup and later lock down the Desktop Background. We have to pay attention to profile associated users, if they are just using the desktop (see the „Attention“ message).



KIOSK uses KDE Control Module for these settings.

<img src="kiosk_html_m7e3812c9.png" name="graphics36" align="left" width="744" height="510" border="0" id="graphics36">

<img src="kiosk_html_m21acdc40.png" name="graphics37" align="left" width="455" height="164" border="0" id="graphics37">

Don't forget to press „Apply“ in this window before you press „Save“ to append the Background Settings to the profile.

We find these changes in ~/share/config/...

Screen Saver Configuration

The Screen Saver Configuration is easy like Desktop Background. We can preview and setup and later lock down the settings. We have to pay attention to profile associated users, if they are just using the desktop (see the „Attention“ message).


<img src="kiosk_html_m6b5486a4.png" name="graphics16" align="left" width="665" height="529" border="0" id="graphics16">
<img src="kiosk_html_12dbf77b.png" name="graphics6" align="left" width="450" height="209" border="0" id="graphics6">

KIOSK uses KDE Control Module for these settings.


<img src="kiosk_html_79ce2b55.png" name="graphics14" align="left" width="665" height="473" border="0" id="graphics14">
<img src="kiosk_html_m4b86351f.png" name="Grafik33" align="left" hspace="12" width="497" height="139" border="0" id= "Grafik33">

Don't forget to press „Apply“ in this window before you press „Save“ to append the Screen Saver Settings to the profile.

We find these changes in ~/share/config/...



Setup KDE Menu

to create a special menu for a selection of programs in a wished structure

In business environment the menu should contain only those programs which ar nessesary for the profile associated users to do business work.


<img src= "kiosk_html_3654f784.png" name="graphics15" align="left" width= "665" height="468" border="0" id="graphics15">
<img src="kiosk_html_12dbf77b.png" name="graphics18" align="left" width="450" height="209" border="0" id="graphics18">




We can preview, setup and later disable menu editing and can disable all tasks and applications that require root access. We have to pay attention to profile associated users, if they are just using the desktop (see the „Attention“ message).


KIOSK Admin Tool uses KmenuEdit and copies changes to profile or system wide locations.

We get the default KDE menu and then we can change the structure by deleting, moving or adding .

Ksycoca caches menu structure and information about all available applications, build with

kbuildsycoca.


In KIOSK versions before 1.x we should only delete entries. Otherwise it is possible that

some programs would not launch.

<img src= "kiosk_html_m28746e02.png" name="graphics17" align="left" width= "521" height="580" border="0" id="graphics17">
We find these changes in ~/share/config/...

<img src="kiosk_html_m5cf72bd2.png" name="Grafik38" align="left" hspace="12" width="373" height="154" border="0" id="Grafik38">
Don't forget to press „File – Safe“ in this window before you press „Save“ to append the Screen Saver Settings to the profile.

We find these changes in ~/share/config/...


Setup Theming

For Hotline and Helpdesk is a consistent „Look and Feel“ nessesary. We can change Style Settings, Color Settings, Font Settings and Window Decoration Settings and then make them immutable by locking.

<img src="kiosk_html_m5608e9c.png" name="graphics19" align="left" width="665" height="468" border="0" id="graphics19">



KIOSK uses KDE Control Module for these settings.

<img src="kiosk_html_m5a25c7b6.png" name="graphics20" align="left" width="665" height="509" border="0" id="graphics20">

Don't forget to press „Apply“ in this window before you press „Save“ to append the Theming Settings to the profile.

We find these changes in ~/share/config/...



Panel Configuration (Panel also known as Kicker)


<img src="kiosk_html_489dee1f.png" name="graphics23" align="left" width="665" height="468" border="0" id="graphics23">
<img src="kiosk_html_m735398c2.png" name="Grafik39" align="left" hspace="12" width="377" height="200" border="0" id= "Grafik39">

After controlling preview or setup we can make the panel immutable by lock down panel settings and can disable context menu (right mouse click).

We have to pay attention to profile associated users, if they are just using the desktop (see the „Attention“ message).

<img src= "kiosk_html_1b1c2196.png" name="Grafik40" align="left" hspace="12" width="800" height="85" border="0" id="Grafik40">
Here we set up how Icons (Panel Buttons), Applets (Pager with virtuell Desktops, Taskbar with running programs, System Tray with System-Mini-Icons) and the clock appear on the Panel.

We find these changes in ~/share/config/...

The configuration of taskbar, system tray and general panel settings in KIOSK Admin Tool are reachable by right mouse click (context menues).

<img src="kiosk_html_142a3526.png" name="graphics24" align="left" width="458" height="430" border="0" id="graphics24">
<img src="kiosk_html_mc9c25a9.png" name="graphics25" align="left" width="201" height="84" border="0" id="graphics25">
<img src="kiosk_html_m73600289.png" name="graphics26" align="left" width="244" height="88" border="0" id="graphics26">

<img src="kiosk_html_m393ebec5.png" name="graphics27" align="left" width="744" height="629" border="0" id="graphics27">
Don't forget to press „Apply“ in this window before you press „Save“ to append the Panel Settings to the profile.

Network Proxy Configuration

Network Proxy settings for predefined settings for www browsing. This prevents centralised settings for profile appended users and a practical method to give users different rights for using internet or no. We can make these settings immutable. Than the proxy configuration in konquerors configuration menu doesn't appears.

Attention: This settings only works for KDE programs, but not for non-KDE-browsers like Opera or Firefox.


<img src="kiosk_html_5a88a1f9.png" name="graphics28" align="left" width="665" height="468" border="0" id="graphics28">
We should lock down proxy settings to make them dependent only from profile and independent fom users settings in $HOME/.kde/share/config/kioslaverc.

KIOSK uses KDE Control Module for these proxy presettings.

(like command: kcmshell kde-proxy.desktop)


<img src= "kiosk_html_24224e9a.png" name="graphics29" align="left" width= "665" height="480" border="0" id="graphics29">

Don't forget to press „Apply“ in this window before you press „Save“ to append the Proxy Settings to the profile.

We find these changes in ~/<profilename>/share/config/kioslaverc .


Setup Konqueror

Konqueror works in different view profiles. KIOSK can prevent some functions for all views.

<img src="kiosk_html_m8efc222.png" name="graphics30" align="left" width="701" height="501" border="0" id="graphics30">
Disable file-browsing outside home directory prevents file access to other directories for all KDE applications.

We find these changes in ~/<profilename>/share/config/kdeglobals and there in the group[KDE URL Restrictions].

(Properties in context menu >> ~/kdeglobals >> group [KDE Action Restrictions] >> properties=true/false)

Setup Menu Actions

Not only for Konqueror, but for all KDE programs KIOSK delivers the possibility, that typical menu entries not appear and so the user can't use these actions.

<img src= "kiosk_html_f8da344.png" name="graphics31" align="left" width="665" height="468" border="0" id="graphics31">

We find these changes in ~/<profilename>/share/config/kdeglobals .

(Configure Shortcuts... >> ~/kdeglobals>> group [KDE Action Restrictions]>> options_configure = true/false)

Setup Remote Desktop Sharing (VNC)

We can predefine Remote Desktop Sharing and make this settings immutable for the users. stellmöglichkeiten hierfür entzogen werden.






<img src="kiosk_html_76e38573.png" name="graphics32" align="left" width="665" height="468" border="0" id="graphics32">
<img src="kiosk_html_1cb4e494.png" name="Grafik46" align="left" hspace="12" width="375" height="154" border="0" id= "Grafik46">

<img src= "kiosk_html_4b75ade5.png" name="graphics33" align="left" width= "665" height="473" border="0" id="graphics33">
KIOSK uses KDE Control Module for these desktop sharing presettings.


Don't forget to press „Apply“ in this window before you press „Save“ to append the Proxy Settings to the profile.

We find these changes in ~/<profilename>/share/config/...




Setup File Associations

In Linux distributions we find a lot of programs to work with one application type. For Hotline and Helpdesk is a consistent work with applications nessesary. Because of leaving KIOSK restrictions in non-KDE applications we should reduce the file associations to KDE applications if possible. Otherwise we prevent the usage of installed programs, that are not present on Desktop, KDE Menu or Panel. Additional we also should lock down these settings and have to prevent „open with“ in menu actions.





<img src="kiosk_html_m64794e21.png" name="graphics34" align="left" width="665" height="468" border="0" id="graphics34">
<img src="kiosk_html_m2df95077.png" name="Grafik49" align="left" hspace="12" width="375" height="154" border="0" id= "Grafik49">


Don't forget to press „Apply“ in this window before you press „Save“ to append the File Association Settings to the profile.

We find these changes in ~/<profilename>/share/config/profilerc






Additional marks and tips


KIOSK Admin Tool appends only to KDE programs and normally not for programs like Mozilla, Evolution or OpenOffice. Regardig better integration of non-KDE applications in future it is possible, that some KIOSK settings will also work.


Be carefully with restrictions. The user should use his allowed applications with nessesary functionality to do his work. Otherwise restrictions delivers security, less hotline and helpdesk.

KIOSK allows easy administration in centralised profiles.


We also should have a look to other (here in KIOSK not visible) settings in the users home. If settings in profiles are not setted immutable, the settings in users home has the highest priority.

We lock down settings and disable context menu to prevent unallowed changes and actions.


Sometimes desktop restrictions delivers error-messages for a new user. When a user logs in first time, some personal settings are done in users home.

If KDE does not have write access to the users configuration files they will automatically be considered immutable and the user will be warned about that fact. If you do not like this behavior, add a warn_unwritable_config=false to the KDE Action Restrictions section in /etc/kderc (or kdeglobals on the global, profile, or user level) to disable this warning for all applications. But non writable user configuration files are not a foolproof lock down mechanism since the user can potentially rename these files and add new ones according to his taste.

Consider the file system mechanisms an add-on to the much more sophisticated KDE Kiosk framework.


For high security we can set the environment variable $KDEHOME to an other directory than /home/<username>/.kde and additional set readonly by $KDE_HOME_READONLY .


If a user is assigned to more than one KDE profile, then the settings of the first (higher) listed KDE profile will have the higher priority (--> /etc/kde-user-profile). But, if exists an individual user profile, other assigned group profiles will be ignored for this user.



Links:


KIOSK Admin Tool Homepage:

<a href= "http://extragear.kde.org/apps/kiosktool">http://extragear.kde.org/apps/kiosktool</a>



Dokumentation KIOSK Admin Tool - Waldo Bastian:

<a href= "http://doc.kde.org/en/HEAD/kdeextragear-3/kiosktool">http://doc.kde.org/en/HEAD/kdeextragear-3/kiosktool</a>



Details structure and funktions of KDE:

<a href= "http://www.kde.org/areas/sysadmin"></a><a href= "http://www.kde.org/areas/sysadmin"></a><a href= "http://www.kde.org/areas/sysadmin">http://www.kde.org/areas/sysadmin</a><a href="http://www.kde.org/areas/sysadmin"></a><a href="http://www.kde.org/areas/sysadmin"></a>/



Waldo Bastian on Kiosk and the Linux desktop

Posted by aKademy Team on Wednesday 11/Aug/2004, @21:44

<a href= "http://dot.kde.org/1092253495/">http://dot.kde.org/1092253495/</a>




KDE and K Desktop Environment are trademarks of KDE e.V.




Chapter 9. Credits and License

KIOSK Admin Tool

Program copyright 2004 Waldo Bastian (bastian kde.org)

Documentation copyright 2004 Waldo Bastian (bastian kde.org)

This documentation is licensed under the terms of the GNU Free Documentation License.