Difference between revisions of "KDE System Administration/Kiosk/Keys"

Revision as of 06:42, 10 February 2007

This article contains a listing of known keys that can be used with Kiosk and what they do. How to actually use these keys and other capabilities of Kiosk such as URL restrictions, creating assigning profiles, etc. is covered in the Introduction to Kiosk article.

Which configuration file to put these entries in depends on whether you wish to make them global to all applications or specific to one application. To make the restrictions valid for all applications, put them in kdeglobals. To enable a restriction for a specific applications place them in the application-specific configuration, e.g. konqererorrc for Konqueror.

Application Action Restrictions

KCalc

Konqueror and Desktop

Konsole

KWin

Key	Action
action/kwin_rmb	Context menus on window titlebar and frame

Panels


This section needs improvements: Please help us to cleanup confusing sections and fix sections which contain a todo revisit this when plasma is providing the panels

Using D-Bus To Find More Actions

Authorizing .desktop Files

Application .desktop files can have an additional field X-KDE-AuthorizeAction.

If this field is present the .desktop file is only considered valid if the action(s) mentioned in this field has been authorized. If multiple actions are listed they should be separated by commas (',').

If the .desktop file of an application lists one or more actions this way and the user has no authorization for even one of these actions then the application will not appear in the KDE menu, will not allow execution via that .desktop file and will not be used by KDE for opening files of associated mimetypes.

File Dialog

These keys disable actions that are found in the KDE file dialog. To use them, create a section in kdeglobals that looks like this:

[KDE Action Restrictions[$i] action/<key>=false

Key	Action
action/home	Go to home directory
action/up	Go to parent directory
action/back	Go to previous directory
action/forward	Go to next directory
action/reload	Reload directory
action/mkdir	Create new directory
action/toggleSpeedbar	Show/hide sidebar
action/sorting menu	Sorting options
action/short view	Select short view
action/detailed view	Select detailed view
action/show hidden	Show/hide hidden files
action/preview	Show/hide preview
action/separate dirs	Show/hide separate directories

Printing

There are several keys that restrict various aspects of the KDE print dialog and printing system. To use them, create a configuration section like this:

[KDE Resource Restrictions][$i] print/<resource key>=false

Note how each of the printing keys start with print/<tt> in the configuration file.

print/copies Disables the panel that allows users to make more than one copy. print/dialog Disables the complete print dialog. Selecting the print option will immediately print the selected document using default settings. Make sure that a system wide default printer has been selected. No application specific settings are honored when this restriction is activated. print/options Disables the button to select additional print options. print/properties Disables the button to change printer properties or to add a new printer.

print/selection: Disables the options that allows selecting a (pseudo) printer or change any of the printer properties. Make sure that a proper default printer has been selected before disabling this option. Disabling this option also disables <tt>print/system, print/options and print/properties.

print/system: Disables the option to select the printing system backend, e.g. CUPS. It is recommended to disable this option once the correct printing system has been configured.

Resource Restrictions

KDE applications can take advantage of many types of resources such as configuration data, caches, plugin registries, etc. These are loaded from both system-wide as well as from per-user locations on disk. It is possible to restrict use of the per-user resources directories, preventing users from adding to or altering existing shared resources.

This is accomplished by creating a section like this in a configuration file:

[KDE Resource Restrictions][$i] <resource key>=false

The following resources can be used as keys and controlled in this manner:

Key	Directory	Provides
all	n/a	All resources listed in this table
autostart	share/autostart	Apps to start on login
data	share/apps	Application data
data_<appname>	share/apps	Application data for the application named <appname>
html	share/doc/HTML	HTML files
icon	share/icon	Icons
config	share/config	Application configurations
pixmap	share/pixmaps	Images
xdgdata-apps	share/applications	Application .desktop files
sound	share/sounds	Sound files
locale	share/locale	Localization data
services	share/services	Protocols, plugins, kparts, control panels, etc. registry
servicetypes	share/servicetypes	Plugin definitions, referenced in services registry entries
mime	share/mimelnk	Mimetype definitions
wallpaper	share/wallpapers	Desktop wallpaper images
templates	share/templates	Document templates
exe	bin	Executable files
lib	lib	Libraries

Screensavers

In kdeglobals in the [KDE Action Restrictions] group:

opengl_screensavers: defines whether OpenGL screensavers are allowed to be used.

manipulatescreen_screensavers: defines whether screensavers that manipulate an image of the screen (e.g. moving chunks of the screen around) are allowed to be used.

Automatic Log-out

In kscreensaverrc:

[ScreenSaver] AutoLogout=true AutoLogoutTimeout=600

The timeout is the time in seconds that the user must be idle for before the logout process is automatically started. Be careful with this capability as it can lead to data loss if the user has unsaved files open.

Session Capability Restrictions

These keys apply to various capabilities associated with a desktop session and are not application specific. To use them, create a section in kdeglobals that looks like this:

[KDE Action Restrictions][$i] <key>=false

custom_config: Whether the --config command line option should be honored. The --config command line option can be used to circumvent locked-down configuration files.

editable_desktop_icons: define whether icons on the desktop can be moved, renamed, deleted or added. You might want to set the path for the desktop to some read-only directory as well instead of $HOME/Desktop.

lineedit_text_completion: Defines whether input lines should have the potential to remember any previously entered data and make suggestions based on this when typing. When a single account is shared by multiple people you may wish to disable this out of privacy concerns.

lock_screen: whether the user will be able to lock the screen.

logout: whether the user will be able to logout from KDE.

movable_toolbars: define whether toolbars may be moved around by the user. See also action/options_show_toolbar.

run_command: whether the "Run Command" (Alt-F2) option is available.

run_desktop_files: defines whether users may execute desktop files that are not part of the default desktop, KDE menu, registered services and autostarting services.

The default desktop includes the files under $KDEDIR/share/kdesktop/Desktop but not the files under $HOME/Desktop.
The KDE menu includes all files under $KDEDIR/share/applnk and $XDGDIR/applications
Registered services includes all files under $KDEDIR/share/services
Autostarting services include all files under $KDEDIR/share/autostart but not the files under $KDEHOME/Autostart

shell_access: Whether a shell suitable for entering random commands may be started. This also determines whether the "Run Command" option (Alt-F2) can be used to run shell-commands and arbitrary executables. Likewise, executables placed in the user's Autostart folder will no longer be executed. Applications can still be autostarted by placing .desktop files in the $KDEHOME/Autostart or $KDEDIR/share/autostart directory. See also run_desktop_files.

You probably also want to activate the following resource restictions:

"appdata_kdesktop" - To restrict the default desktop.
"apps" - To restrict the KDE menu.
"xdgdata-apps" - To restrict the KDE menu.
"services" - To restrict registered services.
"autostart" - To restrict autostarting services.

Otherwise users can still execute .desktop files by placing them in e.g. $KDEHOME/share/kdesktop/Desktop

skip_drm: defines if the user may omit DRM checking.

start_new_session: defines whether the user may start a second X session. See also the documentation on kdm configuration.

switch_user: defines whether user switching via kdm is allowed. See also the documentation on kdm configuration.

@@ Line 12: / Line 12: @@
 === KWin ===
+{|
+|-
+! Key !! Action
+|-
+|-
+| action/kwin_rmb || Context menus on window titlebar and frame
+|}
 === Panels ===