Lock Down Desktops with KDE Kiosk
Us amazing system and network administrators are frequently required to believe six impossible things before breakfast. Everything is supposed to be easily accessible and convenient, yet everything must also be locked down and controlled. The sane response is to smile and nod wisely, then do what we think is right.
It helps to have tools that assist in satisfying impossible demands. KDE has a Kiosk mode that allows you to create and replicate a fully-customized desktop, with options to lock down various bits to prevent users from changing them. You can do it the hard way, by editing a gaggle of configuration files, or you can do it the easy way with the Kiosk Admin Tool, the graphical KDE Kiosk configurator. (Make someone say that three times quickly.)
Kiosk does not touch applications or services – just the desktop itself, which includes menus, desktop icons, wallpapers, themes, screen savers, file associations, and commands. It lets you set up loose controls for business environments, or tight controls for public terminals that are used by a lot of random people.
Kiosk Admin Tool is available as source code, RPMs and in Debian Testing/Unstable. After installation you should have a menu entry for it in System -> KIOSK Admin Tool, or use the kiosktool command to start it from the command line.
First let's take a look at where KDE squirrels away all these settings. KDE is complex, but it's well-organized, and there is always a method to whatever KDE madness you find yourself in.
This points to the file locations where configuration profiles are stored.
Global configuration files are here.
User's individual settings go here. You can see for yourself where your particular KDE installation is going to look for configuration files:
$ kde-config --path config
KDE reads these in reverse order, so if it encounters any conflicts, the last value read is the one used. User's individual configurations take precedence, so they are read last.
There is a way to make an exception to the precedence rule: using [$i], the "immutable" key. You'll see how this is used in the examples below. Anything marked immutable has precedence, no matter what order it's in.
Configuring the KIOSK Admin Tool
Start up kiosktool from a root command shell, then go to Settings -> Configure Kiosk Admin Tool. You'll need to make a couple of tweaks first, and you'll need rootly powers to make them.
Check "Store all profiles under the same base directory", then type in the directory you want to use, like /etc/kde3/profiles. "Do not show users with a UID lower than [foo]" is useful for showing only your human users, providing you have followed a sensible UID numbering convention. For example, on Debian human users start at 1000; on Fedora they start at 500.
If you wish to upload profiles to a different server, configure that as well, then click OK.
KDE's settings are stored in profiles. Open the KIOSK Admin Tool, and you'll see the Default profile. Don't touch this, or you'll be sorry. At least I was: I changed the panel settings, then hit the preview button, and I lost the panel. Then KDE wouldn't restart, and I didn't feel like trying for a surgical repair, so I re-installed kdebase-bin, kdelibs-bin, and kdedesktop. Moral: don't muck with the Default profile.
Create a new profile by clicking "Add new profile," then hit "Add." Then to configure the profile, click "Setup Profile" on the Main Menu. This takes you into a window where you can configure the menu, look and feel, and other settings. Whether certain settings make sense depends on how the PC is going to be used; for example, why would you want to disable bookmarks, or the context menu? On a shared or public terminal, you probably want to lock the desktop down more tightly than on ordinary workstations in a business. These are some of the things you might want to do for a business desktop:
- Disable all tasks and applications that require root access
- Disable access to a command shell
- Disable "run command"
- Disable execution of arbitrary .desktop files
- Discreet screen savers only. Some screen savers display snapshots of the desktop, which could show sensitive information
- Disable OpenGL screen savers. Do this to avoid problems with locking up X Windows
- Lock down proxy settings. This helps to keep users from sneaking around your proxy server and avoiding your carefully-crafted controls
- You can lock down Desktop Icons and the Panel to varying degrees, from just-don't-remove-the-defaults to change-absolutely-nothing
- Disable lock screen option
- Disable input line history
- Disable bookmarks
- Disable toolbar moving
- Lock down background settings
- Lock down file associations
- You can disable file management commands, like Save As, Revert, Print, Mail, Undo, Copy, and Paste
Kiosk Admin Tool might not do everything you want it to, as KDE Kiosk covers hundreds of configuration options. Or perhaps you just prefer to edit text files, or you want to fine-tune the files created by the Kiosk Admin Tool, which you can do because it will not overwrite manual changes. This is easy, though tedious. Kiosk uses the INI file format: group name, key/value:
For example, this is what some of the restrictions mentioned above look like in my /etc/kde3/profiles/frontOffice/share/config/kdeglobals file, for the profile I named "frontOffice":
[KDE Action Restrictions][$i]
[KDE Resource Restrictions]
See how the entire group "KDE Action Restrictions" is marked immutable? Individual entries are marked as immutable this way:
[KDE Resource Restrictions]
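The precedence and immutability rules described above can be checked before a profile is rolled out. The following is an added example, not code from KDE or the Kiosk Admin Tool: a simplified model of the "last value read wins unless marked [$i]" rule that reports which restriction entries a user's own config file could still override. The two sample files and their key names are constructed for illustration.

```python
import re

# Constructed sample layers in read order: profile first, user's file last.
PROFILE = """\
[KDE Action Restrictions][$i]
shell_access=false
run_command=false

[KDE Resource Restrictions]
wallpaper[$i]=false
sound=false
"""
USER = """\
[KDE Action Restrictions]
shell_access=true

[KDE Resource Restrictions]
wallpaper=true
sound=true
"""
RESTRICTION_GROUPS = {"KDE Action Restrictions", "KDE Resource Restrictions"}
GROUP = re.compile(r"^\[(.+?)\](\[\$i\])?$")           # [Group] or [Group][$i]
ENTRY = re.compile(r"^([^=\[]+?)(\[\$i\])?\s*=\s*(.*)$")  # key=val or key[$i]=val

def resolve(layers):
    """Merge (name, text) layers in read order; a lock set by one layer binds later ones."""
    values, locked_groups, locked_keys, rejected = {}, set(), set(), []
    for name, text in layers:
        group, new_groups, new_keys = None, set(), set()
        for line in map(str.strip, text.splitlines()):
            if m := GROUP.match(line):
                group = m.group(1)
                if m.group(2):
                    new_groups.add(group)
            elif group and not line.startswith("#") and (m := ENTRY.match(line)):
                key, imm, val = m.group(1).strip(), m.group(2), m.group(3)
                if group in locked_groups or (group, key) in locked_keys:
                    rejected.append((name, group, key, val))  # override ignored
                else:
                    values[(group, key)] = val
                    if imm:
                        new_keys.add((group, key))
        locked_groups |= new_groups
        locked_keys |= new_keys
    return values, locked_groups, locked_keys, rejected

def unlocked(values, locked_groups, locked_keys):
    """Restriction entries that a later-read file is still free to change."""
    return sorted((g, k) for (g, k) in values if g in RESTRICTION_GROUPS
                  and g not in locked_groups and (g, k) not in locked_keys)
```

Calling `resolve([("profile", PROFILE), ("user", USER)])` and passing the first three results to `unlocked()` flags `sound` in the second group, the one entry the profile left without an immutable marker.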
"It is impossible to make things foolproof, because fools are so ingenious." This has been attributed to Einstein, Ralph Waldo Emerson, and various other eminences. I don't know who said it first, probably Shakespeare, who said everything first. But whoever said it spoke truly. KDE Kiosk Mode won't give 100% protection from users, because we all know how inventive users can be at breaking things. (If only they were as talented at learning to use computers productively.) But it will help you a lot.