Friday, 13. December 2013
Did you install a kde-centric distribution on your parents pc? do you want to set up an internet terminal in a public area or in your office and you are tired of being called because a toolbar or an important widget has suddenly disappeared ?
the solution seems easy.. lock down plasma-desktop !
there is one preferred way to do so.. the kiosk framework
Create a file called /etc/kde4/kdeglobals (or add your options to ~/.kde/share/config/kdeglobals) and write something like the following in it: (there was a GUI for that in development but it seems dead by now)
[KDE Action Restrictions][$i]
action/lock_screen=false #hide rightclick unlock option
movable_toolbars=false #lock toolbars
run_command=false #disable krunner (alt-f2)
action/run_command=false #disable krunner (rightclick)
plasma-desktop/add_activities=false # not working right now
action/kwin_rmb=false # disable kwin context menu
action/logout=false # disable logout option
plasma/allow_configure_when_locked=false #no rightclick on plasmoids
plasma/plasma-desktop/unlockedDesktop=false #this is new
The [$i] will make the whole section immutable – that means it will not be overwritten by any user config-files read afterwards. (the given example will remove the lock-screen option, disable the run-command interface (krunner), lock application toolbars and (maybe in the future) disable the add activities feature, also the option to remove the logout entry and completely disable the context menu on kwin’s titlebar is working in 4.11 yay!!!)
Unfortunately some of the options in the kiosk documentation (especially the plasma specific ones) are not up2date therefore you will not be able to lock down plasma completely (at least not right now) but there is another solution to lock down plasma and make the “unlock widgets” entry disappear !
just write a single [$i] in the first line of ~/.kde/share/config/plasma-desktop-appletsrc -and- ~/.kde/share/config/plasma-desktoprc this will make the whole file immutable and hide the unlock widgets context menu entry.
Of course [$i] can be used to lock down specific widgets(sections) or just single options like height or width of the folder view widget for example.
Be aware that anybody who knows how to find those config files is still able to alter them e.g. remove the [$i]!
In order to secure the desktop completely you’ll have to copy those files to /etc/kde4 and go one step further…. disable rightclick on the plasma desktop containment: rightclick on the desktop – Mouse Actions – remove “Right-Button”
It is really hard to lock linux/plasma down.. there are still several ways to get control of the system when you know your way around keyboard shortcuts.. you could change to a new tty for example.. or just invoke any suitable keyboard shortcut. In my special case there is actually no need for a keyboard so i managed to lock down almost everything … only the cashew with it’s “add activities” feature remains.. since there is no reliable way to remove the cashew and no way to remove the activities feature this leaves plenty of space to mess around with the desktop and make it unusable for the next user at the KIOSK PC. (activities can be added but interestingly you can’t remove them afterwards in the locked state ^^)
for now the only way i found to restrict everything was to remove the cashew completely by setting the rights of the cashew library to forbidden:
sudo chmod 600 /usr/lib/kde4/plasma_toolbox_desktoptoolbox.so
So after all i got this totally locked down system where the only thing a user is allowed to do is to start one single task ( a unique one click live-linux-usb installer based on kubuntu 😉 http://life-edu.eu/ )
With a keyboard attached i’m able to administer the complete system thx to “krunner” (the only shortcut left alive) and with the two scripts i wrote, “desktop-lock” and “desktop-unlock”, im able to toggle the KIOSK mode in seconds ^^
KIOSK.zip (bash scripts – you should know what you are doing)