Chapter 19. Locking down selected tasks
This section describes how to lock down for users the following tasks:
- Printing
- File saving on disk
- Repartitioning
- User logout and user switching
19.1. Locking down printing
You can disable the print dialog from being shown to users. This can be useful if you are giving temporary access to a user or you do not want the user to print to network printers.
The feature only works in applications which support it. Not all GNOME and third party applications have this feature enabled. The changes do not have effect on applications which do not support this feature.
To prevent applications from printing, lock down the org.gnome.desktop.lockdown.disable-printing key:
Procedure
Create the user profile in
/etc/dconf/profile/userunless it already exists:user-db:user system-db:local
Create a local database for machine-wide settings in the
etc/dconf/db/local.d/00-lockdownfile:[org/gnome/desktop/lockdown] # Prevent applications from printing disable-printing=true
Override the user’s setting and prevent the user from changing it in the
/etc/dconf/db/local.d/locks/lockdownfile:# List the keys used to configure lockdown /org/gnome/desktop/lockdown/disable-printing
Update the system databases:
# dconf update
Having followed these steps, applications supporting this lockdown key, such as Evolution, Evince, or Gedit, will disable printing.
19.2. Locking file saving on disk
You can disable the Save and Save As dialogs. This can be useful if you are giving temporary access to a user or you do not want the user to save files to the computer.
The feature only works in applications which support it. Not all GNOME and third party applications have this feature enabled. The changes will have no effect on applications which do not support this feature.
To prevent applications from file saving, lock down the org.gnome.desktop.lockdown.disable-save-to-disk key:
Procedure
Create the user profile in
/etc/dconf/profile/userunless it already exists:user-db:user system-db:local
Create a local database for machine-wide settings in the
/etc/dconf/db/local.d/00-lockdownfile:[org/gnome/desktop/lockdown] # Prevent the user from saving files on disk disable-save-to-disk=true
Override the user’s setting and prevent the user from changing it in the
/etc/dconf/db/local.d/locks/lockdownfile:# Lock this key to disable saving files on disk /org/gnome/desktop/lockdown/disable-save-to-disk
Update the system databases:
# dconf update
Having followed these steps, applications supporting this lockdown key, for example Videos, Image Viewer, Evolution, Document Viewer, or GNOME Shell, will disable their Save As dialogs.
19.3. Locking repartitioning
polkit enables you to set permissions for individual operations. For udisks2, the utility for disk management services, the configuration is located at /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy. This file contains a set of actions and default values, which can be overridden by system administrator.
polkit configuration stored in /etc overrides the configuration shipped by packages in /usr/share/.
Procedure
Create a file with the same content as in
/usr/share/polkit-1/actions/org.freedesktop.udisks2.policy:cp /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy /etc/share/polkit-1/actions/org.freedesktop.udisks2.policy
Do not change the
/usr/share/polkit-1/actions/org.freedesktop.udisks2.policyfile, your changes will be overwritten by the next package update.Delete the action you do not need, and add the following lines to the
/etc/polkit-1/actions/org.freedesktop.udisks2.policyfile:<action id="org.freedesktop.udisks2.modify-device"> <message>Authentication is required to modify the disks settings</message> <defaults> <allow_any>no</allow_any> <allow_inactive>no</allow_inactive> <allow_active>yes</allow_active> </defaults> </action>Replace
nobyauth_adminif you want to ensure only therootuser is able to perform the action.- Save the changes.
When the user tries to change the disks settings, the following message is returned:
Authentication is required to modify the disks settings.
19.4. Locking down user logout and user switching
To prevent the user from logging out, use the following procedure.
Procedure
Create the
/etc/dconf/profile/userprofile, which contains the following lines:user-db:user system-db:local
where
localis the name of a dconf database-
Create the
/etc/dconf/db/local.d/directory if it does not already exist. Create the
/etc/dconf/db/local.d/00-logoutkey file to provide information for the local database:[org/gnome/desktop/lockdown] # Prevent the user from user switching disable-log-out=true
Override the user’s setting, and prevent the user from changing it in the
/etc/dconf/db/local.d/locks/lockdownfile:# Lock this key to disable user logout /org/gnome/desktop/lockdown/disable-log-out
Update the system databases:
# dconf update
- Users must log out and back in again before the system-wide settings take effect.
Users can evade the logout lockdown by switching to a different user. To prevent such scenario, lock down user switching as well.
To lock down user switching, use the following procedure:
Procedure
Create the
/etc/dconf/profile/userprofile, which contains the following lines:user-db:user system-db:local
where
localis the name of a dconf database-
Create the
/etc/dconf/db/local.d/directory if it does not already exist. Create the
/etc/dconf/db/local.d/00-user-switchingkey file to provide information for the local database:# Prevent the user from user switching [org/gnome/desktop/lockdown] disable-user-switching=true [org/gnome/desktop/screensaver] user-switch-enabled=false
Override the user’s setting, and prevent the user from changing it in the
/etc/dconf/db/local.d/locks/lockdownfile:# Lock this key to disable user switching /org/gnome/desktop/lockdown/disable-user-switching /org/gnome/desktop/screensaver/user-switch-enabled
Update the system databases:
# dconf update
- Users must log out and back in again before the system-wide settings take effect.
