Chapter 13. Locking down selected tasks

This section describes how to lock down for users the following tasks:

  • Printing
  • File saving on disk
  • Repartitioning
  • User logout and user switching

13.1. Locking down printing

You can disable the print dialog from being shown to users. This can be useful if you are giving temporary access to a user or you do not want the user to print to network printers.

Important

The feature only works in applications which support it. Not all GNOME and third party applications have this feature enabled. The changes do not have effect on applications which do not support this feature.

To provent applications from printing, lock down the org.gnome.desktop.lockdown.disable-printing key:

Procedure

  1. Create the user profile in /etc/dconf/profile/user unless it already exists:

    user-db:user
    system-db:local
  2. Create a local database for machine-wide settings in the etc/dconf/db/local.d/00-lockdown file:

    [org/gnome/desktop/lockdown]
    
    # Prevent applications from printing
    disable-printing=true
  3. Override the user’s setting and prevent the user from changing it in the /etc/dconf/db/local.d/locks/lockdown file:

    # List the keys used to configure lockdown
    /org/gnome/desktop/lockdown/disable-printing
  4. Update the system databases:

    # dconf update

Having followed these steps, applications supporting this lockdown key, such as Evolution, Evince, or Gedit, will disable printing.

13.2. Locking file saving on disk

You can disable the Save and Save As dialogs. This can be useful if you are giving temporary access to a user or you do not want the user to save files to the computer.

Important

The feature only works in applications which support it. Not all GNOME and third party applications have this feature enabled. The changes will have no effect on applications which do not support this feature.

To prevent applications from file saving, lock down the org.gnome.desktop.lockdown.disable-save-to-disk key:

Procedure

  1. Create the user profile in /etc/dconf/profile/user unless it already exists:

    user-db:user
    system-db:local
  2. Create a local database for machine-wide settings in the /etc/dconf/db/local.d/00-lockdown file:

    [org/gnome/desktop/lockdown]
    
    # Prevent the user from saving files on disk
    disable-save-to-disk=true
  3. Override the user’s setting and prevent the user from changing it in the /etc/dconf/db/local.d/locks/lockdown file:

    # Lock this key to disable saving files on disk
    /org/gnome/desktop/lockdown/disable-save-to-disk
  4. Update the system databases:

    # dconf update

Having followed these steps, applications supporting this lockdown key, for example Videos, Image Viewer, Evolution, Document Viewer, or GNOME Shell, will disable their Save As dialogs.

13.3. Locking repartitioning

polkit enables you to set permissions for individual operations. For udisks2, the utility for disk management services, the configuration is located at /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy. This file contains a set of actions and default values, which can be overridden by system administrator.

Important

polkit configuration stored in /etc overrides the configuration shipped by packages in /usr/share/.

Procedure

  1. Create a file with the same content as in /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy:

    cp /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy /etc/share/polkit-1/actions/org.freedesktop.udisks2.policy

    Do not change the /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy file, your changes will be overwritten by the next package update.

  2. Delete the action you do not need, and add the following lines to the /etc/polkit-1/actions/org.freedesktop.udisks2.policy file:

    <action id="org.freedesktop.udisks2.modify-device">
      <message>Authentication is required to modify the disks settings</message>
         <defaults>
            <allow_any>no</allow_any>
            <allow_inactive>no</allow_inactive>
            <allow_active>yes</allow_active>
          </defaults>
     </action>

    Replace no by auth_admin if you want to ensure only the root user is able to perform the action.

  3. Save the changes.

When the user tries to change the disks settings, the following message is returned:

Authentication is required to modify the disks settings.

13.4. Locking down user logout and user switching

To prevent the user from logging out, use the folowing procedure.

Procedure

  1. Create the /etc/dconf/profile/user profile, which contains the following lines:

    user-db:user
    system-db:local

    where local is the name of a dconf database

  2. Create the /etc/dconf/db/local.d/ directory if it does not already exist.
  3. Create the /etc/dconf/db/local.d/00-logout key file to provide information for the local database:

    [org/gnome/desktop/lockdown]
    # Prevent the user from user switching
    disable-log-out=true
  4. Override the user’s setting, and prevent the user from changing it in the /etc/dconf/db/local.d/locks/lockdown file:

    # Lock this key to disable user logout
    /org/gnome/desktop/lockdown/disable-log-out
  5. Update the system databases:

    # dconf update
  6. Users must log out and back in again before the system-wide settings take effect.
Important

Users can evade the logout lockdown by switching to a different user. To prevent such scenario, lock down user swithcing as well.

To lock down user switching, use the following procedure:

Procedure

  1. Create the /etc/dconf/profile/user profile, which contains the following lines:

    user-db:user
    system-db:local

    where local is the name of a dconf database

  2. Create the /etc/dconf/db/local.d/ directory if it does not already exist.
  3. Create the /etc/dconf/db/local.d/00-user-switching key file to provide information for the local database:

    [org/gnome/desktop/lockdown]
    # Prevent the user from user switching
    disable-user-switching=true
  4. Override the user’s setting, and prevent the user from changing it in the /etc/dconf/db/local.d/locks/lockdown file:

    # Lock this key to disable user switching
    /org/gnome/desktop/lockdown/disable-user-switching
  5. Update the system databases:

    # dconf update
  6. Users must log out and back in again before the system-wide settings take effect.