Chapter 9. Restricting the desktop session

You can restrict and control various functionalities on the GNOME desktop environment. You can enforce specific configurations and restrictions to maintain system integrity and prevent unauthorized access.

9.1. Disabling user logout and user switching

Disabling user logout and user switching can improve security, prevent user errors, and enforce a specific workflow. This can mitigate unauthorized access to sensitive data and disruptions to the workflow caused by users accidentally logging out or switching to another user.

Prerequisites

  • Administrative access.

Procedure

  1. Create a plain text /etc/dconf/db/local.d/00-logout keyfile in the /etc/dconf/db/local.d/ directory with the following content:

    [org/gnome/desktop/lockdown]
    # Disable user logut
    disable-log-out=true
    
    # Disable user switching
    disable-user-switching=true
  2. Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:

    # Lock user logout
    /org/gnome/desktop/lockdown/disable-log-out
    
    # Lock user switching
    /org/gnome/desktop/lockdown/disable-user-switching
  3. Apply the changes to the system databases:

    # dconf update

9.2. Disabling printing

Disabling printing can prevent unauthorized access to sensitive documents and potential breaches and safeguard confidential information.

Prerequisites

  • Administrative access.

Procedure

  1. Create a plain text /etc/dconf/db/local.d/00-printing keyfile in the /etc/dconf/db/local.d/ directory with the following content:

    [org/gnome/desktop/lockdown]
    # Disable printing
    disable-printing=true
  2. Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:

    # Lock printing
    /org/gnome/desktop/lockdown/disable-printing
  3. Apply the changes to the system databases:

    # dconf update

9.3. Disabling filesaving

Disabling file saving can help to protect sensitive data from unauthorized access and protect against potential data leaks.

Prerequisites

  • Administrative access.

Procedure

  1. Create a plain text /etc/dconf/db/local.d/00-filesaving keyfile in the /etc/dconf/db/local.d/ directory with the following content:

    [org/gnome/desktop/lockdown]
    # Disable saving files on disk
    disable-save-to-disk=true
  2. Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:

    # Lock file saving
    /org/gnome/desktop/lockdown/disable-save-to-disk
  3. Apply the changes to the system databases:

    # dconf update

9.4. Disabling the command prompt

Disabling the command prompt can simplify user interactions with the system, prevent inexperienced users from executing potentially harmful commands that might cause system instability or data loss, and reduce the risk of unauthorized changes to system settings or configurations.

Prerequisites

  • Administrative access.

Procedure

  1. Create a plain text /etc/dconf/db/local.d/00-lockdown keyfile in the /etc/dconf/db/local.d/ directory with the following content:

    [org/gnome/desktop/lockdown]
    
    # Disable command prompt
    disable-command-line=true
  2. Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:

    # Lock command prompt
    /org/gnome/desktop/lockdown/disable-command-line
  3. Apply the changes to the system databases:

    # dconf update
  4. For this settings to take effect, users needs to log out and log back in.

9.5. Disabling repartitioning

You can override the default system settings that control disk management.

Important

Avoid modifying the /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy file directly. Any changes you make will be replaced during the next package update.

Prerequisites

  • Administrative access.

Procedure

  1. Copy the /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy file under the /etc/share/polkit-1/actions/ directory:

    # cp /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy /etc/share/polkit-1/actions/org.freedesktop.udisks2.policy
  2. In the /etc/polkit-1/actions/org.freedesktop.udisks2.policy file, delete any actions that you do not need and add the following lines:

    <action id="org.freedesktop.udisks2.modify-device">
      <message>Authentication is required to modify the disks settings</message>
         <defaults>
            <allow_any>no</allow_any>
            <allow_inactive>no</allow_inactive>
            <allow_active>yes</allow_active>
          </defaults>
     </action>

    If you want to restrict access only to the root user, replace <allow_any>no</allow_any> with <allow_any>auth_admin</allow_any>.