<chapter id="lockdown-0">
<title>Disabling GNOME Desktop Features</title>
<para>This chapter describes how to disable particular features
of the GNOME Desktop.</para>
<sect1 id="lockdown-1">
<title>Introduction to Disabling GNOME Desktop Features</title>
<primary>disabling features</primary>
<secondary>introduction</secondary>
<primary>lockdown</primary>
<see>disabling features</see>
<para>The GNOME Desktop includes features that you can use
to restrict access to certain functions in the GNOME Desktop. The disable
features are useful in various situations where you want to restrict the actions
that users can perform on a computer. For example, you might want to prevent
command line operations on a computer that is for public use at a trade show.
The disable features are also known as <emphasis>lockdown</emphasis> features.</para>
<para>You set <application>GConf</application> keys to disable features. For
information about how to set <application>GConf</application> keys, see <xref linkend="gconf-0"/>. You can also use the <application>Configuration Editor</application> application to set <application>GConf</application> keys in
a user configuration source. For more information about the <application>Configuration Editor</application> application, see the <citetitle>GConf Editor
Manual</citetitle>.</para>
<sect1 id="lockdown-manual">
<title>Locking Down Settings Manually</title>
<sect2 id="lockdown-2">
<title>To Disable Lock Screen and Log Out</title>
<primary>disabling features</primary>
<secondary>lock screen</secondary>
<primary>disabling features</primary>
<para>To disable the lock screen and log out functions, set the <literal>/apps/panel/global/disable_lock_screen</literal> key and the <literal>/apps/panel/global/disable_log_out</literal> key to <literal>true</literal>.</para>
<para>When you disable
the lock screen and log out functions, the following items are removed from
<para><guimenuitem>Lock Screen</guimenuitem> and <guimenuitem>Log
Out <replaceable>user</replaceable></guimenuitem> menu items from the <guimenu>Main Menu</guimenu>.</para>
<para><guimenuitem>Lock</guimenuitem> and <guimenuitem>Log Out</guimenuitem>
menu items from the <menuchoice><guimenu>Add to Panel</guimenu><guimenuitem>Actions</guimenuitem></menuchoice> menu. To open this menu, right-click on
a vacant space on a panel, then choose <menuchoice><guimenu>Add to Panel</guimenu><guimenuitem>Actions</guimenuitem></menuchoice>.</para>
<para><guimenuitem>Lock Screen</guimenuitem> and <guimenuitem>Log
Out <replaceable>user</replaceable></guimenuitem> menu items from the <guimenu>Actions</guimenu> menu in the <application>Menu Bar</application> applet.</para>
<para>Also, any <guibutton>Lock Screen</guibutton> buttons and <guibutton>Log Out</guibutton> buttons on panels are disabled.</para>
<sect2 id="lockdown-12">
<title>To Disable Command Line Operations</title>
<primary>disabling features</primary>
<secondary>command line</secondary>
<para>To disable operations from a command line, set the <literal>/desktop/gnome/lockdown/disable_command_line</literal> key to <literal>true</literal>.</para>
<para>When you disable command line operations, the following
changes occur in the user interface:</para>
<para>The <guimenuitem>Run Application</guimenuitem> menu item is
removed from the following menus:</para>
<guimenu>Main Menu</guimenu>
<para><guimenu>Actions</guimenu> submenu in the <guimenu>Add to
Panel</guimenu> menu</para>
<para><guimenu>Actions</guimenu> menu in the <application>Menu Bar</application> applet</para>
<para>Any <guibutton>Run</guibutton> buttons on panels are disabled.</para>
<para>To disable command line operations, you must also remove menu items
that start terminal applications. For example, you might want to remove menu
items that contain the following commands from the menus:</para>
<para><application>GNOME Terminal</application> command, that is <command>/usr/bin/gnome-terminal</command></para>
<command>/usr/bin/xterm</command>
<command>/usr/bin/setterm</command>
<para>The items are removed from the following menus:</para>
<guimenu>Main Menu</guimenu>
<guimenu>Add to Panel</guimenu>
<guimenuitem>Launcher from menu</guimenuitem>
<para>To disable command line operations, you must also disable the <application>Command Line</application> applet. To disable the <application>Command Line</application> applet, add the applet to the <literal>/apps/panel/global/disabled_applets</literal> key. When you disable the <application>Command Line</application>
applet, the <application>Command Line</application> applet is removed from
the <guimenu>Main Menu</guimenu> and the <menuchoice><guimenu>Add to Panel</guimenu><guimenuitem>Utility</guimenuitem></menuchoice> menu. </para>
<sect2 id="lockdown-11">
<title>To Disable Panel Configuration</title>
<primary>disabling features</primary>
<secondary>panel configuration</secondary>
<para>To disable panel configuration, set the <literal>/apps/panel/global/locked_down</literal> key to <literal>true</literal>.</para>
<para>When you disable
panel configuration, the following changes occur in the user interface:</para>
<para>The following items are removed from the panel popup menu,
and from the drawer popup menu:</para>
<guimenuitem>Add to Panel</guimenuitem>
<guimenuitem>Delete This Panel</guimenuitem>
<guimenuitem>Properties</guimenuitem>
<guimenuitem>New Panel</guimenuitem>
<para>The launcher popup menu is disabled.</para>
<para>The following items are removed from the applet popup menu:</para>
<guimenuitem>Remove From Panel</guimenuitem>
<guimenuitem>Lock</guimenuitem>
<guimenuitem>Move</guimenuitem>
<para>The <guimenu>Main Menu</guimenu> popup menu is disabled. </para>
<para>The launcher drag feature is disabled, so that users cannot
drag launchers to, or from, panels.</para>
<para>The panel drag feature is disabled, so that users cannot drag
panels to new locations.</para>
<sect1 id="lockdown">
<title>Lockdown Editor</title>
<para>As of GNOME 2.14, a graphical lockdown editor called
<application>Pessulus</application> has been included to ease the task of
disabling desktop settings.</para>
<sect2 id="lockdown-start">
<title>Getting Started</title>
<para>To run the lockdown editor:</para>
<para>Click the <menuchoice>
<guimenu>Desktop</guimenu>
<guisubmenu>Administration</guisubmenu>
<guimenuitem>Lockdown Editor</guimenuitem>
<para>Run the <command>pessulus</command> command in a terminal
<para>You will see a window with several different tabs. Each of the tabs
represents a different category of desktop settings that can be disabled.
In the next section, we will discuss each category and provide a brief
description for each setting that can be disabled.</para>
<sect2 id="lockdown-disabling">
<title>Disabling Features</title>
<para>To disable a setting, make sure the checkbox next to the setting's
description is checked. Most settings take effect immediately;
however, some settings require that the application be restarted in
order to take effect.</para>
<para>When <application>pessulus</application> starts, it will try to get
a connection to the GConf mandatory configuration source. The address for
this configuration source is
<literal>xml:merged:<replaceable>$prefix</replaceable>/etc/gconf/gconf.xml.mandatory</literal>.
If the user that is running <application>pessulus</application> has access
to this configuration source, then a lock icon will be displayed next to
the checkbox for each setting. Clicking the lock will toggle whether or
not the setting is mandatory. If the setting is mandatory, then regular
users will not be able to change or override the setting. If the user
running <application>pessulus</application> does not have access to the mandatory configuration
source, then the lock icon will not appear. In this case, all disabled
settings will simply be stored in the user's default configuration source
and can be modified later using other tools such as
<application>gconf-editor</application> or
<application>gconftool-2</application>. For more information on GConf and
mandatory configuration sources, see <xref linkend="gconf-26" />.</para>
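<para>Because a lockdown setting stored only in a user configuration source can be changed back by that user, it is worth checking that the boolean keys from the manual lockdown sections are set in the mandatory source itself. The following script is an added example, not part of the GNOME documentation; it assumes an empty <replaceable>$prefix</replaceable>, and the <literal>MANDATORY_SOURCE</literal> and <literal>GCONFTOOL</literal> variables and the function names are this example's own.</para>

```shell
#!/bin/sh
# Added example: audit that the lockdown keys from this chapter are enforced
# in the GConf mandatory source, not only in a user-writable source.

# Assumption: $prefix is empty, so the mandatory source lives under /etc.
MANDATORY_SOURCE="${MANDATORY_SOURCE:-xml:readonly:/etc/gconf/gconf.xml.mandatory}"
# Overridable so the check can be exercised without GConf installed.
GCONFTOOL="${GCONFTOOL:-gconftool-2}"

# Boolean lockdown keys named in this chapter.
LOCKDOWN_KEYS="/apps/panel/global/disable_lock_screen
/apps/panel/global/disable_log_out
/desktop/gnome/lockdown/disable_command_line
/apps/panel/global/locked_down"

# Print the value stored for key $1 in the mandatory source only.
# --direct bypasses gconfd, so user and default sources are not consulted.
mandatory_value() {
    "$GCONFTOOL" --direct --config-source "$MANDATORY_SOURCE" --get "$1" 2>/dev/null
}

# Print one "ENFORCED key" or "MISSING key" line per key.
# Returns 0 only if every key is true in the mandatory source.
audit_lockdown() {
    status=0
    for key in $LOCKDOWN_KEYS; do
        if [ "$(mandatory_value "$key")" = "true" ]; then
            echo "ENFORCED $key"
        else
            echo "MISSING $key"
            status=1
        fi
    done
    return "$status"
}

# Run the audit only when asked to, for example: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_lockdown
fi
```

<para>The list-valued <literal>/apps/panel/global/disabled_applets</literal> key is not covered by this check and has to be reviewed separately.</para>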
<para>The following subsections will give a brief description of the
settings that can be disabled for each category.</para>
<para>Depending on the applications you have installed, you may see
fewer categories than those described in this section.</para>
<sect3 id="lockdown-disabling-general">
<title>General</title>
<term>Disable command line</term>
<para>Prevent the user from accessing the terminal or specifying a
command line to be executed. For example, this would disable
access to the panel's "Run Application" dialog.</para>
<term>Disable printing</term>
<para>Prevent the user from printing. For example, this would
disable access to all applications' "Print" dialogs.</para>
<term>Disable print setup</term>
<para>Prevent the user from modifying print settings. For example,
this would disable access to all applications' "Print Setup"
<term>Disable save to disk</term>
<para> Prevent the user from saving files to disk. For example,
this would disable access to all applications' "Save as"
<sect3 id="lockdown-disabling-panel">
<term>Lock down the panels</term>
<para>If true, the panel will not allow any changes to the
configuration of the panel. However, individual applets may need to be
locked down separately. The panel must be restarted for
this to take effect.</para>
<term>Disable force quit</term>
<para>If true, the panel will not allow a user to force an
application to quit by removing access to the force quit
<term>Disable lock screen</term>
<para>If true, the panel will not allow a user to lock their
screen, by removing access to the lock screen menu entries.</para>
<term>Disable log out</term>
<para>If true, the panel will not allow a user to log out, by
removing access to the log out menu entries.</para>
<sect3 id="lockdown-disabling-browser">
<title>Epiphany Web Browser</title>
<term>Disable quit</term>
<para>User is not allowed to close Epiphany.</para>
<term>Disable arbitrary URL</term>
<para>Disable the user's ability to type in a URL to
<term>Disable bookmark editing</term>
<para>Disable the user's ability to add or edit bookmarks.</para>
<term>Disable history</term>
<para>Disable all historical information by disabling back and
forward navigation, not allowing the history dialog and hiding the
most used bookmarks list.</para>
<term>Disable javascript chrome</term>
<para>Disable JavaScript's control over window chrome.</para>
<term>Disable toolbar editing</term>
<para>Disable the user's ability to edit toolbars.</para>
<term>Force fullscreen mode</term>
<para>Locks Epiphany in fullscreen mode.</para>
<term>Hide menubar</term>
<para>Hide the menubar by default. The menubar can still be
accessed using F10.</para>
<term>Disable unsafe protocols</term>
<para>Disables loading of content from unsafe protocols. Safe
protocols are http and https.</para>
<sect3 id="lockdown-disabling-screensaver">
<title>GNOME Screensaver</title>
<term>Lock on activation</term>
<para>Set this to TRUE to lock the screen when the screensaver
<term>Allow logout</term>
<para>Set this to TRUE to offer an option in the unlock dialog to
log out after a delay. The delay is specified in the
"logout_delay" key.</para>
<term>Allow user switching</term>
<para>Set this to TRUE to offer an option in the unlock dialog to
switch to a different user account.</para>