#1 2015-06-30 06:15:26

JacobLLavoie
Member
Registered: 2015-06-30
Posts: 2

Guest user account lockdown

I am trying to set up a guest user account using GNOME 3 as the DWM. What I would like to do is only allow certain programs (chrome, calc, libreoffice etc...) to be run/accessible and other programs (terminal, settings etc...) to be hidden/unusable by the "guest" account. As a secondary, I have read how to lock down chrome so the user may not change settings, but that is on a system-wide basis; if there would be a way to remap the dir that chrome is looking for to a dir in the user's home folder (with correct perms to keep it from being modified/deleted of course) that would work.

#2 2015-06-30 12:18:03

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092

Re: Guest user account lockdown

Locked down from whom? How will the computer be used?

In my opinion, it's easier to start with a "bare" X session and only add the functionality you want to allow the user to have than it is to remove functionality from a fully functioning GNOME desktop, but I don't have much experience with these things.

#3 2015-07-02 15:29:31

JacobLLavoie
Member
Registered: 2015-06-30
Posts: 2

Re: Guest user account lockdown

The reason behind using GNOME is for familiarity to M$ (ease of access for end user). Locked down from people who are disabled and have a habit of breaking things (changing system settings, deleting files etc...). They click around and type randomly (sometimes not) thinking they are fixing the computer or doing something good.

#4 2015-09-25 11:34:57

cribbageSTARSHIP
Member
Registered: 2015-07-31
Posts: 21

Re: Guest user account lockdown

Did you ever find what you needed to do? I'm looking to do the same.

#5 2015-09-25 11:40:26

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,550

Re: Guest user account lockdown

I don't think there can be any solutions here until there is a clearly defined problem.  A user account (without a wheel or other sudo entry) can't modify anything except their own configurations.  If you don't want them to be able to even edit their own configs, then just remove write permissions from the necessary files in their ~/.config.

You could try removing write permissions from all of ~/.config, but this might cause some issues if programs try to store cache-like or history data.  In theory this is the wrong place for that sort of information, but some programs put it there anyways.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

#6 2015-09-25 14:13:19

TheChickenMan
Member
From: United States
Registered: 2015-07-25
Posts: 354

Re: Guest user account lockdown

Trilby wrote:

I don't think there can be any solutions here until there is a clearly defined problem.  A user account (without a wheel or other sudo entry) can't modify anything except their own configurations.  If you don't want them to be able to even edit their own configs, then just remove write permissions from the necessary files in their ~/.config.

An account without wheel is already pretty locked down. What about just writing a script to back up/restore ~/.config and ~/.local that you could run if something gets messed up in there or once a week or something? If it's just a guest account then deleting everything from their home would just reload defaults when they log in and a restore wouldn't really be necessary. You really have to try pretty hard to mess up a system without root permissions. What more do you need locked down?


If quantum mechanics hasn't profoundly shocked you, you haven't understood it yet.
Niels Bohr

#7 2015-09-25 14:16:28

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,550

Re: Guest user account lockdown

TheChickenMan wrote:

What about just writing a script to back up/restore ~/.config and ~/.local that you could run if something gets messed up in there or once a week or something? If it's just a guest account then deleting everything from their home would just reload defaults when they log in and a restore wouldn't really be necessary.

These ideas could be combined pretty well: set up the configs the way you want, back them up, then set up a script to run on every logout (or login) that just deletes all the configs and restores your saved set.  This way they can do whatever they want, and even if they mess something up they don't need you to explicitly run some script to fix it: they just log out and back in again (something anyone familiar with Windows would find a perfectly normal step).

"Have you tried turning it off and on again"


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman
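A sketch of the reset-on-logout idea from the post above, as an added example that is not part of the original thread: it replaces ~/.config and ~/.local with a saved copy and refuses paths that should never be wiped. The function name, the template location and the way it is hooked into login or logout are assumptions.

```shell
#!/bin/sh
# Added example: reset a guest home directory from a saved template.
# reset_guest_home and both path arguments are hypothetical names.

# reset_guest_home TEMPLATE HOME
# Replaces HOME/.config and HOME/.local with the copies saved in TEMPLATE.
reset_guest_home() {
    template=$1
    home=$2

    # Refuse dangerous or missing arguments before deleting anything.
    case "$home" in
        ''|/|/root|/home) echo "refusing to reset '$home'" >&2; return 2 ;;
    esac
    [ -d "$template" ] || { echo "template '$template' not found" >&2; return 3; }
    [ -d "$home" ] && [ ! -L "$home" ] || { echo "'$home' is not a real directory" >&2; return 4; }

    for name in .config .local; do
        target=$home/$name
        # No trailing slash: if the guest replaced the directory with a
        # symlink, rm removes the link itself and never the link's target.
        rm -rf -- "$target"
        if [ -d "$template/$name" ]; then
            # -a keeps modes and timestamps (and ownership when run as root)
            # and copies symlinks as links instead of following them.
            cp -a -- "$template/$name" "$target"
        fi
    done
}

# When called with two arguments, act on them; otherwise only define the function.
if [ "$#" -eq 2 ]; then reset_guest_home "$1" "$2"; fi
```

Keep the template in a directory the guest account cannot write to or traverse, otherwise the saved set can be changed just like the live one.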

#8 2015-09-25 14:24:18

Chazza
Wiki Maintainer
Registered: 2013-06-02
Posts: 506

Re: Guest user account lockdown

There are in fact some lockdown settings under org.gnome.desktop.lockdown, one of which should in theory disable the command line. I have no way of testing these though, I'm just looking at the gnome-desktop-schemas. As for hiding other applications, you could always install alacarte which can hide applications by creating xdg menu files in ~/.config/menus. As long as you hide alacarte itself, I'm sure your users won't know any better.
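The org.gnome.desktop.lockdown settings mentioned above, written as a system dconf keyfile with a matching lock file, plus a check that reports keys that were set but not locked (added example, not from the original post). The function names, the file name 00-guest-lockdown and the choice of disable-user-switching as a second key are assumptions; the db directory is expected to be one listed in the dconf profile, such as /etc/dconf/db/local.d.

```shell
#!/bin/sh
# Added example: dconf keyfile and locks for org.gnome.desktop.lockdown.
# write_lockdown, unlocked_keys and the file names are hypothetical.

# write_lockdown DBDIR: write the keyfile and a matching lock file.
write_lockdown() {
    dbdir=$1
    mkdir -p "$dbdir/locks"
    cat > "$dbdir/00-guest-lockdown" <<'EOF'
[org/gnome/desktop/lockdown]
disable-command-line=true
disable-user-switching=true
EOF
    # A value without a lock is only a default that the user can override.
    cat > "$dbdir/locks/00-guest-lockdown" <<'EOF'
/org/gnome/desktop/lockdown/disable-command-line
/org/gnome/desktop/lockdown/disable-user-switching
EOF
}

# unlocked_keys DBDIR: print each key set in DBDIR's keyfiles that has no
# entry under DBDIR/locks, one dconf path per line.
unlocked_keys() {
    dbdir=$1
    for f in "$dbdir"/*; do
        [ -f "$f" ] || continue          # skips the locks/ directory
        awk '
            /^\[.*\]$/      { dir = substr($0, 2, length($0) - 2); next }
            /^[ \t]*(#|$)/  { next }     # comments and blank lines
            index($0, "=")  { split($0, kv, "="); sub(/[ \t]+$/, "", kv[1])
                              print "/" dir "/" kv[1] }
        ' "$f"
    done | while IFS= read -r key; do
        grep -qxF -- "$key" "$dbdir"/locks/* 2>/dev/null || printf '%s\n' "$key"
    done
}
```

After writing the files, run `dconf update` as root so the database is rebuilt; the settings take effect for users whose dconf profile includes that database.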
