Disabling GNOME Desktop Features
This chapter describes how to disable particular features
of the GNOME Desktop.
Introduction to Disabling GNOME Desktop Features
disabling features
introduction
lockdown
disabling features
The GNOME Desktop includes features that you can use
to restrict access to certain functions in the GNOME Desktop. The disable
features are useful in various situations where you want to restrict the actions
that users can perform on a computer. For example, you might want to prevent
command line operations on a computer that is for public use at a trade show.
The disable features are also known as lockdown features.
You set GConf keys to disable features. For
information about how to set GConf keys, see . You can also use the Configuration Editor application to set GConf keys in
a user configuration source. For more information about the Configuration Editor application, see the GConf Editor
Manual.
Locking Down Setting Manually
To Disable Lock Screen and Log Out
disabling features
lock screen
disabling features
log
out
To disable the lock screen and log out functions, set the /apps/panel/global/disable_lock_screen key and the /apps/panel/global/disable_log_out key to true.
When you disable
the lock screen and log out functions, the following items are removed from
the panels:
Lock Screen and Log
Out user menu items from the Main Menu.
Lock and Log Out
menu items from the Add to PanelActions menu. To open this menu, right-click on
a vacant space on a panel, then choose Add to PanelActions.
Lock Screen and Log
Out user menu items from the Actions menu in the Menu Bar applet.
Also, any Lock Screen buttons and Log Out buttons on panels are disabled.
To Disable Command Line Operations
disabling features
command line
To disable operations from a command line, set the /desktop/gnome/lockdown/disable_command_line key to true.
When you disable command line operations, the following
changes occur in the user interface:
The Run Application menu item is
removed from the following menus:
Main Menu
Actions submenu in the Add to
Panel menu
Actions menu in the Menu Bar applet
Any Run buttons on panels are disabled.
To disable command line operations, you must also remove menu items
that start terminal applications. For example, you might want to remove menu
items that contain the following commands from the menus:
GNOME Terminal command, that is /usr/bin/gnome-terminal
/usr/bin/xterm
/usr/bin/setterm
The items are removed from the following menus:
Main Menu
Add to Panel
Launcher from menu
To disable command line operations, you must also disable the Command Line applet. To disable the Command Line applet, add the applet to the /apps/panel/global/disabled_applets key. When you disable the Command Line
applet, the Command Line applet is removed from
the Main Menu and the Add to PanelUtility menu.
To Disable Panel Configuration
disabling features
panel configuration
To disable panel configuration, set the /apps/panel/global/locked_down key to true.
When you disable
panel configuration, the following changes occur in the user interface:
The following items are removed from the panel popup menu,
and from the drawer popup menu:
Add to Panel
Delete This Panel
Properties
New Panel
The launcher popup menu is disabled.
The following items are removed from the applet popup menu:
Remove From Panel
Lock
Move
The Main Menu popup menu is disabled.
The launcher drag feature is disabled, so that users cannot
drag launchers to, or from, panels.
The panel drag feature is disabled, so that users cannot drag
panels to new locations.
Lockdown Editor
As of GNOME 2.14, a graphical lockdown editor called
Pessulus has been included to ease the task of
disabling desktop settings.
Getting Started
To run the lockdown editor:
Click the
Desktop
Administration
Lockdown Editor
Run the pessulus command in a terminal
window.
You will see a window with several different tabs. Each of the tabs
represents a different category of desktop settings that can be disabled.
In the next section, we will discuss each category and provide a brief
description for each setting that can be disabled.
Disabling Features
To disable a setting, make sure the checkbox next to the setting's
description is checked. Most settings will take effect immediately,
however some settings will require that the application be restarted in
order to take effect.
When pessulus starts, it will try to get
a connection to the GConf mandatory configuration source. This address for
this configuration source is
xml:merged:$prefix/etc/gconf/gconf.xml.mandatory.
If the user that is running pessulus has access
to this configuration source, then a lock icon will be displayed next to
the checkbox for each setting. Clicking the lock will toggle whether or
not the setting is mandatory. If the setting is mandatory, then regular
users will not be able to change or override the setting. If the user
running pessulus does not have access to the mandatory configuration
source, then the lock icon will not appear. In this case, all disabled
settings will simply be stored in the user's default configuration source
and can be modified later using other tools such as
gconf-editor or
gconftool-2. For more information on GConf and
mandatory configuration sources, see .
The following subsections will give a brief description of the
settings that can be disabled for each category.
Depending on the applications you have installed, you may see
fewer categories than those described in this section.
General
Disable command line
Prevent the user from accessing the terminal or specifying a
command line to be executed. For example, this would disable
access to the panel's "Run Application" dialog.
Disable printing
Prevent the user from printing. For example, this would
disable access to all applications' "Print" dialogs.
Disable print setup
Prevent the user from modifying print settings. For example,
this would disable access to all applications' "Print Setup"
dialogs.
Disable save to disk
Prevent the user from saving files to disk. For example,
this would disable access to all applications' "Save as"
dialogs.
Panel
Lock down the panels
If true, the panel will not allow any changes to the
configuration of the panel. Individual applets may need to be
locked down separately however. The panel must be restarted for
this to take effect.
Disable force quit
If true, the panel will not allow a user to force an
application to quit by removing access to the force quit
button.
Disable lock screen
If true, the panel will not allow a user to lock their
screen, by removing access to the lock screen menu entries.
Disable log out
If true, the panel will not allow a user to log out, by
removing access to the log out menu entries.
Epiphany Web Browser
Disable quit
User is not allowed to close Epiphany.
Disable arbitrary URL
Disable the user's ability to type in a URL to
Epiphany.
Disable bookmark editing
Disable the user's ability to add or edit bookmarks.
Disable history
Disable all historical information by disabling back and
forward navigation, not allowing the history dialog and hiding the
most used bookmarks list.
Disable javascript chrome
Disable JavaScript's control over window chrome.
Disable toolbar editing
Disable the user's ability to edit toolbars.
Force fullscreen mode
Locks Epiphany in fullscreen mode.
Hide menubar
Hide the menubar by default. The menubar can still be
accessed using F10.
Disable unsafe protocols
Disables loading of content from unsafe protocols. Safe
protocols are http and https.
GNOME Screensaver
Lock on activation
Set this to TRUE to lock the screen when the screensaver
goes active.
Allow logout
Set this to TRUE to offer an option in unlock dialog to
logging out after a delay. The Delay is specified in the
"logout_delay" key.
Allow user switching
Set this to TRUE to offer an option in the unlock dialog to
switch to a different user account.