This chapter describes how to disable particular features of the GNOME Desktop. disabling features introduction lockdown disabling features The GNOME Desktop includes features that you can use to restrict access to certain functions in the GNOME Desktop. The disable features are useful in various situations where you want to restrict the actions that users can perform on a computer. For example, you might want to prevent command line operations on a computer that is for public use at a trade show. The disable features are also known as lockdown features. You set GConf keys to disable features. For information about how to set GConf keys, see . You can also use the Configuration Editor application to set GConf keys in a user configuration source. For more information about the Configuration Editor application, see the GConf Editor Manual. disabling features lock screen disabling features log out To disable the lock screen and log out functions, set the /apps/panel/global/disable_lock_screen key and the /apps/panel/global/disable_log_out key to true. When you disable the lock screen and log out functions, the following items are removed from the panels: Lock Screen and Log Out user menu items from the Main Menu. Lock and Log Out menu items from the Add to PanelActions menu. To open this menu, right-click on a vacant space on a panel, then choose Add to PanelActions. Lock Screen and Log Out user menu items from the Actions menu in the Menu Bar applet. Also, any Lock Screen buttons and Log Out buttons on panels are disabled. disabling features command line To disable operations from a command line, set the /desktop/gnome/lockdown/disable_command_line key to true. When you disable command line operations, the following changes occur in the user interface: The Run Application menu item is removed from the following menus: Main Menu Actions submenu in the Add to Panel menu Actions menu in the Menu Bar applet Any Run buttons on panels are disabled. To disable command line operations, you must also remove menu items that start terminal applications. For example, you might want to remove menu items that contain the following commands from the menus: GNOME Terminal command, that is /usr/bin/gnome-terminal /usr/bin/xterm /usr/bin/setterm The items are removed from the following menus: Main Menu Add to Panel Launcher from menu To disable command line operations, you must also disable the Command Line applet. To disable the Command Line applet, add the applet to the /apps/panel/global/disabled_applets key. When you disable the Command Line applet, the Command Line applet is removed from the Main Menu and the Add to PanelUtility menu. disabling features panel configuration To disable panel configuration, set the /apps/panel/global/locked_down key to true. When you disable panel configuration, the following changes occur in the user interface: The following items are removed from the panel popup menu, and from the drawer popup menu: Add to Panel Delete This Panel Properties New Panel The launcher popup menu is disabled. The following items are removed from the applet popup menu: Remove From Panel Lock Move The Main Menu popup menu is disabled. The launcher drag feature is disabled, so that users cannot drag launchers to, or from, panels. The panel drag feature is disabled, so that users cannot drag panels to new locations. As of GNOME 2.14, a graphical lockdown editor called Pessulus has been included to ease the task of disabling desktop settings. To run the lockdown editor: Click the System Administration Lockdown Editor Run the pessulus command in a terminal window. You will see a window with several different tabs. Each of the tabs represents a different category of desktop settings that can be disabled. In the next section, we will discuss each category and provide a brief description for each setting that can be disabled. To disable a setting, make sure the checkbox next to the setting's description is checked. Most settings will take effect immediately, however some settings will require that the application be restarted in order to take effect. When pessulus starts, it will try to get a connection to the GConf mandatory configuration source. This address for this configuration source is xml:merged:$prefix/etc/gconf/gconf.xml.mandatory. If the user that is running pessulus has access to this configuration source, then a lock icon will be displayed next to the checkbox for each setting. Clicking the lock will toggle whether or not the setting is mandatory. If the setting is mandatory, then regular users will not be able to change or override the setting. If the user running pessulus does not have access to the mandatory configuration source, then the lock icon will not appear. In this case, all disabled settings will simply be stored in the user's default configuration source and can be modified later using other tools such as gconf-editor or gconftool-2. For more information on GConf and mandatory configuration sources, see . The following subsections will give a brief description of the settings that can be disabled for each category. Depending on the applications you have installed, you may see fewer categories than those described in this section. Disable command line Prevent the user from accessing the terminal or specifying a command line to be executed. For example, this would disable access to the panel's "Run Application" dialog. Disable printing Prevent the user from printing. For example, this would disable access to all applications' "Print" dialogs. Disable print setup Prevent the user from modifying print settings. For example, this would disable access to all applications' "Print Setup" dialogs. Disable save to disk Prevent the user from saving files to disk. For example, this would disable access to all applications' "Save as" dialogs. Lock down the panels If true, the panel will not allow any changes to the configuration of the panel. Individual applets may need to be locked down separately however. The panel must be restarted for this to take effect. Disable force quit If true, the panel will not allow a user to force an application to quit by removing access to the force quit button. Disable lock screen If true, the panel will not allow a user to lock their screen, by removing access to the lock screen menu entries. Disable log out If true, the panel will not allow a user to log out, by removing access to the log out menu entries. Disable quit User is not allowed to close Epiphany. Disable arbitrary URL Disable the user's ability to type in a URL to Epiphany. Disable bookmark editing Disable the user's ability to add or edit bookmarks. Disable history Disable all historical information by disabling back and forward navigation, not allowing the history dialog and hiding the most used bookmarks list. Disable javascript chrome Disable JavaScript's control over window chrome. Disable toolbar editing Disable the user's ability to edit toolbars. Force fullscreen mode Locks Epiphany in fullscreen mode. Hide menubar Hide the menubar by default. The menubar can still be accessed using F10. Disable unsafe protocols Disables loading of content from unsafe protocols. Safe protocols are http and https. Lock on activation Set this to TRUE to lock the screen when the screensaver goes active. Allow log out Set this to TRUE to offer an option in unlock dialog to logging out after a delay. The Delay is specified in the "logout_delay" key. Allow user switching Set this to TRUE to offer an option in the unlock dialog to switch to a different user account.