File: lockdown-command-line.page

gnome-user-docs 49.1-1
<page xmlns="http://projectmallard.org/1.0/"
      xmlns:its="http://www.w3.org/2005/11/its"
      type="topic" style="task"
      id="lockdown-command-line">

  <info>
    <link type="guide" xref="software#management" />
    <link type="guide" xref="user-settings#lockdown"/>
    <revision pkgversion="3.30" date="2019-02-08" status="review"/>

    <credit type="author copyright">
      <name>Petr Kovar</name>
      <email>pknbe@volny.cz</email>
      <years>2014</years>
    </credit>
    <credit type="author copyright">
      <name>Ekaterina Gerasimova</name>
      <email>kittykat3756@gmail.com</email>
      <years>2014</years>
    </credit>
    <credit type="author copyright">
      <name>Jana Svarova</name>
      <email>jana.svarova@gmail.com</email>
      <years>2015</years>
    </credit>

    <include href="legal.xml" xmlns="http://www.w3.org/2001/XInclude"/>

    <desc>Prevent users from accessing the command line.</desc>
  </info>

  <title>Disable command-line access</title>

  <p>To disable command-line access for your desktop user, you need to make
  configuration changes in a number of different contexts. Bear in mind that the
  following steps do not remove the desktop user's permissions to access a
  command line, but rather remove the ways that the desktop user could access
  the command line.</p>

  <list>
    <item>
      <p>Set the <code>org.gnome.desktop.lockdown.disable-command-line</code>
      GSettings key, which prevents the user from accessing the terminal or
      specifying a command line to be executed (the <keyseq><key>Alt</key>
      <key>F2</key></keyseq> command prompt).</p>
    </item>
    <item>
      <p>Prevent users from accessing the <keyseq><key>Alt</key><key>F2</key>
      </keyseq> command prompt.</p>
    </item>
    <item>
      <p>Disable switching to virtual terminals (VTs) with the <keyseq>
      <key>Ctrl</key><key>Alt</key><key><var>function key</var></key></keyseq>
      shortcuts by modifying the X server configuration.</p>
    </item>
    <item>
      <p>Remove <app>Terminal</app> and all other terminal applications from
      the <gui>Activities</gui> overview in GNOME Shell. You will also need to
      prevent the user from installing a new terminal application.</p>
      <comment>
        <cite>Petr Kovar</cite>
        <p>We have yet to cover removing a menu item in this guide. We don’t
        want system admins having to modify .desktop files as those could be
        overwritten on system update.</p>
      </comment>
    </item>
  </list>

<section id="command-prompt">
  <title>Disable the command prompt</title>

  <steps>
    <include href="dconf-snippets.xml"
      xpointer="xpointer(/*/*[@xml:id='dconf-profile-user'])"
      xmlns="http://www.w3.org/2001/XInclude"/>
    <item>
      <p>Create a <sys>local</sys> database for machine-wide settings in
      <file>/etc/dconf/db/local.d/00-lockdown</file>:</p>
      <code># Specify the dconf path
[org/gnome/desktop/lockdown]

# Disable the command prompt
disable-command-line=true</code>
    </item>
    <item>
      <p>Override the user’s setting and prevent the user from changing it in
      <file>/etc/dconf/db/local.d/locks/lockdown</file>:</p>
      <code># List the keys used to configure lockdown
/org/gnome/desktop/lockdown/disable-command-line</code>
    </item>
    <include href="dconf-snippets.xml"
      xpointer="xpointer(/*/*[@xml:id='dconf-update'])"
      xmlns="http://www.w3.org/2001/XInclude"/>
    <include href="dconf-snippets.xml"
      xpointer="xpointer(/*/*[@xml:id='dconf-logoutin'])"
      xmlns="http://www.w3.org/2001/XInclude"/>
  </steps>
</section>

<section id="virtual-terminal">
  <title>Disable dropping to a virtual terminal</title>

  <p>Users can normally use the
  <keyseq><key>Ctrl</key><key>Alt</key><key><var>function
  key</var></key></keyseq> shortcuts (for example,
  <keyseq><key>Ctrl</key><key>Alt</key><key>F2</key></keyseq>) to switch from
  the GNOME desktop to a virtual terminal.</p>

  <p>If the computer is running the <em>X Window System</em>, you can disable
  access to all virtual terminals by adding a <code>DontVTSwitch</code> option
  to the <code>Serverflags</code> section in an X configuration file in the
  <file>/etc/X11/xorg.conf.d/</file> directory.</p>

  <steps>
    <item>
      <p>Create or edit an X configuration file in
      <file>/etc/X11/xorg.conf.d/</file>. For example,
      <file>/etc/X11/xorg.conf.d/10-xorg.conf</file>:</p>
    <listing>
    <title><file>/etc/X11/xorg.conf.d/10-xorg.conf</file></title>
<code>Section "Serverflags"

Option "DontVTSwitch" "yes"

EndSection
</code>
    </listing>
    </item>
    <item>
      <p>Restart the X server for the changes to take effect.</p>
    </item>
  </steps>

</section>

<!-- TODO: add section for removing applications from the Activities overview. -->
</page>
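
The dconf lockdown key, its lock, and the `DontVTSwitch` X server option described above can be checked after deployment. The script below is an added example, not part of gnome-user-docs; the function names and the constructed sample tree are assumptions made for illustration. Each check reports whether some file carries the setting and does not model precedence between several files.

```shell
#!/bin/sh
# Added example: audit the lockdown files this page creates, under a root directory.

# A keyfile in local.d sets disable-command-line=true in the lockdown group.
check_dconf_setting() {
    for f in "$1"/etc/dconf/db/local.d/*; do
        [ -f "$f" ] || continue
        awk '{ gsub(/[ \t]/, "") }
             /^\[/ { grp = $0; next }
             grp == "[org/gnome/desktop/lockdown]" && $0 == "disable-command-line=true" { ok = 1 }
             END { exit !ok }' "$f" && return 0
    done
    return 1
}

# A file in locks/ lists the key, so the user cannot override the system value.
check_dconf_lock() {
    for f in "$1"/etc/dconf/db/local.d/locks/*; do
        [ -f "$f" ] && grep -qxF /org/gnome/desktop/lockdown/disable-command-line "$f" && return 0
    done
    return 1
}

# A *.conf file enables DontVTSwitch in a ServerFlags section (case-insensitive match).
check_vt_switch_disabled() {
    for f in "$1"/etc/X11/xorg.conf.d/*.conf; do
        [ -f "$f" ] || continue
        awk '{ sub(/#.*/, ""); line = tolower($0); gsub(/"/, " ", line); n = split(line, w, " ") }
             w[1] == "section" { insec = (w[2] == "serverflags"); next }
             w[1] == "endsection" { insec = 0; next }
             insec && w[1] == "option" && w[2] == "dontvtswitch" && (n < 3 || w[3] ~ /^(yes|on|true|1)$/) { ok = 1 }
             END { exit !ok }' "$f" && return 0
    done
    return 1
}

# Constructed sample tree that mirrors the files shown on this page.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc/dconf/db/local.d/locks" "$d/etc/X11/xorg.conf.d"
    printf '[org/gnome/desktop/lockdown]\ndisable-command-line=true\n' > "$d/etc/dconf/db/local.d/00-lockdown"
    printf '/org/gnome/desktop/lockdown/disable-command-line\n' > "$d/etc/dconf/db/local.d/locks/lockdown"
    printf 'Section "Serverflags"\nOption "DontVTSwitch" "yes"\nEndSection\n' > "$d/etc/X11/xorg.conf.d/10-xorg.conf"
    echo "$d"
}

sample=$(make_sample)
for c in check_dconf_setting check_dconf_lock check_vt_switch_disabled; do
    if "$c" "${1:-$sample}"; then echo "PASS $c"; else echo "FAIL $c"; fi
done
rm -rf "$sample"
```

On a real machine, pass `/` as the first argument. The dconf checks read the keyfiles only, so they do not show whether `dconf update` has been run since the files were last edited.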