
Locking down GNOME in SUSE 11 based distributions

January 20th, 2010 by

Locking down the desktop may be an important functionality for you or it may be a major annoyance. This depends on your point of view and on which side of the administration fence you are. There are certainly many use cases where the restriction of desktop functionality is very important. One such use case may be the configuration of machines in a teaching environment.

For GNOME, Sabayon is a GUI tool that allows you to set up the desktop to your liking and store the configuration as a profile. Profiles can be deployed to any system allowing the machine to display the desired desktop based on who logs into the machine. Further you may also use Pessulus to lock down the GNOME desktop. Additional information may also be found in the GNOME Admin Guide.

In addition to the options mentioned above there is a command line tool, gconftool-2, that you may use to create customizations from the command line. The gconftool-2 tool creates entries in the configuration tree for gconfd, the GNOME configuration daemon. The GNOME configuration is stored in XML files named %gconf.xml in a directory structure where the directory names indicate the part of the desktop or the GNOME application to which the settings in the XML file apply. For example, options set in apps/nautilus/desktop/%gconf.xml determine the behavior of Nautilus when the desktop is drawn.

For users the configuration tree is stored in $HOME/.gconf allowing users to configure the desktop appearance and application behavior to their liking. For system wide configuration, configuration trees exist in /etc/gconf. Within the /etc/gconf directory structure the gconf.xml.mandatory directory tree represents the configuration tree that is used to lock down the system. Options specified in the /etc/gconf/gconf.xml.mandatory configuration tree cannot be altered by the user.

For example, if we want to keep icons for mounted volumes from being displayed on the desktop, and we do not want users to be able to re-enable them, the following command will do the trick:

gconftool-2 --direct --config-source \
 xml:readwrite:/etc/gconf/gconf.xml.mandatory \
 --type boolean --set /apps/nautilus/desktop/volumes_visible "false"

The path of the parameter to be set can be determined by using the gconf-editor tool. The gconf-editor is an editor/browser for the GNOME configuration tree and is very helpful when trying to find features to be manipulated within the GNOME configuration directory. Detailed information about the gconf-editor can be found here. Knowing the path for the option to be set and the location of the configuration tree that contains the locked down configuration (/etc/gconf/gconf.xml.mandatory) it is easy enough to create a script that can be executed when a machine is set up to configure the desktop appearance as desired.

If you are using KIWI to create system images, the gconftool-2 commands can easily be added to the config.sh script to configure the desktop behavior in the image. Creating a self-installing CD/DVD or USB stick with KIWI allows you to deploy your pre-configured desktop image whenever a new system needs to be commissioned.

As a final option for locking down GNOME there is the well trusted route of editing the configuration files. The important point when creating a GNOME configuration tree manually is that a %gconf.xml file needs to exist at every directory level. For our previous example you will need to create %gconf.xml files as shown in the directory tree layout below:

apps
   |__ %gconf.xml
   |
   |__ nautilus
              |__ %gconf.xml
              |
              |__ desktop
                       |__ %gconf.xml

The XML files at the apps and nautilus directory levels are empty but must exist. The %gconf.xml file at the desktop level contains the following entry:

<?xml version="1.0"?>
<gconf>
    <entry name="volumes_visible" mtime="1260052996" type="bool" value="false"/>
</gconf>

The XML is simple enough and self explanatory. Further, as you explore the configuration in the gconf-editor tool the types to be entered in the XML are fairly obvious. One caveat applies to entries of type string. Unlike the other types, where the value is an attribute of the entry element, a string value is placed in a <stringvalue> child element of the <entry> element. For example, if you wanted to disable the panel completely you would have the following entry

<?xml version="1.0"?>
<gconf>
    <entry name="panel" mtime="1263563592" type="string">
        <stringvalue></stringvalue>
    </entry>
</gconf>

in /etc/gconf/gconf.xml.mandatory/desktop/gnome/session/required_components/%gconf.xml
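The manual route described above (a %gconf.xml marker at every directory level, a value attribute for most types, a <stringvalue> child for strings) as a small POSIX shell helper that builds both entries from this post. This is an added example, not code from the original post: the function names ensure_path, set_entry, check_tree and build_lockdown_tree and the GCONF_MANDATORY override are mine, and values are assumed to contain no XML metacharacters.

```shell
#!/bin/sh
# Added example: write a mandatory gconf tree by hand, creating the empty
# %gconf.xml marker at every level and using <stringvalue> for string entries.
set -eu

# Root of the lock-down tree; the default is the system path from the post.
# Set GCONF_MANDATORY=/some/dir to build a tree as an unprivileged user.
GCONF_MANDATORY="${GCONF_MANDATORY:-/etc/gconf/gconf.xml.mandatory}"

# ensure_path /apps/nautilus/desktop: create each level with an empty %gconf.xml
ensure_path() {
    dir=$GCONF_MANDATORY
    old_ifs=$IFS; IFS=/
    for part in ${1#/}; do
        dir="$dir/$part"
        mkdir -p "$dir"
        [ -e "$dir/%gconf.xml" ] || : > "$dir/%gconf.xml"
    done
    IFS=$old_ifs
}

# set_entry KEY TYPE VALUE: append one <entry> to the key's %gconf.xml.
# Assumption: VALUE needs no XML escaping (none is done here).
set_entry() {
    key=$1; type=$2; value=$3
    ensure_path "${key%/*}"
    file="$GCONF_MANDATORY${key%/*}/%gconf.xml"; name=${key##*/}
    if [ -s "$file" ]; then
        grep -v '^</gconf>$' "$file" > "$file.tmp"   # keep entries already present
    else
        printf '<?xml version="1.0"?>\n<gconf>\n' > "$file.tmp"
    fi
    if [ "$type" = string ]; then   # strings use a child element, not an attribute
        printf '    <entry name="%s" mtime="%s" type="string">\n        <stringvalue>%s</stringvalue>\n    </entry>\n' \
            "$name" "$(date +%s)" "$value" >> "$file.tmp"
    else
        printf '    <entry name="%s" mtime="%s" type="%s" value="%s"/>\n' \
            "$name" "$(date +%s)" "$type" "$value" >> "$file.tmp"
    fi
    echo '</gconf>' >> "$file.tmp" && mv "$file.tmp" "$file"
}

# check_tree: print every subdirectory that lacks its %gconf.xml (no output = OK)
check_tree() {
    find "$GCONF_MANDATORY" -mindepth 1 -type d | while read -r d; do
        [ -e "$d/%gconf.xml" ] || echo "missing: $d/%gconf.xml"
    done
}

# The two lock-downs from the post, as one reusable build step
build_lockdown_tree() {
    set_entry /apps/nautilus/desktop/volumes_visible bool false
    set_entry /desktop/gnome/session/required_components/panel string ""
}

[ "${1:-}" = build ] && build_lockdown_tree && check_tree
```

Run it as `GCONF_MANDATORY=/tmp/lockdown sh lockdown.sh build` to inspect the generated tree before copying it into place or packaging it.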

The gconftool-2 command creates the tree in the location specified with the --config-source command line option, so you can switch between manual edits and using the tool very easily. Once you have your tree you can package it up as an RPM and also add it to your AutoYaST deployment if you are using this methodology.

With the available tools and/or by editing the configuration files directly, locking down the GNOME desktop is relatively straightforward. The tricky part is often finding the correct file or the correct button to push for the desired behavior. This is where gconf-editor is the very valuable browser you are looking for.

Happy Hacking.
