wiki:kde/ApplicationAccessRestrictions

  1. Restrict Access to Applications
    1. TryExec
    2. adding additional checks to the .desktop file
    3. permissions
    4. Restrict Access to Systemsettings
      1. Get List of configuraton modules
      2. Example: disable configuration module display

Restrict Access to Applications

sometimes, applications are installed on the system, but not all users should not be able to start it.

uninstalling not always possible, because some users may use it, or it is part of a larger RPM and the other applications from the RPM should stay on the system.

different approaches:

TryExec

check, if the user is allowed, to execute the application: 

[Desktop Entry]
Comment=Ganttproject
Exec=/opt/ganttproject/ganttproject.sh
TryExec=/opt/ganttproject/ganttproject.sh

If the command that is specified by TryExec is not executable by the user, the Desktop-Entries is not displayed in the Start-Menu.

adding additional checks to the .desktop file

show only, if VMware image exists (and is readable):

vmware-winnt.desktop: 

[Desktop Entry]
Name=Windows NT
GeneralName=VMware
Exec=/usr/bin/sudo /usr/bin/sc_vmware.sh /local/vmware/vermka/Windows_NT.vmx
TryExec[$e]=$(test -r /local/vmware/vermka/Windows_NT.vmx && echo "/usr/bin/vmplayer" || echo "/INVALID-PROGRAM")

Works with KDE3 and KDE4.

IMPORTANT: with KDE3 it is possible to use Hidden (or NoDisplay) for this purpose. Due to a bug in KDE4 (tested up until KDE 4.4, see https://trac.dass-it.de/lvermgeo/ticket/62 and https://bugs.kde.org/show_bug.cgi?id=225255) the following is only possible with KDE3 and NOT with KDE4:

vmware-winnt.desktop: 

[Desktop Entry]
Name=Windows NT
GeneralName=VMware
Exec=/usr/bin/sudo /usr/bin/sc_vmware.sh /local/vmware/vermka/Windows_NT.vmx
Hidden[$e]=$(test -r /local/vmware/vermka/Windows_NT.vmx || echo "true")

permissions

Set application permissions to not executable by normal user and desktop files to be not readable. Define this in a permissions file under /etc/permissions.d/. Filename must match a installed RPM name.

Execute /sbin/conf.d/SuSEconfig.permissions

which sets permissions accordantly. After package installation by YaST, SuSEconfig is called and sets permissions. Therefore application is still unaccessible after a package update.

Example: /etc/permissions.d/k3b: 

/usr/bin/k3b                                    root.media      750
/usr/share/applications/kde4/k3b.desktop        root.media      640

Another way to evaluate the permission definitions is the chkstat command.

  • Check, what permissions will change
    • chkstat --system --warn
  • change the permissions
    • chkstat --system --set

Restrict Access to Systemsettings

to disable a configuration item from systemsettings, restrict the read permissions on file share/kde4/services/settings-NAME, as described in the former section. This can also be done in a KDE-profile.

Get List of configuraton modules

kcmshell4 --list

Example: disable configuration module display

assume using the KDE-Profile /var/lib/kde-profiles/vermkv_kiosk/

Create config file /var/lib/kde-profiles/vermkv_kiosk/share/kde4/services/settings-display.desktop: 

[Desktop Entry]
TryExec=/bin/false

or if it should be depend on the environment: 

[Desktop Entry]
Hidden[$e]=$(if test -e /tmp/flagfile_example; then echo "false"; else echo "true"; fi)
Last modified 12 years ago Last modified on Jul 5, 2012, 10:09:37 AM
Note: See TracWiki for help on using the wiki.