Restrict Access to Applications
sometimes, applications are installed on the system, but not all users should not be able to start it.
uninstalling not always possible, because some users may use it, or it is part of a larger RPM and the other applications from the RPM should stay on the system.
different approaches:
TryExec
check, if the user is allowed, to execute the application:
[Desktop Entry] Comment=Ganttproject Exec=/opt/ganttproject/ganttproject.sh TryExec=/opt/ganttproject/ganttproject.sh
If the command that is specified by TryExec is not executable by the user, the Desktop-Entries is not displayed in the Start-Menu.
adding additional checks to the .desktop file
show only, if VMware image exists (and is readable):
vmware-winnt.desktop:
[Desktop Entry] Name=Windows NT GeneralName=VMware Exec=/usr/bin/sudo /usr/bin/sc_vmware.sh /local/vmware/vermka/Windows_NT.vmx TryExec[$e]=$(test -r /local/vmware/vermka/Windows_NT.vmx && echo "/usr/bin/vmplayer" || echo "/INVALID-PROGRAM")
Works with KDE3 and KDE4.
IMPORTANT: with KDE3 it is possible to use Hidden
(or NoDisplay
) for this purpose.
Due to a bug in KDE4 (tested up until KDE 4.4, see https://trac.dass-it.de/lvermgeo/ticket/62 and https://bugs.kde.org/show_bug.cgi?id=225255)
the following is only possible with KDE3 and NOT with KDE4:
vmware-winnt.desktop:
[Desktop Entry] Name=Windows NT GeneralName=VMware Exec=/usr/bin/sudo /usr/bin/sc_vmware.sh /local/vmware/vermka/Windows_NT.vmx Hidden[$e]=$(test -r /local/vmware/vermka/Windows_NT.vmx || echo "true")
permissions
Set application permissions to not executable by normal user and desktop files to be not readable.
Define this in a permissions file under /etc/permissions.d/
.
Filename must match a installed RPM name.
Execute
/sbin/conf.d/SuSEconfig.permissions
which sets permissions accordantly. After package installation by YaST, SuSEconfig is called and sets permissions. Therefore application is still unaccessible after a package update.
Example: /etc/permissions.d/k3b:
/usr/bin/k3b root.media 750 /usr/share/applications/kde4/k3b.desktop root.media 640
Another way to evaluate the permission definitions is the chkstat command.
- Check, what permissions will change
chkstat --system --warn
- change the permissions
chkstat --system --set
Restrict Access to Systemsettings
to disable a configuration item from systemsettings, restrict the read permissions on file share/kde4/services/settings-NAME, as described in the former section. This can also be done in a KDE-profile.
Get List of configuraton modules
kcmshell4 --list
Example: disable configuration module display
assume using the KDE-Profile /var/lib/kde-profiles/vermkv_kiosk/
Create config file /var/lib/kde-profiles/vermkv_kiosk/share/kde4/services/settings-display.desktop:
[Desktop Entry] TryExec=/bin/false
or if it should be depend on the environment:
[Desktop Entry] Hidden[$e]=$(if test -e /tmp/flagfile_example; then echo "false"; else echo "true"; fi)