[[PageOutline]]

= Restrict Access to Applications =

sometimes, applications are installed on the system,
but not all users should not be able to start it.

uninstalling not always possible,
because some users may use it, or it is part of a larger RPM and the other applications from the RPM should stay on the system.

different approaches:


== TryExec ==

check, if the user is allowed, to execute the application:

{{{
[Desktop Entry]
Comment=Ganttproject
Exec=/opt/ganttproject/ganttproject.sh
TryExec=/opt/ganttproject/ganttproject.sh
}}}

If the command that is specified by TryExec is not executable by the user,
the Desktop-Entries is not displayed in the Start-Menu.



== adding additional checks to the .desktop file ==

show only, if VMware image exists (and is readable):

vmware-winnt.desktop:
{{{
[Desktop Entry]
Name=Windows NT
GeneralName=VMware
Exec=/usr/bin/sudo /usr/bin/sc_vmware.sh /local/vmware/vermka/Windows_NT.vmx
TryExec[$e]=$(test -r /local/vmware/vermka/Windows_NT.vmx && echo "/usr/bin/vmplayer" || echo "/INVALID-PROGRAM")
}}}

Works with KDE3 and KDE4.



'''IMPORTANT:''' with KDE3 it is possible to use {{{Hidden}}} (or {{{NoDisplay}}}) for this purpose.
Due to a bug in KDE4 (tested up until KDE 4.4, see https://trac.dass-it.de/lvermgeo/ticket/62 and https://bugs.kde.org/show_bug.cgi?id=225255) 
the following is only possible with KDE3 and '''NOT''' with KDE4:

vmware-winnt.desktop:
{{{
[Desktop Entry]
Name=Windows NT
GeneralName=VMware
Exec=/usr/bin/sudo /usr/bin/sc_vmware.sh /local/vmware/vermka/Windows_NT.vmx
Hidden[$e]=$(test -r /local/vmware/vermka/Windows_NT.vmx || echo "true")
}}}







== permissions ==

Set application permissions to not executable by normal user and desktop files to be not readable.
Define this in a permissions file under {{{/etc/permissions.d/}}}.
Filename must match a installed RPM name.

Execute
{{{/sbin/conf.d/SuSEconfig.permissions}}}

which sets permissions accordantly.
After package installation by YaST, SuSEconfig is called
and sets permissions.
Therefore application is still unaccessible after a package update.

Example:
/etc/permissions.d/k3b:
{{{
/usr/bin/k3b                                    root.media      750
/usr/share/applications/kde4/k3b.desktop        root.media      640
}}}

Another way to evaluate the permission definitions is the chkstat command.

      * Check, what permissions will change
        * {{{chkstat --system --warn}}}
      * change the permissions
        * {{{chkstat --system --set}}}

== Restrict Access to Systemsettings ==

to disable a configuration item from systemsettings,
restrict the read permissions on file share/kde4/services/settings-NAME, as described in the former section.
This can also be done in a KDE-profile.

=== Get List of configuraton modules ===

{{{
kcmshell4 --list
}}}

=== Example: disable configuration module display ===

assume using the KDE-Profile /var/lib/kde-profiles/vermkv_kiosk/

Create config file ''/var/lib/kde-profiles/vermkv_kiosk/share/kde4/services/settings-display.desktop'':
{{{
[Desktop Entry]
TryExec=/bin/false
}}}

or if it should be depend on the environment:
{{{
[Desktop Entry]
Hidden[$e]=$(if test -e /tmp/flagfile_example; then echo "false"; else echo "true"; fi)
}}}