Restrict Access to Applications

sometimes, applications are installed on the system, but not all users should not be able to start it.

uninstalling not always possible, because some users may use it, or it is part of a larger RPM and the other applications from the RPM should stay on the system.

different approaches:

TryExec

check, if the user is allowed, to execute the application:

[Desktop Entry]
Comment=Ganttproject
Exec=/opt/ganttproject/ganttproject.sh
TryExec=/opt/ganttproject/ganttproject.sh

If the command that is specified by TryExec is not executable by the user, the Desktop-Entries is not displayed in the Start-Menu.

hide application by modifying the .desktop file

show only, if VMware image exists (and is readable):

vmware-winnt.desktop:

[Desktop Entry]
Comment=VMware mit Windows NT starten
Exec=/usr/bin/sudo /usr/bin/sc_vmware.sh /local/vmware/vermka/Windows_NT.vmx
Hidden[$e]=$(test -r /local/vmware/vermka/Windows_NT.vmx || echo "true")

permissions

Set application permissions to not executable by normal user and desktop files to be not readable. Define this in a permissions file under /etc/permissions.d/. Filename must match a installed RPM name.

Execute /sbin/conf.d/SuSEconfig.permissions

which sets permissions accordanly. After package installation by YaST, SuSEconfig is called and sets permissions. Therefore application is still unaccessable after a package update.

Example: /etc/permissions.d/k3b:

/usr/bin/k3b                                    root.media      750
/usr/share/applications/kde4/k3b.desktop        root.media      640