Hello mighty plasma developers!
I just wanted to give you a short update on the status of the kiosk
framework in kde/plasma 5.8.4 and i'm hoping for a little feedback of
yours ;-)
With all of the following restrictions in place my users are still able
to see at least one context menu entry on every widget in the main panel.
Still showing context menus (or parts of it) are:
- Menu for "Edit Applications" in the launcher called
"Anwendungsübersicht" and "Anwendungsmenü" (its working in
"Anwendungs-Starter")
- device manager
- date and time
- networksettings
- konsole (launcher icon )
these are the current restrictions:
------------------------------------------------------
[KDE Action Restrictions][$i]
action/switch_user=false
action/lock_screen=false
action/logout=false
action/kwin_rmb=false
action/plasma/containment_actions=false
action/run_command=false
action/options_show_toolbar=false
plasma/plasmashell/unlockedDesktop=false
plasma/allow_configure_when_locked=false
plasma-desktop/add_activities=false
unlockedDesktop=false
logout=false
movable_toolbars=false
run_command=false
start_new_session=false
shell_access=false
------------------------------------------------------
I also found out that restricting the user from entering any other
folder than $home (kde url restricitons) is working very well for
typical kde applications.
libreoffice (even when using the kde file open dialogs - libreoffice kde
integration ) still allows to enter any folder you like..
i also kinda hacked my own secure environment where shell access is not
allowed by placing a .desktop file
in .local/share/kservices5/ServiceMenus/ that allows me to open a
terminal in the current folder ^^
dolphin shouldn't allow this.. right?
_______________________
[Desktop Entry]
Type=Service
Icon=konsole
Actions=openterminal
X-KDE-Priority=TopLevel
ServiceTypes=KonqPopupMenu/Plugin,inode/directory,inode/directory-locked
[Desktop Action openterminal]
Exec=/usr/bin/konsole --workdir %U
Icon=konsole
Name=Open Terminal Here
______________________________
i even placed an xorg.conf file to supress opening ttys (works as
expected) but this little desktop file above did the job :-)
__________________________
Section "ServerFlags"
Option "DontVTSwitch" "true"
EndSection
__________________________
Should i make a bug report out of this ?
Getting "dolphins" places panel locked too when other toolbars are
locked - is this a featurerequest or a bugreport?
it is really hard to lockdown a system completely.. if i'm done with
it i'm definitely going to write an extensive howto and a little program :-)
thank you very much in advance.
thomas w.
PS: i am working on a plasma based "secure exam environment" (for
austrian schools) which i'm going to present at the "day of digital
education" at klagenfurt's university in 2 months.
nothing special...just a few shellscripts with a small UI (most of it is
kdialog for now ) and a lot of preconfigured files - but it heavily
relies on the kiosk framework and a the live usb installation i'm
already using in my school..
i'm just working out the kinks.. it's almost ready to go..
wouldn't be possible without you.. so thx again!
On 25.05.2016 16:16, Mag. Weissel Thomas wrote:
hello everybody..
first of all... wow! this list of fixes is awesome.. thank you!
i have a question about this "hide toolbars" restriction..
as you can see in the following screenshot (testing with dolphin
16.04.0)
http://test.xapient.net/STUFF/dolphin.jpg
<http://test.xapient.net/STUFF/dolphin.jpg>
i tried to restrict unocking the toolbar (look at the terminal)
also visible in the screenshot is, that "lock toolbar positions" is
not checked but the handle for moving
the toolbars is hidden.. so it works! although the menu entry to
unlock is still there...
you can also see that "show toolbar" (rightclick on the toolbar) and
"Main Toolbar" (rightclick on the menubar) is still visible so hiding
the toolbar is possible...
i'm a little bit confused because i read what kai wrote and it seems
that on his installation only the entry in the menubar context menu
is/was visible..
are we talking about the same thing here? just checking!
i tested:
action/manage activities=false
and it properly hides all entries to configure activities.. "Meta+Q"
doesnt open the activities configuration panel either... yay!!
but "Meta+Tab" shows the activity switcher... holding down "Meta" and
using the mouse on the activity switcher lets me open the configure
dialog.. no configurations are stored so this is not a big problem..
best regards,
thomas
Am 2016-05-25 um 14:00 schrieb enterprise-requ...@kde.org
<mailto:enterprise-requ...@kde.org>:
Send Enterprise mailing list submissions to
enterpr...@kde.org <mailto:enterpr...@kde.org>
To subscribe or unsubscribe via the World Wide Web, visit
https://mail.kde.org/mailman/listinfo/enterprise
<https://mail.kde.org/mailman/listinfo/enterprise>
or, via email, send a message with subject or body 'help' to
enterprise-requ...@kde.org <mailto:enterprise-requ...@kde.org>
You can reach the person managing the list at
enterprise-ow...@kde.org <mailto:enterprise-ow...@kde.org>
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Enterprise digest..."
Today's Topics:
1. Re: status of kde/plasma kiosk framework in kf5 (Kai Uwe Broulik)
----------------------------------------------------------------------
Message: 1
Date: Wed, 25 May 2016 11:22:32 +0200
From: Kai Uwe Broulik<k...@privat.broulik.de>
<mailto:k...@privat.broulik.de>
To: Plasma<plasma-devel@kde.org>
<mailto:plasma-devel@kde.org>,"enterpr...@kde.org"
<mailto:enterpr...@kde.org>
<enterpr...@kde.org> <mailto:enterpr...@kde.org>
Subject: Re: status of kde/plasma kiosk framework in kf5
Message-ID:<e1b5wtm-000269...@smtprelay03.ispgateway.de>
<mailto:e1b5wtm-000269...@smtprelay03.ispgateway.de>
Content-Type: text/plain; charset=utf-8
Hi Thomas,
just wanted to give you a quick update. I have just merged the last
patch of our big kiosk fixes pile.
The following fixes will land in the next Plasma and/or kde
frameworks release :
* Leave option in desktop toolbox honors kiosk restriction
* KRunner will be completely disabled (eg won't start at all) when
restricted, so you can't bypass that by calling over DBus directly
* Typing on empty desktop will not try to call krunner if restricted
* krunner history will be disabled if lineedit_text_completion is
restricted
* Kickoff favorites cannot be rearranged/added/removed when
unlockedDesktop is restricted
* Kickoff applications cannot be edited or added as launcher to task
bar when unlockedDesktop is restricted, the "edit applications"
context menu will also be hidden then
* most applets now won't offer context menu entries about modules
restricted via kde control module restrictions. Clicking would
already not do anything as we already block launching them but we now
avoid a dead menu entry
* right-clicking menu bar can no longer bypass "hide toolbars"
restriction
(Hope I didn't forget anything)
As for the always-shown Activities entry, can you try whether
action/manage activities=false (note the space) works? I'm not sure
if we handle spaces there properly.
David is also currently patching all of our applications so they use
the kiosk keys in the documentation (most erroneously used action/
prefix for everything).
If you have any further questions or problems, don't hesitate to ask,
we're happy to help you.
Kai Uwe
------------------------------
Subject: Digest Footer
_______________________________________________
Enterprise mailing list
enterpr...@kde.org <mailto:enterpr...@kde.org>
https://mail.kde.org/mailman/listinfo/enterprise
<https://mail.kde.org/mailman/listinfo/enterprise>
------------------------------
End of Enterprise Digest, Vol 3, Issue 11
*****************************************
