Hi Thomas, this sounds really interesting! Did you do also mount /home non-executable? and did you disable krunner? I would love to see your configuration, that topic interests me for us too. :-) supressing ttys could work with systemd, too, i think that has some options there :)
Is there a git of your configuration somewhere after your talk? Yours, Dennis On 06.12.2016 21:35, Thomas Weissel wrote: > Hello mighty plasma developers! > > I just wanted to give you a short update on the status of the kiosk > framework in kde/plasma 5.8.4 and i'm hoping for a little feedback of > yours ;-) > > > With all of the following restrictions in place my users are still able > to see at least one context menu entry on every widget in the main panel. > > > Still showing context menus (or parts of it) are: > > - Menu for "Edit Applications" in the launcher called > "Anwendungsübersicht" and "Anwendungsmenü" (its working in > "Anwendungs-Starter") > > - device manager > > - date and time > > - networksettings > > - konsole (launcher icon ) > > > these are the current restrictions: > > ------------------------------------------------------ > > [KDE Action Restrictions][$i] > > action/switch_user=false > action/lock_screen=false > action/logout=false > action/kwin_rmb=false > > action/plasma/containment_actions=false > > action/run_command=false > action/options_show_toolbar=false > plasma/plasmashell/unlockedDesktop=false > plasma/allow_configure_when_locked=false > plasma-desktop/add_activities=false > unlockedDesktop=false > logout=false > movable_toolbars=false > run_command=false > start_new_session=false > > shell_access=false > ------------------------------------------------------ > > > I also found out that restricting the user from entering any other > folder than $home (kde url restricitons) is working very well for > typical kde applications. > > libreoffice (even when using the kde file open dialogs - libreoffice kde > integration ) still allows to enter any folder you like.. > > > i also kinda hacked my own secure environment where shell access is not > allowed by placing a .desktop file > in .local/share/kservices5/ServiceMenus/ that allows me to open a > terminal in the current folder ^^ > > dolphin shouldn't allow this.. right? > > _______________________ > > [Desktop Entry] > > Type=Service > > Icon=konsole > > Actions=openterminal > > X-KDE-Priority=TopLevel > > ServiceTypes=KonqPopupMenu/Plugin,inode/directory,inode/directory-locked > > > [Desktop Action openterminal] > > Exec=/usr/bin/konsole --workdir %U > > Icon=konsole > > Name=Open Terminal Here > > ______________________________ > > > > i even placed an xorg.conf file to supress opening ttys (works as > expected) but this little desktop file above did the job :-) > > __________________________ > > Section "ServerFlags" > > Option "DontVTSwitch" "true" > > EndSection > > __________________________ > > > > Should i make a bug report out of this ? > > Getting "dolphins" places panel locked too when other toolbars are > locked - is this a featurerequest or a bugreport? > > it is really hard to lockdown a system completely.. if i'm done with > it i'm definitely going to write an extensive howto and a little program :-) > > thank you very much in advance. > > thomas w. > > > PS: i am working on a plasma based "secure exam environment" (for > austrian schools) which i'm going to present at the "day of digital > education" at klagenfurt's university in 2 months. > > nothing special...just a few shellscripts with a small UI (most of it is > kdialog for now ) and a lot of preconfigured files - but it heavily > relies on the kiosk framework and a the live usb installation i'm > already using in my school.. > > i'm just working out the kinks.. it's almost ready to go.. > > wouldn't be possible without you.. so thx again! > > > > > > > > > > > On 25.05.2016 16:16, Mag. Weissel Thomas wrote: >> hello everybody.. >> >> first of all... wow! this list of fixes is awesome.. thank you! >> >> i have a question about this "hide toolbars" restriction.. >> >> >> as you can see in the following screenshot (testing with dolphin >> 16.04.0) >> >> http://test.xapient.net/STUFF/dolphin.jpg >> <http://test.xapient.net/STUFF/dolphin.jpg> >> >> i tried to restrict unocking the toolbar (look at the terminal) >> also visible in the screenshot is, that "lock toolbar positions" is >> not checked but the handle for moving >> the toolbars is hidden.. so it works! although the menu entry to >> unlock is still there... >> >> you can also see that "show toolbar" (rightclick on the toolbar) and >> "Main Toolbar" (rightclick on the menubar) is still visible so hiding >> the toolbar is possible... >> i'm a little bit confused because i read what kai wrote and it seems >> that on his installation only the entry in the menubar context menu >> is/was visible.. >> are we talking about the same thing here? just checking! >> >> >> i tested: >> action/manage activities=false >> >> and it properly hides all entries to configure activities.. "Meta+Q" >> doesnt open the activities configuration panel either... yay!! >> but "Meta+Tab" shows the activity switcher... holding down "Meta" and >> using the mouse on the activity switcher lets me open the configure >> dialog.. no configurations are stored so this is not a big problem.. >> >> best regards, >> thomas >> >> >> >> >> Am 2016-05-25 um 14:00 schrieb >> <mailto:enterprise-requ...@kde.org>enterprise-requ...@kde.org: >>> Send Enterprise mailing list submissions to >>> <mailto:enterpr...@kde.org>enterpr...@kde.org >>> >>> To subscribe or unsubscribe via the World Wide Web, visit >>> >>> <https://mail.kde.org/mailman/listinfo/enterprise>https://mail.kde.org/mailman/listinfo/enterprise >>> >>> or, via email, send a message with subject or body 'help' to >>> <mailto:enterprise-requ...@kde.org>enterprise-requ...@kde.org >>> >>> You can reach the person managing the list at >>> <mailto:enterprise-ow...@kde.org>enterprise-ow...@kde.org >>> >>> When replying, please edit your Subject line so it is more specific >>> than "Re: Contents of Enterprise digest..." >>> >>> >>> Today's Topics: >>> >>> 1. Re: status of kde/plasma kiosk framework in kf5 (Kai Uwe Broulik) >>> >>> >>> ---------------------------------------------------------------------- >>> >>> Message: 1 >>> Date: Wed, 25 May 2016 11:22:32 +0200 >>> From: Kai Uwe >>> Broulik<mailto:k...@privat.broulik.de><k...@privat.broulik.de> >>> To: Plasma<mailto:plasma-devel@kde.org><plasma-devel@kde.org>," >>> <mailto:enterpr...@kde.org>enterpr...@kde.org" >>> <mailto:enterpr...@kde.org><enterpr...@kde.org> >>> Subject: Re: status of kde/plasma kiosk framework in kf5 >>> Message-ID:<e1b5wtm-000269...@smtprelay03.ispgateway.de> >>> <mailto:e1b5wtm-000269...@smtprelay03.ispgateway.de> >>> Content-Type: text/plain; charset=utf-8 >>> >>> Hi Thomas, >>> >>> just wanted to give you a quick update. I have just merged the last >>> patch of our big kiosk fixes pile. >>> >>> The following fixes will land in the next Plasma and/or kde >>> frameworks release : >>> >>> * Leave option in desktop toolbox honors kiosk restriction >>> * KRunner will be completely disabled (eg won't start at all) when >>> restricted, so you can't bypass that by calling over DBus directly >>> * Typing on empty desktop will not try to call krunner if restricted >>> * krunner history will be disabled if lineedit_text_completion is >>> restricted >>> * Kickoff favorites cannot be rearranged/added/removed when >>> unlockedDesktop is restricted >>> * Kickoff applications cannot be edited or added as launcher to task >>> bar when unlockedDesktop is restricted, the "edit applications" >>> context menu will also be hidden then >>> * most applets now won't offer context menu entries about modules >>> restricted via kde control module restrictions. Clicking would >>> already not do anything as we already block launching them but we now >>> avoid a dead menu entry >>> * right-clicking menu bar can no longer bypass "hide toolbars" >>> restriction >>> >>> (Hope I didn't forget anything) >>> >>> As for the always-shown Activities entry, can you try whether >>> action/manage activities=false (note the space) works? I'm not sure >>> if we handle spaces there properly. >>> >>> David is also currently patching all of our applications so they use >>> the kiosk keys in the documentation (most erroneously used action/ >>> prefix for everything). >>> >>> If you have any further questions or problems, don't hesitate to ask, >>> we're happy to help you. >>> >>> Kai Uwe >>> >>> >>> >>> >>> ------------------------------ >>> >>> Subject: Digest Footer >>> >>> _______________________________________________ >>> Enterprise mailing list >>> <mailto:enterpr...@kde.org>enterpr...@kde.org >>> https://mail.kde.org/mailman/listinfo/enterprise >>> <https://mail.kde.org/mailman/listinfo/enterprise> >>> >>> >>> ------------------------------ >>> >>> End of Enterprise Digest, Vol 3, Issue 11 >>> ***************************************** >> >
