KDE System Administration/Kiosk/Keys: Difference between revisions
m (Minor fixes) |
|||
Line 1: | Line 1: | ||
This article contains a listing of known keys that can be used with Kiosk and what they do. How to actually use these keys and other capabilities of Kiosk such as URL restrictions, creating assigning profiles, etc. is covered in the [[../Introduction|Introduction to Kiosk]] article. | This article contains a listing of known keys that can be used with Kiosk and what they do. How to actually use these keys and other capabilities of Kiosk such as URL restrictions, creating assigning profiles, etc. is covered in the [[../Introduction|Introduction to Kiosk]] article. | ||
Which configuration file to put these entries in depends on whether you wish to make them global to all applications or specific to one application. To make the restrictions valid for all applications, put them in {{path|kdeglobals}}. To enable a restriction for | Which configuration file to put these entries in depends on whether you wish to make them global to all applications or specific to one application. To make the restrictions valid for all applications, put them in {{path|kdeglobals}}. To enable a restriction for specific applications place them in the application-specific configuration, e.g. {{path|konquerorrc}} for Konqueror. | ||
== Application Action Restrictions == | == Application Action Restrictions == | ||
Line 297: | Line 297: | ||
Locking down the entire config with [$i] will cause everything to be immutable. Locking a Containment group will render that one group of widgets to be immutable, and locking a widget itself will cause it to not be movable as well as otherwise locked. | Locking down the entire config with [$i] will cause everything to be immutable. Locking a Containment group will render that one group of widgets to be immutable, and locking a widget itself will cause it to not be movable as well as otherwise locked. | ||
In addition the following resource restrictions are available: | In addition, the following resource restrictions are available: | ||
;plasma/allow_configure_when_locked (since Plasma 4.4) | ;plasma/allow_configure_when_locked (since Plasma 4.4) | ||
Line 390: | Line 390: | ||
;print/dialog | ;print/dialog | ||
:Disables the complete print dialog. Selecting the print option will immediately print the selected document using default settings. Make sure that a system wide default printer has been selected. No application specific settings are honored when this restriction is activated. | :Disables the complete print dialog. Selecting the print option will immediately print the selected document using default settings. Make sure that a system-wide default printer has been selected. No application-specific settings are honored when this restriction is activated. | ||
;print/options | ;print/options | ||
Line 406: | Line 406: | ||
== Resource Restrictions == | == Resource Restrictions == | ||
KDE applications can take advantage of many types of resources such as configuration data, caches, plugin registries, etc. These are loaded from both system-wide as well as from per-user locations on disk. It is possible to restrict use of the per-user resources directories, preventing users from adding to or altering existing shared resources. | KDE applications can take advantage of many types of resources such as configuration data, caches, plugin registries, etc. These are loaded from both system-wide as well as from per-user locations on disk. It is possible to restrict the use of the per-user resources directories, preventing users from adding to or altering existing shared resources. | ||
This is accomplished by creating a section like this in a configuration file: | This is accomplished by creating a section like this in a configuration file: | ||
Line 462: | Line 462: | ||
;opengl_screensavers | ;opengl_screensavers | ||
: | :Defines whether OpenGL screensavers are allowed to be used. | ||
;manipulatescreen_screensavers | ;manipulatescreen_screensavers | ||
: | :Defines whether screensavers that manipulate an image of the screen (e.g. moving chunks of the screen around) are allowed to be used. | ||
=== Automatic Log-out === | === Automatic Log-out === | ||
Line 491: | Line 491: | ||
;editable_desktop_icons | ;editable_desktop_icons | ||
: | :Defines whether icons on the desktop can be moved around. In order to prevent adding, removing, or renaming icons, you should set the desktop folder read-only. ''(since Plasma 5.14)'' | ||
;lineedit_text_completion | ;lineedit_text_completion | ||
Line 500: | Line 500: | ||
;action/lock_screen | ;action/lock_screen | ||
:whether the user will be able to lock the screen. | :Defines whether the user will be able to lock the screen. | ||
;logout | ;logout | ||
:whether the user will be able to logout from the Plasma session. | :Defines whether the user will be able to logout from the Plasma session. | ||
;movable_toolbars | ;movable_toolbars | ||
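Review bot: in the logout entry the new column still reads "logout from the Plasma session"; "logout" is the noun, so the line should read "Defines whether the user will be able to log out of the Plasma session."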
Line 509: | Line 509: | ||
;run_command | ;run_command | ||
:whether the "Run Command" (Alt-F2) option is available. | :Defines whether the "Run Command" (Alt-F2) option is available. | ||
{{Note|To also disable desktop context menu run command '''action/run_command''' is required at [KDE Action Restrictions]}} | |||
;run_desktop_files | ;run_desktop_files | ||
: | :Defines whether users may execute desktop files that are not part of the default desktop, KDE menu, registered services and autostarting services. | ||
* The default desktop includes the files under {{path|$KDEDIR/share/kdesktop/Desktop}} but '''not''' the files under {{path|$HOME/Desktop}}. | * The default desktop includes the files under {{path|$KDEDIR/share/kdesktop/Desktop}} but '''not''' the files under {{path|$HOME/Desktop}}. | ||
* The KDE menu includes all files under {{path|$KDEDIR/share/applnk}} and {{path|$XDGDIR/applications}} | * The KDE menu includes all files under {{path|$KDEDIR/share/applnk}} and {{path|$XDGDIR/applications}} | ||
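Review bot: the {{Note}} line under run_command exists only in the old column and has no counterpart in the new one, so this revision deletes the instruction that '''action/run_command''' is also required under [KDE Action Restrictions] to disable the desktop context menu run command. That is a lockdown instruction removed under an edit summary of "Minor fixes"; restore the note, or explain in the summary why it no longer applies.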
Line 522: | Line 522: | ||
:Whether a shell suitable for entering random commands may be started. This also determines whether the "Run Command" option (Alt-F2) can be used to run shell-commands and arbitrary executables. Likewise, executables placed in the user's Autostart folder will no longer be executed. Applications can still be autostarted by placing <tt>.desktop</tt> files in the {{path|$KDEHOME/Autostart}} or {{path|$KDEDIR/share/autostart}} directory. See also <tt>run_desktop_files</tt>. | :Whether a shell suitable for entering random commands may be started. This also determines whether the "Run Command" option (Alt-F2) can be used to run shell-commands and arbitrary executables. Likewise, executables placed in the user's Autostart folder will no longer be executed. Applications can still be autostarted by placing <tt>.desktop</tt> files in the {{path|$KDEHOME/Autostart}} or {{path|$KDEDIR/share/autostart}} directory. See also <tt>run_desktop_files</tt>. | ||
:You probably also want to activate the following resource | :You probably also want to activate the following resource restrictions: | ||
*"appdata_kdesktop" - To restrict the default desktop. | *"appdata_kdesktop" - To restrict the default desktop. | ||
*"apps" - To restrict the KDE menu. | *"apps" - To restrict the KDE menu. | ||
Line 531: | Line 531: | ||
;skip_drm | ;skip_drm | ||
: | :Defines if the user may omit [https://en.wikipedia.org/wiki/Digital_rights_management DRM] checking. At the time of writing, this primarily applies to document formats with a DRM mechanism (e.g. PDF). | ||
;action/start_new_session | ;action/start_new_session | ||
: | :Defines whether the user may start a new session. | ||
;action/switch_user | ;action/switch_user | ||
: | :Defines whether user switching is allowed. | ||
== Telemetry == | == Telemetry == |
Revision as of 12:28, 9 November 2020
This article contains a listing of known keys that can be used with Kiosk and what they do. How to actually use these keys and other capabilities of Kiosk such as URL restrictions, creating and assigning profiles, etc. is covered in the Introduction to Kiosk article.
Which configuration file to put these entries in depends on whether you wish to make them global to all applications or specific to one application. To make the restrictions valid for all applications, put them in kdeglobals. To enable a restriction for specific applications, place them in the application-specific configuration, e.g. konquerorrc for Konqueror.
Application Action Restrictions
These keys disable actions that are commonly found in KDE applications. To use them, create a section in kdeglobals that looks like this:
[KDE Action Restrictions][$i]
action/<key>=false
Key | Menu | Action |
---|---|---|
action/file_new | File | New |
action/file_open | File | Open |
action/file_open_recent | File | Open Recent File |
action/file_save | File | Save |
action/file_save_as | File | Save As |
action/file_revert | File | Revert |
action/file_close | File | Close |
action/file_print | File | Print |
action/file_print_preview | File | Print Preview |
action/file_mail | File | Email File |
action/file_quit | File | Quit |
action/edit_undo | Edit | Undo |
action/edit_redo | Edit | Redo |
action/edit_cut | Edit | Cut |
action/edit_copy | Edit | Copy |
action/edit_paste | Edit | Paste |
action/edit_select_all | Edit | Select All |
action/edit_deselect | Edit | Deselect |
action/edit_find | Edit | Find |
action/edit_find_next | Edit | Find Next |
action/edit_find_last | Edit | Find last |
action/edit_replace | Edit | Replace |
action/view_actual_size | View | 100% Zoom |
action/view_fit_to_page | View | Fit To Page (zooming) |
action/view_fit_to_width | View | Fit To Width (zooming) |
action/view_fit_to_height | View | Fit To Height (zooming) |
action/view_zoom_in | View | Zoom In |
action/view_zoom_out | View | Zoom Out |
action/view_zoom | View | Zoom |
action/view_redisplay | View | Refresh |
action/go_up | Go | Up |
action/go_back | Go | Back |
action/go_forward | Go | Forward |
action/go_home | Go | Home |
action/go_previous | Go | Previous |
action/go_next | Go | Next |
action/go_goto | Go | Go To... |
action/go_goto_page | Go | Go To Page... |
action/go_goto_line | Go | Go To Line... |
action/go_first | Go | Go To Start |
action/go_last | Go | Go To End |
action/bookmarks | Bookmarks | Also disables action/bookmark_add and action/bookmark_edit |
action/bookmark_add | Bookmarks | Add Bookmark |
action/bookmark_edit | Bookmarks | Edit Bookmarks |
action/tools_spelling | Tools | Check Spelling |
action/options_show_menubar | Settings | Show/hide Menubar |
action/options_show_toolbar | Settings | Show/hide Toolbar, will also disable the "Toolbars" submenu if present |
action/options_show_statusbar | Settings | Show/hide statusbar |
action/options_save_Settings | Settings | Save Settings |
action/options_configure | Settings | Configure application |
action/options_configure_keybinding | Settings | Configure Shortcuts |
action/options_configure_toolbars | Settings | Configure Toolbars |
action/options_configure_notifications | Settings | Configure Notifications |
action/fullscreen | Settings | Enter full screen mode |
action/help | Help | Not yet fully implemented |
action/help_contents | Help | Application handbook |
action/help_whats_this | Help | Go into "what's this" mode |
action/help_report_bug | Help | Report a bug |
action/help_about_app | Help | Show about application dialog |
action/help_about_kde | Help | Show about KDE dialog |
KCalc
By marking the kcalcrc config file as immutable, the "Configure" button will not be shown.
File Manager
Key | Action |
---|---|
action/editfiletype | Edit associated applications |
action/properties | File properties |
action/openwith | Open file with action |
action/openintab | Open link in a new tab |
action/kdesktop_rmb | RMB menu, see note below |
action/iconview_preview | Show preview thumbnails in icons, though it leaves the actual setting untouched. To disable previews (as opposed to simply preventing the user from changing the setting) you also need to add the lines [Settings] and PreviewsEnabled[$i]=false to konqiconviewrc. |
action/sharefile | Disables file sharing from the UI, but you may also want to disable filesharing altogether. |
action/sendURL | Send Link Address |
action/sendPage | Send File |
action/devnew | Create New -> Device |
action/incIconSize | Increase icon size |
action/decIconSize | Decrease icon size |
action/go | Entire go menu |
action/configdesktop | Configure desktop in RMB menu, see also Control Module Restrictions |
action/executeshellcommand | In Konqueror Tools menu, see also shell_access |
action/show_dot | Disables the option to toggle showing hidden files; the actual setting remains unaffected. To disable showing hidden files, add the lines [Settings] and ShowDotFiles[$i]=false to konqiconviewrc. |
Konsole
These keys can appear in kdeglobals, konsolepartrc or konsolerc.
Key | Action |
---|---|
action/konsole_rmb | Context menus |
action/settings | Disable the entire settings menu |
action/show_menubar | Show/hide the menubar |
action/show_toolbar | Show/hide the toolbar |
action/scrollbar | Show/hide the scrollbar |
action/bell | Configure bell actions |
action/font | Configure font |
action/keyboard | Set keyboard type |
action/schema | Select the schema to use |
action/size | Set the terminal size |
action/history | Configure history |
action/save_default | Save settings as defaults |
action/save_sessions_profile | Save sessions profile |
action/send_signal | Send a signal to the current terminal |
action/bookmarks | Bookmarks menu |
action/add_bookmark | Add a bookmark |
action/edit_bookmarks | Edit bookmarks |
action/clear_terminal | Clear the current terminal |
action/reset_clear_terminal | Clear and reset the current terminal |
action/find_history | Find in history |
action/find_next | Find next item in history |
action/find_previous | Find previous item in history |
action/save_history | Save history to disk |
action/clear_history | Clear history of current terminal |
action/clear_all_histories | Clear histories of all terminals |
action/detach_session | Detach current tab |
action/rename_session | Rename current session |
action/zmodem_upload | ZModem uploading |
action/monitor_activity | Monitor current terminal for activity |
action/monitor_silence | Monitor current terminal for silence |
action/send_input_to_all_sessions | Replicate input to all sessions |
action/close_session | Close current terminal session |
action/new_session | Create a new terminal session |
action/activate_menu | Activate menubar |
action/list_sessions | Session list menu |
action/move_session_left | Shift tab to the left |
action/move_session_right | Shift tab to the right |
action/previous_session | Go to tab to the left |
action/next_session | Go to tab to the right |
action/switch_to_session_# | Go to tab numbered #, where # is a number between 1 and 12 inclusive. |
action/bigger_font | Increase font size |
action/smaller_font | Decrease font size |
action/toggle_bidi | Turn bidirectional text support on or off |
KWin
Key | Action |
---|---|
action/kwin_rmb | Context menus on window titlebar and frame |
Plasma
Locking down the entire config with [$i] will cause everything to be immutable. Locking a Containment group will render that one group of widgets to be immutable, and locking a widget itself will cause it to not be movable as well as otherwise locked.
In addition, the following resource restrictions are available:
- plasma/allow_configure_when_locked (since Plasma 4.4)
- Whether widgets and containments can be configured when immutable / locked. The default is true as a convenience to users.
- plasma/containment_actions (since KDE Frameworks 5.49)
- Whether or not to allow Plasma mouse actions on desktop and panels (most notably context menus, but also mouse wheel to switch virtual desktops, etc.)
- plasma/plasmashell/unlockedDesktop (since Plasma 5.0)
- Whether to allow widgets in Plasma to be unlocked; when false, the following restrictions apply:
- Widgets cannot be unlocked
- Favorites and applications in the application launchers cannot be added, removed, rearranged, or otherwise altered (since Plasma 5.7)
- Application launchers in the task manager cannot be added or removed (since Plasma 5.8)
- plasma-desktop/scripting_console (since Plasma 4.4)
- Whether the plasma desktop scripting console is accessible or not.
- plasma-desktop/add_activities (>= 4.7.1)
- Whether the user may add new activities or not
Other
Plasma offers to download new widgets, wallpapers, scripts, and other 3rd party add-ons from the KDE Store using the KNewStuff (aka "Get Hot New Stuff") framework. The buttons are typically labeled "Get New ..." with a "star" icon. If this feature is undesirable it can be disabled using the following key:
- ghns (since KDE Frameworks 5.27)
- Whether the Download Dialog of Get Hot New Stuff can be accessed
Authorizing .desktop Files
Application .desktop files can have an additional field X-KDE-AuthorizeAction.
If this field is present, the .desktop file is only considered valid if the action(s) mentioned in this field have been authorized. If multiple actions are listed they should be separated by commas (',').
If the .desktop file of an application lists one or more actions this way and the user has no authorization for even one of these actions then the application will not appear in the KDE menu, will not allow execution via that .desktop file and will not be used by KDE for opening files of associated mimetypes.
File Dialog
These keys disable actions that are found in the KDE file dialog. To use them, create a section in kdeglobals that looks like this:
[KDE Action Restrictions][$i]
action/<key>=false
Key | Action |
---|---|
action/home | Go to home directory |
action/up | Go to parent directory |
action/back | Go to previous directory |
action/forward | Go to next directory |
action/reload | Reload directory |
action/mkdir | Create new directory |
action/toggleSpeedbar | Show/hide sidebar |
action/sorting menu | Sorting options |
action/short view | Select short view |
action/detailed view | Select detailed view |
action/show hidden | Show/hide hidden files |
action/preview | Show/hide preview |
action/separate dirs | Show/hide separate directories |
Printing
There are several keys that restrict various aspects of the KDE print dialog and printing system. To use them, create a configuration section like this:
[KDE Resource Restrictions][$i]
print/<resource key>=false
Note how each of the printing keys starts with print in the configuration file.
- print/copies
- Disables the panel that allows users to make more than one copy.
- print/dialog
- Disables the complete print dialog. Selecting the print option will immediately print the selected document using default settings. Make sure that a system-wide default printer has been selected. No application-specific settings are honored when this restriction is activated.
- print/options
- Disables the button to select additional print options.
- print/properties
- Disables the button to change printer properties or to add a new printer.
- print/selection
- Disables the options that allow selecting a (pseudo) printer or changing any of the printer properties. Make sure that a proper default printer has been selected before disabling this option. Disabling this option also disables print/system, print/options and print/properties.
- print/system
- Disables the option to select the printing system backend, e.g. CUPS. It is recommended to disable this option once the correct printing system has been configured.
Resource Restrictions
KDE applications can take advantage of many types of resources such as configuration data, caches, plugin registries, etc. These are loaded from both system-wide and per-user locations on disk. It is possible to restrict the use of the per-user resource directories, preventing users from adding to or altering existing shared resources.
This is accomplished by creating a section like this in a configuration file:
[KDE Resource Restrictions][$i]
<resource key>=false
The following resources can be used as keys and controlled in this manner:
Key | Directory | Provides |
---|---|---|
all | n/a | All resources listed in this table |
autostart | share/autostart | Apps to start on login |
data | share/apps | Application data |
data_<appname> | share/apps | Application data for the application named <appname> |
html | share/doc/HTML | HTML files |
icon | share/icon | Icons |
config | share/config | Application configurations |
pixmap | share/pixmaps | Images |
xdgdata-apps | share/applications | Application .desktop files |
sound | share/sounds | Sound files |
locale | share/locale | Localization data |
services | share/services | Protocols, plugins, kparts, control panels, etc. registry |
servicetypes | share/servicetypes | Plugin definitions, referenced in services registry entries |
mime | share/mimelnk | Mimetype definitions |
wallpaper | share/wallpapers | Desktop wallpaper images |
templates | share/templates | Document templates |
exe | bin | Executable files |
lib | lib | Libraries |
Screensavers
In kdeglobals in the [KDE Action Restrictions] group:
- opengl_screensavers
- Defines whether OpenGL screensavers are allowed to be used.
- manipulatescreen_screensavers
- Defines whether screensavers that manipulate an image of the screen (e.g. moving chunks of the screen around) are allowed to be used.
Automatic Log-out
In kscreensaverrc:
[ScreenSaver]
AutoLogout=true
AutoLogoutTimeout=600
The timeout is the time in seconds that the user must be idle for before the logout process is automatically started. Be careful with this capability as it can lead to data loss if the user has unsaved files open.
Session Capability Restrictions
These keys apply to various capabilities associated with a desktop session and are not application specific. To use them, create a section in kdeglobals that looks like this:
[KDE Action Restrictions][$i]
<key>=false
- custom_config
- Whether the --config command line option should be honored. The --config command line option can be used to circumvent locked-down configuration files.
- editable_desktop_icons
- Defines whether icons on the desktop can be moved around. In order to prevent adding, removing, or renaming icons, you should set the desktop folder read-only. (since Plasma 5.14)
- lineedit_text_completion
- Defines whether input lines should have the potential to remember any previously entered data and make suggestions based on this when typing. When a single account is shared by multiple people you may wish to disable this out of privacy concerns.
- lineedit_reveal_password
- Defines whether password input fields may have a button that allows showing the password in plain text. (since KDE Frameworks 5.30 and/or Plasma 5.9)
- action/lock_screen
- Defines whether the user will be able to lock the screen.
- logout
- Defines whether the user will be able to log out of the Plasma session.
- movable_toolbars
- Defines whether toolbars may be moved around by the user. See also action/options_show_toolbar.
- run_command
- Defines whether the "Run Command" (Alt-F2) option is available.
- run_desktop_files
- Defines whether users may execute desktop files that are not part of the default desktop, KDE menu, registered services and autostarting services.
- The default desktop includes the files under $KDEDIR/share/kdesktop/Desktop but not the files under $HOME/Desktop.
- The KDE menu includes all files under $KDEDIR/share/applnk and $XDGDIR/applications.
- Registered services include all files under $KDEDIR/share/services.
- Autostarting services include all files under $KDEDIR/share/autostart but not the files under $KDEHOME/Autostart.
- shell_access
- Whether a shell suitable for entering random commands may be started. This also determines whether the "Run Command" option (Alt-F2) can be used to run shell-commands and arbitrary executables. Likewise, executables placed in the user's Autostart folder will no longer be executed. Applications can still be autostarted by placing .desktop files in the $KDEHOME/Autostart or $KDEDIR/share/autostart directory. See also run_desktop_files.
- You probably also want to activate the following resource restrictions:
- "appdata_kdesktop" - To restrict the default desktop.
- "apps" - To restrict the KDE menu.
- "xdgdata-apps" - To restrict the KDE menu.
- "services" - To restrict registered services.
- "autostart" - To restrict autostarting services.
- Otherwise users can still execute .desktop files by placing them in e.g. $KDEHOME/share/kdesktop/Desktop
- skip_drm
- Defines if the user may omit DRM checking. At the time of writing, this primarily applies to document formats with a DRM mechanism (e.g. PDF).
- action/start_new_session
- Defines whether the user may start a new session.
- action/switch_user
- Defines whether user switching is allowed.
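An added example (not part of the original wiki page and not KDE's own tooling): a small Python audit that parses a kdeglobals-style file and reports which of the command-execution keys above, and the companion resource restrictions listed under shell_access, are unset, not false, or false but not protected by [$i]. The function names and the sample configuration are constructed for illustration, and the parser covers only the group and key syntax shown on this page.

```python
import re

# Keys taken from the Session Capability Restrictions entries above.
ACTION_KEYS = ("shell_access", "run_command", "run_desktop_files", "custom_config")
RESOURCE_KEYS = ("appdata_kdesktop", "apps", "xdgdata-apps", "services", "autostart")
COVERED_BY_ALL = {"xdgdata-apps", "services", "autostart"}  # rows of the resource table
BRACKETS = re.compile(r"\[([^\]]*)\]")
ENTRY_RE = re.compile(r"^([^\[=]+?)\s*((?:\[[^\]]*\])*)\s*=\s*(.*)$")
MESSAGES = {
    "unset": "is not set, so the capability stays allowed",
    "enabled": "is not set to false",
    "unlocked": "is false but lacks [$i], so a per-user file can override it",
}

def _immutable(segments):
    """True if any [$...] option segment carries the immutable flag 'i'."""
    return any(s.startswith("$") and "i" in s for s in segments)

def parse_kconfig(text):
    """Return (groups, file_immutable); groups[name] = {"immutable", "entries"}."""
    groups, file_immutable, current = {}, False, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            segs = BRACKETS.findall(line)
            names = [s for s in segs if not s.startswith("$")]
            if names:
                current = groups.setdefault("/".join(names), {"immutable": False, "entries": {}})
                current["immutable"] |= _immutable(segs)
            else:  # a bare [$i] line locks the whole file
                file_immutable |= _immutable(segs)
        elif current is not None and not line.startswith("#"):
            m = ENTRY_RE.match(line)
            if m:
                name, opts, value = m.groups()
                current["entries"][name] = (value.strip(), _immutable(BRACKETS.findall(opts)))
    return groups, file_immutable

def _state(group, key, locked):
    """Classify one key as ok, unset, enabled or unlocked."""
    entry = group["entries"].get(key)
    if entry is None:
        return "unset"
    value, key_immutable = entry
    if value.lower() != "false":
        return "enabled"
    return "ok" if locked or key_immutable else "unlocked"

def audit_lockdown(text):
    """Return findings; an empty list means every checked key is false and locked."""
    groups, file_immutable = parse_kconfig(text)
    findings = []
    for gname, keys in (("KDE Action Restrictions", ACTION_KEYS),
                        ("KDE Resource Restrictions", RESOURCE_KEYS)):
        group = groups.get(gname, {"immutable": False, "entries": {}})
        locked = file_immutable or group["immutable"]
        for key in keys:
            state = _state(group, key, locked)
            if state == "unset" and key in COVERED_BY_ALL:
                state = _state(group, "all", locked)  # all=false implies table keys
            if state != "ok":
                findings.append(f"[{gname}] {key} {MESSAGES[state]}")
    return findings

# Constructed sample configuration, not taken from a real system.
SAMPLE = """\
[KDE Action Restrictions][$i]
shell_access=false
run_command=false
custom_config=true
[KDE Resource Restrictions]
all=false
apps[$i]=false
appdata_kdesktop=false
"""
```

Calling audit_lockdown(SAMPLE) flags the missing run_desktop_files key, the enabled custom_config, and every resource restriction that is false but sits in a group without [$i].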
Telemetry
Whilst telemetry is disabled by default, a user can choose to enable it inside applications.
To force it off globally, set the following in /etc/xdg/KDE/UserFeedback.conf:
[UserFeedback]
Enabled=false