KDE System Administration/Kiosk/Keys

From KDE Wiki Sandbox

This article contains a listing of known keys that can be used with Kiosk and what they do. How to actually use these keys and other capabilities of Kiosk such as URL restrictions, creating assigning profiles, etc. is covered in the Introduction to Kiosk article.

Application Action Restrictions

KCalc

Konqueror and Desktop

Konsole

KWin

Panels

Using D-Bus To Find More Actions

Authorizing .desktop Files

File Dialog

Printing

Resource Restrictions

KDE applications can take advantage of many types of resources such as configuration data, caches, plugin registries, etc. These are loaded from both system-wide as well as from per-user locations on disk. It is possible to restrict use of the per-user resources directories, preventing users from adding to or altering existing shared resources.

This is accomplished by creating a section like this in a configuration file, most often kdeglobals so that it applies to all applications:

[KDE Resource Restrictions] <resource key>=false

The following resources can be used as keys and controlled in this manner:

Key Directory Provides
all n/a All resources listed in this table
autostart share/autostart Apps to start on login
data share/apps Application data
data_<appname> share/apps Application data for the application named <appname>
html share/doc/HTML HTML files
icon share/icon Icons
config share/config Application configurations
pixmap share/pixmaps Images
xdgdata-apps share/applications Application .desktop files
sound share/sounds Sound files
locale share/locale Localization data
services share/services Protocols, plugins, kparts, control panels, etc. registry
servicetypes share/servicetypes Plugin definitions, referenced in services registry entries
mime share/mimelnk Mimetype definitions
wallpaper share/wallpapers Desktop wallpaper images
templates share/templates Document templates
exe bin Executable files
lib lib Libraries

Screensavers

In kdeglobals in the [KDE Action Restrictions] group:

opengl_screensavers
defines whether OpenGL screensavers are allowed to be used.
manipulatescreen_screensavers
defines whether screensavers that manipulate an image of the screen (e.g. moving chunks of the screen around) are allowed to be used.

Automatic Log-out

In kscreensaverrc:

[ScreenSaver] AutoLogout=true AutoLogoutTimeout=600

The timeout is the time in seconds that the user must be idle for before the logout process is automatically started. Be careful with this capability as it can lead to data loss if the user has unsaved files open.

Session Capability Restrictions

These keys apply to various capabilities associated with a desktop session and are not application specific. To use them, create a section in kdeglobals that looks like this:

[KDE Action Restrictions] <key>=false

custom_config
Whether the --config command line option should be honored. The --config command line option can be used to circumvent locked-down configuration files.
editable_desktop_icons
define whether icons on the desktop can be moved, renamed, deleted or added. You might want to set the path for the desktop to some read-only directory as well instead of $HOME/Desktop.
lineedit_text_completion
Defines whether input lines should have the potential to remember any previously entered data and make suggestions based on this when typing. When a single account is shared by multiple people you may wish to disable this out of privacy concerns.
lock_screen
whether the user will be able to lock the screen.
logout
whether the user will be able to logout from KDE.
movable_toolbars
define whether toolbars may be moved around by the user. See also action/options_show_toolbar.
run_command
whether the "Run Command" (Alt-F2) option is available.
run_desktop_files
defines whether users may execute desktop files that are not part of the default desktop, KDE menu, registered services and autostarting services.
  • The default desktop includes the files under $KDEDIR/share/kdesktop/Desktop but not the files under $HOME/Desktop.
  • The KDE menu includes all files under $KDEDIR/share/applnk and $XDGDIR/applications
  • Registered services includes all files under $KDEDIR/share/services
  • Autostarting services include all files under $KDEDIR/share/autostart but not the files under $KDEHOME/Autostart
shell_access
Whether a shell suitable for entering random commands may be started. This also determines whether the "Run Command" option (Alt-F2) can be used to run shell-commands and arbitrary executables. Likewise, executables placed in the user's Autostart folder will no longer be executed. Applications can still be autostarted by placing .desktop files in the $KDEHOME/Autostart or $KDEDIR/share/autostart directory. See also run_desktop_files.
You probably also want to activate the following resource restictions:
  • "appdata_kdesktop" - To restrict the default desktop.
  • "apps" - To restrict the KDE menu.
  • "xdgdata-apps" - To restrict the KDE menu.
  • "services" - To restrict registered services.
  • "autostart" - To restrict autostarting services.
Otherwise users can still execute .desktop files by placing them in e.g. $KDEHOME/share/kdesktop/Desktop
skip_drm
defines if the user may omit DRM checking.
start_new_session
defines whether the user may start a second X session. See also the documentation on kdm configuration.
switch_user
defines whether user switching via kdm is allowed. See also the documentation on kdm configuration.