Maintaining the Status Quo

Allowing users to override system settings is not always desirable. To keep administration headaches to a minimum, many corporate IT departments define a standard system configuration, and lock down systems so users can't alter set policies. Traditional UNIX-style file permissions are one tool for locking down a Linux desktop, but support is still required from the applications to prevent users from affecting and using local configurations.

KDE provides support for policy-controlled configurations via the KDE kiosk framework, which debuted in KDE 3.0. Work on the kiosk framework was originally inspired by the requirements of public access terminals, where locking down the system is mandatory. While adapting KDE for kiosks, it was quickly realized that the very same framework was perfectly suited for managing systems in a corporate environment.

The KDE kiosk framework currently provides three types of restrictions. The first type of restriction is probably the most obvious: application settings cannot be changed. The second type of restriction changes the behavior of applications: you can prevent a user from using a specific feature in a specific application. And the final restriction prohibits users from changing the settings of an entire class of resources. For example, you can configure KDE so that no one can change any icon resource in any setting in any application.

Let's look at how to use each type of restriction to create and maintain your standard desktop.

Locking Down Application Settings

Using the KDE kiosk system, you can lock down individual settings, groups of settings, or entire applications. This is done by editing a system wide configuration file and marking settings as unchangeable (or immutable in KDE lingo).

KDE configuration files consist of groups of key=value pairs, where each group of configuration options starts with a title enclosed in square brackets, such as [This Is A Group Title]. The following example was taken directly from a KDE configuration file:

[FMSettings]
AlwaysNewWin=false
HomeURL=~
ShowFileTips=true

As the system administrator, you may not want users to alter some these settings. For example, to lock down the ShowFileTips setting, while allowing a user to modify other settings, simply to add [$i] after ShowFileTips:

[FMSettings]
AlwaysNewWin=false
HomeURL=~
ShowFileTips[$i]=true

The [$i] makes ShowFileTips immutable. To lock down the entire [FMSettings] group we would specify something similar after [FMSettings], like so:

[FMSettings][$i]
AlwaysNewWin=false
HomeURL=~
ShowFileTips=true

To lock down all of the settings in the file, you could preface the file with [$i] on a line by itself:

[$i]
[FMSettings]
AlwaysNewWin=false
HomeURL=~
ShowFileTips=true

In an office, many users will be sharing such locked-down configurations. However, some flexibility is required to reflect each user's particular environment. For example, each user has his or her own home directory. KDE provides for per-user customization by allowing environment variables and even shell commands to be used in configuration files.

For example, if the value of the CORPNEWS environment variable should be used as the Konqueror "Home" URL instead of "~", you could edit the HomeURL entry this way:

HomeURL[$e]=$CORPNEWS

Note the [$e] following the HomeURL key. This signifies that the setting contains a dynamic value. It can also be combined with the immutable flag to prevent the user from changing the setting.

As of 3.1, KDE allows not only environment variables, but shell commands to be used in place of literal values. To have the user's home URL defined by a program, the appropriate command can be placed directly in the configuration file:

HomeURL[$e]=$(/usr/bin/homeURL)

Note the use of parentheses. This denotes that the entry is a shell command rather than an environment variable. To lock this particular configuration down, we would write:

HomeURL[$ei]=$(/usr/bin/homeURL)

In our office configuration, we want to define and lock down several desktop settings, starting with the default panel configuration. To achieve this, we'll set up the panel exactly how we want it using Panel configuration in the KDE Control Center, and then edit and "lock" the configuration file.

Use your favorite text editor to open the Panel configuration file, which in this case is /opt/kde/share/config/kickerrc (since the name of the panel program in KDE is "kicker"). Add a [$i] to the very top of the file before any settings, and save it. Now all the desktops will have the same panel setting, and the users will not be able to change it. The people at the help desk will love you!

To control the various look and feel options available in KDE, including such things as icons, wallpaper, color schemes, and widget style, use the KDE Control Center to design your official corporate look and feel, and then edit the /opt/kde/share/config/kdeglobals file. You don't need to lock down the entire file, just control a few of the settings.

For example, to set the background wallpaper, open /opt/kde/share/config/kdesktorc and mark the Desktop0 group as immutable:

[Desktop0][$i]
BackgroundMode=VerticalGradient
Color1=30,114,160
Color2=192,192,192
MultiWallpaperMode=NoMulti
Wallpaper=default_blue.jpg
WallpaperMode=Scaled