libki_on_gnome

Create Users

Set up user 'public' with auto-login. Set up user 'nimda' with sudo privileges.

Set up Gnome

Remove Applications

  • Run the following:
    sudo apt-get --purge remove tomboy f-spot xsane ekiga evolution pidgin rhythmbox tracker deskbar-applet vinagre transmission-common transmission-gtk serpentine gthumb python-bittorrent bittorrent gnome-btdownload

Change Power Button Behavior

  • From the System Menu, select Preferences→Power Management OR execute 'gnome-power-preferences' from a Terminal window.
  • Click the 'General' tab and change 'When the power button is pressed:' from 'Ask me' to 'Shutdown'.

Remove Menus

  • Add the programs you wish to allow users to run to the desktop.
  • Remove the Gnome menus from the menu bar.
  • Remove the “Show Desktop” button
  • Use the workspace switcher to set the number of workspaces to 1
    • Remove the workspace switcher

Using GConf to secure Gnome

Lockdown

Set these keys as MANDATORY for the lockdown to be effective; a key that is only set as a default can be overridden by the user's own settings.

  • /apps/panel/global: locked_down
  • /apps/panel/global: menu_key: Set to 'disabled'
  • /apps/metacity/global_keybindings: Go here to disable/set keybindings (such as removing the default ALT+F2 = run dialogue so students cannot arbitrarily run any program on the system)
  • /apps/gnome_settings_daemon/screensaver: start_screensaver
  • /desktop/gnome/background: picture_filename /home/share/backgrounds/picture.jpg
  • /desktop/gnome/lockdown: disable_lock_screen
  • /desktop/gnome/lockdown: disable_user_switching

Niceties

Use these gconf keys to clean up the user interface and provide some nice features for multi-user sessions

  • /apps/panel/global/disabled_applets: A list of applets to disable. This was relevant when removing the fast-user-switch and deskbar applets: Gnome complained at every user's login that it couldn't load the applet, because the applets are loaded by default even when their packages are removed.
  • /apps/panel/toplevels/*/background: Will be good for setting panel translucency/color for administrator accounts
  • /desktop/gnome/interface/enable_animations: Enables/disables animations in various parts of Gnome, which can be sluggish in LTSP environments
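One way to set the Lockdown keys above, plus the disabled_applets key, as mandatory from a script instead of clicking through the configuration editor. This is an added example, not part of the original page; the mandatory database path, the panel_run_dialog key name, the DRY_RUN switch and the boolean values are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): write the lockdown keys into
# GConf's mandatory source so per-user settings cannot override them.

# Assumption: Debian/Ubuntu location of the system-wide mandatory database.
MANDATORY_SRC="xml:readwrite:/etc/gconf/gconf.xml.mandatory"

# Safe default: print the commands. Run as root with DRY_RUN=0 to apply them.
DRY_RUN=${DRY_RUN:-1}

# set_mandatory TYPE KEY VALUE [extra gconftool-2 options, e.g. --list-type]
set_mandatory() {
    ktype=$1 key=$2 value=$3
    shift 3
    set -- gconftool-2 --direct --config-source "$MANDATORY_SRC" \
        --type "$ktype" "$@" --set "$key" "$value"
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_lockdown() {
    # Panel cannot be rearranged or extended by the user.
    set_mandatory bool /apps/panel/global/locked_down true
    # Unbind ALT+F2 (assumed key name for the run dialog binding).
    set_mandatory string /apps/metacity/global_keybindings/panel_run_dialog disabled
    # Values assumed to be 'true': the page lists these keys without values.
    set_mandatory bool /desktop/gnome/lockdown/disable_lock_screen true
    set_mandatory bool /desktop/gnome/lockdown/disable_user_switching true
    # Fixed wallpaper, path as given on the page.
    set_mandatory string /desktop/gnome/background/picture_filename \
        /home/share/backgrounds/picture.jpg
    # Stop the panel trying to load the removed fast-user-switch applet.
    set_mandatory list /apps/panel/global/disabled_applets \
        '[OAFIID:GNOME_FastUserSwitchApplet]' --list-type string
}

apply_lockdown
```

After applying, log in as the 'public' user and read a key back with gconftool-2 --get to confirm the mandatory value is the one in effect.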

Lock Down Menu

  • Create menu-lockdown.sh

menu-lockdown.sh:

#!/bin/sh
#
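# Locks down default non-needed xdg menu entries for non-root users.
# With mode 640 on these root-owned files, other users can no longer read
# the entries, so they do not appear in the menus.

# Stop if the directory is missing, so chmod never runs somewhere else.
cd /usr/share/applications || exit 1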

chmod 640 baobab.desktop
chmod 640 redhat-manage-print-jobs.desktop
chmod 640 evolution.desktop
chmod 640 sun-java6-java.desktop
chmod 640 sun-java6-javaws.desktop
chmod 640 xchat.desktop
chmod 640 totem*.desktop
chmod 640 paman.desktop
chmod 640 padevchooser.desktop
chmod 640 paprefs.desktop
chmod 640 pavucontrol.desktop
chmod 640 pavumeter.desktop
chmod 640 sound-juicer.desktop
chmod 640 gnome-sound-recorder.desktop
chmod 640 gnome-power-preferences.desktop
chmod 640 seahorse*.desktop
chmod 640 transmission.desktop
chmod 640 brasero.desktop
  • Give menu-lockdown.sh executable permissions and give it a whirl:
  chmod +x menu-lockdown.sh
  sudo ./menu-lockdown.sh
  • To get rid of fast-user-switch-applet, you have to disable the panel applet from starting within GConf:

/apps/panel/global/disabled_applets: OAFIID:GNOME_FastUserSwitchApplet (Don't forget to mark this key as Mandatory) (See screenshot here: http://logicalnetworking.net/other/wiki/ltsp-disabledapplets.png)

Hide System Directories

This section shows how to hide parts of the filesystem from within Nautilus. Please note that this technique is specific to Nautilus and only hides entries from view; it does not change permissions. Other ways of reaching the filesystem, such as OpenOffice “Open/Save” dialogs, the terminal, and other programs that do not use Nautilus to browse the filesystem, are not affected (yet).

To do this, create (as root) a file called .hidden in the directory whose files/subdirectories you want to hide. The file lists, one per line, each file and/or directory to hide.

For example, I have created a file called /.hidden:

cd /

sudo vim .hidden

/.hidden:

bin
boot
cdrom
dev
etc
initrd
lib
lost+found
media
mnt
opt
proc
root
sbin
srv
sys
tmp
usr
var
initrd.img
initrd.img.old
vmlinuz
vmlinuz.old
lib32

User Cleanup on GDM

This script restores the user account's home directory from a saved image on each logout.

/usr/local/bin/user-cleanup

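#!/bin/bash
# Restore a user's home directory from its saved copy at logout.

backup="/var/userbackups/$USER"

case "$USER" in
     ""|root|nimda)
     # Never reset admin accounts; an empty $USER would make rsync target /home itself.
     echo "Really not a good idea!!"
     ;;
     *)
     # Kill anything the user left running.
     /usr/bin/killall -9 -u "$USER"
     # Skip the restore when no saved copy exists for this account.
     if [ -d "$backup" ]; then
          rsync -az --delete --exclude=.gvfs "$backup/" "/home/$USER"
     fi
     ;;
esac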

Invoke this script at the end of /etc/gdm/PostSession/Default, before the “exit 0” line. Of course, put a copy of your preconfigured user's home directory in /var/userbackups before you run it. Also add any user accounts you don't want this invoked on in the “root|nimda” list.

Auto Re-Login with GDM

Edit /etc/gdm/PostSession/Default and add the following on a line before “exit 0”:

/etc/init.d/gdm restart

This will cause gdm to restart and autologin. This is necessary as the TimedLogin directive for gdm no longer works after the first login.


libki_on_gnome.txt · Last modified: 2009/12/09 12:13 by administrator