Lock Down KDE with Kiosk Mode

Hack No. 43 in Linux Desktop Hacks.

System administrators typically spend a lot of their time fixing trivial problems for users who have accidentally changed their settings in some way. When an inexperienced user moves a desktop icon into the wastebin or sets a mimetype to open with the wrong programme, they may be unable to reset their changes. Calls to the system administrator for help are a poor use of everyone's time. It would be better if the user had never been able to make undesirable changes.

Perhaps you just want to set up a GNU/Linux desktop for your grandmother but she keeps changing the layout of the application toolbars without meaning to. The new look confuses her so much that she calls you all the time asking for help, or worse, she gives up on GNU/Linux or her computer. Wouldn't it be great if you could protect your grandmother from herself?

For computers in a public setting such as an internet cafe or library, these problems turn into more than just timewasters: they can prevent others from using the machine or cause distress, as in the common anecdote of a library where a script kiddie had changed the background wallpaper on all the machines to pornographic photos.

Enter the Kiosk

KDE is one of the most configurable desktop environments, but KDE 3.2.3 added the Kiosk framework, which allows any or all of the configuration options to be marked as unchangeable. With Kiosk you can create profiles which are attached to users or groups of users. A profile can define any KDE setting but will usually include the contents of the desktop, panel and K-menus as well as the look of the wallpaper, default fonts and widget style. You can also specify important system settings such as the network proxy and file associations. Most importantly, all of these options can be set to be unchangeable by the user. This means grandma will never accidentally delete her web browser icon, and a bored teenager can't change the library's computer wallpaper to something that will give grandma a heart attack.

The easiest way to set up a Kiosk profile is to use the Kiosk Admin Tool. Some distributions include this by default; for others you can download the source from its website at http://extragear.kde.org/apps/kiosktool.php.

Start the Kiosk tool (as your normal user, there's no need to run as root) by selecting K-menu -> System -> Kiosk Admin Tool, or with the kiosktool command, and click Add New Profile. Give this profile a name such as 'locked-down' and click OK to save. You will be asked for your root password to save the new profile. Now click Manage Users and add a user policy to link a user to your new locked-down profile. It is also possible to link a whole group to the policy; you can see and change which users are in which groups by looking at the file /etc/group.

To configure a profile, select it in the list and click Next. The next screen presents numerous modules, each with specific configuration options in it. Ticking an option will lock down its corresponding feature. The settings will be saved when you click Back.

Some of the modules offer graphical setup for their settings. For example under the Desktop Icons module you can load a temporary desktop to replace your normal one. Switch to a different virtual desktop (Ctrl-F2) if you have windows covering your background. You can add, remove and move any of the icons on the temporary desktop. When you click Save in Kiosk Admin Tool, the settings for this desktop will be saved and your normal desktop will be loaded again. This makes configuring the setup for your Kiosk profile as easy as configuring your own desktop.

A general breakdown of the types of settings you will find in the most important modules follows:

Contains the settings that control the global properties for all KDE programs and includes the ability to run commands, log out or move toolbars. Disabling Konsole removes not only its entry from the K-menu, but also the embedded Konsoles in Konqueror and Kate.
Desktop Icons
Settings to prevent users from moving or deleting desktop icons.
KDE Menu
Controls which programs are available in the K-Menu.
Prevents users from changing the widget style, colour or font settings.
Stops the user from being able to browse outside their home directory.
Menu Actions
Turns off standard menu actions such as open, print, paste, settings etc from all KDE applications.
File Associations
Ensures that files can be opened only with the specified programs.
Network Proxy
Enforces the use of your web proxy. Uses a web proxy to restrict which web sites a user can browse.
Used to lock down the panel: prevents users from adding or removing the items you place here, and enables you to prevent context menus from working.

The Kiosk framework has been used in large enterprise deployments of KDE. Administrators report that it cuts the time taken up by user support by half, because it reduces the number of small but time-consuming problems users have.

If you are considering using Kiosk in a public setting, you may want to make yourself familiar with the KDE configuration file format. Browse through /etc/kde-profile to see the settings made by the Kiosk Admin Tool. Adding [$i] to a configuration option, group of options or file makes them unchangeable by users.
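
An added example, not part of the original hack: a small Python auditor for the [$i] markers described above, which reports the settings in a profile file that users can still change. The sample file content and the function names are constructed for illustration, and it assumes that a line holding only [$i] locks the whole file.

```python
import re

# Constructed sample in the KDE config format (not a real profile file).
SAMPLE = """\
[Desktop0]
Wallpaper[$i]=/usr/share/wallpapers/library.png
WallpaperMode=Scaled

[KDE Action Restrictions][$i]
shell_access=false
run_command=false

[General]
Name[fr]=Bibliotheque
"""

BRACKET_RE = re.compile(r"\[([^\]]*)\]")
GROUP_RE = re.compile(r"^(\[[^\]]*\])+$")
KEY_RE = re.compile(r"^([^=\[]+)((?:\[[^\]]*\])*)\s*=")

def _immutable(parts):
    # "[$i]" (or combined flags such as "[$ei]") marks an entry immutable;
    # other bracket suffixes, e.g. the locale in Name[fr], are ignored.
    return any(p.startswith("$") and "i" in p[1:] for p in parts)

def audit(text):
    """Return {(group, key): locked} for one config file."""
    file_locked, group, group_locked, keys = False, "<default>", False, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if GROUP_RE.match(line):
            parts = BRACKET_RE.findall(line)
            names = [p for p in parts if not p.startswith("$")]
            if names:                      # [Group] or [Group][$i]
                group, group_locked = names[0], _immutable(parts)
            else:                          # bare [$i]: whole file locked
                file_locked = file_locked or _immutable(parts)
            continue
        m = KEY_RE.match(line)
        if m:                              # key=value or key[$i]=value
            key_locked = _immutable(BRACKET_RE.findall(m.group(2)))
            keys[(group, m.group(1).strip())] = group_locked or key_locked
    return {k: v or file_locked for k, v in keys.items()}

def unlocked(text):
    """Settings a user could still override in their own config."""
    return sorted(k for k, v in audit(text).items() if not v)
```

Running unlocked() over each file under /etc/kde-profile before deploying a public machine shows which settings the profile defines but has not made immutable.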

Kiosk is not a substitute for using Unix filesystem permissions or other security settings. You should also make sure you set X to not be killable with control-alt-backspace and prevent users from changing to a text console. Finally make sure the login manager does not allow users to log in to any other desktop environment which has not been locked down.

Copyleft Jonathan Riddell 2004