Lockdown Editor
As of GNOME 2.14, a graphical lockdown editor called Pessulus has been included to ease the task of disabling desktop settings.
- 10.3.1. Getting Started
- 10.3.2. Disabling Features
10.3.1. Getting Started
To run the lockdown editor:
- Click the
- Run the pessulus command in a terminal window.
You will see a window with several different tabs. Each of the tabs represents a different category of desktop settings that can be disabled. In the next section, we will discuss each category and provide a brief description for each setting that can be disabled.
10.3.2. Disabling Features
To disable a setting, make sure the checkbox next to the setting's description is checked. Most settings take effect immediately; however, some settings require the application to be restarted before they take effect.
When pessulus starts, it will try to get a connection to the GConf mandatory configuration source. The address of this configuration source is xml:merged:$prefix/etc/gconf/gconf.xml.mandatory. If the user that is running pessulus has access to this configuration source, then a lock icon will be displayed next to the checkbox for each setting. Clicking the lock will toggle whether or not the setting is mandatory. If the setting is mandatory, then regular users will not be able to change or override the setting. If the user running pessulus does not have access to the mandatory configuration source, then the lock icon will not appear. In this case, all disabled settings will simply be stored in the user's default configuration source and can be modified later using other tools such as gconf-editor or gconftool-2. For more information on GConf and mandatory configuration sources, see Section 1.2.1 ― GConf Configuration Sources.
The following subsections will give a brief description of the settings that can be disabled for each category.
Depending on the applications you have installed, you may see fewer categories than those described in this section.
- 10.3.2.1. General
- 10.3.2.2. Panel
- 10.3.2.3. Epiphany Web Browser
- 10.3.2.4. GNOME Screensaver
10.3.2.1. General
- Disable command line
  Prevent the user from accessing the terminal or specifying a command line to be executed. For example, this would disable access to the panel's "Run Application" dialog.
- Disable printing
  Prevent the user from printing. For example, this would disable access to all applications' "Print" dialogs.
- Disable print setup
  Prevent the user from modifying print settings. For example, this would disable access to all applications' "Print Setup" dialogs.
- Disable save to disk
  Prevent the user from saving files to disk. For example, this would disable access to all applications' "Save as" dialogs.
10.3.2.2. Panel
- Lock down the panels
  If true, the panel will not allow any changes to the configuration of the panel. Individual applets may need to be locked down separately, however. The panel must be restarted for this to take effect.
- Disable force quit
  If true, the panel will not allow a user to force an application to quit, by removing access to the force quit button.
- Disable lock screen
  If true, the panel will not allow a user to lock their screen, by removing access to the lock screen menu entries.
- Disable log out
  If true, the panel will not allow a user to log out, by removing access to the log out menu entries.
10.3.2.3. Epiphany Web Browser
- Disable quit
  User is not allowed to close Epiphany.
- Disable arbitrary URL
  Disable the user's ability to type in a URL to Epiphany.
- Disable bookmark editing
  Disable the user's ability to add or edit bookmarks.
- Disable history
  Disable all historical information by disabling back and forward navigation, not allowing the history dialog and hiding the most used bookmarks list.
- Disable javascript chrome
  Disable JavaScript's control over window chrome.
- Disable toolbar editing
  Disable the user's ability to edit toolbars.
- Force fullscreen mode
  Locks Epiphany in fullscreen mode.
- Hide menubar
  Hide the menubar by default. The menubar can still be accessed using F10.
- Disable unsafe protocols
  Disables loading of content from unsafe protocols. Safe protocols are http and https.
10.3.2.4. GNOME Screensaver
- Lock on activation
  Set this to TRUE to lock the screen when the screensaver becomes active.
- Allow log out
  Set this to TRUE to offer an option in the unlock dialog to log out after a delay. The delay is specified in the "logout_delay" key.
- Allow user switching
  Set this to TRUE to offer an option in the unlock dialog to switch to a different user account.
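An added example, not part of the original guide: a Python audit that reads a merged mandatory tree and reports which lockdown keys are actually enforced there, since settings stored only in the user's own configuration source can still be changed with gconf-editor or gconftool-2. The key paths and the `%gconf-tree.xml` layout are assumptions based on standard GNOME 2 GConf conventions and do not appear on this page; the XML is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Assumed key paths (not listed on this page); confirm them with gconf-editor.
EXPECTED = {
    "/desktop/gnome/lockdown/disable_command_line": "true",
    "/desktop/gnome/lockdown/disable_save_to_disk": "true",
    "/apps/panel/global/locked_down": "true",
    "/apps/panel/global/disable_force_quit": "true",
}

# Constructed sample of $prefix/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml
SAMPLE_TREE = """<?xml version="1.0"?>
<gconf>
  <dir name="desktop"><dir name="gnome"><dir name="lockdown">
    <entry name="disable_command_line" mtime="1150000000" type="bool" value="true"/>
    <entry name="disable_save_to_disk" mtime="1150000000" type="bool" value="false"/>
  </dir></dir></dir>
  <dir name="apps"><dir name="panel"><dir name="global">
    <entry name="locked_down" mtime="1150000000" type="bool" value="true"/>
  </dir></dir></dir>
</gconf>"""

def mandatory_entries(xml_text):
    """Flatten nested <dir>/<entry> elements into {"/full/key/path": value}."""
    found = {}
    def walk(node, prefix):
        for entry in node.findall("entry"):
            # Scalar entries (bool, int) carry their value as an attribute.
            found[prefix + "/" + entry.get("name")] = entry.get("value")
        for sub in node.findall("dir"):
            walk(sub, prefix + "/" + sub.get("name"))
    walk(ET.fromstring(xml_text), "")
    return found

def audit(xml_text, expected=EXPECTED):
    """Map each expected key to 'enforced', 'wrong value (...)' or 'not mandatory'."""
    actual = mandatory_entries(xml_text)
    report = {}
    for key, want in expected.items():
        if key not in actual:
            report[key] = "not mandatory"  # user-level setting only, can be overridden
        elif actual[key] == want:
            report[key] = "enforced"
        else:
            report[key] = "wrong value (%s)" % actual[key]
    return report

if __name__ == "__main__":
    for key, status in sorted(audit(SAMPLE_TREE).items()):
        print("%-50s %s" % (key, status))
```

A key reported as "not mandatory" corresponds to a setting whose lock icon was never toggled, or one disabled by a user without access to the mandatory source.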