2009/11/9 Jonas Smedegaard <[email protected]>: > On Mon, Nov 09, 2009 at 12:33:20PM +0900, Nigel Barker wrote: >> >> Where is the setting that prevents a skolelinux user from having the >> option to shut down a workstation instead of just confirming the logout? I >> have kids who just log out of laptops and then leave them switched on. > > I believe that what you are talking about is related to membership of the > group powerdev. Or in newer systems is instead tied to consolekit. > > Above the powerdev/consolekit level are tools like GDM, lxsession and > whatever is the name of the similar tool in KDE, which presents a dialog for > choosing e.g. logout/suspend/poweroff and greying out the options that the > underlying mechanism do not allow this particular user.
The login manager in KDE control centre didn't fix it. Thats why I thought there must be a skolelinux setting. > > Below is probably some PAM settings which applies to all users. > > > I guess that you want to disable ability to logout, allowing only shutting > down, right? That would be excellent, but just the default debian behaviour would be fine - a choice of "end current session, shutdown, restart, cancel" > > In principle the most reliable approach is to attack the problem at the > bottom - i.e. not just configure KDE to do the right thing - because that > lasts only until the students discover some other fun tool on their system > that allows them to circumvent your KDE-specific lock-down. > > Problem is, that powerdev/consolekit only really manages access to shutting > down the system, as that is fundamentally a privileged operation. Killing > your own X11 session while leaving the rest of the machine still running - > is *not* a privileged operation, so is not governed by the underlying > mechanisms. But its normal debian behaviour to allow users to shut down the machine on logout. At least on laptops it is. > > It is a human right to commit suicide, so to speak, but requires special > access to hit the big red Doomsday-machine button. > > So the challenge is to protect something that is unprotected by underlying > design of the system. :-/ > > Step 1 is to disable CTRL+ALT+BACKSPACE in xorg config. Then figure out how I wouldn't do this. There are several cases where it is a good thing - frozen session, student hit lock instead of logout and walked away, projector not detected and the Fn-key toggle doesn't work, ... I have had to re-enable this feature on the one remaining ubuntu machine we have in school. > to configure the obvious mechanisms to silent the non-privileged logout > routine while still presenting the shutdown (and remember to also disable > restart, as that is just a delayed logut). Then you need to hunt down all > methods of quitting or killing the running processes and make them difficult > for ordinary users to invoke. > > I certainly see the relevancy of this, seen from a school perspective, but > expect it to be difficult at best to implement. > > Good luck ;-) > But not to me, because this stuff is way too hard for me. However, your message has had me thinking about this and the more I do, the more I wonder why we don't allow shutdown of workstations in skolelinux? Apart from a local login to an ltspserver, in what other case would it be bad for a user to shut down the machine instead of logging out? Perhaps only if someone else is about to use it. In my school many workstations are left on overnight. Perhaps this would be improved if shutdown were a logout option? My suggestion is for normal debian behaviour, except on ltspservers. cheers nigel -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
