On 7/7/07, guenther <[EMAIL PROTECTED]> wrote:
> > In a deployment scenario, the desktop administrator should ideally be
> > able to define a restricted set of directories which users in a
> > profile will be able to view. For example, a user may only be allowed
> > to view the contents of his home directory and its subdirectories.
> [...]
> > Thoughts/comments/suggestions are welcome :-).
>
> Clearly, this is just about defining "a view", not security related in
> any sense of the word, right?
>

No - this is not at all security related.

> If you are thinking security, this is the wrong approach. File ownership
> and permissions do this, or ACLs. This is not the duty of the graphical
> interface to handle and enforce. Can these users log in via a virtual
> terminal? Can they launch gnome-terminal, xterm, bash... Or even emacs?
>

No - they cannot. This kind of restriction would be implemented along with
the other lockdown options (/desktop/gnome/lockdown/disable_command_line) :-)

> What is wrong with seeing the contents of /usr/share/icons? Ever set a
> custom icon for a launcher? What is bad about seeing the contents
> of /usr/share/man? Yelp does display man pages... This list goes on and
> on.
>

I agree that for a normal desktop user, there's no harm in seeing the
contents of /usr/share/icons or browsing through /usr/share/man. However,
this kind of feature is targeted towards more specialised kinds of
scenarios. For example, here's a use story from the initial spec document
created by my SoC mentor:

<quote>
Let's go back to Alicia, the administrator for the internet cafe. She wants
her customers to be able to save files on their home directories: she can
afford to give students a modest amount of space on her server's hard drive
so that they can do school work and keep it there. However, Alicia wants to
simplify the students' view of the software by only showing the contents of
home directories: she doesn't want students to see "File System" nor
"Network Servers" in the Nautilus places sidebar. Alicia would therefore
like to say that only certain directories (and their subdirectories) should
be visible to certain users. One of the customers, Ricardo Tapia, should
only be able to see /home/premium-customers/ricardo and its subdirectories
--- he certainly doesn't care to see /usr or /var. Similarly, this limited
view of the file system should also be seen in the GTK+ file chooser.

See the section called "Scenario: Lock-down" in
http://primates.ximian.com/~federico/docs/file-chooser-extension-spec/index.html
</quote>

Again, adding to the above, I have seen people administering LTSP in
University Internet browsing centers being uncomfortable with the fact that
users can find out the usernames of all the users in the system simply by
navigating via their file manager to /home (LTSP exports the user home
directories via NFS). I have actually watched students randomly clicking on
other users' home directories from /home - of course, they do not succeed
in most of the cases, but what if some user manages to mess up his/her home
directory permissions? These users are not "expert users" or "power users",
and they often have very little knowledge of file permissions, etc. In such
a situation, restricting the "view" of nautilus to $HOME only, along with
restricting command line access, would make the job of the LTSP
administrator much easier.

> Btw, would that GConf key you proposed be owned by the user? ;)

No - it would be a mandatory setting in most situations, I guess.

Warm regards,
Sayamindu

--
Sayamindu Dasgupta
[http://sayamindu.randomink.org/ramblings]

--
nautilus-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/nautilus-list
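The thread's actual exposure is on the filesystem side, not in the Nautilus view: a world-listable /home reveals every account name, and a home directory with loose "other" bits is readable by any other user. The check below is an added example, not code from this thread or from LTSP/GNOME; it audits a home-directory root for both conditions using only POSIX sh and find (the mkdir/chmod demo tree is constructed, not a real /home).

```shell
#!/bin/sh
# Added example (not from the thread): audit a home-directory root such as
# /home for the exposure discussed above. Reports the root itself if "other"
# users can list it (account-name enumeration), and each per-user directory
# that "other" users can read, write or traverse. Output is one
# "<reason> <path>" line per finding; empty output means nothing was found.
# Assumes POSIX sh and a find that understands -mindepth/-maxdepth.
audit_home_perms() {
    root="$1"
    # A world-readable /home lets any local user list all account names.
    if [ -n "$(find "$root" -maxdepth 0 -type d -perm -o=r)" ]; then
        printf 'root-listable %s\n' "$root"
    fi
    # Per-user directories reachable by "other" through any permission bit
    # (read, write or execute/traverse) are each reported once.
    find "$root" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -o=r -o -perm -o=w -o -perm -o=x \) \
        -exec sh -c 'printf "other-accessible %s\n" "$1"' _ {} \;
}

# Constructed demonstration tree (hypothetical users, not a real /home).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/alice" "$tmp/bob" "$tmp/carol"
    chmod 700 "$tmp/alice"   # private: not reported
    chmod 755 "$tmp/bob"     # world-readable: reported
    chmod 711 "$tmp/carol"   # traversable only: still reported
    chmod 755 "$tmp"         # listable root: reported
    audit_home_perms "$tmp"
    rm -rf "$tmp"
}

demo
```

A root mode of 711 stops the listing while still letting users reach their own directories by exact path, which is the fix the audit's first line points at.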
