Re: Lockdown or Kiosk configuration

Tue, 22 Sep 2009 22:08:13 -0700 

On Wed, 2009-09-16 at 21:20 -0700, Micheal Wall wrote:
> Greetings,
> 
> I am interested in locking down nm-applet. I would like users to be able to 
> connect to connections I've already configured (right-click-->edit 
> connections...). However, I do not want users to be able to edit connections 
> or disable networking (anything on the context menu). I would like to disable 
> the context menu. I am willing to try anything, including re-compiling code 
> if necessary. Anyone have suggestions?

1) you'll want to make your connections "System" connections, which you
can do in the connection editor by checking the "Available to all users"
checkbox.  Any user can choose a system connection, but you can disallow
any or all users from modify those connections.

2) you'll want to use GConf mandatory settings to lock down
the /system/networking/connections directory so that users cannot create
connections themselves

3) You can likely use D-Bus permissions in
the /etc/dbus-1/system.d/NetworkManager.conf file to restrict the
"sleep" and "wake" methods to root-only in both the "polict
at_console=true" and "default" contexts of that file:

                <deny send_destination="org.freedesktop.NetworkManager"
                       send_interface="org.freedesktop.NetworkManager"
                       send_type="method_call"
                       send_member="sleep"/>

                <deny send_destination="org.freedesktop.NetworkManager"
                       send_interface="org.freedesktop.NetworkManager"
                       send_type="method_call"
                       send_member="wake"/>

                <deny send_destination="org.freedesktop.NetworkManager"
                       send_interface="org.freedesktop.NetworkManager"
                       send_type="method_call"
                       send_member="Sleep"/>

                <deny send_destination="org.freedesktop.NetworkManager"
                       send_interface="org.freedesktop.DBus.Properties"
                       send_type="method_call"
                       send_member="Set"/>

I believe that's the necessary bits.

Or, since you can rebuild the applet, you can take out the UI elements
(but users would still be able to use dbus-send from the command line to
do what the UI does) and remove this code from the "setup_widgets()"
function:

        g_signal_connect (applet->status_icon, "popup-menu",
                          G_CALLBACK (status_icon_popup_menu_cb), applet);

which will disable showing the context menu.

Dan


_______________________________________________
NetworkManager-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/networkmanager-list

Reply via email to