Chapter 20. Locking down selected tasks


This section describes how to lock down the following tasks for users:

  • Printing
  • File saving on disk
  • Repartitioning
  • User logout and user switching

20.1. Locking down printing

You can prevent the print dialog from being shown to users. This can be useful if you are giving temporary access to a user or you do not want the user to print to network printers.

Important

The feature only works in applications which support it. Not all GNOME and third party applications have this feature enabled. The changes have no effect on applications which do not support this feature.

To prevent applications from printing, lock down the org.gnome.desktop.lockdown.disable-printing key:

Procedure

  1. Create the user profile in /etc/dconf/profile/user unless it already exists:

    user-db:user
    system-db:local
  2. Create a local database for machine-wide settings in the /etc/dconf/db/local.d/00-lockdown file:

    [org/gnome/desktop/lockdown]
    
    # Prevent applications from printing
    disable-printing=true
  3. Override the user’s setting and prevent the user from changing it in the /etc/dconf/db/local.d/locks/lockdown file:

    # List the keys used to configure lockdown
    /org/gnome/desktop/lockdown/disable-printing
  4. Update the system databases:

    # dconf update

After you complete these steps, applications that support this lockdown key, such as Evolution, Evince, or Gedit, disable printing.

20.2. Locking file saving on disk

You can disable the Save and Save As dialogs. This can be useful if you are giving temporary access to a user or you do not want the user to save files to the computer.

Important

The feature only works in applications which support it. Not all GNOME and third party applications have this feature enabled. The changes will have no effect on applications which do not support this feature.

To prevent applications from file saving, lock down the org.gnome.desktop.lockdown.disable-save-to-disk key:

Procedure

  1. Create the user profile in /etc/dconf/profile/user unless it already exists:

    user-db:user
    system-db:local
  2. Create a local database for machine-wide settings in the /etc/dconf/db/local.d/00-lockdown file:

    [org/gnome/desktop/lockdown]
    
    # Prevent the user from saving files on disk
    disable-save-to-disk=true
  3. Override the user’s setting and prevent the user from changing it in the /etc/dconf/db/local.d/locks/lockdown file:

    # Lock this key to disable saving files on disk
    /org/gnome/desktop/lockdown/disable-save-to-disk
  4. Update the system databases:

    # dconf update

After you complete these steps, applications that support this lockdown key, for example Videos, Image Viewer, Evolution, Document Viewer, or GNOME Shell, disable their Save As dialogs.

20.3. Locking repartitioning

polkit enables you to set permissions for individual operations. For udisks2, the utility for disk management services, the configuration is located at /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy. This file contains a set of actions and default values, which can be overridden by the system administrator.

Important

polkit configuration stored in /etc overrides the configuration shipped by packages in /usr/share/.

Procedure

  1. Create a file with the same content as in /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy:

    cp /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy /etc/polkit-1/actions/org.freedesktop.udisks2.policy

    Do not change the /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy file; your changes will be overwritten by the next package update.

  2. Delete the action you do not need, and add the following lines to the /etc/polkit-1/actions/org.freedesktop.udisks2.policy file:

    <action id="org.freedesktop.udisks2.modify-device">
      <message>Authentication is required to modify the disks settings</message>
      <defaults>
        <allow_any>no</allow_any>
        <allow_inactive>no</allow_inactive>
        <allow_active>yes</allow_active>
      </defaults>
    </action>

    Replace no with auth_admin if you want to ensure only the root user is able to perform the action.

  3. Save the changes.

When the user tries to change the disks settings, the following message is returned:

Authentication is required to modify the disks settings.

20.4. Locking down user logout and user switching

To prevent the user from logging out, use the following procedure.

Procedure

  1. Create the /etc/dconf/profile/user profile, which contains the following lines:

    user-db:user
    system-db:local

    where local is the name of a dconf database

  2. Create the /etc/dconf/db/local.d/ directory if it does not already exist.
  3. Create the /etc/dconf/db/local.d/00-logout key file to provide information for the local database:

    [org/gnome/desktop/lockdown]
    # Prevent the user from logging out
    disable-log-out=true
  4. Override the user’s setting, and prevent the user from changing it in the /etc/dconf/db/local.d/locks/lockdown file:

    # Lock this key to disable user logout
    /org/gnome/desktop/lockdown/disable-log-out
  5. Update the system databases:

    # dconf update
  6. Users must log out and back in again before the system-wide settings take effect.

Important

Users can evade the logout lockdown by switching to a different user. To prevent this scenario, lock down user switching as well.

To lock down user switching, use the following procedure:

Procedure

  1. Create the /etc/dconf/profile/user profile, which contains the following lines:

    user-db:user
    system-db:local

    where local is the name of a dconf database

  2. Create the /etc/dconf/db/local.d/ directory if it does not already exist.
  3. Create the /etc/dconf/db/local.d/00-user-switching key file to provide information for the local database:

    # Prevent the user from user switching
    [org/gnome/desktop/lockdown]
    disable-user-switching=true
    
    [org/gnome/desktop/screensaver]
    user-switch-enabled=false
  4. Override the user’s setting, and prevent the user from changing it in the /etc/dconf/db/local.d/locks/lockdown file:

    # Lock this key to disable user switching
    /org/gnome/desktop/lockdown/disable-user-switching
    /org/gnome/desktop/screensaver/user-switch-enabled
  5. Update the system databases:

    # dconf update
  6. Users must log out and back in again before the system-wide settings take effect.
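
A read-only audit of the dconf procedures in this chapter, as an added example that is not part of the original documentation: it checks that the profile lists the local database, that dconf update has been run since the keyfiles last changed, and that every lockdown key that is set is also locked. The function names and the OK/SKIP/FAIL output format are assumptions of this example, and it does not resolve conflicting values between keyfiles.

```shell
#!/usr/bin/env bash
# Audit the dconf lockdown keys from this chapter (added example).
# Usage: audit_lockdown [ROOT]    ROOT defaults to /etc/dconf

# Values the procedures above configure, one "/path/key=value" per line.
EXPECTED='
/org/gnome/desktop/lockdown/disable-printing=true
/org/gnome/desktop/lockdown/disable-save-to-disk=true
/org/gnome/desktop/lockdown/disable-log-out=true
/org/gnome/desktop/lockdown/disable-user-switching=true
/org/gnome/desktop/screensaver/user-switch-enabled=false'

# Flatten every keyfile directly under DIR into "/path/key=value" lines.
flatten_keyfiles() {
    local f
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '/^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blanks
             /^\[/ { sub(/^\[/, ""); sub(/\].*$/, ""); sect = $0; next }
             sect != "" && (i = index($0, "=")) {
                 k = substr($0, 1, i - 1); v = substr($0, i + 1)
                 gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
                 print "/" sect "/" k "=" v }' "$f"
    done
}

audit_lockdown() {
    local root=${1:-/etc/dconf} rc=0 db entry key settings
    db=$root/db/local.d
    # The profile must list the system database "local".
    grep -qx 'system-db:local' "$root/profile/user" 2>/dev/null ||
        { echo "FAIL profile/user does not list system-db:local"; rc=1; }
    # Keyfiles newer than the compiled database mean dconf update was skipped.
    if [ ! -f "$root/db/local" ] ||
       [ -n "$(find "$db" -type f -newer "$root/db/local" 2>/dev/null)" ]; then
        echo "FAIL compiled database is missing or stale; run dconf update"; rc=1
    fi
    settings=$(flatten_keyfiles "$db")
    for entry in $EXPECTED; do
        key=${entry%%=*}
        if ! printf '%s\n' "$settings" | grep -Fqx -- "$entry"; then
            echo "SKIP $key (not set to ${entry#*=})"
        elif cat "$db"/locks/* 2>/dev/null | grep -Fqx -- "$key"; then
            echo "OK   $key"
        else
            echo "FAIL $key is set but not locked; the user can override it"; rc=1
        fi
    done
    return "$rc"
}
```

Source the file and call audit_lockdown with no argument to check /etc/dconf; a non-zero return status means at least one FAIL line was printed.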