Red Hat SummitChapter 9. Restricting the desktop session
You can restrict and control various functionalities on the GNOME desktop environment. You can enforce specific configurations and restrictions to maintain system integrity and prevent unauthorized access.
9.1. Disabling user logout and user switching
Disabling user logout and user switching can improve security, prevent user errors, and enforce a specific workflow. This can mitigate unauthorized access to sensitive data and disruptions to the workflow caused by users accidentally logging out or switching to another user.
Prerequisites
- Administrative access.
Procedure
Create a plain text
/etc/dconf/db/local.d/00-logoutkeyfile in the/etc/dconf/db/local.d/directory with the following content:[org/gnome/desktop/lockdown] # Disable user logut disable-log-out=true # Disable user switching disable-user-switching=trueCreate a new file under the
/etc/dconf/db/local.d/locks/directory and list the keys or subpaths you want to lock down:# Lock user logout /org/gnome/desktop/lockdown/disable-log-out # Lock user switching /org/gnome/desktop/lockdown/disable-user-switchingApply the changes to the system databases:
# dconf update
9.2. Disabling printing
Disabling printing can prevent unauthorized access to sensitive documents and potential breaches and safeguard confidential information.
Prerequisites
- Administrative access.
Procedure
Create a plain text
/etc/dconf/db/local.d/00-printingkeyfile in the/etc/dconf/db/local.d/directory with the following content:[org/gnome/desktop/lockdown] # Disable printing disable-printing=trueCreate a new file under the
/etc/dconf/db/local.d/locks/directory and list the keys or subpaths you want to lock down:# Lock printing /org/gnome/desktop/lockdown/disable-printingApply the changes to the system databases:
# dconf update
9.3. Disabling filesaving
Disabling file saving can help to protect sensitive data from unauthorized access and protect against potential data leaks.
Prerequisites
- Administrative access.
Procedure
Create a plain text
/etc/dconf/db/local.d/00-filesavingkeyfile in the/etc/dconf/db/local.d/directory with the following content:[org/gnome/desktop/lockdown] # Disable saving files on disk disable-save-to-disk=trueCreate a new file under the
/etc/dconf/db/local.d/locks/directory and list the keys or subpaths you want to lock down:# Lock file saving /org/gnome/desktop/lockdown/disable-save-to-diskApply the changes to the system databases:
# dconf update
9.4. Disabling the command prompt
Disabling the command prompt can simplify user interactions with the system, prevent inexperienced users from executing potentially harmful commands that might cause system instability or data loss, and reduce the risk of unauthorized changes to system settings or configurations.
Prerequisites
- Administrative access.
Procedure
Create a plain text
/etc/dconf/db/local.d/00-lockdownkeyfile in the/etc/dconf/db/local.d/directory with the following content:[org/gnome/desktop/lockdown] # Disable command prompt disable-command-line=trueCreate a new file under the
/etc/dconf/db/local.d/locks/directory and list the keys or subpaths you want to lock down:# Lock command prompt /org/gnome/desktop/lockdown/disable-command-lineApply the changes to the system databases:
# dconf update- For this settings to take effect, users needs to log out and log back in.
9.5. Disabling repartitioning
You can override the default system settings that control disk management.
Avoid modifying the /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy file directly. Any changes you make will be replaced during the next package update.
Prerequisites
- Administrative access.
Procedure
Copy the
/usr/share/polkit-1/actions/org.freedesktop.udisks2.policyfile under the/etc/share/polkit-1/actions/directory:# cp /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy /etc/share/polkit-1/actions/org.freedesktop.udisks2.policyIn the
/etc/polkit-1/actions/org.freedesktop.udisks2.policyfile, delete any actions that you do not need and add the following lines:<action id="org.freedesktop.udisks2.modify-device"> <message>Authentication is required to modify the disks settings</message> <defaults> <allow_any>no</allow_any> <allow_inactive>no</allow_inactive> <allow_active>yes</allow_active> </defaults> </action>If you want to restrict access only to the root user, replace
<allow_any>no</allow_any>with<allow_any>auth_admin</allow_any>.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}