Chapter 12. Restricting the desktop session


You can restrict and control various functionalities of the GNOME desktop environment. You can enforce specific configurations and restrictions to maintain system integrity and prevent unauthorized access.

12.1. Disabling user logout and user switching

Disabling user logout and user switching can improve security, prevent user errors, and enforce a specific workflow. This can mitigate unauthorized access to sensitive data and disruptions to the workflow caused by users accidentally logging out or switching to another user.

Prerequisites

  • Administrative access.

Procedure

  1. Create a plain text /etc/dconf/db/local.d/00-logout keyfile in the /etc/dconf/db/local.d/ directory with the following content:

    [org/gnome/desktop/lockdown]
    # Disable user logout
    disable-log-out=true
    
    # Disable user switching
    disable-user-switching=true
  2. Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:

    # Lock user logout
    /org/gnome/desktop/lockdown/disable-log-out
    
    # Lock user switching
    /org/gnome/desktop/lockdown/disable-user-switching
  3. Apply the changes to the system databases:

    # dconf update

12.2. Disabling printing

Disabling printing can prevent unauthorized access to sensitive documents and safeguard confidential information from potential breaches.

Prerequisites

  • Administrative access.

Procedure

  1. Create a plain text /etc/dconf/db/local.d/00-printing keyfile in the /etc/dconf/db/local.d/ directory with the following content:

    [org/gnome/desktop/lockdown]
    # Disable printing
    disable-printing=true
  2. Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:

    # Lock printing
    /org/gnome/desktop/lockdown/disable-printing
  3. Apply the changes to the system databases:

    # dconf update

12.3. Disabling file saving

Preventing files from being saved on the system can help protect sensitive data from unauthorized access and protect against potential data leaks.

Prerequisites

  • Administrative access

Procedure

  1. Create a plain text /etc/dconf/db/local.d/00-filesaving keyfile in the /etc/dconf/db/local.d/ directory with the following content:

    [org/gnome/desktop/lockdown]
    # Disable saving files on disk
    disable-save-to-disk=true
  2. Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:

    # Lock file saving
    /org/gnome/desktop/lockdown/disable-save-to-disk
  3. Apply the changes to the system databases:

    # dconf update

12.4. Disabling the shell prompt

Disabling the shell prompt can simplify user interactions with the system, prevent inexperienced users from executing potentially harmful commands that might cause system instability or data loss, and reduce the risk of unauthorized changes to system settings or configurations.

Prerequisites

  • Administrative access.

Procedure

  1. Create a plain text /etc/dconf/db/local.d/00-lockdown keyfile in the /etc/dconf/db/local.d/ directory with the following content:

    [org/gnome/desktop/lockdown]
    
    # Disable command prompt
    disable-command-line=true
  2. Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:

    # Lock command prompt
    /org/gnome/desktop/lockdown/disable-command-line
  3. Apply the changes to the system databases:

    # dconf update
  4. For these settings to take effect, users must log out and log back in.
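The four dconf procedures above share one failure mode: a key that is set in a keyfile but missing from a file under locks/ is only a default, and a user can change it back with gsettings. The following check, added here and not part of the Red Hat documentation, walks a local.d directory and reports every key that is set but not covered by a lock entry or a locked subpath; the default directory path is an assumption and can be overridden with the first argument.

```shell
#!/bin/sh
# Added example (not from the Red Hat page): report dconf keys that are set
# in local.d keyfiles but not locked in local.d/locks. Unlocked keys are
# defaults only, so a user can still override them with gsettings.

# Print "/section/key" for every key assigned in the keyfiles of a local.d dir.
dconf_set_keys() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk '
            /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
            /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
            /=/ { key = $0; sub(/[[:space:]]*=.*/, "", key); print "/" sec "/" key }
        ' "$f"
    done
}

# Print every path listed in the locks directory (comments and blanks skipped).
dconf_locked_paths() {
    dir="$1/locks"
    [ -d "$dir" ] || return 0
    cat "$dir"/* 2>/dev/null | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Print the keys that are set but not covered by any lock entry.
# A lock on a subpath (e.g. /org/gnome/desktop/lockdown) covers all keys
# below it. Returns 0 if everything is locked, 1 otherwise.
dconf_unlocked_keys() {
    rc=0
    locks=$(dconf_locked_paths "$1")
    for key in $(dconf_set_keys "$1"); do
        covered=0
        for lock in $locks; do
            case "$key" in
                "$lock"|"$lock"/*) covered=1 ;;
            esac
        done
        if [ "$covered" -eq 0 ]; then
            echo "$key"
            rc=1
        fi
    done
    return $rc
}

# Directory path is an assumption; pass another local.d as the first argument.
dconf_unlocked_keys "${1:-/etc/dconf/db/local.d}"
```

Run it after `dconf update`; an empty output and exit status 0 mean every key you set is also locked.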

12.5. Disabling repartitioning

You can override the default system settings that control disk management.

Important

Avoid modifying the /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy file directly. Any changes you make will be replaced during the next package update.

Prerequisites

  • Administrative access.

Procedure

  1. Copy the /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy file into the /etc/polkit-1/actions/ directory (the directory that the next step edits):

    # cp /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy /etc/polkit-1/actions/org.freedesktop.udisks2.policy
  2. In the /etc/polkit-1/actions/org.freedesktop.udisks2.policy file, delete any actions that you do not need and add the following lines:

    <action id="org.freedesktop.udisks2.modify-device">
      <message>Authentication is required to modify the disks settings</message>
      <defaults>
        <allow_any>no</allow_any>
        <allow_inactive>no</allow_inactive>
        <allow_active>yes</allow_active>
      </defaults>
    </action>

    If you want to restrict access only to the root user, replace <allow_any>no</allow_any> with <allow_any>auth_admin</allow_any>.

12.6. Restricting the session to a single application

You can start the GNOME session in single-application mode, also known as kiosk mode. In this session, GNOME displays only a full-screen window of the application that you have selected.

12.6.1. Single-application mode

Single-application mode is a modified GNOME session that reconfigures the Mutter window manager into an interactive kiosk. This session locks down certain behavior to make the standard desktop more restrictive. The user can interact only with a single application selected by the administrator.

You can set up single-application mode for several use cases, such as:

  • In the communication, entertainment, or education fields
  • As a self-serve machine
  • As an event manager
  • As a registration point

The GNOME Kiosk utility provides the single-application mode configuration and sessions.

The following single-application sessions are available:

Search Appliance Session
    This session always starts the Mozilla Firefox web browser at the www.google.com website.
Kiosk Script Session
    This session starts an arbitrary application that you specify in a shell script.

12.6.2. Enabling search appliance mode

You can restrict the GNOME session to the Google search engine in a web browser by installing and enabling the Search Appliance Session.

Prerequisites

  • Administrative access.

Procedure

  1. Install the GNOME Kiosk packages:

    # dnf install gnome-kiosk gnome-kiosk-search-appliance
  2. At the GNOME login screen, select Search Appliance Session from the gear button menu and log in as the single-application user.
  3. The Mozilla Firefox browser opens as a full-screen window in its kiosk mode. It shows the Google search page.

12.6.3. Enabling single-application mode

You can install and enable the Kiosk Script Session to restrict the GNOME session to a selected single application. This configuration provides a secure and isolated environment for the target application.

Procedure

  1. Install the GNOME Kiosk packages:

    # dnf install gnome-kiosk gnome-kiosk-script-session
  2. At the GNOME login screen, select Kiosk Script Session from the gear button menu and log in as the single-application user.
  3. The gedit text editor opens as a full-screen window. It shows the shell script that configures which application runs in your single-application session.

    Edit the shell script and enter the application that you want to start in the single-application session.

    For example, to start the Mozilla Firefox browser, enter the following content:

    #!/usr/bin/sh
    
    firefox --kiosk https://example.org
  4. Save the script file.
  5. Close the gedit window.

    The session terminates and restarts with your selected application.

  6. The next time you log in to the single-application session, your selected application runs.
© 2025 Red Hat