Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 20. Locking down selected tasks

This section describes how to lock down for users the following tasks:

  • Printing
  • File saving on disk
  • Repartitioning
  • User logout and user switching

20.1. Locking down printing
Copia collegamento

You can disable the print dialog from being shown to users. This can be useful if you are giving temporary access to a user or you do not want the user to print to network printers.

Important

The feature only works in applications which support it. Not all GNOME and third party applications have this feature enabled. The changes do not have effect on applications which do not support this feature.

To prevent applications from printing, lock down the org.gnome.desktop.lockdown.disable-printing key:

Procedure

  1. Create the user profile in /etc/dconf/profile/user unless it already exists: 

    user-db:user
system-db:local
    Copy to Clipboard Toggle word wrap

  2. Create a local database for machine-wide settings in the etc/dconf/db/local.d/00-lockdown file: 

    [org/gnome/desktop/lockdown]

# Prevent applications from printing
disable-printing=true
    Copy to Clipboard Toggle word wrap

  3. Override the user’s setting and prevent the user from changing it in the /etc/dconf/db/local.d/locks/lockdown file: 

    # List the keys used to configure lockdown
/org/gnome/desktop/lockdown/disable-printing
    Copy to Clipboard Toggle word wrap

  4. Update the system databases: 

    # dconf update
    Copy to Clipboard Toggle word wrap

Having followed these steps, applications supporting this lockdown key, such as Evolution, Evince, or Gedit, will disable printing.

20.2. Locking file saving on disk
Copia collegamento

You can disable the Save and Save As dialogs. This can be useful if you are giving temporary access to a user or you do not want the user to save files to the computer.

Important

The feature only works in applications which support it. Not all GNOME and third party applications have this feature enabled. The changes will have no effect on applications which do not support this feature.

To prevent applications from file saving, lock down the org.gnome.desktop.lockdown.disable-save-to-disk key:

Procedure

  1. Create the user profile in /etc/dconf/profile/user unless it already exists: 

    user-db:user
system-db:local
    Copy to Clipboard Toggle word wrap

  2. Create a local database for machine-wide settings in the /etc/dconf/db/local.d/00-lockdown file: 

    [org/gnome/desktop/lockdown]

# Prevent the user from saving files on disk
disable-save-to-disk=true
    Copy to Clipboard Toggle word wrap

  3. Override the user’s setting and prevent the user from changing it in the /etc/dconf/db/local.d/locks/lockdown file: 

    # Lock this key to disable saving files on disk
/org/gnome/desktop/lockdown/disable-save-to-disk
    Copy to Clipboard Toggle word wrap

  4. Update the system databases: 

    # dconf update
    Copy to Clipboard Toggle word wrap

Having followed these steps, applications supporting this lockdown key, for example Videos, Image Viewer, Evolution, Document Viewer, or GNOME Shell, will disable their Save As dialogs.

20.3. Locking repartitioning
Copia collegamento

polkit enables you to set permissions for individual operations. For udisks2, the utility for disk management services, the configuration is located at /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy. This file contains a set of actions and default values, which can be overridden by system administrator.

Important

polkit configuration stored in /etc overrides the configuration shipped by packages in /usr/share/.

Procedure

  1. Create a file with the same content as in /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy: 

    cp /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy /etc/share/polkit-1/actions/org.freedesktop.udisks2.policy
    Copy to Clipboard Toggle word wrap

    Do not change the /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy file, your changes will be overwritten by the next package update.

  2. Delete the action you do not need, and add the following lines to the /etc/polkit-1/actions/org.freedesktop.udisks2.policy file: 

    <action id="org.freedesktop.udisks2.modify-device">
  <message>Authentication is required to modify the disks settings</message>
     <defaults>
        <allow_any>no</allow_any>
        <allow_inactive>no</allow_inactive>
        <allow_active>yes</allow_active>
      </defaults>
 </action>
    Copy to Clipboard Toggle word wrap

    Replace no by auth_admin if you want to ensure only the root user is able to perform the action.

  3. Save the changes.

When the user tries to change the disks settings, the following message is returned: 

Authentication is required to modify the disks settings.
Copy to Clipboard Toggle word wrap

20.4. Locking down user logout and user switching
Copia collegamento

To prevent the user from logging out, use the following procedure.

Procedure

  1. Create the /etc/dconf/profile/user profile, which contains the following lines: 

    user-db:user
system-db:local
    Copy to Clipboard Toggle word wrap

    where local is the name of a dconf database

  2. Create the /etc/dconf/db/local.d/ directory if it does not already exist.

  3. Create the /etc/dconf/db/local.d/00-logout key file to provide information for the local database: 

    [org/gnome/desktop/lockdown]
# Prevent the user from user switching
disable-log-out=true
    Copy to Clipboard Toggle word wrap

  4. Override the user’s setting, and prevent the user from changing it in the /etc/dconf/db/local.d/locks/lockdown file: 

    # Lock this key to disable user logout
/org/gnome/desktop/lockdown/disable-log-out
    Copy to Clipboard Toggle word wrap

  5. Update the system databases: 

    # dconf update
    Copy to Clipboard Toggle word wrap
  6. Users must log out and back in again before the system-wide settings take effect.
Important

Users can evade the logout lockdown by switching to a different user. To prevent such scenario, lock down user switching as well.

To lock down user switching, use the following procedure:

Procedure

  1. Create the /etc/dconf/profile/user profile, which contains the following lines: 

    user-db:user
system-db:local
    Copy to Clipboard Toggle word wrap

    where local is the name of a dconf database

  2. Create the /etc/dconf/db/local.d/ directory if it does not already exist.

  3. Create the /etc/dconf/db/local.d/00-user-switching key file to provide information for the local database: 

    # Prevent the user from user switching
[org/gnome/desktop/lockdown]
disable-user-switching=true

[org/gnome/desktop/screensaver]
user-switch-enabled=false
    Copy to Clipboard Toggle word wrap

  4. Override the user’s setting, and prevent the user from changing it in the /etc/dconf/db/local.d/locks/lockdown file: 

    # Lock this key to disable user switching
/org/gnome/desktop/lockdown/disable-user-switching
/org/gnome/desktop/screensaver/user-switch-enabled
    Copy to Clipboard Toggle word wrap

  5. Update the system databases: 

    # dconf update
    Copy to Clipboard Toggle word wrap
  6. Users must log out and back in again before the system-wide settings take effect.
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat