Chapter 9. Restricting the desktop session
You can restrict and control various functionalities on the GNOME desktop environment. You can enforce specific configurations and restrictions to maintain system integrity and prevent unauthorized access.
9.1. Disabling user logout and user switching
Disabling user logout and user switching can improve security, prevent user errors, and enforce a specific workflow. This can mitigate unauthorized access to sensitive data and disruptions to the workflow caused by users accidentally logging out or switching to another user.
Prerequisites
- Administrative access.
Procedure
Create a plain text /etc/dconf/db/local.d/00-logout keyfile in the /etc/dconf/db/local.d/ directory with the following content:
    [org/gnome/desktop/lockdown]
    # Disable user logout
    disable-log-out=true
    # Disable user switching
    disable-user-switching=true
Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:
    # Lock user logout
    /org/gnome/desktop/lockdown/disable-log-out
    # Lock user switching
    /org/gnome/desktop/lockdown/disable-user-switching
Apply the changes to the system databases:
# dconf update
9.2. Disabling printing
Disabling printing can prevent unauthorized access to sensitive documents, prevent potential breaches, and safeguard confidential information.
Prerequisites
- Administrative access.
Procedure
Create a plain text /etc/dconf/db/local.d/00-printing keyfile in the /etc/dconf/db/local.d/ directory with the following content:
    [org/gnome/desktop/lockdown]
    # Disable printing
    disable-printing=true
Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:
    # Lock printing
    /org/gnome/desktop/lockdown/disable-printing
Apply the changes to the system databases:
# dconf update
9.3. Disabling file saving
Disabling file saving can help to protect sensitive data from unauthorized access and protect against potential data leaks.
Prerequisites
- Administrative access.
Procedure
Create a plain text /etc/dconf/db/local.d/00-filesaving keyfile in the /etc/dconf/db/local.d/ directory with the following content:
    [org/gnome/desktop/lockdown]
    # Disable saving files on disk
    disable-save-to-disk=true
Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:
    # Lock file saving
    /org/gnome/desktop/lockdown/disable-save-to-disk
Apply the changes to the system databases:
# dconf update
9.4. Disabling the command prompt
Disabling the command prompt can simplify user interactions with the system, prevent inexperienced users from executing potentially harmful commands that might cause system instability or data loss, and reduce the risk of unauthorized changes to system settings or configurations.
Prerequisites
- Administrative access.
Procedure
Create a plain text /etc/dconf/db/local.d/00-lockdown keyfile in the /etc/dconf/db/local.d/ directory with the following content:
    [org/gnome/desktop/lockdown]
    # Disable command prompt
    disable-command-line=true
Create a new file under the /etc/dconf/db/local.d/locks/ directory and list the keys or subpaths you want to lock down:
    # Lock command prompt
    /org/gnome/desktop/lockdown/disable-command-line
Apply the changes to the system databases:
# dconf update
- For these settings to take effect, users need to log out and log back in.
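Sections 9.1 to 9.4 each set a key in a keyfile and then pin it in a file under locks/; a key that is set but not locked is only a default that a user's own dconf settings can override. The following script is an added example, not part of the original documentation, that reports such keys; the function name, the sample tree, and the treatment of a lock entry ending in "/" as a subpath are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the original page): report lockdown keys that a
# keyfile sets but no file under locks/ pins, so a user can still override them.
# Usage: unlocked_keys [DB_DIR]    DB_DIR defaults to /etc/dconf/db/local.d
unlocked_keys() {
    db_dir=${1:-/etc/dconf/db/local.d}
    # Lock entries, one per line, comments and surrounding blanks removed.
    locks=$(cat "$db_dir"/locks/* 2>/dev/null |
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d')
    for f in "$db_dir"/*; do
        [ -f "$f" ] || continue    # skips the locks/ directory itself
        LOCKS="$locks" awk '
            BEGIN { n = split(ENVIRON["LOCKS"], lock, "\n") }
            /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comment or blank
            /^[ \t]*\[/ {                                     # [section] header
                sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec); next
            }
            sec == "org/gnome/desktop/lockdown" && /=/ {
                key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
                path = "/" sec "/" key; ok = 0
                for (i = 1; i <= n; i++) {
                    # Exact key match, or (assumption) an entry ending in "/"
                    # locks every key below that subpath.
                    if (lock[i] == path ||
                        (lock[i] ~ /\/$/ && index(path, lock[i]) == 1)) ok = 1
                }
                if (!ok) print path
            }' "$f"
    done | sort -u
}

# Constructed sample tree: two keys set, only one of them locked.
demo=$(mktemp -d)
mkdir -p "$demo/locks"
printf '%s\n' '[org/gnome/desktop/lockdown]' '# Disable printing' \
    'disable-printing=true' > "$demo/00-printing"
printf '%s\n' '[org/gnome/desktop/lockdown]' \
    'disable-command-line=true' > "$demo/00-lockdown"
printf '%s\n' '# Lock printing' \
    '/org/gnome/desktop/lockdown/disable-printing' > "$demo/locks/00-lockdown"
unlocked_keys "$demo"    # prints /org/gnome/desktop/lockdown/disable-command-line
rm -rf "$demo"
```

The script reads the keyfiles and lock files, not the compiled database, so run it before `dconf update` to catch a missing lock entry.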
9.5. Disabling repartitioning
You can override the default system settings that control disk management.
Avoid modifying the /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy file directly. Any changes you make will be replaced during the next package update.
Prerequisites
- Administrative access.
Procedure
Copy the /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy file under the /etc/share/polkit-1/actions/ directory:
    # cp /usr/share/polkit-1/actions/org.freedesktop.udisks2.policy /etc/share/polkit-1/actions/org.freedesktop.udisks2.policy
In the /etc/polkit-1/actions/org.freedesktop.udisks2.policy file, delete any actions that you do not need and add the following lines:
    <action id="org.freedesktop.udisks2.modify-device">
      <message>Authentication is required to modify the disks settings</message>
      <defaults>
        <allow_any>no</allow_any>
        <allow_inactive>no</allow_inactive>
        <allow_active>yes</allow_active>
      </defaults>
    </action>
If you want to restrict access only to the root user, replace <allow_any>no</allow_any> with <allow_any>auth_admin</allow_any>.