Locking Down the GNOME Desktop

From MicroFocusInternationalWiki
Jump to: navigation, search

The GNOME Desktop provides a type of "registry" called GCONF that will allow you to "Lock Down" certain aspects of the desktop. Modifying GCONF is somewhat staightforward as you simply use the "gconftool-2" command line program.

NOTE: Currently there is no easy way to "push out" these settings over a network (like you can with GPOs or System Policies) and it is difficult to have different settings for different users/groups, but work is being done on this. Also if you would rather use a graphical tool to set restrictions you can also use "sabayon" (included with SLED10) to do the job, however I find using the gconftool-2 utility quite a bit easier.

Note about Locking Down Firefox

In order to lock down Firefox with GConf, it is necessary to change the Mozilla preference config.use_system_prefs from its default value to true. On SLED 10 Service Pack 2, edit /usr/lib/firefox/local-configuration.js to include the line:

lockPref("config.use_system_prefs", true);

For information about setting locked preferences on earlier versions of SLED 10, see the instructions on customizing Firefox on SLED

In order to lock down Firefox with GConf on SLED 11: Add this line: lockPref("config.use_system_prefs", true); To this file: "/usr/lib/firefox/defaults/preferences/firefox-lockdown.js"

Finding the settings to Lock Down

Just as Windows has regedit to view the registry settings, GNOME has gconf-editor to view it's settings.


As you can see, all of the settings are organized in a "virtual filesystem" and can be easily traversed to find the setting you need. Once you locate the correct setting, simply note the information you need. In the above shot, you can set the homepage for Firefox with the "/apps/firefox/general/homepage_url" setting, which happens to be a "String" set to "www.google.com".

So the actual command that you would run on a command line would be:

gconftool-2 --direct \
--config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory \
--type string --set /apps/firefox/general/homepage_url www.google.com

Do not fret if you don't understand any of that command, the next section will explain it.

Using the gconftool-2 Utility

From the above example you will notice that there are quite a few arguments to the gconftool-2 utility. Once you get past the shock of the command, it is really quite easy to run.

The first option --direct simply tells the utility to not change the setting now but write it out to a file - this, of course, is what you will always want to do to lock down the Desktop.

Mandatory or Default Settings

GCONF has two schemes it reads it's settings from: the gconf.xml.mandatory directory and the gconf.xml.defaults directory. You specify whether you want the setting to be Mandatory for all users (which they cannot change) or simply the default setting (that users can later change) by changing the file that gcontool-2 actually writes to. This is done with the --config-source option.

For SLED10, the --config-source option will be one of the two below:

--config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory
--config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.defaults

The Key Type and Setting the Key

The next option you have is the Key type - This tells gconftool-2 what "type" the actual object is that you are setting. You can find out the key type of the setting you want to regulate by double clicking on the object within the gconf-editor.

Gconf Edit Key.png

GCONF uses many different types, they are: string, bool, int, float and list.

The next setting --set will change depending upon what key type it is. For instance you will not enter a number if the key type is "bool", it will have to be either "true" or "false".

Most of the settings are easy to implement, however you may have a little difficulty with some, so here are some examples:

string example

The following command sets a Mandatory Background Image:

gconftool-2 --direct \
--config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.mandatory \
--type string --set /desktop/gnome/background/picture_filename /usr/share/wallpapers/default-1600x1200.jpg

bool example

The following command sets the "Include a delete command" within Nautilus the default behaviour:

gconftool-2 --direct \
--config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.defaults \
--type bool --set /apps/nautilus/preferences/enable_delete True

int example

The following command set the number of workspaces to 4 by default (SLED defaults to 1 unless you are running Xgl).

gconftool-2 --direct \
--config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.defaults \
--type int --set /apps/metacity/general/num_workspaces 4

list example

The List type took me a while to get right, the following will change the Main Menu default Favorite Applications to something more suitable for an office.

gconftool-2 --direct \
--config-source xml:readwrite:/etc/opt/gnome/gconf/gconf.xml.defaults \
--type list --list-type=string --set /desktop/gnome/applications/main-menu/file-area/user_specified_apps \

Implementing the Settings

Since currently there isn't an easy way to set these changes for an entire network, you must run all of the gconftool-2 commands on each machine (as root). The easiest way I have found is to simply create a text file that lists all of the needed commands to lock down your workstations, then simply run:

sh ./Workstaion_Settings.txt

on every workstation on your network.

Authors Listed Below