still trying to lock xfce...

[Jasper Huijsmans]

On Tue, Mar 16, 2004 at 05:51:32AM -0500, Brian J. Tarricone wrote:
> Alvise wrote:
> 
> >I hope you plan to apply the XFCE_DISABLE_USER_CONFIG on the whole 
> >panel, because it could turn xfce in a wonderful system for limited 
> >enviroments!
> 
> this reminds me of something i was thinking about a while ago... is this 
> really the best way to implement a systemwide-restricted config? it 
> seems to me that this places a bit of a burden on the system admin, 
> since they'll need to make damned sure that the user can't run a 
> terminal. if the user can do that, all they have to do is:
> 
> $ unset XFCE_DISABLE_USER_CONFIG
> $ killall xfwm4 && nohup xfwm4&
> $ killall xfdesktop && nohup xfdesktop&
> .....(and so on)....
> 
> and they've effectively defeated the lockdown (granted, if not using 
> xfce4-session, they can't restart the session-controlling app). 
> depending on the environment, preventing users from running a terminal 
> may be easy, or it may be hard. the only "foolproof" method i can think 
> of to lock down the environment is to check for a file, say 
> $sysconfdir/xfce4/xfce_disable_user_config, and, if present, lock down 
> the DE. (i'm sure there are other ways, but this seems easiest.) with 
> this method, only users with write access to $sysconfdir (usually /etc) 
> can change the system's lockdown state. even better would be to have 
> said file contain a list of users for which the system is locked down, 
> or, conversely, a list of users that are exempt from the lockdown.
> 
> just an idle thought, dunno if anyone feels like messing with this...

Fully agreed. This has been brought up by me and others several times,
but unfortunately no-one has found the time to actually implement
something.

I hadn't thought about the different users before. Another thing is
perhaps to make it a little more configurable than all-or-nothing. I can
imageine allowing a user to change the theme, but not the panel
contents.

	Jasper