still trying to lock xfce...

Brian J. Tarricone bjt23 at cornell.edu
Thu Mar 18 14:16:38 CET 2004


Alvise wrote:

> Brian J. Tarricone wrote:
>
>> this reminds me of something i was thinking about a while ago... is 
>> this really the best way to implement a systemwide-restricted config? 
>> it seems to me that this places a bit of a burden on the system 
>> admin, since they'll need to make damned sure that the user can't run 
>> a terminal.
>
> But... if I could lock the apps in the panel without any terminal in 
> it and edit the desktop menu taking away the "Run program", "Terminal" 
> and similar. If I make sure that user-accessible apps don't provide 
> terminals (like kate does).
> Would there be any other way for a user to access a terminal?

none that i can think of offhand, but that doesn't mean someone couldn't 
figure something out. hell, i remember in win32 computer kiosks, i used 
to defeat a bunch of their protection schemes by messing with netscape's 
"helper apps" and then typing file://c|/windows/explorer.exe in the 
address bar. i'm sure the admins didn't think of that when they let me 
run a web browser and nothing else (but of course the entire point of 
the kiosk was to allow me to run a web browser). i'm not saying you 
could get around it in this way (though maybe you could); i'm just 
saying that just because you think you've thought of everything doesn't 
mean you have.

environment variables are _not_ a security-related feature. i'm 
naturally wary when you try to take something that has nothing to do 
with security and use it in a security context. something like i 
suggested on the xfce4-dev list - allow/disallow lists in well-defined 
system locations - uses a well-known system security feature: file 
permissions. after/if my xfdesktop work slows down quite a bit, i intend 
to implement such a system (assuming i don't lose my motivation ^_~).

-brian
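
The allow/disallow-list idea from the message above, as an added example (not code from the original post or from Xfce): a lock list is honored only if it is a regular file owned by the expected uid and not writable by group or others, a guarantee an environment variable cannot give. The file path, the one-setting-per-line format and the setting names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path only if it is a regular file owned by `owner` that group and
 * others cannot write. The descriptor is checked, not the path, so the file
 * cannot be swapped between the check and the read. */
static FILE *open_trusted(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);   /* refuse a symlink */
    if (fd < 0)
        return NULL;                    /* errno says why, e.g. ENOENT */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;                  /* present but not trustworthy */
        return NULL;
    }
    return fdopen(fd, "r");
}

/* 1 if `setting` is on the disallow list, 0 if not. A missing file locks
 * nothing; a file that exists but fails the checks locks everything. */
int setting_is_locked(const char *path, uid_t owner, const char *setting)
{
    char line[256];
    int locked = 0;
    FILE *fp = open_trusted(path, owner);
    if (!fp)
        return errno != ENOENT;
    while (!locked && fgets(line, sizeof line, fp)) {
        line[strcspn(line, "\r\n")] = '\0';       /* strip the newline */
        locked = line[0] != '#' && strcmp(line, setting) == 0;
    }
    fclose(fp);
    return locked;
}

int main(void)
{
    /* Hypothetical path and setting name; 0 is root's uid. */
    const char *path = "/etc/example/lock.list";
    printf("panel-edit locked: %d\n", setting_is_locked(path, 0, "panel-edit"));
    return 0;
}
```

A list the user could have written or replaced is treated as if every setting were locked, so tampering can only tighten the restrictions.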


