On Mon, Nov 09, 2009 at 12:33:20PM +0900, Nigel Barker wrote:
Where is the setting that prevents a skolelinux user from having the option to shut down a workstation instead of just confirming the logout? I have kids who just log out of laptops and then leave them switched on.
I believe that what you are talking about is related to membership of the group powerdev. Or in newer systems is instead tied to consolekit.
Above the powerdev/consolekit level are tools like GDM, lxsession and whatever is the name of the similar tool in KDE, which presents a dialog for choosing e.g. logout/suspend/poweroff and greying out the options that the underlying mechanism do not allow this particular user.
Below is probably some PAM settings which applies to all users.I guess that you want to disable ability to logout, allowing only shutting down, right?
In principle the most reliable approach is to attack the problem at the bottom - i.e. not just configure KDE to do the right thing - because that lasts only until the students discover some other fun tool on their system that allows them to circumvent your KDE-specific lock-down.
Problem is, that powerdev/consolekit only really manages access to shutting down the system, as that is fundamentally a privileged operation. Killing your own X11 session while leaving the rest of the machine still running - is *not* a privileged operation, so is not governed by the underlying mechanisms.
It is a human right to commit suicide, so to speak, but requires special access to hit the big red Doomsday-machine button.
So the challenge is to protect something that is unprotected by underlying design of the system. :-/
Step 1 is to disable CTRL+ALT+BACKSPACE in xorg config. Then figure out how to configure the obvious mechanisms to silent the non-privileged logout routine while still presenting the shutdown (and remember to also disable restart, as that is just a delayed logut). Then you need to hunt down all methods of quitting or killing the running processes and make them difficult for ordinary users to invoke.
I certainly see the relevancy of this, seen from a school perspective, but expect it to be difficult at best to implement.
Good luck ;-) - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private
Attachment:
signature.asc
Description: Digital signature