Lock down GNOME with Pessulus
There are many reasons why you might want to lock down a desktop. Say you run an internet cafe and you don't want your users to be able to do certain things. Or what if your Linux box is being used as a kiosk and you don't want users to be able to exit out of the browser or run any unwanted programs or commands. How do you manage this task?
It's actually quite simple. For the GNOME desktop there is a handy tool call Pessulus that allows you to lock down certain aspects of the desktop. I will warn you though, in order to get the most out of this you need to be using the Epiphany web browser as that is the only browser Pessulus supports. Remember, Epiphany is still the official web browser of the GNOME desktop - even though Epiphany isn't installed by default on most distributions (go figure).
Installations
There are two tools you must install: Pessulus and Ephiphany. These are quite simple to install. All you need to do is follow these steps:
- Open up your Add/Remove Software tool.
- Search for "lockdown" (or "pessulus") - no quotes.
- Mark Pessulus for installation.
- Search for "epiphany" (no quotes).
- Mark Epiphany for installation.
- Click Apply to install.
Depending upon your distribution, there may or may not be a need to install any dependencies. If there are, allow this.
Once installed you are ready to begin locking down the desktop.
Use
To use Pessulus click Alt-F2 Â and then type pessulus. This will open up the main (and only) window for the lockdown tool (see Figure 1). In this window there are four tabs:
General: Here you can disable general features for the GNOME desktop. Most notably is the ability to disable the command line and save to disk. This is ideal for a Kiosk or cafe situation.
Panel: In this tab you can disable force quit, you can lock down the panel, disable logout, and disable specific applets.
Epiphany Web Browser: In this tab you can disable quit, disable arbitrary URL, disable bookmark editing, disable history, disable javascript, disable toolbar editing, force fullscreen, hide the menubar, and disable unsafe protocols.
GNOME Screensaver: In this tab you can disable lock screen, enable lock on activation, allow/disallow logout, allow/disallow user switching.
One of the only issues you might find is that installing Pessulus actually adds a menu entry called "Lockdown Editor". I would suggest you rename that menu entry to some obscure title so the user won't have any idea what it does. If you completely remove the Pessulus menu entry you will have a hard time starting the tool as the disabling of the command line (in Pessulus) also disables the Alt-F2 run dialog. Of course you could opt to not disable command line and still have the option of using the command line to start up the tool. That depends on how secure you want that kiosk to be.
Final thoughts
Locking down the GNOME desktop doesn't have to be a horrible challenge. Instead of going through the Gconf-editor, just use a tool like Pessulus to make sure your GNOME desktop is in a state of lockdown so the users can't do anything you do not want them to do.
Advertisement
Hey great write up here, i was wondering if there is a way to use epiphany to only open up few certain websites to use as a kiosk.
I wonder… If you disable the command line, and remove lockdown editor from the menu. But have created a shortcut to launch pessulus, will that work? In short, do shortcuts work while in this kiosk mode?
Thanks for this great post. One thing that keeps on bothering me is how to skip epiphany auto recovery. I found a few ideas from my google searches, but nothing works so far.