Restrict desktops for users

asked 2014-06-14 15:41:05 -0600

segfault

updated 2014-06-16 09:15:20 -0600

I'm going to install Fedora 20 with Sugar Desktop for the kids, but want to be able to use a normal desktop environment for myself. How can I restrict their accounts so that they can only log into Sugar Desktop? Maybe using an ACL to prevent their accounts from reading some critical files, but which ones? Or is there a better way?


I'd like to use one of the Scripting Integration Points in GDM, but these scripts only get the username as an environment variable. How can I find out what desktop environment they are trying to use? Can I look at some running process, or some file in their home directory to find out which desktop environment they've requested?

Does wmctrl work well for this in Fedora?

segfault ( 2014-06-16 12:46:30 -0600 )

Well, this should give the environment name: wmctrl -m | sed -n -e 's/Name: //' -e 1p, but when it is run in the GDM integration script it will only return GNOME Shell regardless of what desktop environment the user has chosen.

segfault ( 2014-06-16 19:04:38 -0600 )

answered 2017-11-12 20:33:19 -0600

I'm not especially concerned about security here in the kids' Sugar sessions, so I got this working this way:

  1. Create a kid's account.
  2. Log out as myself, log in to Sugar as the kid.
  3. Log out as the kid, log back in as myself.
  4. Remove the password from the kid's account: sudo passwd -d username

Now, when you click on the kid's user name at the GDM login screen, it will log in directly to Sugar without prompting for session selection.

answered 2014-06-15 03:50:32 -0600

FranciscoD_

I'm not sure if this can be done. I found a configuration option that lets you specify what session to use by default, but this can be modified by the user himself.

This post mentions the same thing, with a little more information:

I think this is a good enhancement to request upstream to include. The administrator should be optionally able to control the session users wish to use.

Thanks, that's a good starting place. On that GDM page there is documentation for integration scripts that look like exactly what I need. I can just make a PostLogin script, and check the username vs the session they've requested and return 1 if it doesn't match up. I need more detailed documentation on these scripts though. For example, if they are running as root, then how do I know what user is being logged in? Are there parameters passed to the script or am I supposed to look at environment variables, and if so which ones?

segfault ( 2014-06-15 11:00:30 -0600 )

The user name is set in an environment variable, but precious little else.

segfault ( 2014-06-16 09:05:20 -0600 )

@mether Good find but unfortunately none of the environment variables they mention are set in the environment for these integration scripts. When I get a chance I'll post the entire list of environment variables I have, but there are less than a dozen of them.

segfault ( 2014-06-16 12:40:47 -0600 )
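
The PostLogin check discussed in this thread (compare the user name with the requested session and return 1 on a mismatch), sketched as an added example that is not code from any poster or from GDM. It assumes the session is recorded in an AccountsService-style keyfile (`/var/lib/AccountsService/users/<name>`, key `XSession` or `Session`), which the thread does not confirm, and that the file is current when the script runs; the policy list and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. The policy list, the record path
# and all function names are assumptions made for illustration.

# Constructed policy: one "user:allowed-session" pair per line.
POLICY='kid1:sugar
kid2:sugar'

# Print the only session user $1 may use; prints nothing if unrestricted.
allowed_session() {
    printf '%s\n' "$POLICY" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# Print the session stored in keyfile $1 ([User] section, XSession= or
# Session= key). Prints nothing if the file or the key is missing.
recorded_session() {
    [ -r "$1" ] || return 0
    awk -F= '
        /^\[/ { in_user = ($0 == "[User]"); next }
        in_user && ($1 == "XSession" || $1 == "Session") && $2 != "" {
            print $2; exit
        }' "$1"
}

# $1 = user name, $2 = record file. Returns 0 to allow, 1 to refuse.
check_login() {
    want=$(allowed_session "$1")
    [ -n "$want" ] || return 0      # account is not restricted
    have=$(recorded_session "$2")
    [ "$have" = "$want" ] && return 0
    # Fail closed: a restricted account with no recorded session is refused.
    echo "session-policy: deny $1 (session '${have:-unknown}', allowed '$want')" >&2
    return 1
}

# In a PostLogin script (assuming the user name arrives in $USER):
#   check_login "$USER" "/var/lib/AccountsService/users/$USER" || exit 1
```

Because a restricted account with no recorded session is refused, the record has to exist before the first restricted login, and it must not be writable by the restricted user.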

