Bug 1292011

Summary: Lockdown items shouldn't be editable in dconf-editor
Product: Red Hat Enterprise Linux 7
Reporter: Ladislav Kolacek <lkolacek>
Component: dconf
Assignee: Marek Kašík <mkasik>
Status: CLOSED NOTABUG
QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified
Priority: high
Version: 7.2
CC: jsvarova, rmatos, tpelka, vbenes
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-12-16 19:36:23 UTC
Type: Bug

Description Ladislav Kolacek 2015-12-16 08:09:57 UTC
Description of problem:

Version-Release number of selected component (if applicable):
kernel-3.10.0-327.el7.x86_64
dconf-0.22.0-2.el7.x86_64
dconf-editor-0.22.0-2.el7.x86_64

How reproducible:
always

Steps to Reproduce: 
 1. Follow the steps to prevent the user from logging out and switching to another user
    Section 13.8 Locking Down User Logout and User Switching on web:
    http://jenkinscat.gsslab.pnq.redhat.com:8080/view/RHEL7/job/doc-Red_Hat_Enterprise_Linux-7-Desktop_Migration_and_Administration_Guide%20%28html-single%29/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#lockdown-logout
 
 2. Make sure you have dconf-editor installed 
 3. Run dconf-editor
 4. Use <ctrl+f> shortcut and try to find 'lockdown' 
 5. Hit button 'Next' until 'disable-log-out' and 'disable-log-out' appear
 6. Try to uncheck 'disable-log-out' and 'disable-log-out' checkbox

Actual results:
Logging out and switching to another user was enabled by dconf-editor.

Expected results:
Lockdown items shouldn't be editable in dconf-editor (especially not as regular user).

Comment 1 Ladislav Kolacek 2015-12-16 08:18:23 UTC
There is a mistake in the scenario (tasks 5 and 6). The second checkbox is 'disable-user-switching'.

Comment 2 Rui Matos 2015-12-16 19:36:23 UTC
Seems like that's an old copy of the official docs which you can see at 

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/custom-default-values-system-settings.html#lock-down-specific-settings

and it seems that that copy is just wrong in the syntax to use on the locks file: instead of org.gnome.desktop.lockdown.disable-log-out you should use /org/gnome/desktop/lockdown/disable-log-out .

Comment 3 Jana Heves 2015-12-17 11:04:04 UTC
Dear Rui,

The link to jenkinscat actually provides the most recent changes in the master branch. CCS uses jenkinscat for staging and previewing of our latest docs.

Thank you very much for spotting the mistake in our docs and letting us know!
In this commit [1], I fixed all three procedures with incorrect lockdown keys.

Do you think that the procedure on locking logout is otherwise correct [2]?

Vláďa pointed out to me that the sysadmin can lockdown these settings as per the procedure but (if I get it correctly) the user (with root privileges?) can easily revert this behaviour via dconf-editor and gsettings. 
So, (all?) the lockdown items ARE editable in dconf-editor and that's correct GNOME behaviour. 

Would it be enough to add an admonition to [3] saying something like:
"The user with root privileges can revert lockdown settings using dconf-editor and gsettings." (or shall we even say how?)

Thank you very much for your answers in advance!
jana

[1] https://gitlab.cee.redhat.com/red-hat-enterprise-linux-documentation/doc-Red_Hat_Enterprise_Linux-7-Desktop_Migration_and_Administration_Guide/commit/4fddab26b55fede76de7af00d6ddbddb075ec475

[2] http://jenkinscat.gsslab.pnq.redhat.com:8080/view/RHEL7/job/doc-Red_Hat_Enterprise_Linux-7-Desktop_Migration_and_Administration_Guide%20%28html-single%29/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#lockdown-logout

[3] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/custom-default-values-system-settings.html#lock-down-specific-settings

Comment 4 Rui Matos 2015-12-17 12:17:06 UTC
(In reply to Jana Heves from comment #3)
> The link to jenkinscat actually provides the most recent changes in the
> master branch. CCS uses jenkinscat for staging and previewing of our latest
> docs.

Ok, I was not aware of this.

> Thank you very much for spotting the mistake in our docs and letting us know!
> In this commit [1], I fixed all three procedures with incorrect lockdown
> keys.
> 
> Do you think that the procedure on locking logout is otherwise correct [2]?

I see that the syntax is incorrect in some of those cases in [2]. The lockfile syntax is simply the full path to each locked setting, one per line. So it should always be in the form:

/path/to/key-name

note the leading / .

> Vláďa pointed out to me that the sysadmin can lockdown these settings as per
> the procedure

Yes.

> but (if I get it correctly) the user (with root privileges?)

A user with access to the root account can always do anything. They can just delete the lock files for instance or steal your (browser) cookies :-)

> can easily revert this behaviour via dconf-editor and gsettings. 
> So, (all?) the lockdown items ARE editable in dconf-editor and that's
> correct GNOME behaviour. 

No, a regular user account should not be able to work around the locks specified in dconf lock files. This case reported here only happened, as far as I can tell, because the wrong syntax was being used for the lock file so obviously the lock wasn't being enforced. With the correct syntax in the lock file, a user should not be able to change a locked key's value using dconf-editor or any other mechanism.
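
A check for the mistake discussed in this bug, as an added example that is not part of the original report or of dconf: it lints a lock file against the /path/to/key-name rule from comment 4 and proposes the path form for dotted entries. The function names, the sample files, the dot-to-slash conversion and the handling of "#" lines and whitespace are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint a dconf lock file against the rule from comment 4
# (one full key path per line, with a leading "/").

# fix_entry ENTRY: print the path form of a dotted entry. Heuristic
# (assumption): every "." becomes "/", as in the pair quoted in comment 2.
fix_entry() {
    printf '/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# classify_entry ENTRY: print skip, ok, dotted or invalid.
classify_entry() {
    case $1 in
        ''|'#'*)       echo skip ;;     # blank or "#" line (assumed ignorable)
        *[[:space:]]*) echo invalid ;;  # whitespace: treated as a typo here
        *//*|*/)       echo invalid ;;  # empty component or trailing slash
        /?*)           echo ok ;;       # /path/to/key-name
        *.*)           echo dotted ;;   # schema-style name, as in this bug
        *)             echo invalid ;;
    esac
}

# lint_lock_file FILE: report bad lines; return 1 if any entry is not a key path.
lint_lock_file() {
    bad=0
    n=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        n=$((n + 1))
        case $(classify_entry "$entry") in
            dotted)  bad=1
                     echo "$1:$n: '$entry' is not a key path; use '$(fix_entry "$entry")'" ;;
            invalid) bad=1
                     echo "$1:$n: '$entry' is not in /path/to/key-name form" ;;
        esac
    done < "$1"
    return "$bad"
}

# Constructed sample files: the syntax from this bug and the corrected one.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'org.gnome.desktop.lockdown.disable-log-out' \
    'org.gnome.desktop.lockdown.disable-user-switching' > "$demo_dir/locks-broken"
printf '%s\n' '/org/gnome/desktop/lockdown/disable-log-out' \
    '/org/gnome/desktop/lockdown/disable-user-switching' > "$demo_dir/locks-fixed"

for f in "$demo_dir/locks-broken" "$demo_dir/locks-fixed"; do
    if lint_lock_file "$f"; then echo "$f: every entry is a key path"; fi
done
```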