Bug 1292011 - Lockdown items shouldn't be editable in dconf-editor
Lockdown items shouldn't be editable in dconf-editor
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: dconf (Show other bugs)
7.2
x86_64 Linux
high Severity unspecified
: rc
: ---
Assigned To: Marek Kašík
Desktop QE
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-12-16 03:09 EST by Ladislav Kolacek
Modified: 2016-01-25 09:20 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-16 14:36:23 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ladislav Kolacek 2015-12-16 03:09:57 EST
Description of problem:

Version-Release number of selected component (if applicable):
kernel-3.10.0-327.el7.x86_64
dconf-0.22.0-2.el7.x86_64
dconf-editor-0.22.0-2.el7.x86_64

How reproducible:
always

Steps to Reproduce: 
 1. Follow steps to prevent the user to logging out and switching to another user
    Section 13.8 Locking Down User Logout and User Switching on web:
    http://jenkinscat.gsslab.pnq.redhat.com:8080/view/RHEL7/job/doc-Red_Hat_Enterprise_Linux-7-Desktop_Migration_and_Administration_Guide%20%28html-single%29/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#lockdown-logout
 
 2. Make sure you have dconf-editor installed 
 3. Run dconf-editor
 4. Use <ctrl+f> shortcut and try to find 'lockdown' 
 5. Hit button 'Next' until 'disable-log-out' and 'disable-log-out' appear
 6. Try to uncheck 'disable-log-out' and 'disable-log-out'checkbox

Actual results:
Logging out and switching to another user was enabled by dconf-editor.

Expected results:
Lockdown items shouldn't be editable in dconf-editor (especially not as regular user).
Comment 1 Ladislav Kolacek 2015-12-16 03:18:23 EST
In scenario (task 5 and 6) is a mistake. Second checkbox is 'disable-user-switching'
Comment 2 Rui Matos 2015-12-16 14:36:23 EST
Seems like that's an old copy of the official docs which you can see at 

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/custom-default-values-system-settings.html#lock-down-specific-settings

and it seems that that copy is just wrong in the syntax to use on the locks file: instead of org.gnome.desktop.lockdown.disable-log-out you should use /org/gnome/desktop/lockdown/disable-log-out .
Comment 3 Jana Heves 2015-12-17 06:04:04 EST
Dear Rui,

The link to jenkinscat actually provides the most recent changes in the master branch. CCS uses jenkinscat for staging and previewing of our latest docs.

Thank you very much for spotting the mistake in our docs and letting us know!
In this commit [1], I fixed all the three procedure with incorrect lockdown keys.

Do you think that the procedure on locking logout is otherwise correct [2]?

Vláďa pointed out to me that the sysadmin can lockdown these settings as per the procedure but (if I get it correctly) the user (with root privileges?) can easily revert this behaviour via dconf-editor and gsettings. 
So, (all?) the lockdown items ARE editable in dconf-editor and that's correct GNOME behaviour. 

Would it be enough to add an admonition to [3] saying something like:
"The user with root privileges can revert lockdown settings using dconf-editor and gsettings." (or shall we even say how?)

Thank you very much for your answers in advance!
jana

[1] https://gitlab.cee.redhat.com/red-hat-enterprise-linux-documentation/doc-Red_Hat_Enterprise_Linux-7-Desktop_Migration_and_Administration_Guide/commit/4fddab26b55fede76de7af00d6ddbddb075ec475

[2] http://jenkinscat.gsslab.pnq.redhat.com:8080/view/RHEL7/job/doc-Red_Hat_Enterprise_Linux-7-Desktop_Migration_and_Administration_Guide%20%28html-single%29/lastSuccessfulBuild/artifact/tmp/en-US/html-single/index.html#lockdown-logout

[3] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/custom-default-values-system-settings.html#lock-down-specific-settings
Comment 4 Rui Matos 2015-12-17 07:17:06 EST
(In reply to Jana Heves from comment #3)
> The link to jenkinscat actually provides the most recent changes in the
> master branch. CCS uses jenkinscat for staging and previewing of our latest
> docs.

Ok, I was not aware of this.

> Thank you very much for spotting the mistake in our docs and letting us know!
> In this commit [1], I fixed all the three procedure with incorrect lockdown
> keys.
> 
> Do you think that the procedure on locking logout is otherwise correct [2]?

I see that the syntax is incorrect in some of those cases in [2]. The lockfile syntax is simply the full path to each locked setting, one per line. So it should always be in the form:

/path/to/key-name

note the leading / .

> Vláďa pointed out to me that the sysadmin can lockdown these settings as per
> the procedure

Yes.

> but (if I get it correctly) the user (with root privileges?)

A user with access to the root account can always do anything. They can just delete the lock files for instance or steal your (browser) cookies :-)

> can easily revert this behaviour via dconf-editor and gsettings. 
> So, (all?) the lockdown items ARE editable in dconf-editor and that's
> correct GNOME behaviour. 

No, a regular user account should not be able to work around the locks specified in dconf lock files. This case reported here only happened, as far as I can tell, because the wrong syntax was being used for the lock file so obviously the lock wasn't being enforced. With the correct syntax in the lock file, a user should not be able to change a locked key's value using dconf-editor or any other mechanism.

Note You need to log in before you can comment on or make changes to this bug.