pátek 13. srpna 2010

Kiosk in KDE 4

Hello World! I hope this reaches you on the first try :-)

I've been working on my BS thesis with the name "Parental mode in KDE". The name can be a bit misleading, because I was mainly working on some kdelibs internals (integration of KAuth into Kiosk) and the Kiosk Admin Tool application.

The first part of the work uncovered some nasty things in PolicyKit and ended with a simple outcome: using KAuth/PolicyKit as a back-end for Kiosk is too problematic and would require rewriting a good part of PolicyKit to make it work at all. For example: unlike Kiosk, PolicyKit doesn't have support for profiles that could be assigned to users and groups, is much slower compared to KConfig/Kiosk, and in the PolicyKit1 incarnation isn't stable enough for heavy use. See freedesktop bugs 29394 and 29069 for some details. Only positive outcome up to now is that Dario Freddi fixed some problems I found in KAuth. I wanted to do it but he was faster ;-)

Nevertheless, working with Kiosk gave me some insight into how it works and that it's in much better state than people believe. So, on to the real stuff.

Kiosk Tool

The original KioskTool for KDE 3 is probably rather well-known compared to the newer KDE 4 port that currently resides in extragear. While the older version is much more complete, even in the first few minutes of use, I encountered segfaults.

A lot of work has been done already in the unfinished KDE 4 port and what it really needed to become usable again was just a bit of polishing, refactoring and bug-hunting. So, that's what I did :) Screenshots should help.

First a few from the KDE 4 port before I started working on it.
This is pretty much what greets you when you first start the application.
A list of profiles... and not very informative.
Changing some settings of a profile.
The dialog doesn't fit on smaller netbook screens.
Assigning user and group profiles can be rather unfriendly.
On top of the unusable GUI, it had a few other problems. The 'upload profiles to server' feature didn't work and only caused segmentation faults. This was really easy to fix :-)
Also, there was no way to set up the default profile structure when you don't have it already on your system. This wasn't so trivial and I resolved the problem after redoing the GUI. It will bug you about it when you run the program for the first time (and won't let you further if you don't let it create the files).
I mostly worked on the profile management and assignment part and the actual profile editor is mostly untouched.
This is how the first screen looks now. It is obvious which profiles
are assigned to users and their groups and which are effective.
Changes can be saved or discarded.
Group profiles got the same treatment. It is now possible to change the order in which group
profiles are applied.
The profile management part now shows all the properties.
Assigning a profile uses the same profile view, so it's easier to pick the right one.
The dialog for editing profile properties now fits on the screen.
It really needs the same model-view treatment as the management part though.
This new version resides in the playground. It is apparent that much more work is required to make it really shine, but at least I made it a bit more usable and a lot less crash-happy :-)

Here's the updated TODO list with things I'd like to do next:
  • Fix the stuff that resides in deprecated/. This has been used for translations in the past. A new 'extractxml' that can handle the new .kiosk files is required.
    But then: how to make it work with .kiosk files provided by other app developers? Maybe the script would have to be globally accessible.
  • Properly separate GUI from data for the profile properties dialog.
  • Document how the profile editor components work, how profile editing itself works. Apply more model-view goodness.
  • The KioskSync/KioskRun classes are crufty and mostly undocumented. Suspected hidden bugs...
  • Remove the PolicyKit stuff (the PKLA convertor KAction).
  • Make sure all parts of kiosktool work on small screens (netbooks, etc.)
  • Add editor for URL (file) restrictions
  • Make it possible to select targeted KDE version?

Plenty of things to keep me busy ;-)

Kiosk in general

Kiosk in KDE 4 mostly works. It is possible to create, assign and manage Kiosk profiles that contain configuration files. That means pretty much every setting can still be locked down.
The real problems are in the action and resource restriction area, where for example restricting the desktop wallpaper resources won't have much of an effect on the dialog used for selecting them. While none of the wallpapers from the user's home directory will show up, it can be easily circumvented by simply using the Open button to pick a file manually. Other examples can be found easily.

With the Kiosk Admin Tool on the way towards greatness again, the only real problem now is that Kiosk isn't used by developers. It's quite easy: determine what could be locked down and how, pick a good name for your actions, describe them in a .kiosk file and make it install along with your application. Or maybe wait a bit for the Kiosk Admin Tool to get more polished as some of the details there might need a bit of tweaking.

Comments are welcome :)

10 komentářů:

  1. Awesome work.

    One useful approach would be to make contact with sysadmins working with KDE and find out their lockdown requirements so that they can be addressed in Kiosk and apps' kiosk files.

    I'm not sure that blogs will reach them - perhaps distributions' user lists would. If you decide to go this route I can ask for you on openSUSE lists.

  2. Hey!
    It's great to have such project going forward. It's always been one of our deployment advantages and we were forgetting about it.

    Keep rocking!

  3. wstephenson:
    That would be very helpful. Gathering requirements certainly sounds like a good idea.
    Up to this point, I just hacked the thing together so it can stand on its own feet so to speak, but to go forward, I'll need something to guide me.

    Thank you :)

    I won't have reliable net connection next week, but should be able to at least read e-mails every day.

  4. dup:
    Well, you'll need development packages for kde along with subversion (svn) and a bunch of compiler stuff (gcc, cmake).

    Then in a terminal:
    svn checkout svn://anonsvn.kde.org/home/kde/trunk/playground/sysadmin/kiosktool/
    cd kiosktool
    mkdir build
    cd build
    cmake ..

    This should produce a runnable binary

  5. You can also take a look at how digikam is built:

    The svn path is a bit different, but the steps are the same.

  6. Bad link :)
    This is the right one:

  7. ok, was able to install.But not much keys to restrict yet.For example ,how to disable rigth mouse button menu on kicker or kickoff and how to disable konsole in konqueror .

  8. Thanks for Posting ! first time I have found a genuine post related to Kiosks