1

I would like to give a user (mom and dad) only access to these 4 applications:

  • Google Chrome
  • Libreoffice Calc and Writer
  • vlcplayer

Of course they are locked in the user home directory. And also of course: They must be able to change volume and print documents. It is close to a kiosk ;-)

What is the best way to tackle this? I'm running 12.04(64).

(pessulus and lockout are not available?)

Community
  • 1
Jorrit
  • 11

2 Answers2

0

Give them a separate user account without administrative privileges. If they don't need to save stuff beyond the length of a session, a temporary guest account will do.

David Foerster
  • 36,264
  • 56
  • 94
  • 147
  • 3
    Giving them a separate account is always a good idea: it will stop them doing anything that can break the system but it wont limit them to just the small number of applications that the question is asking about. – Warren Hill Sep 26 '13 at 12:57
  • 1
    That's right, but I think Jorrit actually wants to prevent other users from accessing or accidentally tampering with his stuff and restricting usable applications is just a (questionable) means to an end. – David Foerster Sep 29 '13 at 22:24
  • Of course, it is my intention that users can't break stuff. My parents are real computer noobs. Even saving a. Doc is too difficult for them. "Less is more"

    Moreover, it is quite frustrating to nowhere find the answer to this question. All searches end in "Guest" en "Kiosk" etc. etc. That will do, but isn't satisfaction.

    Same question: How to limit user access to selected applications? Other cases: (future case?)but in a small office, Synology DS212 + file server, desktopts 4, 6 Users (2 full-time, four part-time)

     – Jorrit Oct 01 '13 at 19:01
0

If you really want to restrict access to applications for some user(s), there are a few things that come to my mind. All of them involve a separate user account and none seem really satisfying to me.

  • If you just want to hide diversity and complexity as to not confuse users, override all “unnecessary” application starters. Something along the lines of the following untested shell script:

    cp -R {/usr,~/.local}/share/applications
find ~/.local/share/applications -name \*.desktop -exec sed -i -e '/^NoDisplay=/d;/^\[Desktop Entry\]$/a NoDisplay=true' \{\} +

    Then delete the starters of allowed applications in ~/.local/share/applications. You can do a similar things for MIME types that you don't want them to open (with some applications).

  • Write some apparmor rules that forbid user "parents" to execute anything except allowed applications. This is potentially difficult, because many applications rely on external programs and shell scripts, and some have their real binary executables somewhere in /usr/lib. It may work for a very limited set of applications though.

    A sensible set of programs to allow would be stuff from the packages "coreutils", "bash", "python", "perl", and any dependencies of allowed applications.

    I would also do disable the application starters as explained above as to not have a bunch of dysfunctional starters in the dash, dock, application menu, or wherever.

David Foerster
  • 36,264
  • 56
  • 94
  • 147