Prevent a user from changing desktop settings

Hi guys.

I'm using the Ubuntu 20.04 MATE desktop, and I have two users now: one is the administrator, the other one is a desktop user. I'm using dconf-editor to modify the desktop settings.
Is there a way to forbid the desktop user from changing the desktop settings? For example, I don't want the desktop user to change the buttons on the top panel. Is it possible?

Some said you can change the ownership of /home/desktopuser/.gconf to root, but I can't see that file in Ubuntu 20.04.

Thanks!

Numero uno, the article you were reading is most likely from the GNOME 2 days. GConf was the GNOME 2 configuration mechanism; DConf (I know it's confusing) is the new and "improved" (don't get me started on its idiocies) configuration system used by GNOME 3 and MATE alike. Anyway, the directory to change permissions on is /home/desktopuser/.config/dconf, and you can use the following command to make it unwritable by desktopuser:

chmod u-w /home/desktopuser/.config/dconf/user

However, that's not enough to deter anybody who can use the terminal and change permissions! To truly lock the database down, do the following commands as the administrator dude:

sudo chmod 040 /home/desktopuser/.config/dconf/user
sudo chown [name of the administrator] /home/desktopuser/.config/dconf/user

Now the administrator owns the configuration database (you can change ownership to root instead, if you prefer), but the administrator can't read the file themselves; only members of the group desktopuser (which by default is only the user desktopuser) can even read the file, and nobody can write to it.

After you do this, "nobody" can change your desktop settings!

Thanks gordon. I tried your suggestions, but they don't seem to be working. The desktop user can still modify the buttons on the top panel.

I found a way to do it in dconf-editor: open dconf-editor, go to /org/mate/panel/general and tick the locked-down option. This would stop the desktop user from changing any settings on the top panel. The problem is that the desktop user can reopen dconf-editor and untick the locked-down option again. :joy:

Just hide dconf in the menu editor, and then hide the menu editor in the menu editor. I have done that as a workaround, unless they know how to start the menu editor from the command line. There may be a way to actually lock the dconf editor, but I don't know it for sure.

Whoops, I gave you the wrong command. The chain of commands to follow is:

sudo chown -R administrator /home/desktopuser/.config/dconf
sudo chmod -R 040 /home/desktopuser/.config/dconf

(You can instead use the hot-shot abbreviation for /home/desktopuser, which is ~desktopuser, if you desire.) The previous commands which I gave you didn't work because under Linux and other POSIX-compliant systems, you can actually delete somebody else's file as long as the file owned by someone else is in a directory owned by you. Hence DConf was able to delete the write-protected configuration database and replace the database with one which reflected configuration changes. By write-protecting the parent directory, the database file couldn't be removed; even if you tried to delete the parent directory, you can't delete a non-empty directory until all its files are removed too, so the database is now truly immutable.

However, the panel is set up in such a way that you can actually change it even when the DConf database is locked; the changes just don't get committed to the database, and when you log out and back in, you're back to where you were when you locked the database. So if you really want everything to be immutable, enable the lockdown preference in dconf-editor and then change the permissions on the database.

I hope these tips help you.

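The file-versus-directory point from the post above, as an added example that is not part of the original thread: an audit that decides from owner and mode bits whether an account can still replace or rewrite its dconf database. The function names are hypothetical, GNU stat is assumed, and any group/other write bit is treated as a risk without resolving group membership.

```sh
#!/bin/sh
# Added example: judge a dconf lock-down from owner and mode bits only
# (GNU stat), so the verdict is the same when the audit runs as root.

# mode_has MODE MASK: true if any permission bit of octal MASK is set in MODE.
mode_has() { [ $(( 0$1 & 0$2 )) -ne 0 ]; }

# audit_dconf_lock DIR UID: prints one verdict line for the account UID.
audit_dconf_lock() {
    dir=$1
    uid=$2
    db=$dir/user
    dir_owner=$(stat -c %u "$dir") || return 2
    dir_mode=$(stat -c %a "$dir")
    # The owner of the directory can always chmod it writable again.
    if [ "$dir_owner" = "$uid" ]; then
        echo "replaceable: uid $uid owns $dir"
        return 0
    fi
    # Write access to the directory allows unlinking or renaming the file
    # inside it, whatever the file's own mode says. Conservative: any
    # group/other write bit counts, group membership is not resolved.
    if mode_has "$dir_mode" 022; then
        echo "replaceable: $dir is group/other-writable (mode $dir_mode)"
        return 0
    fi
    if [ -e "$db" ]; then
        db_owner=$(stat -c %u "$db")
        db_mode=$(stat -c %a "$db")
        if [ "$db_owner" = "$uid" ] || mode_has "$db_mode" 022; then
            echo "writable: $db can be changed in place (mode $db_mode)"
            return 0
        fi
    fi
    echo "locked: uid $uid can neither replace nor rewrite $db"
}

# Usage: sh audit.sh /home/desktopuser/.config/dconf "$(id -u desktopuser)"
if [ $# -eq 2 ]; then
    audit_dconf_lock "$1" "$2"
fi
```

A read-only database file inside a directory the account still owns is reported as replaceable, which is the situation the first pair of commands in the thread left behind.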

Sweet, thanks gordon.

Thanks Bernie, this is probably the best way to do it, even though the user can still launch dconf-editor from the terminal.
I don't know if there is a way to lock the dconf editor, but to prevent the desktop user from launching dconf-editor, I might just remove it after configuration. Thank you!

Hi Penn, as root you can prevent anyone from starting the dconf editor by restricting read+execute access to it. On most distros chmod 700 /usr/bin/dconf and chmod 700 /usr/bin/dconf-editor should do the trick.


Thanks cvdgenugten, I think you provided the bulletproof option, genius!
