Linux is infinitely configurable. It's so flexible it runs on mainframes, cell phones, PCs, even gaming stations and digital video recorders (DVRs). This is one of its biggest strengths especially for those who want control or the freedom to tailor a desktop PC to their specific needs. It is also a boon to the system administrator who may want to configure the desktop to the point where it serves user needs, not their whims. Depending on your organization your desktop may be locked down so you can't install unnecessary programs that can cause the system to fail. In cases like schools there might be a reason to restrict functions. Linux can accommodate customization just like Windows does through the use of policies.

KDE's KIOSK framework provides a mechanism for managing and specifically restricting the KDE environment so users can't perform undesireable actions on their desktop. This capability is extremely useful in situations where PCs are used by multiple users or are left unattended as in libraries and other places to allow limited access to PC functions. As a Windows user you might be familiar with ini files where you can set certain parameters for the Windows operating system and programs. An interesting example is when you set the shell= line in the system.ini in Windows 98. It can replace the Windows shell with Word or another application and run the operating system with only one application. In KDE there are a number of configuration files that store settings like the Windows ini files. The KIOSK Admin tool can be used to configure and lock down a number of features in the KDE desktop. It works by creating profiles for certain types of users and applying those profiles to user accounts. Different accounts can be subject to different limitations, making it possible to turn a PC into a low-maintenances public access terminal kept in an immutable state that allows no permanent changes other than those made by an administrator.

The kinds of things you can do with KIOSK are very broad but the things that KIOSK can do fall into three basic categories.

• Lock Down - You can lock down the K Panel so that no changes are made or configure network proxy settings so they are unchangeable. Users are then unable to circumvent proxies that filter content that doesn't fall within appropriate use policies.
• Disable - KIOSK can be used to limit functionality. This might include taking advantage of certain programs or features like Desktop Sharing that are available to the fully privileged user. You can disable the Logout option, the Run Command, and a host of others.
• Look-and-Feel - You can pre-configure a desktop so themes and other settings are static and the cosmetic aspects of the operating system stay intact.

This is handy when making a public use terminal that may advertise a company or organization. The desktop wallpaper and the look-and-feel can be maintained to represent the organization's interests without fear that vandals will change the wallpaper or leave inappropriate messages on the system.

Summary
KIOSK Admin Tool isn't so much an extension of KDE functionality as it is a systems management tool that can be used by a corporate systems administrator or parent who might be concerned about how his children are using their PCs. It's a great way to set up shared workstations among a great number of users or just a few. The tool isn't that well documented but the KIOSK Mailing List provides a good forum and valuable archives on how to do things or troubleshoot problems. While you could edit and tweak configuration files individually this type of tool, it's helpful in centralizing many common Linux configuration files into an easy-to-use menu driven interface.

Other Resources:
KDE KIOSK Mode HOWTO - www.tldp.org/HOWTO/KDE-KIOSK-Mode/
KDE KIOSK Mailing List - https://mail.kde.org/mailman/listinfo/kde-KIOSK

Sidebar:

Interview with KIOSK Admin Tool Creater Waldo Bastian

LWM: I noticed the KIOSK Tool was included with SuSE 9.2 but that's the first I've seen of it. Can you give me some history on it?

Bastian: KIOSK and generic lock-down functionality were added to KDE 3.0 and from there it has slowly progressed based on feedback from our users. The functionality was originally aimed at making public terminals public-proof, hence the name KIOSK, but it quickly became clear that similar functionality is also very valuable in an enterprise setting where it can be put to use to reduce support costs.

What was still missing was an easy-to-use way for system administrators to unlock its potential. I started with the development of a graphical administration tool for it, the KIOSK Admin Tool, at the beginning of 2004. The aim was to have it ready in time for the Novell Linux Desktop.

LWM: It seems like the idea to lock down a Linux desktop would be appealing to other distributions as well. Is KIOSK dependent on anything outside of KDE?

Bastian: All the functionality provided by the KIOSK Admin Tool is part of the standard KDE platform; there are no outside dependencies.

LWM: Is there a home page for KIOSK, other than http://extragear.kde.org/apps/KIOSKtool.php?

Bastian: http://extragear.kde.org/apps/KIOSKtool.php is the homepage of the KIOSK Admin tool but the System Administration section on the KDE Web site also contains valuable information for administrators who want to deploy KDE. It is here: www.kde.org/areas/sysadmin/

Another good source of information is the kde-KIOSK@kde.org mailing list. You'll find many people there who have successfully used the KIOSK framework while deploying KDE. See https://mail.kde.org/mailman/listinfo/kde-KIOSK

LWM: Do you have any favorite KIOSK success stories?

Bastian: My favorite is about a new school in Denmark that's using KDE and SUSE and KIOSK to provide the teaching staff and the 138 children with desktops. KIOSK provides both young and old with a safe computing environment where they don't have to be afraid of breaking anything. As with many schools they don't have a big budget, so they use a thin client setup that allows them to run one central server with a mixture of old and very old PCs as clients

• Figure 1
• Figure 2