Feature changed by: Todd R (TheBlackCat)
Feature #312876, revision 3
Title: Deny individual users' access to screen-saver settings

openSUSE Distribution: Unconfirmed
  Priority
  Requester: Important

Requested by: Per Jessen (pjessen)
Partner organization: openSUSE.org

Description:
This is an extension of feature#312871, but because it's a little more involved than changing a simple default, I thought it would be better to have a separate feature request.

The screen-saver settings for time-out and "require password" are security settings that really should not be freely available to the individual user. I propose that we 1) set a reasonable default (60sec, 15sec, always require passwd) (see feature#312871) and 2) only let these settings be modified by someone with root-access. To a regular user, the timeout and "require password" settings should appear "greyed out", clearly indicating "not available".

Use Case:
Office user - the user is able to select a screen-saver, but the other settings cannot be accessed, accidentally or otherwise. The install or admin person need not change anything to get a sane security setup for the desktop.
SOHO or home users - same as above, but the default screen-saver settings may be changed by switching to root access.

Business case (Partner benefit):
openSUSE.org: This is simply a reasonable security measure, fitting nicely into the overall security-conscious profile of openSUSE. Security measures (firewall, apparmor, encryption etc) are typically accessible only with root-access; it's only sensible that we apply this principle to the screen-saver settings too.

+ Discussion:
+ #1: Todd R (theblackcat) (2011-10-25 16:37:32)
+ I think this is backwards. If offices or home users think it is that
+ important to prevent users from changing their screensaver settings,
+ then they can use kiosk to prevent it. If they have that serious of
+ security concerns they should be using kiosk to prevent dangerous
+ actions anyway, so this shouldn't be much additional trouble (it took
+ me about ten seconds on google to find the relevant kiosk settings).
+ However, implementing this makes it extremely difficult in environments
+ where screen locking is not important. For most home users this would
+ add zero security benefit but a ton of hassle. It also makes things
+ very difficult for offices that think users can make their own judgment
+ about whether a screen locker helps or hampers them, and this would
+ wreck security models that prevent users from having root access. So if
+ we keep things as-is it is fairly easy to add restrictions to prevent
+ changing the settings, so the burden on people who want the feature is
+ small. However, if we go with this suggestion, then it adds a huge
+ burden to people who don't want it.
+ Things like apparmor, disk settings, and firewall are things that users
+ should never have any need to touch. But desktop customization
+ settings, like screensavers, are things that users very often do change
+ and are often allowed to change to suit their own work habits. You may
+ think that preventing users from changing their locker settings is an
+ important measure for security, but that is up to each office to decide
+ and implement. The tools to do so are already available.

--
openSUSE Feature:
https://features.opensuse.org/312876