Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)
 See this if you're having trouble printing code examples


O'Reilly Book Excerpts: Linux Desktop Hacks

Hacking the Linux Desktop

Editor's note: Modifying stuff to suit individual desire is the credo of hackers everywhere. These two excerpts from Linux Desktop Hacks let you modify Linux to suit your desires: control how you access your own desktop, and how users access theirs. (And check back here next week for two more hacks from the book--the first on viewing Microsoft Word documents in a terminal, the second on creating an internet phone.)

Access Windows and Mac OS X from Linux

BeginnerHack 30

Related Reading

Linux Desktop Hacks
Tips & Tools for Customizing and Optimizing your OS
By Nicholas Petreley, Jono Bacon

No need to move to another computer; just sit put and access them all.

Although you don't need to go far to hear someone extolling the benefits of Linux and free software, many people still need to use other operating systems, such as Microsoft Windows and Apple Mac OS X. Aside from personal choice, other reasons to use non-Linux operating systems include running applications that are available only on a particular OS, an employer mandating that you use a particular platform, or even a need to test software and services across different platforms. For some, the solution is a huge desk set up to accommodate three computers with three monitors and three keyboards/mice; however, there is a better way.

This hack uses a piece of software called Virtual Network Computer (VNC). This useful little tool allows you to essentially redirect your monitor output to another computer on a network, and accept keyboard and mouse input from the remote computer. With this software you can run the VNC server on a Windows machine and view the Windows desktop on your Linux machine. Likewise, you can run the VNC server on your Linux machine and view your Linux desktop on a Windows-based desktop. VNC is available for most Unix-based OSes, such as Linux, FreeBSD, Solaris, etc., as well as Microsoft Windows and Mac OS X. VNC gives you the ability to pull together these disparate operating systems on a single desktop.

Configure a Linux VNC Server

VNC comes in a few different guises, but most attention is focused on the RealVNC and TightVNC variants. Of the two versions, TightVNC appears to be the better performer and you can get it from http://www.tightvnc.com/download.html. A number of different packages are available for the supported platforms, and you need both the server (to provide a VNC resource to connect to) and the viewer (to connect to another VNC resource). You should be able to install a recent version of TightVNC using your distributions package manager.

If you run a Mac and want to access your Mac OS X desktop from your Linux machine, you need the OSXvnc package from http://www.redstonesoftware.com/vnc.html as RealVNC and TightVNC do not natively support Mac OS X. A VNC client for Mac OS X is also available within the Fink packaging system at http://fink.sourceforge.net.

To run a VNC server on Linux you must launch the server and give it a special display number to connect to. This usually starts at 1 and increases by one for each new server created. As an example, if you run a VNC server on a machine with the address 192.168.0.2, you would access the first VNC resource as 192.168.0.2:1. To run the server, specify the screen resolution and color depth with the -geometry and -depth command-line options:

foo@bar:~$ vncserver -geometry 1024x768 -depth 24

These settings are parameters for your virtual screen, not the real settings of the machine you are running the server on. This means the physical screen might be displaying an image at 1280x1024 in 8-bit color, but you can view it remotely at 1024x768 in 24-bit color. Of course, the machine you are viewing the image on must support your choices.

TIP: You can specify a nonstandard resolution--for instance, 990x745. Doing this allows you to maximize the size of the remote image on your desktop without obscuring your local desktop's toolbars and panels.

When you first run the server, you are prompted for a password. This password is used to ensure that clients are who they say they are, and the password is stored and remains the same each time you use the VNC server (you can change the password later with vncpasswd if you need to). When the password is successfully entered, the server indicates which display number it has been given.

While the server is running, all applications that are used appear on the VNC display as well as the normal screen on the computer (if a monitor is attached). You can also route applications to display only on the VNC server by using the DISPLAY environment variable and specifying the hostname and display number:

foo@bar:~$ mozilla -display 192.168.0.2:1 &

To stop the VNC server, you need to use the -kill option and the display number assigned earlier when you started the server:

foo@bar:~$ vncserver -kill :1

Connect to a VNC Server

To connect to the VNC server from a Linux machine, you can use the vncviewer tool that is included with the VNC software. This simple little program is used like this:

foo@bar:~$ vncviewer 192.168.0.2:1

In this command, you specify the IP address, a colon (:), and then the display number to connect to. When you run the command, you are prompted for the VNC server password and then the VNC desktop is displayed.

Configure a Windows VNC Server

Installing the Windows VNC server is a fairly painless process. Once installed, it can be configured as a Windows Service so that it is always running (like a daemon in Linux). The benefit of running the server as a service is that you will still be able to access the server when the machine is locked or the user has logged out.

Download the Windows installer from the TightVNC web site. It is a typical Windows installer that offers no surprises.

To use the VNC server as a service, tick each box that refers to the VNC Server System Service in the VNC installation routine. When you have done this, the Server Options dialog box will appear, and you must configure at least the Authentication tab to run the server. In this tab, you should select the VNC 3.3 Authentication option and use the Set Password field to define the password for the server. You should never disable authentication unless you are 100% sure the host network is secure.

To start and stop your server, use the standard Windows Services configuration tool to start and stop the service.

Configure a Mac OS X VNC Server

The official VNC distribution does not include support for Mac OS X; however, a VNC server is freely available from Redstone Software (http://www.redstonesoftware.com/vnc.html), called OSXvnc. This software is available as a Mac OS X disk image file (.dmg). Download the software and then double-click it in the Finder. A window will pop up with the program inside it; drag the program to the desktop. Now if you double-click the icon on the desktop, the VNC Settings dialog will appear. For a quick and easy VNC connection, the defaults are fine, and you can just click the Start Server button to begin the connection.

View Your Desktop in a Web Browser

One intriguing feature of the VNC server is that it includes a small web server that exports the VNC desktop to a browser using a special Java applet. To access your VNC server, connect to port 5801 with a Java-enabled web browser. This port number is appended to the hostname/IP address in the same way as a normal web resource:

http://foo.com:5801

This port number actually maps to the VNC display you are running. If you are running display number 1, use port 5801; display number 2 is port 5802, etc.

TIP: Some distributions, notably Debian, package the Java applet separately from the VNC server package.

When you are running any server on the Internet, you should take steps to ensure that it is protected with a firewall. A firewall keeps all unwanted traffic away from your server. If you are running a firewall already, you should ensure that ports 5800-5805 are available for use. If you want to be extra secure, only open port 5801 for use and make sure you always run off desktop number 1. Another option is to encrypt your VNC connection with an SSH tunnel [Hack #32] .

Lock Down KDE with Kiosk Mode

ModerateHack 43

Control exactly what your users can tinker with, and what they can't change at all.

System administrators typically spend a lot of their time fixing trivial problems for users who have accidentally changed their settings in some way. When an inexperienced user moves a desktop icon into the trash or sets a mime-type to open with the wrong program, he might be unable to reverse his changes. Calls to the system administrator for help are a poor use of everyone's time. It would be better if the user had never been able to make undesirable changes.

Perhaps you just want to set up a Linux desktop for your grandmother but she keeps changing the layout of the application toolbars without meaning to. The new look confuses her so much that she calls you all the time asking for help, or worse, she gives up on Linux or computers. Wouldn't it be great if you could protect your grandmother from herself?

For computers in a public setting such as an Internet café or library, problems such as these turn into more than just timewasters; they can prevent others from using the machine or cause distress for users. Have you heard the common anecdote of the script kiddy who has changed the background wallpaper on all the machines in a library to pornographic photos?

Enter the Kiosk

KDE has traditionally been one of the most configurable desktop environments available, but KDE 3.2.3 pushed the fold and added the Kiosk framework, which allows for any or all of the configuration options to be marked as unchangeable. With Kiosk you can create profiles that are attached to users or groups of users. A profile can define any KDE setting, but usually includes the contents of the desktop, panel, and K Menus, as well as the choice of wallpaper, default fonts, and widget style. You can also specify important system settings, such as the network proxy and file associations. Most importantly, all these options can be set to be unchangeable by the user. This means grandma will never accidentally delete her web browser icon, and a bored teenager can't change the library's computer wallpaper to something that will give grandma a heart attack.

The easiest way to set up a Kiosk profile is to use the Kiosk Admin Tool. Some distributions include this by default or include a package for it. If you need to, you can download the source from its web site at http://extragear.kde.org/apps/kiosktool.php.

Start the Kiosk tool (as a normal user; there's no need to run as root) by selecting K-menu→System→Kiosk Admin Tool, or with the kiosktool command, and click Add New Profile. Give this profile a name such as "locked-down" and click OK to save. When prompted, provide your root password to save the new profile. Now click Manage Users and add a user policy to link a user to your new locked-down profile. You can also add Linux user groups to the policy. The Kiosk tool links to /etc/group, which is where you should manage group membership. To configure a profile, select it in the list and then click Next. The next screen presents numerous modules, each with specific configuration options in it. Ticking an option will lock down its corresponding feature. The settings will be saved when you click Back.

Some of the modules offer graphical setup for their settings. For example, under the Desktop Icons module you can load a temporary desktop to replace your normal one. Switch to a different virtual desktop (Ctrl-F2) if you have windows covering your background. You can add, remove, and move any of the icons on the temporary desktop. When you click Save in Kiosk Admin Tool, the settings for this desktop will be saved and your normal desktop will be loaded again. This makes configuring the setup for your Kiosk profile as easy as configuring your own desktop.

A general breakdown of the types of settings you will find in the most important modules follows:

General

Contains the settings that control the global properties for all KDE programs and includes the ability to run commands, log out, or move toolbars. Disabling Konsole removes not only its entry from the K Menu, but also the embedded Konsoles in Konqueror and Kate.

Desktop Icons

Settings to prevent users from moving or deleting desktop icons.

KDE Menu

Controls which programs are available from the K Menu.

Themeing

Prevents users from changing the widget style, color, or font settings.

Konqueror

Stops the user from being able to browse outside his home directory.

Menu Actions

Turns off standard menu actions such as open, print, paste, settings, etc., from all KDE applications.

File Associations

Ensures that files can be opened only with the specified programs.

Network Proxy

Enforces the use of your web proxy. Uses a web proxy to restrict which web sites a user can browse.

Panel

Used to lock down the panel, prevents users from adding or removing the items you place here, and enables you to prevent panel context menus from working.

The Kiosk framework has been used in large enterprise deployments of KDE. Administrators report that it cuts the time taken up by user support by half, because it reduces the number of small but time-consuming problems users have. If you are considering using Kiosk in a public setting you might want to make yourself familiar with the KDE configuration file format. Browse through /etc/kde-profile to see the settings made by the Kiosk Admin Tool. Adding [$i] to a configuration option, group of options, or file makes them unchangeable by users.

Kiosk is not a substitute for using Unix filesystem permissions or other security settings. You should also make sure you set X to not be killable with Ctrl-Alt-Backspace, and prevent users from changing to a text console. Finally, make sure the login manager does not allow users to log in to any other desktop environment that has not been locked down.

--Jonathan Riddle


View catalog information for Linux Desktop Hacks

Return to the Linux DevCenter.

Copyright © 2009 O'Reilly Media, Inc.