Score:0

Ubuntu

restricting access to Startup applications for non-root user

Etienne Charpy

10/22/22, 10:33 AM

I have been trying to make it so that non-root users cannot access the startup applications preferences, which makes you select which apps start up on launch and change these settings. Is there a way to do that, perhaps by making root the owner of the startup applications preference app?

I couldn't find anything on this. All the articles I found talk about running apps requiring root access or just how to use the startup application interface.

1 + 1

permissions

security

startup-applications

Rinzwind

10/22/22, 5:39 PM

It might be easier to create a "reset" so you restore the default to what you want it to be than what I provided as an answer. So to track changes and then trigger a reset.

Score:1

Ubuntu

Rinzwind

10/22/22, 11:20 AM

It is a directory:

~/.config/autostart

in each user directory and

/etc/xdg/autostart

for global usage (there is no need to touch that one).

Log in with your admin account and change the user and group to your admin account:
```
sudo chown $USER:$USER /home/*/.config/autostart
```
where * are all your normal users.

That will prevent them from writing. The "others" is already set to r-x so no write access.

You also need to prevent users from changing a setting called $XDG_CONFIG_HOME and that is going to be difficult ... a user can set it directly from command line for that session only.

So if you want to prevent that you likely need to also disable access to the terminal and to any altering of ~/.profile.

0 + 14

vanadium

10/22/22, 12:43 PM

It is maybe more elegant to change owner and group to "root" instead of to a particular user with sudo privileged, so just a `sudo chown root:root /home/*/.config/autostart`

Etienne Charpy

10/22/22, 1:11 PM

@Rinzwind would changing ownership make it impossible for one who is not owner to add/remove startup applications in the list?

Etienne Charpy

10/22/22, 1:13 PM

@vanadium same question!

vanadium

10/22/22, 1:30 PM

Changing ownership will prevent the user to write to the folder, thus cause changes in the "Startup Application Preferences" not taking effect. You could also hide that application from the view of the user.

Etienne Charpy

10/22/22, 1:53 PM

@vanadium Thanks that's great!

steeldriver

10/22/22, 2:41 PM

Can users circumvent this by setting `$XDG_CONFIG_HOME` to specify an alternate location?

Etienne Charpy

10/22/22, 3:11 PM

@vanadium the terminal states that chown cannot access: /home/*/.config/autostart

Rinzwind

10/22/22, 3:23 PM

@EtienneCharpy change the * to each of your users. It will fail if you have a dir in /home/ that is not user (and does not have .config. ALSO make sure it is Ubuntu you use; other OS might not use the xdg concept.

steeldriver

10/22/22, 4:23 PM

... to answer my own question - yes they can (unless the administrator takes extra steps to prevent the user from setting `$XDG_CONFIG_HOME` for their session). The user can also simply *rename* the root-owned `~/.config/autostart` and create their own user-owned one (`mv` only needs write permission on `~/.config/`).

Rinzwind

10/22/22, 5:35 PM

@steeldriver thanks, That is going to be more difficult to prevent :P

steeldriver

10/22/22, 6:06 PM

@Rinzwind yeah historically \*nix has taken a hands-off approach to users' own sessions. I think it might be *slightly* more difficult than modifying `.profile` since `XDG_CONFIG_HOME` needs to be set before the session starts. In the olden days (if memory serves...), users' GUI sessions were started via a login shell and so settings in `.profile` would indeed be inherited by desktop sessions, but I don't think they are any longer (?). But sessions started from a display manager do appear to pick up exports in `~/.xsessionrc` (which is how I tested setting an alternate `XDG_CONFIG_HOME`).

vanadium

10/23/22, 9:25 AM

Do you want to "hard-lock" it or is it sufficient to "keep the honest people out"?

Etienne Charpy

10/23/22, 12:05 PM

@Rinzwind. Should it be both users or just the non-admin one instead of *? SEE: sudo chown $USERNAME1:$USERNAME1 /home/USERNAME1 USERNAME2/.config/autostart OR sudo chown $USERNAME1:$USERNAME1 /home/USERNAME2/.config/autostart Where username1 is admin and username2 is not.

Rinzwind

10/23/22, 1:53 PM

the last one @EtienneCharpy set them all to your admin account.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: restricting access to Startup applications for non-root user

TH: การจำกัดการเข้าถึงแอปพลิเคชันเริ่มต้นสำหรับผู้ใช้ที่ไม่ใช่รูท

RO: restricționarea accesului la aplicațiile de pornire pentru utilizatorii non-root

RU: ограничение доступа к запускаемым приложениям для пользователя без полномочий root

VI: hạn chế quyền truy cập vào các ứng dụng Khởi động cho người dùng không root

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.