What I need is to allow a remote user access to a host machine (Ubuntu) via VNC. The catch is that the user should only be allowed to use a specific software and nothing else.
My solution for now is to use x-gtk-vnc to embed a specific Xwindow in an HTML page on the client side. This works… except that any pop-up options will not register on the client side (since they are considered separate windows).
Possible solution #1 revolves around using a script to report when a new window is open. However, I don't know of any shell commands that can do so (xwininfo requires you to pick a window), and I will probably have to hardcode tonnes of possible pop-ups into the HTML.
Possible solution #2 revolves around creating a bare virtual desktop where the software of interest runs as the main application (cannot be minimised or closed and no taskbars, etc…) and all pop-up menus appear in the foreground. Unfortunately, I have no idea how to do so. I can connect to the specific desktop using x-gtk-vnc embedded in an HTML page as well.
Could anyone point me in the right direction with either solution? Personally prefer #2. Other solutions are welcomed as well.
Best Answer
Solution 2 will be much easier.
Assuming you're using the vnc4viewer package included with Ubuntu, just edit the ~/.vnc/xstartup script for the user account the remote user will be running under and replace it with the following contents:
That will fire up GNOME's metacity window manager all by itself, so popup windows can be handled sanely. (They can even Alt+Tab around if they need to.) While the user will be able to minimize and resize the window, it will just give the user a bare desktop they can do nothing with. No panel, no menus, no icon, nothing. The script will also restart the program if it is exited for any reason.
Once you've done that, just fire up vncserver and you're golden. You can put this command in your /etc/rc.local file (or write a proper initscript), before the exit 0 line to have the server start on every boot:
That will start the server on desktop :7 (port 5907) so any other VNC servers you might otherwise start won't get in the way and you'll have a predictable desktop number to put in the HTML file.
Make sure you're using a separate user account for the remote user that is sufficiently locked down, because even when they only have access to one program there are still many ways they can gain further access to the system. (File dialogs, commands that might open a shell, etc.)
Note that while it's possible to use any window manager and most people would use simple ones like twm (or whatever it is the kids are using these days), I stuck with metacity because it's included by default and to keep things simple.
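An added example, not the answer's original script: one way a ~/.vnc/xstartup of the kind described above could look, starting metacity alone and restarting the application whenever it exits. The application path, the KIOSK_* variable names, the crash back-off and the refusal to run as root are assumptions of this sketch.

```shell
#!/bin/sh
# Added example of a single-application ~/.vnc/xstartup; not the answer's script.
# KIOSK_* variables and the application path are placeholders for this sketch.
KIOSK_APP="${KIOSK_APP:-/usr/bin/your-application}"  # placeholder path
KIOSK_WM="${KIOSK_WM:-metacity}"                     # window manager from the answer
KIOSK_MIN_UPTIME="${KIOSK_MIN_UPTIME:-5}"   # exits sooner than this count as crashes
KIOSK_BACKOFF="${KIOSK_BACKOFF:-10}"        # seconds to wait after a crash
KIOSK_MAX_RUNS="${KIOSK_MAX_RUNS:-0}"       # 0 = restart forever

# kiosk_loop MAX CMD [ARGS...]: run CMD, restart it when it exits.
# Sets RUNS (launches) and FAST_EXITS (runs shorter than KIOSK_MIN_UPTIME).
kiosk_loop() {
    max=$1; shift
    RUNS=0; FAST_EXITS=0
    while [ "$max" -eq 0 ] || [ "$RUNS" -lt "$max" ]; do
        started=$(date +%s)
        "$@" || status=$?            # a non-zero exit must not end the session
        RUNS=$((RUNS + 1))
        if [ $(( $(date +%s) - started )) -lt "$KIOSK_MIN_UPTIME" ]; then
            FAST_EXITS=$((FAST_EXITS + 1))
            sleep "$KIOSK_BACKOFF"   # avoid a tight crash loop eating the CPU
        fi
    done
}

kiosk_session() {
    # The session belongs to the dedicated, locked-down account, never root.
    if [ "$(id -u)" -eq 0 ]; then
        echo "xstartup: refusing to run the kiosk session as root" >&2
        return 1
    fi
    umask 077                        # files the application creates stay private
    "$KIOSK_WM" &                    # bare window manager: no panel, no menus
    kiosk_loop "$KIOSK_MAX_RUNS" "$KIOSK_APP"
}

# Start the session only when this file is executed as the xstartup script.
case "$0" in
    xstartup|*/xstartup) kiosk_session ;;
esac
```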