Ubuntu – How to ‘lockdown’ system-wide settings with `dconf`

Tags: automount, dconf, gnome, usb

I want to ‘lockdown’ a particular key/value combination in dconf, so that only superusers will be able to modify that particular setting. In order to achieve this it is necessary to add a ‘lock’ to the system database, so that no equivalent key/value listed in a higher order database (in the dconf profile) can take precedence.

For a detailed explanation of the concept of a dconf profile and the related ‘key files’ please see the Gnome System Administrators Wiki.

From the System Admin Wiki:

Lockdown is supported by creating a 'locks' subdirectory in the key file directory (ie: /etc/dconf/db/local.d/locks). The files contained in this directory contain a list of keys to lock, one per line.

My keyfile directory shows as ‘ibus.d’, as opposed to ‘local.d’ given in the example:

    /etc/dconf/db/ibus.d

By checking the dconf profile /etc/dconf/profile/ibus, this would appear correct:

Contents of the 'ibus' file:

    user-db:user
    system-db:ibus

As per the Wiki:

  1. Create an appropriate key file:

    ==> /etc/dconf/db/ibus.d/00-media-handling <==

    [org/gnome/desktop/media-handling]
    automount=false

  2. Create a ‘locks’ subdirectory and add an appropriate file:

    ==> /etc/dconf/db/ibus.d/locks/00_media-handling-lock <==

    /org/gnome/desktop/media-handling/automount

In my case I have set, and locked, the automount key, for the org.gnome.desktop.media-handling schema, to 'false'.

Finally, run `sudo dconf update`. For good measure I also reboot the machine.

The expected behaviour, upon attaching a USB drive, would be for the device not to automount. This, however, is not the case. If I attach a USB drive and run `df`:

    /dev/sdb1 983344 192 983152 1% /media/user/xxxx-xxxx

Assuming I am at fault, I have started from ‘scratch’ numerous times, each time following the (identical) instructions from varied sources, including examples given on this site (example one and two), each time to no avail. Please could you kindly enlighten me as to where I could be going wrong?
(Ubuntu 16.04)

Best Answer

The profile file must be /etc/dconf/profile/user

From `man 7 dconf`:

    On startup, dconf consults the DCONF_PROFILE environment variable.
    If set, dconf will attempt to open the named profile, aborting if that fails.
    If the environment variable is not set, it will attempt to open the profile named "user"
    and if that fails, it will fall back to an internal hard-wired configuration.

I've added that file:

    cat /etc/dconf/profile/user
    user-db:user
    system-db:local

Then I've put my lockdown file in /etc/dconf/db/local.d/lock

And finally I run `dconf update`

I had to logout and login again as I was using the hard-wired configuration. Now it works.
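The layout the answer describes, written out as a POSIX shell script. This is an added example, not code from the question or the answer: it creates the `user` profile, the key file and the lock file under a scratch root directory of your choosing (so it can be tried without touching the real `/etc`), reports which profile dconf would load according to the `man 7 dconf` rule quoted above, and checks that every path in the `locks/` directory actually matches a key defined in a key file. That last check catches the easy mistake of a lock path that does not line up with the bracketed section and key name, in which case the lock silently protects nothing. The database name `local`, the file names `00-lockdown` and the scratch-root argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the question or answer): build a dconf system
# profile + key file + lock file under ROOT, and verify the lock matches.
# Assumptions: ROOT is a scratch directory; DB is the system database
# name (the answer uses "local"); file names "00-lockdown" are made up.
set -eu

# write_lockdown ROOT DB SECTION KEY VALUE
# Creates ROOT/etc/dconf/profile/user, ROOT/etc/dconf/db/DB.d/00-lockdown
# and ROOT/etc/dconf/db/DB.d/locks/00-lockdown.
write_lockdown() {
    root=$1 db=$2 section=$3 key=$4 value=$5
    mkdir -p "$root/etc/dconf/profile" "$root/etc/dconf/db/$db.d/locks"
    # The profile must be called "user" unless DCONF_PROFILE says otherwise;
    # its system-db line names the directory DB.d that holds the key files.
    printf 'user-db:user\nsystem-db:%s\n' "$db" > "$root/etc/dconf/profile/user"
    # Key file: bracketed section has no leading slash, then key=value.
    printf '[%s]\n%s=%s\n' "$section" "$key" "$value" \
        > "$root/etc/dconf/db/$db.d/00-lockdown"
    # Lock file: absolute dconf path of the key, one per line.
    printf '/%s/%s\n' "$section" "$key" > "$root/etc/dconf/db/$db.d/locks/00-lockdown"
}

# profile_active ROOT
# Prints the profile name dconf would open (DCONF_PROFILE, else "user").
# Returns 1 if that profile file is missing, i.e. dconf would fall back to
# its hard-wired configuration and the system locks would never be read.
profile_active() {
    root=$1
    name=${DCONF_PROFILE:-user}
    if [ -f "$root/etc/dconf/profile/$name" ]; then
        printf '%s\n' "$name"
    else
        printf 'hard-wired (no profile named %s)\n' "$name"
        return 1
    fi
}

# locked_keys_defined ROOT DB
# Returns 0 if every path listed under DB.d/locks/ is defined as key=value
# under the matching [section] of some key file in DB.d, 1 otherwise.
locked_keys_defined() {
    root=$1 db=$2
    dbdir="$root/etc/dconf/db/$db.d"
    status=0
    for lockfile in "$dbdir"/locks/*; do
        [ -f "$lockfile" ] || continue
        while IFS= read -r path; do
            [ -n "$path" ] || continue
            section=${path%/*}; section=${section#/}   # strip key and leading slash
            key=${path##*/}
            found=0
            for keyfile in "$dbdir"/*; do
                [ -f "$keyfile" ] || continue
                # Track the current [section]; hit when "key=" starts a line in it.
                if awk -v s="$section" -v k="$key" '
                    /^\[/ { cur = substr($0, 2, length($0) - 2); next }
                    cur == s && index($0, k "=") == 1 { hit = 1 }
                    END { exit hit ? 0 : 1 }' "$keyfile"; then
                    found=1; break
                fi
            done
            if [ "$found" -eq 0 ]; then
                echo "lock $path has no matching key in $dbdir" >&2
                status=1
            fi
        done < "$lockfile"
    done
    return "$status"
}
```

To apply it to a real machine you would call `write_lockdown "" local org/gnome/desktop/media-handling automount false` as root (an empty ROOT writes directly under `/etc`), then `dconf update` and a fresh login, exactly as the answer says; with a scratch ROOT such as `$(mktemp -d)` the same functions let you inspect the generated files and run `locked_keys_defined` before touching the system.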
