Disable Desklets on Lm 20.3 and 21? [Solved]

[Sizzle]

I need to develop a Linux Mint Cinnamon 20.3 (and future moving to 21) desktop systems for business use, and we want to completely disable Desklets. We don't want non-admin users messing around with those, and we've seen desklets cause instability problems.

I'm not a 100% Mint newbie, but I'm not seeing how to completely disable all Desklets, and we want it completely gone if the user alt-clicks the desktop.

Is there a way to do this?

[Sizzle]

<Bump>

So no way to disable desklets - or at least no way to hide the "Add Desklets" in the desktop alt-click menu?

It just seems odd that LM asks for a password for -everything- to install / remove / update software. Except for desklets / applets, panel config, etc. - those seem to be wide open. It's a little too easy for a non-admin user to start messing around with the desktop and install low-quality desklets that wind up crashing the system somewhere. And then someone from IT has to get the system untangled again.

I'll post a feature suggestion over at the Cinnamon github - maybe I'm still missing the correct way to manage this on a workplace PC.

[deepakdeshp]

Do you know of any low quality dealers which mess with Mint?Which are they?

[billyswong]

I don't know a good way to disable desklets completely, but if your only concern is 3rd party desklets causing instability, we can disable just that.

When logged in to the user account in need of that disable, type In terminal:

Code: Select all

sudo chown root ~/.local/share/cinnamon/desklets
sudo chmod 755 ~/.local/share/cinnamon/desklets

Afterwards, downloading/installing any 3rd party desklets will be permission denied. There is no GUI interface to do chown so users won't re-enable that by mistake. If you are disabling a non-sudoer user accounts, run the commands in a sudoer account and modify the path to /home/USER_NAME/.local/share/cinnamon/desklets accordingly.

P.s. Oh you can also trash the content in /usr/share/cinnamon/desklets, then even the built-in desklets will also be gone. For safety, you may back them up before deletion.

[Sizzle]

Thanks for those suggestions - those should get the job done. I'll test those out later today!

The other thing we've done that helps is to block access to the URL locations setup in Software Sources - at the firewall level. These machines are mostly NOT on the public internet anyway, and the few that ARE connected to the internet are allowed access to only a few external URLs outside the plant that are required to have working. We typically do not allow any updates to be installed without extensive testing on the master disk images in the lab.

The PC's work for a living as process controllers on a production line - after months of testing they work as well or better than the Windows boxes they are replacing. We're pretty picky about any software that's installed, because these machines have to process machine vision images 30 times per second and never drop a frame. 24/7/365. Uptimes are measured in years, if not decades. Installing some un-tested Desklet by a few curious users has resulted in some undesired consequences for sure.

What we've discovered during testing is that the XFCE / Cinnamon machines that are air-gapped from the 'Net never have a problem. We've only had trouble with the Cinnamon boxes that (did) have access to the 'Net, and a few curious operators started playing around with Desklets during their break. The "Add Desklets" on the desktop menu is too tempting - and no password required. Oops.

The other thing that helped is we gave these guys some older PC"s with Mint installed so they could go play at home to their heart's content on their own boxes.

Now everyone is happy!!

Thanks for the help!

[billyswong]

Blocking update for machines that do access the Internet is risky, especially for updates to browsers. I suggest you guys may do a more timely update for Firefox.

For why desklets installation doesn't ask for password - password prompt usually appear only for operations that may modify the system outside the scope of one's own user account. ".deb" software installation / update / removal affect all users. But those desklets don't. This kind of behaviour also occur for ".flatpak" software installation / update / removal - they don't request password as ".flatpak" software are independent for each users, or at least that's what flatpak promise.

[Sizzle]

These machines connected to the 'Net only access outside URL's via our own custom reporting software - The usual web browser is not installed or used normally. Otherwise Yes the 'Net connected machines still get security updates as required - but we manually apply updates only after they've been tested. In normal day to day operation Desklets aren't really needed or wanted at all, at least for our application.

For the machines air-gapped from the 'net: we usually want them to never get updated once they are running and vetted - we just want them to run 24/7/365 for the next 30 years or so before the next planned equipment overhaul takes place. Of course on occasion if an upgrade / update is needed for whatever reason, it will happen - it takes a while to test and verify, so we tend not to apply updates to these machines very often.

The problem we've seen with Desklets is yes they are supposed to affect only the user account - but we've seen desklets cause display issues on Cinnamon itself as well indirectly having an effect on machine vision processing tasks running in the background. In our case, if Desklets can cause -any- performance issues, we'd like to have them not so easily installed by a curious user.

So with Desklets / Flatpaks etc. It's not the user account integrity we're concerned about, its more the CPU core resources used by these extra "Glam" features that can cause problems - even if it's a small amount.

[deepakdeshp]

Personally speaking updates have never caused a problem for me. May be a good idea to dedicate one machine only for updates, run all your software on it, update it. If say after one week the machine runs well,update the other production machines.

[billyswong]

The problem we've seen with Desklets is yes they are supposed to affect only the user account - but we've seen desklets cause display issues on Cinnamon itself as well indirectly having an effect on machine vision processing tasks running in the background. In our case, if Desklets can cause -any- performance issues, we'd like to have them not so easily installed by a curious user.

So with Desklets / Flatpaks etc. It's not the user account integrity we're concerned about, its more the CPU core resources used by these extra "Glam" features that can cause problems - even if it's a small amount.

When Desklets are regarded as affecting only the current user account, it by no means promises it won't crash one's computer. It is only a promise it won't spread any problem to another user account login in that computer. The password prompt protects stuff that can fry "everyone" using the same computer, assuming everyone use their own distinct accounts. It doesn't protect one from frying "oneself".

To prevent one from frying oneself, we need special measures such as guest session https://easylinuxtipsproject.blogspot.c ... t.html#ID1

[Sizzle]

The problem with guest session on our systems is it's a secure facility, and the policy is no machine is allowed any kind of "guest" session (Internet connected or not).

So in our case: -Anything- installed on the system: - if it uses CPU cycles, it is only installed by root admin, and only after thorough testing. Non-admin users can't install -anything-, they are only allowed to use what's already installed on the machine. Everything a user needs is in place, and everything that is NOT needed is removed. For our application: A user should never need to install any executable code at any workstation at any time. If they seem to be missing something, they have to ask the IT department.

I think we have it pretty well locked down now. But we'll see. Sometimes a curious user clicking around still finds a way...

Thanks!

[deepakdeshp]

Good to know that Mint is used in mission critical systems. Do you use specialized rugged and fault tolerant systems ?How many machine are used?

[billyswong]

There are advantage and disadvantage in using guest session in terms of security.

Advantage:
Any computer operations within the guest session cannot modify system config or read files of other users. While it can still modify per-user config, they will be reset automatically upon logout or reboot. They can't even download files to local drive. (Files will appear in "home" but be gone after logout or reboot)

Disadvantage:
Anyone that reach the computer physically can operate it without password. Hackers get a higher chance to exploit vulnerabilities without opening the case or inserting physical keylogger (which can look like an innocent USB thumb drive).

So guest session is the easiest way to prevent a user shooting oneself in the foot. I still think this idea is not that bad unless your secure facility may let unauthorized persons touch the computers and thus they must be screensaver locked with password when no staff is attending. But as I said, if you allow an unauthorized person touching a machine without any staff watching, the security is in danger already.

[Sizzle]

Good to know that Mint is used in mission critical systems. Do you use specialized rugged and fault tolerant systems ?How many machine are used?

Testing 50 machines with Mint 20.3 / 21 right now, some are Cinnamon, most are XFCE. Once testing is completed around 400~ 500 machines will get software- upgraded next year, more after that. Some of these machines in service have really not been power cycled for 20 or 25 years - so in these cases they will get new hardware. The nice thing about Mint: We try to setup the machines to look and feel just like the WinXP/7 machines that are getting replaced; then the operators are very comfortable with the new systems - much more than some of the other distros. It's very nice.

We figure if Linux is good enough for SpaceX / Starlink / US Navy / Etc / Etc Etc. the base OS should be reliable - after we get done torture-testing these systems over the next several months.

Secure facilities: At these installations there are no USB ports on the machines, the motherboards are in a locked case (Network, keyboard and mouse plugs are locked also)...no real (practical) way to access the hardware without triggering an alarm. Visitors are searched and go thru metal detectors - and all visitors have to be with a production employee at all times. If we go in to service machines you leave any I-thingies at the front security desk...that includes cell phones, cameras, ear buds, USB sticks, whatever. Forget about Bluetooth, cell signal or WiFi : Wideband RF sniffers are in operation all the time. If we bring software updates in on an SSD, we hand it over to the IT department for review and clearance (They have to check sources, internal scans, checksums etc) and once we're inside the facility they will hand us the software updates for machine maintenance on -their- SSD. You never get to plug in any media that was brought from outside the facility.

Any outside network access is usually limited and monitored- and some places have virtually zero access to outside internet, be design.

So if someone manages to sneak out production secrets - they would really have to put some effort into the task. The steps above will keep honest people honest - but there are still ways people try to get around the safeguards. It happens, but we try to make stealing data very difficult.

The concern mostly is not so much hackers, it's locking the machines down so that curious operators can't do something to accidentally mess up the machine - AND companies are REALLY concerned about stolen IP regarding the production processes. That's why no photos / electronics of any kind are allowed in the facility...and get ready to sign your life away on NDA forms too.

[motoryzen]

That's why no photos / electronics of any kind are allowed in the facility...and get ready to sign your life away on NDA forms too.

LOL I love it. Sincerely compliment meant though ftr. Gotta do what you must do.

[billyswong]

Secure facilities: At these installations there are no USB ports on the machines, the motherboards are in a locked case (Network, keyboard and mouse plugs are locked also)...no real (practical) way to access the hardware without triggering an alarm. Visitors are searched and go thru metal detectors - and all visitors have to be with a production employee at all times. If we go in to service machines you leave any I-thingies at the front security desk...that includes cell phones, cameras, ear buds, USB sticks, whatever. Forget about Bluetooth, cell signal or WiFi : Wideband RF sniffers are in operation all the time. If we bring software updates in on an SSD, we hand it over to the IT department for review and clearance (They have to check sources, internal scans, checksums etc) and once we're inside the facility they will hand us the software updates for machine maintenance on -their- SSD. You never get to plug in any media that was brought from outside the facility.

Any outside network access is usually limited and monitored- and some places have virtually zero access to outside internet, be design.

So if someone manages to sneak out production secrets - they would really have to put some effort into the task. The steps above will keep honest people honest - but there are still ways people try to get around the safeguards. It happens, but we try to make stealing data very difficult.

The concern mostly is not so much hackers, it's locking the machines down so that curious operators can't do something to accidentally mess up the machine - AND companies are REALLY concerned about stolen IP regarding the production processes. That's why no photos / electronics of any kind are allowed in the facility...and get ready to sign your life away on NDA forms too.

Wow. so in your case, even Windows update would have been manual operation with some .msu files.

Now I see why your only concern left is operators mess things up by accident. Have you guys opened another maintenance account then remove the operator account from "sudo" group?

[Sizzle]

Yes, the standard operator accounts are removed from the "sudo" group. That's a very good reminder for anyone else doing this type of application.

[deepakdeshp]

. Some of these machines in service have really not been power cycled for 20 or 25 years - so in these cases they will get new hardware

. Just wow at the reliability of the machines, both hardware and software. Do you use any specific fault tolerant hardware for these machines?

[Sizzle]

Special Hardware? ... Early days it was GigaByte and Asus motherboards with the crappy capacitors replaced with high heat / long lifetime units. Power supplies get a capacitor retrofit also. For past 10~15 years we use regular mini ATX size Corvalent industrial motherboards. With good fans. They are built to our spec. with higher grade cpu power supply capacitors.

What helps keeps these rigs running is the fact they are never turned off - Power cycling is where 90% or wear and tear occurs, when the wire bonds in the IC's are thermal cycled, among other issues.

No overclocking or BIOS tweaks. The CPU cores never go to sleep - they are locked to "C states" of 0 or 1. No sleeping, no hibernating. We especially don't like thermal cycling the CPU cores. So they power up and stay powered up.

The fansless motherboards have proved to be too problematic so far. The smaller the Mobo it seems like the shorter lifetime, at least in our tests. We'll take a regular ATX or mini ATX mother board, give it good capacitors, and give it plenty of airflow. It'll run a very long time - at least for us.

Good memory sticks are important. Generally we use Micron with good results. What's funny is the fancy "gaming" memory sticks with the fancy heat spreaders usually fail long before a good quality plain memory stick gives up.

These units are equipped with a cold backup cloned drives - NOT RAID. We want a second cold drive sitting in the machine, ready to plug in if required. We don't need high speed drives, so SSD"s are not essential - but some of our newer machines are getting enterprise SSD's (Kingston Enterprise or Samsung PRO) instead of platter drives. The jury is still out on long term SSD reliability, but so far so good. Otherwise we use Western Digital enterprise "black" platter drives, and generally those last a very long time if they are just running 24/7. Power Up / Down on hard drives makes them die sooner. We want the drives spinning at speed, and stay that way - that gives us long lifetime.

The SSD's do have an advantage if we have to ship a drive to a customer. The problem is if they fail - they fail without warning. A platter drive will tend to give notice that it should get replaced. Platter drives are always used for longer term data storage, along with lots of backups.

Our choices for storage media is more limited these days since our customers can't accept certain components of Chinese manufacture. so we have to be careful what goes into the box, and we pay attention to where it comes from.

The only change we might be making in the future is a move to a motherboard with ECC memory and AMD CPU...AMD gives you ECC support on a CPU with integrated graphics. We don't need a separate graphics card that way - less stuff to break.

[deepakdeshp]

Thank you for the detailed reply. 35 years ago when the ics were at MSI level and 48 k magnetic core memory would occupy a big cupboard size rack. We would supply machines to Indian military. They had ruggedized versions of the ice. Good to know that nowadays VLSI commodity hardware is so reliable and rugged.

You must be keeping the environment cool too. You mentioned provision for disk redundancy. Without mirroring how does the standby disk keep upto date with the current data? What other redundancy is implemented like standby machines CPUs memory etc. The failure rate of the machines must be high too with them never powered off. I have been powering off my laptop daily for more than 10 years now. Things that failed are battery,screen and even motherboard was changed.

[Midnight True]

I need to develop a Linux Mint Cinnamon 20.3 (and future moving to 21) desktop systems for business use, and we want to completely disable Desklets. We don't want non-admin users messing around with those, and we've seen desklets cause instability problems.

I'm not a 100% Mint newbie, but I'm not seeing how to completely disable all Desklets, and we want it completely gone if the user alt-clicks the desktop.

Is there a way to do this?

How about using a Window Manager?