Restricting an account's window manager choices

Question

On Red Hat Linux, how can a particular account be restricted to logging in with a particular window manager? For example, only fvwm2 is allowed but KDE and GNOME are not. Or can the disallowed window managers be forced to exit?

Answer 1

The only way I can think to do this involves using groups. You would set up groups that correspond to each window manager and add an account to the groups of the window manager (or managers) of choice. Change the group owner of each window manager to the corresponding group. Remove permissions for "other" to execute the different window managers. Now, in order to start a window manager, you will need to have permission to execute it. Since you only have permission to execute the window managers that correspond to your group membership, you can make it so that particular users can only execute certain window managers.

This actually seems very hard to maintain and not particularly scalable and I wouldn't recommend it. You might just as well configure the account with an alias for the "correct" window manager and ask your users to invoke the window manager via the alias instead. It won't stop a determined user, but might accomplish most of what you want without the complications of maintaining the groups.

Answer 2

Perhaps what you really want is to limit the (virtual) memory or other resources that they can use. If so see the ulimit command.

Answer 3

Colleagues of mine found the following solution:

.dmrc should be

[Desktop]
Session=default

.Xclients-default, .xinitrc, and .xsessions should have

application-for-user-to-interact-with &
/usr/local/bin/fvwm2 -f $HOME/system.fvwm2rc

gnome-login-script should be

pkill -n gnome-session
pkill -n gconfd

kde-login-script should be

pkill -n kwrapper
pkill -n gconfd

Modify /etc/X11/gdm/gdm.conf so it specifies

ShowLastSession=false
DefaultSession=default.desktop

Add to ~lcsoper/.bash_profile:

if [ "$TERM" != "dumb" -a "$SSH_CLIENT" != "" ]; then
    application-for-user-to-interact-with
fi
kill -9 $$

to terminate the session if something other than the default was selected. As long as the user can't change shells or modify .bashrc, then only the "default" window manager can run.