Manually setting the policy file location (Linux)


Jim Adamson

Jul 30, 2015, 10:58:40 AM
to Chromium-dev
I am helping with the setup of a Linux-based Library kiosk thin client solution. We are using Chromium 42 for the web browser, which is launched by a shell script. Various Chromium command line flags are set, which vary depending on the particular thin client's use. For example, there are thin clients for Library study room bookings and thin clients for searching the Library catalogue. We are using a JSON file to set allowed (whitelisted) sites and other policies, as outlined at https://www.chromium.org/administrators/linux-quick-start. This file lives in /etc/chromium/policies/managed. What we'd like to do is vary this file according to use, i.e. have Chromium read in the policy file from a specified location, for example:

/usr/bin/chromium-browser --managed-policy-file=/home/libcat/.config/chromium-browser/policies/managed/policy-libcat.json

However, according to http://peter.sh/experiments/chromium-command-line-switches no such command line option exists, although --device-management-url looks potentially useful. I've had a look at https://www.chromium.org/developers/how-tos/enterprise/running-the-cloud-policy-test-server and I am wondering if this would be a reasonable approach? Thanks for any ideas.

pdknsk

Jul 30, 2015, 12:01:51 PM
to Chromium-dev, jim.a...@york.ac.uk
If this were configurable, users could just override enforced policies.

Jim Adamson

Jul 30, 2015, 12:47:37 PM
to Chromium-dev, pdk...@gmail.com
I'm not going to pretend to understand what's technically viable here, but couldn't such a command line specified policy file only take effect if /etc/chromium/policies/managed/policy.json didn't exist?

In my scenario, we're talking about a locked down setup anyway. Do you have any suggestions as to how my end-goal might be achieved?

Christoph Schütte

Jul 30, 2015, 1:42:41 PM
to jim.a...@york.ac.uk, Chromium-dev, pdk...@gmail.com
That depends of course strongly on your concrete setup and requirements, but when you say thin Linux clients I immediately think LTSP :)

In that case, maybe I would try to have client-specific specs in lts.conf (they are usually prefixed by [<mac address>]) and have that contain a use-case specific RC script (RCFILE_XX) which simply installs the right symlink, e.g. /etc/chromium/policies/managed => /home/libcat/.config/chromium-browser/policies/managed/policy-libcat.json.

Would that work for you?

--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev

Jim Adamson

Jul 31, 2015, 8:10:39 AM
to Chromium-dev, jim.a...@york.ac.uk, pdk...@gmail.com, csc...@chromium.org
Hello Christoph,

Thanks for the thought. We are using Red Hat 6 with Sun Ray Server. I did wonder about the possibility of using a symlink but the symlink would need to redirect to a different path depending on the Linux user (each use-case has a different Linux $USER).

So creating a symlink with ln -s /home/\$USER/.config/chromium/policies/managed/policy.json /etc/chromium-browser/policies/managed/policy.json is possible but of course it doesn't have the desired effect; when Chromium is launched the $USER variable is treated literally rather than being expanded.

Chrooting Chromium is another possibility but my colleague thinks it'll be a pain to set up.

Jim
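
The symlink idea above meets pdknsk's point about overridable policies: if the link in /etc resolves into a home directory, the kiosk user who owns that directory can change the file Chromium treats as enforced policy. The following is an added example, not code from the thread or from Chromium; the function name policy_path_is_locked and its arguments are hypothetical, and it assumes GNU coreutils (readlink -f, stat -c).

```bash
# policy_path_is_locked PATH [TRUSTED_UID] [STOP_DIR]
# Returns 0 when the file PATH resolves to, and every directory above it up to
# STOP_DIR (default /), is owned by TRUSTED_UID (default 0, root) and is not
# group- or world-writable. Returns 1 when unsafe, 2 when it cannot be checked.
policy_path_is_locked() {
    local path="$1" trusted_uid="${2:-0}" stop="${3:-/}"
    local current owner mode
    # Follow symlinks first: the link may sit in /etc while the real file,
    # which Chromium ends up reading, lives in a user-writable directory.
    current=$(readlink -f -- "$path") || return 2
    stop=$(readlink -f -- "$stop") || return 2
    [ -e "$current" ] || return 2
    while :; do
        owner=$(stat -c '%u' -- "$current") || return 2
        mode=$(stat -c '%a' -- "$current") || return 2
        if [ "$owner" != "$trusted_uid" ]; then
            echo "UNSAFE: $current is owned by uid $owner, expected $trusted_uid" >&2
            return 1
        fi
        # 022 is the octal mask for the group-write and other-write bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "UNSAFE: $current is group- or world-writable (mode $mode)" >&2
            return 1
        fi
        if [ "$current" = "$stop" ] || [ "$current" = "/" ]; then
            return 0
        fi
        current=$(dirname -- "$current")
    done
}
```

Call it from the launch script before starting the browser, e.g. `policy_path_is_locked /etc/chromium/policies/managed/policy.json || exit 1`. Because it checks where the path resolves to, run it on the /etc/chromium/policies/managed directory itself as well, so the directory holding the link is covered.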

howard liao

Jun 11, 2018, 3:32:47 AM
to Chromium-dev, jim.a...@york.ac.uk, pdk...@gmail.com, csc...@chromium.org
I'm also trying to build a simple server on Red Hat Linux. Have you successfully done it? If yes, how?

On Friday, July 31, 2015 at 8:10:39 PM UTC+8, Jim Adamson wrote:

Jim Adamson

Jun 19, 2018, 9:58:52 AM
to Chromium-dev, jim.a...@york.ac.uk, pdk...@gmail.com, csc...@chromium.org
Hi Howard,

In the end we settled on having separate VMs for each use-case...so each VM has its own Chromium policy.json file. For us, there are only a handful of use-cases, and we don't foresee any new use-cases arising, so having a VM per use-case is OK.

I'm sorry this probably doesn't help much.

Jim