Disable command-line access
To disable command-line access for your desktop user, you need to make configuration changes in a number of different contexts. Bear in mind that the following steps do not remove the desktop user's permissions to access a command line, but rather remove the ways that the desktop user could access the command line.
Set the org.gnome.desktop.lockdown.disable-command-line GSettings key, which prevents the user from accessing the terminal or specifying a command line to be executed (the Alt+F2 command prompt).
Prevent users from accessing the Alt+F2 command prompt.
Disable switching to virtual terminals (VTs) with the Ctrl+Alt+function key shortcuts by modifying the X server configuration.
Remove Terminal and all other terminal applications from the Activities overview in GNOME Shell. You will also need to prevent the user from installing a new terminal application.
Disable the command prompt
Create the user profile which contains the following lines:
local is the name of a dconf database.
Create a local database for machine-wide settings in /etc/dconf/db/local.d/00-lockdown:
# Specify the dconf path [org/gnome/desktop/lockdown] # Disable the command prompt disable-command-line=true
Override the user’s setting and prevent the user from changing it in /etc/dconf/db/local.d/locks/lockdown:
# List the keys used to configure lockdown /org/gnome/desktop/lockdown/disable-command-line
Update the system databases:
# dconf update
Users must log out and back in again before the system-wide settings take effect.
Disable dropping to a virtual terminal
Users can normally use the Ctrl+Alt+function key shortcuts (for example, Ctrl+Alt+F2) to switch from the GNOME desktop to a virtual terminal.
If the computer is running the X Window System, you can disable access to all virtual terminals by adding a DontVTSwitch option to the Serverflags section in an X configuration file in the /etc/X11/xorg.conf.d/ directory.
Create or edit an X configuration file in /etc/X11/xorg.conf.d/. For example, /etc/X11/xorg.conf.d/10-xorg.conf:
Section "Serverflags" Option "DontVTSwitch" "yes" EndSection
Restart the X server for the changes to take effect.