Let me get this out of the way …appologies …I thought the account setup questions that asked all the specs of our machines would make that info visible on posts … it seems to be only generally survey overview data for the dev team and not actually visible by those wanting to lend a hand.
So… we are using a bunch of old iMacs
CPU: i5-3470
RAM: 16GB
GPU: NVIDIA GTX 675m
Driver: Nvidia 390
Kernel: 6.5.13-7
MANJARO KDE desktop
Primary applications: Code-OSS(code), KdenLiven, Orca Slicer appimage, Inkscape, Gimp, Blender, Firefox and Chromium browsers both, Arduino I/O board IDE, and Freecad Mechanical added through KDE software manager.
Primary concern is wifi password visibility in system settings for low privileged users and retention of passwords.
Secondary concern is restricting access to other settings access for self same low privileged users.
Many thanks @cscs for recommending the creation of a group-user.
Creating a group-less user worked to hide network settings setup by admin and yet still use that network.
However…
Testing further shows that the user student in the student group can still change other settings …notably they can change the screen and remove security certificates.
If the student account attempts to access a hotspot …they can do it, but upon attempting to go back to the original network set up by admin the password is requested rather than reused.
I chose to store the password admin added as encrypted for that user only so that made sense, wifi isnt kicked out and disconnected when simply logging out to switch accounts without a full shut down.
It turns out student was just bumming the wifi that admin had turned on.
Practically speaking this still has some use as an indicator somthing hinky is going on at a particular computer station because students can’t easily switch back to the school’s wifi from a hotspot to hide the fact they spent class on their personal unfiltered internet.
If I enter the wifi password it works to get online but is not visible. …hooray!
Restarting and only entering the student account with no other users paving the way to network access indicates that the password entered was not stored. …bummer.
I’ve noticed that forcing KDE wallet to use the same wallet for “local passwords” , manually entering the password, and restarting still forgets the wifi…so it was hidden but far too dependent on admin starting up wifi first …O can’t do that for every machine every day.
…but I may have a temporary solution that leverages the groupless account still…
While not ideal, I removed all wifi networks under all users and then re-added the intended network, then allowed unencrypted password storage for all users while logged in as admin.
This guaranteed that the password was available to the student account, no need to provide it every restart…but of course it was now visible.
So I found a forum mention of encrypting this password in a form that is still usable as plaintext.
The konsole command …
wpa_passphrase
Returns a lengthy encrypted string.
This massive string of gobbledygunk characters replaces the original passkey in system settings network manager and it gets interpreted identically as the original thus working as unencrypted plaintext for the admin …and for the groupless unpriveleged studnet account.
What everyone sees is in plaintext is gobbledygunk … but everyone is allowed on the wifi.
What remains to be determined at this late hour of the night is if that long string which is totally visible to the student account can be decrypted easily in some cut and paste website or using some other konsole command they can google-up in a few seconds. I’m hoping its not that easy… or why have it at all?
I’m never an advocate for security-through-obscurity so for now I’ll begrudgingly call this a temporary solution at best until I can find a way to harden things more concretely.
At the very least I can stave off a time consuming reimaging of all the lab machines for another weekend as this keeps things from being as obvious as the nose on students’ faces.
The topic of a “kiosk mode” came up when I ran this up the flagpole among some local friends so I’ll have to investigate the options for that type of desktop environement limitation later. My memory of kiosk linux usage was as a one app full screen effect that couldnt be exited without a special keyboard combination. …not exactly compatible with ditching chromebooks for a modern OS that can run a variety of multiple FOSS apps for various school projects.
Tommorow I’ll read up on manually editing parameter files since the advanced control of system settings permissions are all grayed out even for admin and root …understandably so.
Thanks for the fast reply …this has been great to learn about … que the Manjaro support forum auto reponse AI bot telling us all we did this entire exchange all wrong …