If I read the below correctly if I do a fresh install for a friend using my info for admin and then once on the desktop create a standard account he won’t be able to change system setting?
“A non-admin (standard) user in KDE Plasma has full control over their own environment, can install apps like Flatpaks, save files in their home directory, and use general software, but cannot make system-wide changes, install software for all users, manage other users, or alter core system configurations; for those tasks, they need administrator (root) credentials via sudo or a similar prompt.
What a non-admin account can do:
Personal Files: Create, edit, and delete files in their own /home/username directory.
Software Installation: Install applications available as user packages, like Flatpaks.
Desktop Customization: Change themes, wallpapers, panel layouts, and application settings within their profile.
Basic Operations: Browse the web, use office suites, listen to music, etc..
What a non-admin account cannot do (needs admin/root):
System Updates: Install system-wide software or perform OS updates (requires sudo).
User Management: Add, remove, or modify other user accounts.
Hardware Changes: Configure system hardware or drivers.
System Settings: Modify critical system configurations, network settings (globally), or manage services.
How it works in Plasma (Linux):
Plasma runs on Linux, a multi-user system where “root” is the super-administrator.
Standard users are generally part of groups that don’t grant root access.
When a non-admin tries a privileged action, Plasma will prompt for an administrator’s password to temporarily elevate privileges (using pkexec, sudo, etc.). “
Correct. The standard account will not be able to change system settings that require administrator privileges.
However, they can change all system settings that don’t require administrator privileges.
They can customize their own desktop environment but will be prompted for the administrator password to modify critical system configurations, network settings, perform updates, or manage hardware.
The USER has full control over their home directory - if they copy a colour scheme (in /usr/share system folder) and save an edited copy, it will be saved in ~/.local/share.
You can test this by creating for yourself a new USER to find out what you can and cannot do.
Is there any reason I can’t use Edit Applications and under the Advanced tab - Run As Different User and put in the admin account name so as to be prompted for the admin password each time to launch and use system settings in the standard / guest account?
It’s a bit confusing, if our ‘test’ user wishes to open System Settings, then it’s obviously for the ‘test’ user account’s settings - it seems odd that you’d run that as another user…
So you’re saying even though I specifieced my admin user when the standard user clicks System Settings he won’t be prompted for the admin password to launch System Systems and they will just open like normal? If so that seems like a oversite involving permissions.
OK just created a test standard test account on my machine and while attempting to launch System Settings after setting it up to only be opened by my admin account it would not open after entering the admin password. I do thing permissions need to be looked at, cause that by rights should have worked without issue.
Glad your solution works. It’s primarily a Linux thing rather than a KDE thing.
However, keep in mind that the user can always boot single into Linux and have admin rights on everything to undo any protections you may have configured. While figuring this out used to be prohibitively difficult for normal users, their friendly AI assistant can easily guide them through it these days.
How do they do that if you set an account password, a BIOS/UEFI password and disable USB and USB booting?
Maybe they’ll remove the system disk, but then if you think that’s a risk you encrypt.
You could also construct a steel cage to physically restrict access to the device - or with a laptop, simply sleep with it under your pillow and set up perimeter alarms around the bed…
Really it depends on the level of your paranoia - are we trying to guard againt the NSA, some secret government agencies bent on getting in? Or simply keep family members from bypassing security?
The perimeter alarms around the bed are a nice touch! LOL Disabling USB would probably be enough. Whatever you have, it’s a safe bet the alphabet soup agencies already have it if it ever crossed their minds.