Restricting access to Startup applications for non-root user

It is a directory:

~/.config/autostart

in each user directory and

/etc/xdg/autostart 

for global usage (there is no need to touch that one).

  • Log in with your admin account and change the user and group to your admin account:

    sudo chown $USER:$USER /home/*/.config/autostart

    where * matches all your normal users.

That will prevent them from writing. The "others" permission is already set to r-x, so they have no write access.

You also need to prevent users from changing a setting called $XDG_CONFIG_HOME, and that is going to be difficult ... a user can set it directly from the command line for that session only.

So if you want to prevent that you likely need to also disable access to the terminal and to any altering of ~/.profile.
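
An audit of the points raised above, as an added example that is not part of the original answer: for one home directory it reports the owner and mode of ~/.config/autostart, the owner of the parent ~/.config (whoever can write the parent can rename the directory inside it), the owners of existing .desktop entries (the chown above is not recursive), and any XDG_CONFIG_HOME line in shell start-up files. The function name and the start-up files other than ~/.profile are assumptions, and it relies on GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: audit one home directory for gaps left after the chown.
# audit_autostart_home is a hypothetical name; findings go to stdout.

audit_autostart_home() {
    home=$1
    cfg="$home/.config"
    auto="$cfg/autostart"
    # Treat the owner of the home directory as the restricted user.
    uid=$(stat -c '%u' "$home") || return 2

    if [ -L "$auto" ]; then
        echo "SYMLINK $auto is a symbolic link"; return 0
    elif [ ! -d "$auto" ]; then
        echo "MISSING $auto does not exist, so uid $uid can create it"
        return 0
    fi

    # 1. The directory itself: owner and group/other write bits.
    if [ "$(stat -c '%u' "$auto")" = "$uid" ]; then
        echo "OWNER $auto is still owned by uid $uid"
    fi
    mode=$(stat -c '%a' "$auto")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "MODE $auto is group/other writable ($mode)"
    fi

    # 2. The parent: whoever owns ~/.config can rename autostart away
    #    and create a fresh directory under the same name.
    if [ "$(stat -c '%u' "$cfg")" = "$uid" ]; then
        echo "PARENT $cfg is owned by uid $uid, who can rename $auto"
    fi

    # 3. Existing entries: a non-recursive chown leaves them editable.
    for f in "$auto"/*.desktop; do
        [ -e "$f" ] || continue
        if [ "$(stat -c '%u' "$f")" = "$uid" ]; then
            echo "ENTRY $f is still owned by uid $uid"
        fi
    done

    # 4. Start-up files that can point the session at another config dir.
    for rc in .profile .bash_profile .bashrc; do
        if grep -q 'XDG_CONFIG_HOME' "$home/$rc" 2>/dev/null; then
            echo "ENV $home/$rc mentions XDG_CONFIG_HOME"
        fi
    done
    return 0
}
```

Run it from the admin account once per home directory, for example in a loop over /home/*; an empty result means none of the four checks fired.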