[X2go-Dev] rename of x2godesktopsharing group
John A. Sullivan III
jsullivan at opensourcedevel.com
Tue Aug 2 17:34:49 CEST 2011
On Tue, 2011-08-02 at 16:59 +0200, Mike Gabriel wrote:
> Hi,
>
> On Di 02 Aug 2011 16:46:56 CEST Reinhard Tartler wrote:
>
> > On Tue, Aug 02, 2011 at 15:41:55 (CEST), Mike Gabriel wrote:
> >
> >> Hi Morty,
> >>
> >> On Di 02 Aug 2011 15:28:57 CEST Moritz Struebe wrote:
> >>
> >>> What is the rationale for the extra group? Is there a good reason for
> >>> disallowing someone to share his/her desktop?
> >>
> >> the desktopsharing is a tricky feature anyway as it grants many ways
> >> for a user who is allowed to share another's desktop to manipulate the
> >> user profile.
> >
> > This sounds to me as desktop sharing was a somewhat insecure feature
> > anyway. In this case, why do you rely on a system group instead of for
> > instance maintaining a /etc/x2go/allowdesktopshareing.users file that
> > contains all users that are allowed to use the feature?
>
> x2godesktopsharing falls into a daemon (in user space) and a client
> (the systray)--I think it is this way around. And these two
> communicate via a socket file. And the write access is granted by
> group membership. No group membership, no desktop access.
>
> Greets,
> Mike
<snip>
I haven't thought it through thoroughly but I believe what you propose
makes sense. Allowing it to be disabled allows one to shut down the
social engineering vector. Yes, users need to grant access but they
also do when they should not - John
More information about the x2go-dev
mailing list