[X2go-dev] Use case for an x2go user-group
Alexander Wuerstlein
snalwuer at cip.informatik.uni-erlangen.de
Fri Feb 18 22:55:15 CET 2011
On 11-02-18 22:24, John A. Sullivan III <jsullivan at opensourcedevel.com> wrote:
> On Fri, 2011-02-18 at 21:02 +0100, Alexander Wuerstlein wrote:
> > On 11-02-18 20:34, Gerry Reno <greno at verizon.net> wrote:
> > > On 02/18/2011 02:14 PM, Alexander Wuerstlein wrote:
> > > > On 11-02-18 19:59, Gerry Reno <greno at verizon.net> wrote:
> > > >
> > > >> On 02/18/2011 01:18 PM, Reinhard Tartler wrote:
> > > >>
> > > >>> On Fri, Feb 18, 2011 at 18:52:28 (CET), John A. Sullivan III wrote:
> Hey - that wasn't me - that was Gerry :)
Oh, I'm sorry, that was an accident when deleting stuff...
> > > >> Are you implying that every user on any x2go server would be able to
> > > >> launch a remote x2go desktop by default?
> > > >>
> > > > Yes.
> > > >
> > >
> > > That would be a security hole.
> >
> > In what sense? That would only be a security hole if x2go were less
> > secure than simple ssh logins. If that is the case, those security
> > problems should of course be fixed. But I don't see the risk in allowing
> > x2go usage to users who can use ssh anyways.
>
> I'm thinking we should err on the side of security and make it secure by
> default with the option to loosen. That said, is there a way to achieve
> all goals? We do need to stop the sudo log spam. We do need to prevent
> misfired installations that required great expertise to sort out. What
> if, instead of using sudo, we did lock down the x2go scripts by default
> with restricted ownership as suggested to those who responded to this
> thread concerned about security? That leaves us with maintaining local
> groups but that is not the end of the world. It eliminates the sudo
> problem and makes us secure by default rather than exception.
Sounds like a good idea.
Ciao,
Alexander Wuerstlein.