[X2Go-Dev] x2go "group policies" (was Re: Published Applications)
Denis Cardon
denis.cardon at tranquil-it-systems.fr
Fri Apr 20 10:52:47 CEST 2012
Hi everyone,
On 20/04/2012 10:06, Stefan Baur wrote:
> On 20.04.2012 09:49, Terje Andersen wrote:
>
>> * what kind of session the user(s)/group(s) should be able to access/use
>
> And again, this can and should be solved by setting proper access rights
> in the file system.
One thing I am missing from nx is in fact the nxacl file. It allowed me
to set up access rights depending on the source IP and login of users and
time of the day. For example I have one group of users that can log in
from the internal network only, while another group of road warriors
can log in both from local or remote location. It is very cumbersome
to do at the ssh level, and the nxacl file was very handy to do this.
Perhaps there is a way to reproduce this behavior in x2go, and sorry if
I missed it.
On the file ACL point of view, I think the apparmor/selinux/nameyourown
framework way to be much more clean. I don't like much the idea to
change ACL on programs because of maintainability, for example on
software upgrade and all (and IMHO security needs maintainability), and
I think a broader framework to be more suitable (no opinion on which one).
my 2 cents,
Cheers,
Denis
>
>> * what kind of bandwidth (LAN/WAN/ADSL/dialup)
>> * printing for certain user(s)/group(s)/server(s)
>> * clipboard - only at server or client
>> * use of shared folders (for the x2go session)
>
>
> These config options would indeed be nice on the server side, though I
> don't see them as a high priority, except for maybe clipboard and shared
> folders (by the way, shared folders and printing require the user to be
> a member of the fuse group, so again this can be managed already using
> existing mechanisms, though limited in the form that you can only
> enable/disable both at once).
> My preferred way of handling this would be using config files in a
> /etc/x2go/forcedconfig.d/ directory, where separate files with either
> names or ownership/permissions matching the group/user you want to cover
> are stored. That way, it's all in the file system, just like it's
> supposed to be. ;-)
>
> Also, the client should notify the user if a forced setting overrules
> something in his local setting. Otherwise, you're going to confuse the
> heck out of users and first level supporters when the settings don't match.
>
> If you want to discuss this further, I'd suggest changing the title of
> the thread or creating a new one. :-)
>
> -Stefan
> _______________________________________________
> X2Go-Dev mailing list
> X2Go-Dev at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/x2go-dev
--
Denis Cardon
Tranquil IT Systems
44 bvd des pas enchantés
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.57
http://www.tranquil-it-systems.fr
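
The kind of check described in the message above (group, source IP and time of day deciding whether a login is accepted), as an added example that is not part of the original post and is not NX or X2Go code. The rule layout, the group names `office` and `roadwarriors`, the `10.0.0.0/8` internal range and the hours are all assumptions made for illustration; this is not the nxacl syntax.

```python
import ipaddress
from datetime import time

# Constructed policy for illustration (hypothetical format, not nxacl syntax).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ANYWHERE = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]

RULES = [
    # Internal-only group, limited to assumed office hours.
    {"group": "office", "networks": [INTERNAL],
     "hours": (time(7, 0), time(19, 0))},
    # Road warriors: any source address, any time of day.
    {"group": "roadwarriors", "networks": ANYWHERE,
     "hours": (time(0, 0), time(23, 59, 59))},
]


def in_window(now, start, end):
    """True if `now` falls inside [start, end]; handles windows that wrap midnight."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def is_allowed(user_groups, source_ip, now, rules=RULES):
    """Default deny: allow only if some rule matches group, source network and time."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparsable source address is never allowed
    for rule in rules:
        if rule["group"] not in user_groups:
            continue
        # Compare only against networks of the same IP version as the address.
        if not any(addr.version == net.version and addr in net
                   for net in rule["networks"]):
            continue
        if in_window(now, *rule["hours"]):
            return True
    return False


if __name__ == "__main__":
    print(is_allowed({"office"}, "10.1.2.3", time(9, 0)))
    print(is_allowed({"office"}, "203.0.113.5", time(9, 0)))
    print(is_allowed({"roadwarriors"}, "203.0.113.5", time(22, 0)))
```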