[X2Go-User] x2go + chroot

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Fri Mar 16 09:19:57 CET 2012


On Do 15 Mär 2012 22:38:46 CET BUGHUNTER wrote:

>> How about installing X2Go + applications on the server and then
>> setting up a chroot with --bind mounts and tmpfs directories. Each
>> chroot jail will have _one_ homedir and ,,linked-in''-FHS-compliant
>> directories.
> well, how exactly the chroot should be setup so that everything works?

Never chrooted X2Go myself, so you are the first one to develop that ;-)

>> Tricky approach this will be...
> if there is no best-practice in doing this already: how are people
> preventing users from walking up the directory tree?

No best practice here. I am not scared of people walking through the  
Unix-Directory tree. If your file permissions are sane, this should  
not be a problem. I love transparency, so I am not at all scared of  

> One might argue that a chroot is not really needed (if you have no
> problem with users reading your /etc - why not) or e.g. SELinux might
> be the better way to setup tighter server-side security precautions -
> I am open to any solution, but I will prefer the one that is already
> in use somewhere and is best supported by x2go developers. I would not
> like to live on an island with this - should be easily reproducable
> and no super-specialized ultra-individual setup... ;)

We will supported anything you come up with. It has to make (generic)  
sense, of course. :-)

> Looks for me like best solution would be if x2go-server had a chroot
> feature, like e.g. ftp daemons - all other solutions look like
> maintenance hell. Any chance in getting this on the development road
> map? If it is tricky (certainly it is!) - this is one more argument
> for doing it the right way once and forever... one config variable

It would be awesome if we could get to a point where we finally have  
such an option.

> chroot-users=yes
> and everybody will go crazy :)))




mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0xB588399B
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: Digitale PGP-Unterschrift
URL: <http://lists.x2go.org/pipermail/x2go-user/attachments/20120316/cdf9f0f4/attachment.pgp>

More information about the x2go-user mailing list