On Tue, 2011-08-02 at 16:59 +0200, Mike Gabriel wrote:
Hi,
On Di 02 Aug 2011 16:46:56 CEST Reinhard Tartler wrote:
On Tue, Aug 02, 2011 at 15:41:55 (CEST), Mike Gabriel wrote:
Hi Morty,
On Di 02 Aug 2011 15:28:57 CEST Moritz Struebe wrote:
What is the rationale for the extra group? Is there a good reason for disallowing someone to share his/her desktop?
the desktopsharing is a tricky feature anyway as it grants many ways for a user who is allowed to share another's desktop to manipulate the user profile.
This sounds to me as desktop sharing was a somewhat insecure feature anyway. In this case, why do you rely on a system group instead of for instance maintaining a /etc/x2go/allowdesktopshareing.users file that contains all users that are allowed to use the feature?
x2godesktopsharing falls into a daemon (in user space) and a client
(the systray)--I think it is this way around. And these two
communicate via a socket file. And the write access is granted by
group membership. No group membership, no desktop access.

Greets, Mike

<snip>

I haven't thought it through thoroughly but I believe what you propose makes sense. Allowing it to be disabled allows one to shut down the social engineering vector. Yes, users need to grant access but they also do when they should not

- John
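
The access model described in the thread (a socket file whose write permission is granted by group membership), sketched as an added example that is not part of the original messages or of X2Go's code. The socket name `sharing.sock`, the mode values and the helpers `make_socket` and `audit_socket` are assumptions made for illustration:

```python
import os
import socket
import stat
import tempfile

def audit_socket(path):
    """Return findings for a Unix socket meant to be reachable only by owner and group."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISSOCK(st.st_mode):
        return ["not a socket (file may have been replaced)"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    # On Linux, connect() needs write permission on the socket file itself.
    if mode & stat.S_IWOTH:
        findings.append("world-writable: group membership is not enforced")
    if not mode & stat.S_IWGRP:
        findings.append("group write bit missing: sharing group cannot connect")
    parent = stat.S_IMODE(os.stat(os.path.dirname(path) or ".").st_mode)
    if parent & stat.S_IWOTH and not parent & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings

def make_socket(directory, mode):
    """Bind a listening socket (hypothetical name) and set its file mode."""
    path = os.path.join(directory, "sharing.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)  # assigning the sharing group (chown) is left to the daemon
    return srv, path

def demo():
    """Audit three constructed sockets: group-gated, open to all, owner-only."""
    results = {}
    for label, mode in (("group_gated", 0o660), ("open", 0o666), ("owner_only", 0o600)):
        with tempfile.TemporaryDirectory() as d:
            srv, path = make_socket(d, mode)
            try:
                results[label] = audit_socket(path)
            finally:
                srv.close()
    return results

if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "ok")
```
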