Hi Morty,
On Sa 19 Mär 2011 19:09:52 CET Moritz Strübe wrote:
Hi Mike,
to make this reasonable there must be ways to actually enforce this. Currently a little tweaking of the client will allow you to circumvent any of these rules: Start x2goagent "manually" - the db is only convenience, desktop-mode is client-related only, you can patch the client to start any command you wish, audio is only a matter of setting the right environment variables, etc. Basically x2go is just an optimized x-forwarding. So doing rights-control on this level would be to block the main road and leave the side roads open. While this might be enough for a lot of scenarios it might also let administrators think that their rules are actually enforced. All in all it would be just as safe as doing all the rights-management in the client... The right way of doing this would be to learn about Linux system administration and use the sufficient tools already provided to you (e.g. ACLs). Everything else creates a false feeling of security.
What exactly are you aiming at? Best way to control apps on a Linux
host (X2go server) is the apparmor framework. Are you thinking of this?
BTW: I am also looking forward to the grsecurity patch that will be
part of future Debian kernels some way ahead:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605090
(With grsecurity amongst others you can hide processes from the ps aux
list and restrict the list of processes to those owned by the user...)
Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...