Hi everyone,
On 20/04/2012 10:06, Stefan Baur wrote:
On 20.04.2012 09:49, Terje Andersen wrote:
- what kind of session the user(s)/group(s) should be able to access/use
And again, this can and should be solved by setting proper access rights in the file system.
One thing I am missing from nx is in fact the nxacl file. It allowed me to set up access rights depending on the source IP and login of users and the time of day. For example, I have one group of users that can log in from the internal network only, while another group of road warriors can log in from both local and remote locations. It is very cumbersome to do at the ssh level, and the nxacl file was very handy to do this. Perhaps there is a way to reproduce this behavior in x2go, and sorry if I missed it.
From the file ACL point of view, I think the AppArmor/SELinux/nameyourown framework way is much cleaner. I don't much like the idea of changing ACLs on programs because of maintainability, for example on software upgrades and all (and IMHO security needs maintainability), and I think a broader framework is more suitable (no opinion on which one).
my 2 cents,
Cheers,
Denis
- what kind of bandwidth (LAN/WAN/ADSL/dialup)
- printing for certain user(s)/group(s)/server(s)
- clipboard - only at server or client
- use of shared folders (for the x2go session)
These config options would indeed be nice on the server side, though I don't see them as a high priority, except for maybe clipboard and shared folders (by the way, shared folders and printing require the user to be a member of the fuse group, so again this can be managed already using existing mechanisms, though limited in the form that you can only enable/disable both at once). My preferred way of handling this would be using config files in a /etc/x2go/forcedconfig.d/ directory, where separate files with either names or ownership/permissions matching the group/user you want to cover are stored. That way, it's all in the file system, just like it's supposed to be. ;-)
Also, the client should notify the user if a forced setting overrules something in his local setting. Otherwise, you're going to confuse the heck out of users and first level supporters when the settings don't match.
If you want to discuss this further, I'd suggest changing the title of the thread or creating a new one. :-)
-Stefan
--
Denis Cardon
Tranquil IT Systems
44 bvd des pas enchantés
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.57
http://www.tranquil-it-systems.fr