Hi Mike,
to make this reasonable there must be ways to actually enforce this.
Currently a little tweaking of the client will allow you to
circumvent any of these rules: Start x2goagent "manually" - the db
is only convenience, desktop-mode is client-related only, you can
patch the client to start any command you wish, audio is only a
matter of setting the right environment variables, etc. Basically
x2go is just an optimized x-forwarding. So doing rights-control on
this level would be to block the main road and leave the side roads
open. While this might be enough for a lot of scenarios it might
also let administrators think that their rules are actually
enforced. All in all it would be just as safe as doing all the
rights-management in the client....
The right way of doing this would be to learn about Linux
system administration and use the sufficient tools already provided
to you (e.g. ACLs). Everything else creates a false feeling of
security.
Cheers
Morty
On 19.03.2011 17:11, Mike Gabriel wrote:
Hi there,
Here is a feature request proposal for the post-Baikal release
(Rebun):
The handshake on session start should be extended in the following
way:
  o login as user
  o call a script x2gofeatures (or similar)
  o this script replies with some file format that states
      - user may / must not start an X2go session
      - user may / must not start in rootless/desktop mode
      - available commands to execute (KDE, TERMINAL, /usr/bin/xterm...)
      - user may / must not print
      - user may / must not use audio
      - ...
  o the client should obey this returned list of features
  o if the user tries to hack some feature that he/she is not allowed to
    use, the server of course also has to deny this feature (and maybe
    even the whole session)
Greets,
Mike
_______________________________________________
X2go-dev mailing list
X2go-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/x2go-dev
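
An added illustration, not part of the thread and not X2Go code: a server-side check in the spirit of the proposal above, which treats the client's request as untrusted and denies anything the per-user policy does not grant. The policy format, field names and function names are hypothetical; the thread does not define them.

```python
# Constructed sample of what an "x2gofeatures"-style script might return.
# The key=value format is an assumption made for this example only.
SAMPLE_POLICY = """\
session=allow
mode=rootless
commands=TERMINAL,/usr/bin/xterm
print=deny
audio=deny
"""

KNOWN_KEYS = {"session", "mode", "commands", "print", "audio"}


def parse_policy(text):
    """Parse key=value lines; malformed lines and unknown keys are errors."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() not in KNOWN_KEYS:
            raise ValueError(f"bad policy line: {line!r}")
        policy[key.strip()] = value.strip()
    # List-valued keys become sets; a missing key yields an empty set (deny).
    for key in ("mode", "commands"):
        policy[key] = {v for v in policy.get(key, "").split(",") if v}
    return policy


def authorize(policy, request):
    """Decide on the server whether a client request (untrusted dict) is allowed.

    Default is deny: anything the policy does not explicitly grant is refused.
    A gate like this only binds if the user has no other way to start the
    agent, which is the OS-permissions concern raised in the reply.
    """
    reasons = []
    if policy.get("session") != "allow":
        reasons.append("session not permitted")
    if request.get("mode") not in policy["mode"]:
        reasons.append("mode not permitted")
    if request.get("command") not in policy["commands"]:
        reasons.append("command not permitted")
    for feature in ("print", "audio"):
        if request.get(feature) and policy.get(feature) != "allow":
            reasons.append(f"{feature} not permitted")
    return (not reasons, reasons)
```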