Hi list,
Reading all comments on my stone in the pond, I still think it is not really clear what the problem is (and my proposed solution).
I do not want to secure the entire server. I only want a door that can be locked. So I allow a user to use the terminal. Okay, he is allowed to use the terminal and so he can do anything he likes. No problem.
Or I say on the server the user may only use program XYZ. XYZ starts and that is all. If XYZ deletes my system that is Okay by me. The user had access to that program and that is it.
This can be enforced by my simple solution. From the client a command is sent, say "Start terminal". Then in the wrapper, the user is matched with the command and if the match exists, the command is allowed and is executed. If not, the request is rejected.
Maybe this can also be achieved by apparmor, but it looks to me that apparmor is intended to secure the entire system, which is really not what I want. (Or maybe I am mistaken because of lack of knowledge of apparmor.)
Dick Kniep
-----Original message-----
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Sent: Wed 30-03-11 20:22:45
To: x2go-dev@lists.berlios.de; Dick Kniep <dick.kniep@lindix.nl>;
Subject: Re: [X2go-dev] concept for X2go session lock-down to kiosk-mode (was Re: X2go is insecure)
Hi Dick,
On Wed 30 Mar 2011 18:46:49 CEST Dick Kniep wrote:
> We have developed the wrapper that does exactly what I describe
> here. Currently it is lacking a screen where an authorized user can
> change the authorization db, but that will come on short notice.
>
> I hope it is a little clearer now what the problem is and how it can
> be solved.
What I have been thinking the last day is that it might be much more
generic and by far more effective to use the apparmor tool for this
kind of lock-down. However, I have never played with apparmor, only in
cases when the rules package maintainers had included in their
packages were too strict...
Greets,
Mike
--
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
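
The user/command match described in Dick's message at the top of this mail, sketched as an added example; it is not the wrapper discussed in the thread. The authorization db format, the user names and the program paths are assumptions; only the request name "Start terminal" and the program name XYZ come from the message.

```python
import os

# Constructed sample authorization db: "user: request, request, ..."
AUTH_DB = """\
# hypothetical format, not the real wrapper's
alice: Start terminal, Start XYZ
bob: Start XYZ
"""

# Each request name maps to one fixed argv (paths are placeholders).
# The client only ever sends the name, never a path or arguments.
COMMANDS = {
    "Start terminal": ["/usr/bin/xterm"],
    "Start XYZ": ["/opt/xyz/bin/xyz"],
}

def parse_auth_db(text):
    """Return {user: set(request names)}; fail closed on unknown names."""
    db = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        user, sep, names = line.partition(":")
        if not sep or not user.strip():
            raise ValueError(f"line {lineno}: expected 'user: request, ...'")
        allowed = {n.strip() for n in names.split(",") if n.strip()}
        unknown = allowed - set(COMMANDS)
        if unknown:
            raise ValueError(f"line {lineno}: unknown request {sorted(unknown)}")
        db.setdefault(user.strip(), set()).update(allowed)
    return db

def authorize(db, user, request):
    """Return the argv to execute if (user, request) matches, else None."""
    if request in db.get(user, set()):
        return list(COMMANDS[request])
    return None  # rejected: unknown user, unknown request, or no match

def launch(argv):
    """Replace the wrapper process with the command; no shell is involved."""
    os.execv(argv[0], argv)

if __name__ == "__main__":
    db = parse_auth_db(AUTH_DB)
    for user, req in [("alice", "Start terminal"), ("bob", "Start terminal"),
                      ("bob", "Start XYZ extra-args"), ("mallory", "Start XYZ")]:
        print(user, repr(req), "->", authorize(db, user, req) or "rejected")
```

Because the request is matched as an exact name and mapped to a fixed argv, a request that carries extra text is rejected rather than passed on to the program.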