On Mon, May 4, 2020 at 1:15 PM Stefan Baur <X2Go-ML-1@baur-itcs.de> wrote:
> You need to realize the truth: What a user can see (as in "access"), they can copy.
Well, I basically agree with what you wrote. But the OP was mentioning he just wants to provide _one_ single published application.
Now let us assume some pre-conditions:
Then all we'd need was
The user then can still configure arbitrary sessions but they will either always fail or ignore the user's command and run the one application in question. We could also provide a server side setting that only allows published application connects.
It will not work out of the box but I am pretty sure it could be implemented.
Also, IIRC Mihai added an explicit bash call into certain commands to make it work for users with a different login shell. And obviously the original rbash instructions worked before. So you could also try to set that up and do some research where to remove the explicit bash calls.
Comments?
Uli