Ok... So I see that my questions turned on the heating :)
So let me see if I understand well :)
It is possible to restrict users/groups access to "published applications" with Extended Attributes...
But I still have a question about that... In a clustered environment, the Extended Attributes on allmachine suppose to be the same... right ?
User access to only "published applications" can be achieved only if it doesn't exist a Desktop Environment...
Greetings, Vasilica Petcu
Am 20.04.2012 13:57, schrieb Vasilica Petcu:
Ok... So I see that my questions turned on the heating :)
Popcorn anyone? ;-) Or ice-cream? ;-)
- It is possible to restrict users/groups access to "published applications" with Extended Attributes...
But I still have a question about that... In a clustered environment, the Extended Attributes on all machine suppose to be the same... right ?
I don't have experience with clusters, but I'd say, if EAs (or more generally speaking, file ownership/permissions) don't match across individual cluster members, your cluster is somehow out of sync, which sounds bad.
- User access to only "published applications" can be achieved only if it doesn't exist a Desktop Environment...
To sum it up, you can:
- opt to not install a DE at all
- limit access to it via file system attributes (make e.g. startkde executable only for owner and a specific group, and only add users that are supposed to run startkde to this group)
- limit access to it via apparmor/SELinux etc., as suggested by Mike.
-Stefan
On 2012-04-20 13:57, Vasilica Petcu wrote:
- User access to only "published applications" can be achieved only if it doesn't exist a Desktop Environment...
No, no and no. x2go is just like "ssh -X". You can't do restrict anything you can't restrict with "ssh -x". There are tool kits that allow to do that, but x2go - opposed to the nx-approach - can not do that - and is still more secure (I won't explain why, because that needs quite a bit insight on how security in linux works).
Cheers Morty
-- Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter) Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme) Friedrich-Alexander-Universität Erlangen-Nürnberg Martensstr. 1 91058 Erlangen
Tel : +49 9131 85-25419 Fax : +49 9131 85-28732 eMail : struebe@informatik.uni-erlangen.de WWW : http://www4.informatik.uni-erlangen.de/~morty
Hi Morty, hi Vasilica
On Fr 20 Apr 2012 15:59:27 CEST Moritz Struebe wrote:
On 2012-04-20 13:57, Vasilica Petcu wrote:
- User access to only "published applications" can be achieved only if it doesn't exist a Desktop Environment...
No, no and no. x2go is just like "ssh -X". You can't do restrict anything you can't restrict with "ssh -x". There are tool kits that allow to do that, but x2go - opposed to the nx-approach - can not do that - and is still more secure (I won't explain why, because that needs quite a bit insight on how security in linux works).
Maybe a misunderstanding here...
If I hear Vasilica correctly: uninstall GNOME, KDE, LXDE, etc. and you
won't be able to launch desktop sessions. This is indeed correct!
Mike
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
On 2012-04-20 16:21, Mike Gabriel wrote:
On Fr 20 Apr 2012 15:59:27 CEST Moritz Struebe wrote:
On 2012-04-20 13:57, Vasilica Petcu wrote:
- User access to only "published applications" can be achieved only if it doesn't exist a Desktop Environment...
No, no and no. x2go is just like "ssh -X". You can't do restrict anything you can't restrict with "ssh -x". There are tool kits that allow to do that, but x2go - opposed to the nx-approach - can not do that - and is still more secure (I won't explain why, because that needs quite a bit insight on how security in linux works).
Maybe a misunderstanding here...
If I hear Vasilica correctly: uninstall GNOME, KDE, LXDE, etc. and you won't be able to launch desktop sessions. This is indeed correct!
He said "User access to only "published applications" " and this is wrong. I can start any application I wish. And even if there is some kind of restriction I can still start a second SSH and start any application by redirecting X to the already established x2go connection.
Morty
-- Dipl.-Ing. Moritz 'Morty' Struebe (Wissenschaftlicher Mitarbeiter) Lehrstuhl für Informatik 4 (Verteilte Systeme und Betriebssysteme) Friedrich-Alexander-Universität Erlangen-Nürnberg Martensstr. 1 91058 Erlangen
Tel : +49 9131 85-25419 Fax : +49 9131 85-28732 eMail : struebe@informatik.uni-erlangen.de WWW : http://www4.informatik.uni-erlangen.de/~morty
-
Mike Gabriel -
Moritz Struebe -
Stefan Baur -
Vasilica Petcu