I’m not sure I understand what nefarious behavior #336 is supposed to prevent either. It did, unfortunately, make x2go unusable in our environment.

I propose one of the following solutions:

1. Revert the behavior (sounds like this isn’t going to happen?)
2. Add a ‘secure path’ boolean session option in the client (you can leave it on by default, I’ll have my users turn it off)
3. In the client, hard code the full path to the x2go server and convert x2go to use all absolute paths (hopefully this prevents all the same things as #336 without the side effect)
4. Option 3, but add an ‘x2go server binary’ string session option in the client in case the admin installed x2go in an alternate location
5. Save the path before setting it (export X2GOSAVEPATH=$PATH; export PATH=<safe_path>; cmd). Then, somewhere after all the x2go stuff has been run, restore the original path

I’ll be happy to test implementations once the core developers determine the best path forward.

Thanks, ~Matt