On Thu, 2012-03-15 at 22:38 +0100, BUGHUNTER wrote:
Hello Mike,
I try to hear what you aim at... My guess: one central installation of X2Go and a desktop shell (GNOME, KDE, ...) or single applications.
yes, that is right!
Whereas the software rests in one single installation, each user is
presented with his/her own chroot.
Having to set up applications for each user would be a PITA, I think...
How about installing X2Go + applications on the server and then
setting up a chroot with --bind mounts and tmpfs directories. Each
chroot jail will have _one_ homedir and "linked-in" FHS-compliant
directories.
Well, how exactly should the chroot be set up so that everything works?
Tricky approach this will be...
If there is no best practice for doing this already: how are people preventing users from walking up the directory tree?
One might argue that a chroot is not really needed (if you have no problem with users reading your /etc - why not) or e.g. SELinux might be the better way to set up tighter server-side security precautions - I am open to any solution, but I will prefer the one that is already in use somewhere and is best supported by x2go developers. I would not like to live on an island with this - it should be easily reproducible and no super-specialized ultra-individual setup... ;)
Looks to me like the best solution would be if x2go-server had a chroot feature, like e.g. FTP daemons - all other solutions look like maintenance hell. Any chance of getting this on the development road map? If it is tricky (certainly it is!) - this is one more argument for doing it the right way once and forever... one config variable
chroot-users=yes
and everybody will go crazy :)))

<snip>

By placing each user in their own VServer (thus each user has their own X2Go Server), one gains the advantage of a fixed IP address per user which is great for non-repudiation.
Because VServer uses a single file system, one can use mount binds to do very creative things between the VServers such as using KDE KIOSK or XDG shared directories to centralize administration of applications across all the X2Go servers.

Hope that helps - John
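
The bind-mount and tmpfs jail layout proposed earlier in this thread, sketched as an added example that is not part of the original messages and not an X2Go feature. `JAIL_BASE`, `SHARED_DIRS`, the tmpfs size and the function names are assumptions; the script prints the mount plan by default and only executes it (as root) when `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: plan a per-user chroot from read-only bind mounts plus tmpfs.
# JAIL_BASE, SHARED_DIRS, the tmpfs size and all function names are assumptions.
JAIL_BASE="${JAIL_BASE:-/srv/jails}"
SHARED_DIRS="${SHARED_DIRS:-/usr /bin /sbin /lib /lib64 /etc}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = run them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Refuse names that would place the jail outside JAIL_BASE ("..", "a/b", "").
valid_user() {
    case "$1" in
        ''|.|..|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

build_jail() {
    user=$1; home_src=$2
    valid_user "$user" || { echo "invalid user name: $user" >&2; return 1; }
    jail="$JAIL_BASE/$user"
    for dir in $SHARED_DIRS; do
        [ -d "$dir" ] || continue          # e.g. /lib64 is absent on some systems
        run mkdir -p "$jail$dir"
        run mount --bind "$dir" "$jail$dir"
        # A bind mount inherits the source's flags; read-only is applied by a
        # second remount. nosuid matters because root can leave a chroot.
        run mount -o remount,bind,ro,nosuid,nodev "$jail$dir"
    done
    for dir in /tmp /var/tmp; do           # private scratch space per jail
        run mkdir -p "$jail$dir"
        run mount -t tmpfs -o size=64m,mode=1777,nosuid,nodev tmpfs "$jail$dir"
    done
    run mkdir -p "$jail/home/$user"        # the one home directory in the jail
    run mount --bind "$home_src" "$jail/home/$user"
    run mount -o remount,bind,nosuid,nodev "$jail/home/$user"
}

# Usage: sh jail.sh alice /home/alice   (prints the plan unless DRY_RUN=0)
if [ "$#" -ge 2 ]; then build_jail "$1" "$2"; fi
```

Because every shared directory is mounted once per jail from the single server installation, applications are installed and updated in one place while each user sees only their own home directory and scratch space.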