Hi BUGHUNTER,
On Thu 15 Mar 2012 22:38:46 CET BUGHUNTER wrote:
How about installing X2Go + applications on the server and then setting up a chroot with --bind mounts and tmpfs directories. Each chroot jail will have _one_ homedir and "linked-in" FHS-compliant directories.
Well, how exactly should the chroot be set up so that everything works?
Never chrooted X2Go myself, so you are the first one to develop that ;-)
Tricky approach this will be...
If there is no best practice for doing this already: how are people preventing users from walking up the directory tree?
No best practice here. I am not scared of people walking through the
Unix-Directory tree. If your file permissions are sane, this should
not be a problem. I love transparency, so I am not at all scared of
this.
One might argue that a chroot is not really needed (if you have no problem with users reading your /etc - why not) or e.g. SELinux might be the better way to set up tighter server-side security precautions - I am open to any solution, but I will prefer the one that is already in use somewhere and is best supported by x2go developers. I would not like to live on an island with this - should be easily reproducible and no super-specialized ultra-individual setup... ;)
We will support anything you come up with. It has to make (generic)
sense, of course. :-)
It looks to me like the best solution would be if x2go-server had a chroot feature, like e.g. ftp daemons - all other solutions look like maintenance hell. Any chance of getting this on the development road map? If it is tricky (certainly it is!) - this is one more argument for doing it the right way once and forever... one config variable
It would be awesome if we could get to a point where we finally have
such an option.
chroot-users=yes
and everybody will go crazy :)))
Indeed!
Mike
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...