Hi!
I really need to "sandbox" the user as much as possible.
I managed to rewrite the x2go client so the clipboard sharing is "none" whatever they select.
But is it also possible to turn off the classic X (PRIMARY) cut and paste-model?
Ideally I want to keep it working "inside" the x2go-login, but I can live with a way to completely turn it off.
So what I want to achieve is this:
Any ideas?
/Erik Starbäck
On 03.02.2017 at 08:12, Erik Starbäck wrote:
Hi!
I really need to "sandbox" the user as much as possible.
I managed to rewrite the x2go client so the clipboard sharing is "none" whatever they select.
Why would you need to rewrite the client for that?
/etc/x2go/x2goagent.options *on the server* has:
# Enforce clipboard behaviour in X2Go sessions globally (for all connecting clients)
# Possible values for the -clipboard option: both, server, client, none
# If this option stays commented out, clients can choose the sessions' clipboard behaviour...
#X2GO_NXAGENT_DEFAULT_OPTIONS+=" -clipboard both"
so setting
X2GO_NXAGENT_DEFAULT_OPTIONS+=" -clipboard none"
should do what you want.
But is it also possible to turn off the classic X (PRIMARY) cut and paste-model?
Ideally I want to keep it working "inside" the x2go-login, but I can live with a way to completely turn it off.
So what I want to achieve is this:
- No selection with mouse INSIDE the x2go-session should be middle-button-pasted outside the x2go-session
- No middle-button-paste inside the x2go-session should "grab" information from the outside system.
- All this must be activated on the server side -- but there it can be rather hard core fiddling...
If setting the above parameter doesn't help keeping copy/paste limited to the X2Go session, then it's not working correctly and you should file a bug.
May I ask what you are trying to achieve? Something like this, maybe? <http://wiki.x2go.org/doku.php/doc:success-stories:electronic-glovebox>
-Stefan
-- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
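A server-side check for the setting described in the reply above, as an added example that is not part of the original thread or of X2Go's own code. It assumes the options file keeps the shell-assignment format quoted in the message; the function names and sample files are constructed for illustration, and any active value other than "none" is treated as a failure rather than guessing which of several lines would win.

```shell
#!/bin/sh
# Added example: audit the clipboard policy in an x2goagent.options-style file.

# Print the -clipboard value of every active (uncommented) options line,
# one per line. Prints nothing when the option is not enforced at all.
active_clipboard_modes() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out lines enforce nothing
        /X2GO_NXAGENT_DEFAULT_OPTIONS/ {
            gsub("[\"\047]", " ")                # drop shell quotes around the value
            n = split($0, tok)
            for (i = 1; i < n; i++)
                if (tok[i] == "-clipboard") print tok[i + 1]
        }
    ' "$1"
}

# Return 0 only when the file enforces "-clipboard none" and nothing else.
audit_clipboard_policy() {
    modes=$(active_clipboard_modes "$1")
    [ -n "$modes" ] || { echo "FAIL: not enforced, clients choose the mode"; return 1; }
    for m in $modes; do
        [ "$m" = none ] || { echo "FAIL: active line sets -clipboard $m"; return 1; }
    done
    echo "OK: clipboard enforced as none"
}

# Constructed sample files (not taken from a real server).
tmp=$(mktemp -d)
printf '%s\n' '#X2GO_NXAGENT_DEFAULT_OPTIONS+=" -clipboard both"' > "$tmp/shipped"
printf '%s\n' 'X2GO_NXAGENT_DEFAULT_OPTIONS+=" -clipboard none"' > "$tmp/hardened"
printf '%s\n' 'X2GO_NXAGENT_DEFAULT_OPTIONS+=" -clipboard none"' \
              'X2GO_NXAGENT_DEFAULT_OPTIONS+=" -clipboard both"' > "$tmp/conflict"
for f in shipped hardened conflict; do
    printf '%s: ' "$f"
    audit_clipboard_policy "$tmp/$f" || true
done
rm -rf "$tmp"
```

Run against the real file with `audit_clipboard_policy /etc/x2go/x2goagent.options`, for example from a configuration-management check, so a package update that restores the commented-out default is noticed.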
Hurray!
Thank you it worked!
But it did MORE than just override the client option, because without this setting the client setting "disable clipboard completely" does still share the "PRIMARY X clipboard stuff (middle click and stuff...)"
What I try to achieve is a graphical login for handling sensitive data. All import and export to the system need to be logged. (we use sftp)
Of course the users can screenshot the display, but at least it should be a bit unpractical to get a lot of stuff out from the system.
So generic ssh is not allowed
The folder sharing stuff is turned off (I hope :-) (Just changes a couple of x2g-programs to "exit 0" :-)
And now no simple cut and paste
Thanks again!
/Erik Starbäck
On 03.02.2017 at 11:08, Erik Starbäck wrote:
But it did MORE than just override the client option, because without this setting the client setting "disable clipboard completely" does still share the "PRIMARY X clipboard stuff (middle click and stuff...)"
Whether or not PRIMARY clipboard is used is a global setting in X2GoClient, not a per-session setting (If you're interested why it is like that, we'd have to ask the developers.). Go to Options -> Settings -> X-Server settings and check the box to disable it.
What I try to achieve is a graphical login for handling sensitive data. All import and export to the system need to be logged. (we use sftp)
Of course the users can screenshot the display, but at least it should be a bit unpractical to get a lot of stuff out from the system.
So generic ssh is not allowed
The folder sharing stuff is turned off (I hope :-) (Just changes a couple of x2g-programs to "exit 0" :-)
And now no simple cut and paste
There is a command line parameter to X2GoClient that hides all folder sharing options. However, if users are able to run X2GoClient without parameters (or run their own copy by plugging in USB media, possibly booting from it), then they can bypass it. However, changing /etc/x2go/x2goserver.conf's umask value might add some additional annoyance for people that try to bypass your setting. :->
Oh, and since you're using X2Go in a commercial environment ...
<shameless plug> X2Go also has a commercial side, where various companies - including my own - offer support contracts with guaranteed response times as well as consultancy and paid-for development work if someone wants to see a bug fixed or a new feature added in a certain time frame. What makes my company special is, IMHO:
Our hourly rate for consultancy work and fixing issues outside of a support contract is 110 EUR. With a support contract, you get guaranteed response times and lower hourly rates if you buy a certain amount of hours in advance. </shameless plug>
Kind Regards, Stefan Baur