Hello!
Is there any possibility to limit what session users can start?
Thanks!
-- З повагою, Михайло
Am 30.03.2018 um 15:40 schrieb Михайло Падалка:
Is there any possibility to limit what session users can start?
If you just want to hide entries in Published Application mode, you can replace the symlink /etc/x2go/applications with a real directory and copy the *.desktop files you want into that. Note that users will still be able to run other applications by specifying them by name, either in an xterm or in Single Application mode.
To actually block users from running certain applications, please use standard Linux/Unix mechanisms; in other words, chmod and chown are your friends. For example, if you want people to be unable to run xterm unless they are members of a particular group "newgroup", "chown root:newgroup /usr/bin/xterm && chmod 750 /usr/bin/xterm", then add the users you want to the group "newgroup": "adduser someuserhere newgroup"
Adding blocking functionality to X2Go wouldn't make any sense, because if you have users that can log in to your server via X2Go, they can just as well log in via regular SSH, where an X2Go-only block wouldn't be in effect, and wreak havoc from there (even for GUI applications, as the users could just redirect their DISPLAY variable to point at their own X2Go session running in parallel).
Kind Regards, Stefan Baur
-- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
Hm... for some reason I did not receive replies to gmail, saw the response on mail-archive :(
If you just want to hide entries in Published Application mode, you can replace the symlink /etc/x2go/applications with a real directory and copy the *.desktop files you want into that. Note that users will still be able to run other applications by specifying them by name, either in an xterm or in Single Application mode.
To actually block users from running certain applications, please use standard Linux/Unix mechanisms; in other words, chmod and chown are your friends. For example, if you want people to be unable to run xterm unless they are members of a particular group "newgroup", "chown root:newgroup /usr/bin/xterm && chmod 750 /usr/bin/xterm", then add the users you want to the group "newgroup": "adduser someuserhere newgroup"
Adding blocking functionality to X2Go wouldn't make any sense, because if you have users that can log in to your server via X2Go, they can just as well log in via regular SSH, where an X2Go-only block wouldn't be in effect, and wreak havoc from there (even for GUI applications, as the users could just redirect their DISPLAY variable to point at their own X2Go session running in parallel).
Thanks for reply. The main intention is to not actually forbid something, but rather to minimize possible user mistakes. There is a long list of options in session setup - KDE, GNOME, ... - which we don't plan to install on the server. But user can choose them and then get an error. I just want all users to start the custom session script, which will setup keyboard (unfortunaly x2go cannot do that from server side :() and run correct session. Do I understand correctly, that current X2Go client cannot do that?
2018-03-30 16:40 GMT+03:00 Михайло Падалка <misha.cn.ua@gmail.com>:
Hello!
Is there any possibility to limit what session users can start?
Thanks!
-- З повагою, Михайло
-- З повагою, Михайло
Am 01.04.2018 um 00:26 schrieb Михайло Падалка:
Thanks for reply. The main intention is to not actually forbid something, but rather to minimize possible user mistakes. There is a long list of options in session setup - KDE, GNOME, ... - which we don't plan to install on the server. But user can choose them and then get an error. I just want all users to start the custom session script, which will setup keyboard (unfortunaly x2go cannot do that from server side :() and run correct session. Do I understand correctly, that current X2Go client cannot do that?
That's something different entirely. You can lock X2GoClient into a display-only mode by specifying --no-session-edit on the command line, or you can have X2GoClient connect to a session broker and deploy the config via the broker, which will automatically trigger --no-session-edit and allows for a more flexible and dynamic deployment of session configurations.
Kind Regards, Stefan Baur
-- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
2018-04-01 1:36 GMT+03:00 Stefan Baur <X2Go-ML-1@baur-itcs.de>:
Am 01.04.2018 um 00:26 schrieb Михайло Падалка:
Thanks for reply. The main intention is to not actually forbid something, but rather to minimize possible user mistakes. There is a long list of options in session setup - KDE, GNOME, ... - which we don't plan to install on the server. But user can choose them and then get an error. I just want all users to start the custom session script, which will setup keyboard (unfortunaly x2go cannot do that from server side :() and run correct session. Do I understand correctly, that current X2Go client cannot do that?
That's something different entirely. You can lock X2GoClient into a display-only mode by specifying --no-session-edit on the command line, or you can have X2GoClient connect to a session broker and deploy the config via the broker, which will automatically trigger --no-session-edit and allows for a more flexible and dynamic deployment of session configurations.
Thanks, looks like that's what I need! Will try to do that.
-- З повагою, Михайло
Михайло Падалка <misha.cn.ua@gmail.com> schrieb am So., 1. Apr. 2018, 00:31:
I just want all users to start the custom session script, which will setup keyboard (unfortunaly x2go cannot do that from server side :() and run correct session. Do I understand correctly, that current X2Go client cannot do that?
Can you please add some details about those keyboard setup problems?
Uli
2018-04-01 12:00 GMT+03:00 Ulrich Sibiller <ulrich.sibiller@gmail.com>:
Михайло Падалка <misha.cn.ua@gmail.com> schrieb am So., 1. Apr. 2018, 00:31:
I just want all users to start the custom session script, which will setup keyboard (unfortunaly x2go cannot do that from server side :() and run correct session. Do I understand correctly, that current X2Go client cannot do that?
Can you please add some details about those keyboard setup problems?
Of course. I need three keyboard layouts with hotkey to switch them. If I set 'do not configure' in X2Go client, and setup keyboard in standard Debian way, I just get one US layout. If I try to specify layouts in X2Go client separated by comma (the same format as used in /etc/default/keyboard) - I get an error while connecting.
By the way, If I setup keyboard in session startup script, then after session suspend/resume X2Go overrides that and I get just US layout again.
So I discovered another way to fix that. I added a hook scripts in X2Go server extensions directory, to post-start and post-resume folders, and do needed setup from there. This way it works ok.
-- З повагою, Михайло
-
Stefan Baur -
Ulrich Sibiller -
Михайло Падалка