Hello,
I think you should try looking at the documentation for SSH, since that's the service that authenticates users. If I remember right, there's an option specifically for limiting users to their home directory only.
Thank you very much for your hint, you are probably thinking about ChrootDirectory here.
SSH is only one piece of the puzzle and we need to know how x2go behaves in a chroot, but even before that how to install x2go correctly into a chroot.
Are there static builds of the x2go-server available?
Also it might be possible that x2go-server itself offers any kind of chroot feature or at least supports it in one or the other way.
Thanks!
Have a nice day, Bughunter
Hi BUGHUNTER,
On Thu 15 Mar 2012 13:28:02 CET BUGHUNTER wrote:
Hello,
I think you should try looking at the documentation for SSH, since that's the service that authenticates users. If I remember right, there's an option specifically for limiting users to their home directory only.
Thank you very much for your hint, you are probably thinking about ChrootDirectory here.
SSH is only one piece of the puzzle and we need to know how x2go behaves in a chroot, but even before that how to install x2go correctly into a chroot.
Are there static builds of the x2go-server available?
Also it might be possible that x2go-server itself offers any kind of chroot feature or at least supports it in one or the other way.
I try to hear what you aim at... My guess: one central installation of
X2Go and a desktop shell (GNOME, KDE, ...) or single applications.
Whereas the software rests in one single installation each user is
presented with his/her own chroot.
How about installing X2Go + applications on the server and then
setting up a chroot with --bind mounts and tmpfs directories. Each
chroot jail will have _one_ homedir and ,,linked-in''-FHS-compliant
directories.
Tricky approach this will be...
Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
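The layout Mike sketches above (one shared installation, read-only bind mounts, tmpfs, a single home directory per jail), written out as a dry-run planner together with the matching `ChrootDirectory` block for sshd. This is an added example, not code from anyone in the thread and not X2Go tooling; `JAIL_BASE`, `RO_DIRS`, `plan_jail` and `sshd_match` are assumed names, homes are assumed to live under `/home`, and whether an X2Go session starts inside such a jail is not tested here.

```shell
#!/bin/sh
# Added sketch: prints the commands, runs none of them.
JAIL_BASE="${JAIL_BASE:-/srv/jail}"      # assumed location of the per-user jails
RO_DIRS="${RO_DIRS:-/bin /lib /usr}"     # assumed shared dirs; /etc is not linked in

# plan_jail USER: print the commands that would build USER's jail.
plan_jail() {
    user=$1
    case $user in
        ''|*[!a-z0-9_-]*) echo "refusing user name: $user" >&2; return 1 ;;
    esac
    jail="$JAIL_BASE/$user"
    # sshd's ChrootDirectory wants every path component root-owned and
    # not writable by group or others.
    echo "install -d -o root -g root -m 0755 $jail $jail/home"
    for d in $RO_DIRS; do
        echo "install -d -o root -g root -m 0755 $jail$d"
        echo "mount --bind $d $jail$d"
        echo "mount -o remount,bind,ro $jail$d"   # second step makes it read-only
    done
    # Private scratch space on tmpfs, without setuid binaries or device nodes.
    echo "install -d -m 1777 $jail/tmp"
    echo "mount -t tmpfs -o nosuid,nodev,size=256m tmpfs $jail/tmp"
    # Exactly one home directory is visible inside the jail (assumes /home/USER).
    echo "install -d -o $user -m 0700 $jail/home/$user"
    echo "mount --bind /home/$user $jail/home/$user"
}

# sshd_match USER: print the sshd_config block that confines USER's logins.
sshd_match() {
    printf 'Match User %s\n    ChrootDirectory %s/%s\n' "$1" "$JAIL_BASE" "$1"
}

if [ $# -gt 0 ]; then plan_jail "$1" && sshd_match "$1"; fi
```

Review the printed plan before running any of it as root; the user-name check is there so a name such as `../root` cannot steer the paths outside `JAIL_BASE`.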
Hello Mike,
I try to hear what you aim at... My guess: one central installation of X2Go and a desktop shell (GNOME, KDE, ...) or single applications.
yes, that is right!
Whereas the software rests in one single installation each user is
presented with his/her own chroot.
Having to setup applications for each user would be pita I think...
How about installing X2Go + applications on the server and then
setting up a chroot with --bind mounts and tmpfs directories. Each
chroot jail will have _one_ homedir and ,,linked-in''-FHS-compliant
directories.
well, how exactly the chroot should be setup so that everything works?
Tricky approach this will be...
if there is no best-practice in doing this already: how are people preventing users from walking up the directory tree?
One might argue that a chroot is not really needed (if you have no problem with users reading your /etc - why not) or e.g. SELinux might be the better way to setup tighter server-side security precautions - I am open to any solution, but I will prefer the one that is already in use somewhere and is best supported by x2go developers. I would not like to live on an island with this - should be easily reproducible and no super-specialized ultra-individual setup... ;)
Looks for me like best solution would be if x2go-server had a chroot feature, like e.g. ftp daemons - all other solutions look like maintenance hell. Any chance in getting this on the development road map? If it is tricky (certainly it is!) - this is one more argument for doing it the right way once and forever... one config variable
chroot-users=yes
and everybody will go crazy :)))
Thanks for your attention, Bughunter
On Thu, 2012-03-15 at 22:38 +0100, BUGHUNTER wrote:
Hello Mike,
I try to hear what you aim at... My guess: one central installation of X2Go and a desktop shell (GNOME, KDE, ...) or single applications.
yes, that is right!
Whereas the software rests in one single installation each user is
presented with his/her own chroot.
Having to setup applications for each user would be pita I think...
How about installing X2Go + applications on the server and then
setting up a chroot with --bind mounts and tmpfs directories. Each
chroot jail will have _one_ homedir and ,,linked-in''-FHS-compliant
directories.
well, how exactly the chroot should be setup so that everything works?
Tricky approach this will be...
if there is no best-practice in doing this already: how are people preventing users from walking up the directory tree?
One might argue that a chroot is not really needed (if you have no problem with users reading your /etc - why not) or e.g. SELinux might be the better way to setup tighter server-side security precautions - I am open to any solution, but I will prefer the one that is already in use somewhere and is best supported by x2go developers. I would not like to live on an island with this - should be easily reproducible and no super-specialized ultra-individual setup... ;)
Looks for me like best solution would be if x2go-server had a chroot feature, like e.g. ftp daemons - all other solutions look like maintenance hell. Any chance in getting this on the development road map? If it is tricky (certainly it is!) - this is one more argument for doing it the right way once and forever... one config variable
chroot-users=yes
and everybody will go crazy :)))
<snip>
By placing each user in their own VServer (thus each user has their own X2Go Server), one gains the advantage of a fixed IP address per user which is great for non-repudiation.
Because VServer uses a single file system, one can use mount binds to do very creative things between the VServers such as using KDE KIOSK or XDG shared directories to centralize administration of applications across all the X2Go servers.
Hope that helps - John
Hi BUGHUNTER,
On Thu 15 Mar 2012 22:38:46 CET BUGHUNTER wrote:
How about installing X2Go + applications on the server and then setting up a chroot with --bind mounts and tmpfs directories. Each chroot jail will have _one_ homedir and ,,linked-in''-FHS-compliant directories.
well, how exactly the chroot should be setup so that everything works?
Never chrooted X2Go myself, so you are the first one to develop that ;-)
Tricky approach this will be...
if there is no best-practice in doing this already: how are people preventing users from walking up the directory tree?
No best practice here. I am not scared of people walking through the
Unix-Directory tree. If your file permissions are sane, this should
not be a problem. I love transparency, so I am not at all scared of
this.
One might argue that a chroot is not really needed (if you have no problem with users reading your /etc - why not) or e.g. SELinux might be the better way to setup tighter server-side security precautions - I am open to any solution, but I will prefer the one that is already in use somewhere and is best supported by x2go developers. I would not like to live on an island with this - should be easily reproducible and no super-specialized ultra-individual setup... ;)
We will support anything you come up with. It has to make (generic)
sense, of course. :-)
Looks for me like best solution would be if x2go-server had a chroot feature, like e.g. ftp daemons - all other solutions look like maintenance hell. Any chance in getting this on the development road map? If it is tricky (certainly it is!) - this is one more argument for doing it the right way once and forever... one config variable
It would be awesome if we could get to a point where we finally have
such an option.
chroot-users=yes
and everybody will go crazy :)))
Indeed!
Mike