[X2go-dev] Use case for an x2go user-group
Reinhard Tartler
siretart at tauware.de
Fri Feb 18 19:18:12 CET 2011
On Fri, Feb 18, 2011 at 18:52:28 (CET), John A. Sullivan III wrote:
> On Fri, 2011-02-18 at 17:18 +0100, Reinhard Tartler wrote:
>> <snip>The question is if there was a legitimate use-case for having users
>> that can login via ssh, but are not in the x2gousers group, i.e., cannot
>> login via x2go.
> <snip>
> It's a bit of a stretch but I could see it in hosted environments like
> ours. Although we do not do this specifically, let's say there is an
> application server which is also hosting X2Go desktops. The client may
> have an external consultant/support person who should not have a
> billable X2Go desktop but does need console access to support the
> application via, say, a VPN connection.
>
> Come to think of it, I suppose that is not just a hosting issue. A
> company using X2Go may not want to give desktop access to consultants
> who are supporting applications running on the same server. That sounds
> like poor practice but there may be some legitimate reason to do that
> which we haven't considered. Is that more in line with what you were
> asking? Thanks - John
Indeed, that would.
AFAIUI, you also agree that this is a pretty obscure corner case that is
not worth to have as default. Therefore, I suggest to drop the sudo
stuff completely and install x2gowrapper as 'suid x2gouser' so that no
additional configuration is necessary. With this change, the use-case
above doesn't work anymore.
In order to restore that functionality, the database schema would need
to be extended to implement a blacklist. And in fact, your explanation
kindof confirms that a blacklist would be more suited than the current
whitelist (i.e., the x2gousers group) approach.
--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
More information about the x2go-dev
mailing list