[X2Go-User] x2go + chroot
John A. Sullivan III
jsullivan at opensourcedevel.com
Thu Mar 15 22:55:05 CET 2012
On Thu, 2012-03-15 at 22:38 +0100, BUGHUNTER wrote:
> Hello Mike,
>
> > I try to hear what you aim at... My guess: one central installation of
> > X2Go and a desktop shell (GNOME, KDE, ...) or single applications.
>
> yes, that is right!
>
> > Whereas the software rests in one single installation, each user is
> > presented with his/her own chroot.
>
> Having to set up applications for each user would be pita I think...
>
> > How about installing X2Go + applications on the server and then
> > setting up a chroot with --bind mounts and tmpfs directories. Each
> > chroot jail will have _one_ homedir and "linked-in" FHS-compliant
> > directories.
>
> well, how exactly the chroot should be set up so that everything works?
>
> > Tricky approach this will be...
>
> if there is no best-practice in doing this already: how are people
> preventing users from walking up the directory tree?
>
> One might argue that a chroot is not really needed (if you have no
> problem with users reading your /etc - why not) or e.g. SELinux might
> be the better way to set up tighter server-side security precautions -
> I am open to any solution, but I will prefer the one that is already
> in use somewhere and is best supported by x2go developers. I would not
> like to live on an island with this - should be easily reproducible
> and no super-specialized ultra-individual setup... ;)
>
> Looks for me like best solution would be if x2go-server had a chroot
> feature, like e.g. ftp daemons - all other solutions look like
> maintenance hell. Any chance in getting this on the development road
> map? If it is tricky (certainly it is!) - this is one more argument
> for doing it the right way once and forever... one config variable
>
> chroot-users=yes
>
> and everybody will go crazy :)))
<snip>
By placing each user in their own VServer (thus each user has their own
X2Go Server), one gains the advantage of a fixed IP address per user
which is great for non-repudiation.
Because VServer uses a single file system, one can use mount binds to do
very creative things between the VServers such as using KDE KIOSK or XDG
shared directories to centralize administration of applications across
all the X2Go servers. Hope that helps - John
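
The layout suggested in the quoted text (shared software trees bind-mounted read-only, a tmpfs scratch directory, exactly one home directory per jail) can be written out as a dry-run mount plan. This is an added example, not part of the original thread and not an X2Go feature; `JAIL_BASE`, `SHARED_DIRS` and `jail_plan` are hypothetical names, and the host's /etc is deliberately not bound, so a minimal per-jail /etc is assumed to be populated separately.

```shell
#!/bin/sh
# Added example: print (do not execute) the mount commands for one user's jail.
# JAIL_BASE and SHARED_DIRS are assumptions, not X2Go settings.
JAIL_BASE=${JAIL_BASE:-/srv/jails}
SHARED_DIRS=${SHARED_DIRS:-"/bin /lib /usr"}

jail_plan() {
    user=$1
    # Refuse names that could point outside JAIL_BASE or be read as options.
    case $user in
        ''|.|..|-*|*[!A-Za-z0-9._-]*)
            echo "jail_plan: invalid user name" >&2
            return 1 ;;
    esac
    jail=$JAIL_BASE/$user

    for d in $SHARED_DIRS; do
        # Bind the centrally installed tree, then remount that bind read-only
        # so a jailed user cannot modify the shared software.
        echo "mount --bind $d $jail$d"
        echo "mount -o remount,bind,ro $jail$d"
    done

    # Private scratch space; nosuid,nodev keeps planted files from gaining privilege.
    echo "mount -t tmpfs -o nosuid,nodev,mode=1777 tmpfs $jail/tmp"

    # Exactly one home directory is visible inside the jail.
    echo "mount --bind /home/$user $jail/home/$user"
    echo "mount -o remount,bind,nosuid,nodev $jail/home/$user"
}

# Stand-alone use: sh jail_plan.sh alice
if [ "$#" -gt 0 ]; then
    jail_plan "$1"
fi
```

The plan covers only the file-system view; a chroot does not confine a process that holds root privileges inside it.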