On Fri, Feb 18, 2011 at 18:52:28 (CET), John A. Sullivan III wrote: > On Fri, 2011-02-18 at 17:18 +0100, Reinhard Tartler wrote: >> <snip>The question is if there was a legitimate use-case for having users >> that can login via ssh, but are not in the x2gousers group, i.e., cannot >> login via x2go. > <snip> > It's a bit of a stretch but I could see it in hosted environments like > ours. Although we do not do this specifically, let's say there is an > application server which is also hosting X2Go desktops. The client may > have an external consultant/support person who should not have a > billable X2Go desktop but does need console access to support the > application via, say, a VPN connection. > > Come to think of it, I suppose that is not just a hosting issue. A > company using X2Go may not want to give desktop access to consultants > who are supporting applications running on the same server. That sounds > like poor practice but there may be some legitimate reason to do that > which we haven't considered. Is that more in line with what you were > asking? Thanks - John
Indeed, that would. AFAIUI, you also agree that this is a pretty obscure corner case that is not worth to have as default. Therefore, I suggest to drop the sudo stuff completely and install x2gowrapper as 'suid x2gouser' so that no additional configuration is necessary. With this change, the use-case above doesn't work anymore. In order to restore that functionality, the database schema would need to be extended to implement a blacklist. And in fact, your explanation kindof confirms that a blacklist would be more suited than the current whitelist (i.e., the x2gousers group) approach. -- Gruesse/greetings, Reinhard Tartler, KeyID 945348A4 _______________________________________________ X2go-dev mailing list [email protected] https://lists.berlios.de/mailman/listinfo/x2go-dev
