Hi All,
That is perhaps a naive question. I have never had much to do with desktops. Now, we offer remote Linux desktop (Gnome mostly) to users with x2go. Is there a way to configure GNOME (or another) desktop somehow locked to the particular users and perhaps even particular apps?
I.e., so that any Filemanager would stay under selected paths the user has access to? Access itself is not a problem, as it is controlled by UNIX groups, but just browsing say /home with a few thousand user directories gets slow and disk/CPU-intensive.
(Or perhaps the way would be to auto mount users, but that's a rather big change for the rest of the system too)
-- Grigory Shamov Westgrid/ComputeCanada Site Lead University of Manitoba E2-588 EITC Building, (204) 474-9625
On 2017-02-02 Grigory Shamov wrote:
> Hi All,
> somehow locked to the particular users and perhaps even particular apps?
Particular users can probably be handled with custom pam rules/settings. Particular apps is much harder. I think you'd need to create an install (perhaps virtual) that just has the apps you want those users to use.
> I.e., so that any Filemanager would stay under selected paths the user has access to?
That's chroot-y if you want the OS to only show the user what's in /home/foo in a secure way. However, there's no chroot method that will lock them in one data path without requiring copies of the relevant bins/libs/etc for the apps you want to run. I don't even think any of the recent developments like cgroups, docker, etc, can help you here.
Even trying to hardlink everything into a chroot environment under the user's home dir wouldn't work, I don't think, because of the complexity of login managers, and X in general.
Now you might be able to find a file manager that can be set to limit views to certain paths, but without something at the OS layer locking things down they can always escape somehow if they know what they are doing (or bring up a shell).
If I'm understanding what it is you're trying to do correctly, I'm afraid there may be no solution. However, if you perhaps redefine your policy goals of what exactly you're trying to protect against, perhaps you can achieve those goals without locking things down as drastically as you think you need to.
The Linux Terminal Server Project was geared toward this, but it now appears un-maintained since 2013, which is fine because it's not a download but built into the distributions that support it.
Perhaps you are already aware/using it, but if not you might be able to get some useful ideas.
Alternatively, you could spin a new virtual machine for each desktop, which is actually the more typical way this is done these days. It requires more resources; the trade-off is better security, though they could still navigate around the file system.
John
On Thu, Feb 2, 2017 at 5:24 PM, Trevor Cordes trevor@tecnopolis.ca wrote:
> On 2017-02-02 Grigory Shamov wrote:
> > Hi All,
> > somehow locked to the particular users and perhaps even particular apps?
> Particular users can probably be handled with custom pam rules/settings. Particular apps is much harder. I think you'd need to create an install (perhaps virtual) that just has the apps you want those users to use.
> > I.e., so that any Filemanager would stay under selected paths the user has access to?
> That's chroot-y if you want the OS to only show the user what's in /home/foo in a secure way. However, there's no chroot method that will lock them in one data path without requiring copies of the relevant bins/libs/etc for the apps you want to run. I don't even think any of the recent developments like cgroups, docker, etc, can help you here.
> Even trying to hardlink everything into a chroot environment under the user's home dir wouldn't work, I don't think, because of the complexity of login managers, and X in general.
> Now you might be able to find a file manager that can be set to limit views to certain paths, but without something at the OS layer locking things down they can always escape somehow if they know what they are doing (or bring up a shell).
> If I'm understanding what it is you're trying to do correctly, I'm afraid there may be no solution. However, if you perhaps redefine your policy goals of what exactly you're trying to protect against, perhaps you can achieve those goals without locking things down as drastically as you think you need to.
Hi John,
Thanks! I was not aware of LTSP, will take a look.
-- Grigory Shamov Westgrid/ComputeCanada Site Lead University of Manitoba E2-588 EITC Building, (204) 474-9625
From: Roundtable <roundtable-bounces@muug.ca> on behalf of John Lange <john@johnlange.ca>
Reply-To: Continuation of Round Table discussion <roundtable@muug.ca>
Date: Thursday, February 2, 2017 at 6:41 PM
To: Continuation of Round Table discussion <roundtable@muug.ca>
Subject: Re: [RndTbl] limited Linux Desktop?
The Linux Terminal Server Project was geared toward this, but it now appears un-maintained since 2013, which is fine because it's not a download but built into the distributions that support it.
Perhaps you are already aware/using it, but if not you might be able to get some useful ideas.
Alternatively, you could spin a new virtual machine for each desktop, which is actually the more typical way this is done these days. It requires more resources; the trade-off is better security, though they could still navigate around the file system.
John
What distribution are you using successfully with x2go? And which desktop environment? I’m about to try implementing that myself…
-Adam
From: Roundtable [mailto:roundtable-bounces@muug.ca] On Behalf Of Grigory Shamov
Sent: February 2, 2017 12:36
To: Continuation of Round Table discussion roundtable@muug.ca
Subject: [RndTbl] limited Linux Desktop?
Hi All,
That is perhaps a naive question. I have never had much to do with desktops. Now, we offer remote Linux desktop (Gnome mostly) to users with x2go. Is there a way to configure GNOME (or another) desktop somehow locked to the particular users and perhaps even particular apps?
I.e., so that any Filemanager would stay under selected paths the user has access to? Access itself is not a problem, as it is controlled by UNIX groups, but just browsing say /home with a few thousand user directories gets slow and disk/CPU-intensive.
(Or perhaps the way would be to auto mount users, but that's a rather big change for the rest of the system too)
Hi Adam,
CentOS 6; works with Gnome (from the OS) and/or IceWM. I don't know how successfully: some of our users are using it. We are not doing anything special, just installed it.
-- Grigory Shamov Westgrid/ComputeCanada Site Lead University of Manitoba E2-588 EITC Building, (204) 474-9625
From: Roundtable <roundtable-bounces@muug.ca> on behalf of Adam Thompson <athompso@athompso.net>
Reply-To: Continuation of Round Table discussion <roundtable@muug.ca>
Date: Thursday, February 2, 2017 at 7:17 PM
To: 'Continuation of Round Table discussion' <roundtable@muug.ca>
Subject: Re: [RndTbl] limited Linux Desktop?
What distribution are you using successfully with x2go? And which desktop environment? I'm about to try implementing that myself...
-Adam
Also, what about simply “chown a-r,a+x /home” ? Would that break any apps?
-Adam
chmod? It might break things, some of the users are using UNIX groups to share files.
-- Grigory Shamov
From: Roundtable <roundtable-bounces@muug.ca> on behalf of Adam Thompson <athompso@athompso.net>
Reply-To: Continuation of Round Table discussion <roundtable@muug.ca>
Date: Thursday, February 2, 2017 at 7:19 PM
To: 'Continuation of Round Table discussion' <roundtable@muug.ca>
Subject: Re: [RndTbl] limited Linux Desktop?
Also, what about simply "chown a-r,a+x /home" ? Would that break any apps?
-Adam
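Added example, not part of the thread: what the `a-r,a+x` mode change discussed above does to a directory, using `chmod`, the command the follow-up reply names. A scratch directory stands in for `/home` and the current user stands in for an ordinary user; the function names and the file layout are made up for the demo.

```shell
#!/bin/sh
# Constructed demo: a scratch directory stands in for /home and the current
# user stands in for an ordinary user. Nothing outside the scratch dir is touched.

# Build a scratch "home" holding two user directories and one shared file.
make_demo_home() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/alice/shared" "$d/home/bob"
    echo "shared data" > "$d/home/alice/shared/notes.txt"
    chmod 755 "$d/home"          # typical starting mode for /home
    echo "$d"
}

# The mode change from the thread, written with chmod.
lock_listing() {
    chmod a-r,a+x "$1"
}

# Octal permission bits of a path (GNU coreutils / busybox stat syntax).
dir_mode() {
    stat -c '%a' "$1"
}

# Prints "yes" if the caller can enumerate the directory, otherwise "no".
can_list() {
    if ls "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Prints "yes" if the file can be read when its full path is already known.
can_read() {
    if cat "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Restore a removable mode, then delete the scratch tree.
cleanup_demo_home() {
    chmod 755 "$1/home" && rm -rf "$1"
}

demo=$(make_demo_home)
lock_listing "$demo/home"
echo "mode of home after chmod: $(dir_mode "$demo/home")"
echo "can list home:            $(can_list "$demo/home")"
echo "can read file by path:    $(can_read "$demo/home/alice/shared/notes.txt")"
cleanup_demo_home "$demo"
```

Run as root, the listing check reports "yes", because root bypasses directory permission bits.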