On Tue, 2010-10-05 at 09:37 +0200, Oleksandr Shneyder wrote:
> Hello Rob, list
> 
> In a multi-user environment, session information of all users is stored
> in one database table. If we grant access to this table to all
> users, each user will be able to view or change data of other users;
> that's unacceptable. Using sudo we can give a user access only to his
> own data. It's the simplest way we have found to protect data of other
> users. In postgresql we could use views, but not all DBMS have such
> mechanisms. We cannot, however, create a single table for every user,
> because all users should know which DISPLAYs/ports are currently in use
> by other users.
> 
> Rob, you are right. The user which executes sql queries does not
> necessarily have to be root. As you can see, in x2gopgwrapper.local all
> queries are executed as user postgres. We could make the same changes in
> x2gopgwrapper_local and x2gopgwrapper_net, but we need to add a new
> user to the system (as user "x2go" in your example). Unfortunately since
> x2goserver version 3_0.1-9
> (http://x2go.obviously-nice.de/deb/pool-heuler/x2goserver/)
> there is one more reason to run x2gopgwrapper as root. Running with
> argument "startshadowagent", x2gopgwrapper should start x2gostartagent as
> the user whose desktop will be displayed. I don't see a simple way to do
> this without root privileges.
<snip>
We were quite uncomfortable running as the postgres user in our
environment.  We altered the scripts so that they used schemas instead.
Each user can see only their schema within the single PostgreSQL
database.  We then created a separate table for sessions with the
information needed to be held in common.  That was visible to postgres
and we used triggers to synchronize the common table with the individual
schemas.  Finally, we moved all functionality which needed the postgres
and root users to the x2gocleansessions daemon so that users have very
restricted access to the database and the underlying system.  I don't
know if those changes would be portable to your system - John

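The per-user-schema layout John describes, sketched as an added PostgreSQL example (not code from the X2Go project or from either poster; the schema, table, column and role names "common", "sessions_in_use", "alice" and "agent_port" are assumptions). The point is that a user can only write to the table in their own schema, while the DISPLAY/port bookkeeping everyone must see lives in a read-only shared table that a SECURITY DEFINER trigger keeps in sync:

```sql
-- Shared table: readable by every X2Go user, writable only through the trigger.
CREATE SCHEMA common;
CREATE TABLE common.sessions_in_use (
    session_id  text    PRIMARY KEY,
    owner       name    NOT NULL,
    display     integer NOT NULL UNIQUE,   -- no two sessions may share a DISPLAY
    agent_port  integer NOT NULL UNIQUE    -- nor a port
);
GRANT USAGE  ON SCHEMA common            TO PUBLIC;
GRANT SELECT ON common.sessions_in_use   TO PUBLIC;  -- no INSERT/UPDATE/DELETE

-- Runs with the privileges of its owner (the DBA), so the ordinary user never
-- needs write access to the common table. session_user (not current_user) is
-- the login user: inside a SECURITY DEFINER function current_user is the owner.
CREATE FUNCTION common.sync_session() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = common, pg_temp AS $$
BEGIN
    IF TG_OP = 'INSERT' THEN
        INSERT INTO common.sessions_in_use (session_id, owner, display, agent_port)
        VALUES (NEW.session_id, session_user, NEW.display, NEW.agent_port);
        RETURN NEW;
    ELSIF TG_OP = 'DELETE' THEN
        -- a user can only ever remove their own bookkeeping row
        DELETE FROM common.sessions_in_use
         WHERE session_id = OLD.session_id AND owner = session_user;
        RETURN OLD;
    END IF;
    RETURN NULL;
END
$$;
REVOKE ALL ON FUNCTION common.sync_session() FROM PUBLIC;

-- Per-user part, repeated for each login (here the assumed role "alice").
-- The DBA keeps ownership of the table so alice cannot drop the trigger;
-- she only gets row-level DML rights on her own sessions table.
CREATE SCHEMA alice;
GRANT USAGE ON SCHEMA alice TO alice;
CREATE TABLE alice.sessions (
    session_id  text    PRIMARY KEY,
    display     integer NOT NULL,
    agent_port  integer NOT NULL,
    status      text
);
GRANT SELECT, INSERT, UPDATE, DELETE ON alice.sessions TO alice;
CREATE TRIGGER alice_sessions_sync
    AFTER INSERT OR DELETE ON alice.sessions
    FOR EACH ROW EXECUTE PROCEDURE common.sync_session();
ALTER ROLE alice SET search_path = alice, common;
```

With this layout a duplicate DISPLAY or port chosen by any user is rejected by the UNIQUE constraints on the shared table, and an attempt by alice to write to common.sessions_in_use directly fails with a permission error.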
_______________________________________________
X2go-dev mailing list
X2go-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/x2go-dev
