Reinhard Tartler | 24 Dec 15:32 2012
Picon

Re: [X2Go-User] Problem with KDE, Network Manager and X2Go

Dear Daniel,

Network manager defines a default security policy that allows altering
networking-related settings only when the user sits in front of the
computer. This policy in general does make sense, otherwise users
would be able to break their active session.

It seems unfortunate that this policy seems to affect VPN settings as
well. This issue should definitely be discussed with the Network
Manager maintainers. However before doing that, I think should learn
more about the current situation. For instance, I'm not sure if x2go
registers a proper console-kit session besides the one that is created
as part of the ssh connection. I could imagine having a configuration
switch to consider 'x2go' remote sessions as "local" at least for
testing purposes. I fear we in x2go should really revisit and properly
document the design of session management - it is not trivial at all!

Unfortunately, none of the current developers seem to have the
resources to do this properly. For instance, as you have noticed
yourself, x2goserver-xsession is not installed by default, but TBH, I
think this is a bug that is related to the overly strict recommend
relationship declaration on the x2goserver package (another wtf from
my side). The only documentation for this package is here:
http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=x2goserver-xsession/doc/README.Xsession-x2go
- Unfortunately, it leaves a lot of questions (such as "what is a
Xsession config file", etc.). I'm not sure how to proceed from here,
hence, I copy the x2go-dev mailing list as I feel that this user issue
indicates a larger, conceptional problem.

What you propose is to introduce a completely new security policy:
everyone in a certain group 'netdev' may change everything. This may
be appropriate in your scenario, but may not be in others. For
instance, have you considered what other packages "use" the netdev
group? Are you fully aware about the consequences in terms of
additional privileges users gain by being put in that group? Moreover,
in a managed environment, where all users are in a network directory
such as NIS or LDAP, it is not that simple to add a user to a
computer-local group, as the group may have a different group ID on
different machines. Such scenarios are not uncommon for larger x2go
deployments at all!

Merry Holidays!

On Mon, Dec 24, 2012 at 9:39 AM, Daniel Lindgren <bd.dali <at> gmail.com> wrote:
> ... and these steps are also necessary to be able to fully use Network
> Manager:
>
> * Add user to the netdev group.
>
> * Create
> /etc/polkit-1/localauthority/50-local.d/org.freedesktop.NetworkManager.pkla
> with these settings:
>
> [nm-applet]
> Identity=unix-group:netdev
> Action=org.freedesktop.NetworkManager.*
> ResultAny=yes
> ResultInactive=no
> ResultActive=yes
>
> * Reboot.
>
>
> _______________________________________________
> X2Go-User mailing list
> X2Go-User <at> lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/x2go-user

--

-- 
regards,
    Reinhard

Gmane