Re: [Ltsp-developer] LTSP User/Group access to applications

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

hi,
On Di, 2008-01-15 at 18:16 -0800, Raymond Irving wrote:
> Hello,
>=20
> Why is it so difficult to setup a system in which an
> admin can restrict the applications that multiple
> users/groups can access?
did you try creating profiles with sabayon (or in case of kde kiosktool)
the problems you describe are actually session oriented, so i'd use the
desktop specific session profile editor to create matchng sessions with
the given restrictions.
>=20
> For example: I would like GroupsA and GroupB to be
> able to launch and use FireFox. All other users/groups
> will not be able to do so.
>=20
> I had to enable extended attributes then load eiciel
> or use setACL to configure the extend ACLs (which by
> the way can't be copied to another ext3 drive). I then
> later found out that all my ACLs were removed. I'm
> using Ubuntu 7.04
>=20
> My point it why isn't there a system system in LTSP
> that allows the admin to configure which user/group
> can  launch an application.
no, and since thats very session specific that should be up to the
desktops session lockdown software to provide such functionallity
LTSP is a technique to enable diskless hardware, the more of it you
integrate in the session management the harder your maintenance gets.

LTSP should stay as independent from the server sided desktop system as
possible, things that we have to work around on the session side are
bugs in the desktop software imho.=20

in edubuntu we have a long ongoing spec (worked on by a volunteer who
has very limited time so it takes some releases) for group driven menus,
if you combine that with the functionallity of pessulus to disable
commandline access etc. it should gain you eaxctly what you describe
above but instead of doing it on a filesystem level you will have
copyable configurations.

>=20
> It could by default allow all apps to run but support
> something like a restricted_apps config options
>=20
> restricted_app =3D firefox | GroupA, GroupB, UserA;
>=20
> The above would mean that a "LTSP client" will only be
> able to launch firefox if he/she is a member of
> GroupA, GroupB or is UserA.
>=20
> What do you guys think about this idea?
its a great idea but i would see it as a distinct app related to the
desktop or integrated in the different lockdown editors ...

ciao
	oli