From: Oliver G. <og...@ub...> - 2008-01-16 10:11:03
hi,

On Tue, 2008-01-15 at 18:16 -0800, Raymond Irving wrote:
> Hello,
>
> Why is it so difficult to set up a system in which an
> admin can restrict the applications that multiple
> users/groups can access?

did you try creating profiles with sabayon (or in case of kde kiosktool)?
the problems you describe are actually session oriented, so i'd use the desktop specific session profile editor to create matching sessions with the given restrictions.

>
> For example: I would like GroupsA and GroupB to be
> able to launch and use FireFox. All other users/groups
> will not be able to do so.
>
> I had to enable extended attributes then load eiciel
> or use setACL to configure the extended ACLs (which by
> the way can't be copied to another ext3 drive). I then
> later found out that all my ACLs were removed. I'm
> using Ubuntu 7.04
>
> My point is why isn't there a system in LTSP
> that allows the admin to configure which user/group
> can launch an application.

no, and since that's very session specific that should be up to the desktop's session lockdown software to provide such functionality.

LTSP is a technique to enable diskless hardware, the more of it you integrate in the session management the harder your maintenance gets. LTSP should stay as independent from the server sided desktop system as possible, things that we have to work around on the session side are bugs in the desktop software imho.

in edubuntu we have a long ongoing spec (worked on by a volunteer who has very limited time so it takes some releases) for group driven menus, if you combine that with the functionality of pessulus to disable commandline access etc. it should gain you exactly what you describe above but instead of doing it on a filesystem level you will have copyable configurations.
>
> It could by default allow all apps to run but support
> something like a restricted_apps config option
>
> restricted_app = firefox | GroupA, GroupB, UserA;
>
> The above would mean that a "LTSP client" will only be
> able to launch firefox if he/she is a member of
> GroupA, GroupB or is UserA.
>
> What do you guys think about this idea?

it's a great idea but i would see it as a distinct app related to the desktop or integrated in the different lockdown editors ...

ciao
oli
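
Added example, not part of the original message and not LTSP code: a Python parser and access check for the `restricted_app` syntax proposed in the quoted text. The option exists only as a proposal in this thread; the function names, the constructed sample config, the default-allow fallback and the single namespace for users and groups are assumptions.

```python
import re

# Constructed sample config using the syntax proposed in the thread.
SAMPLE_CONFIG = """
# hypothetical config fragment
restricted_app = firefox | GroupA, GroupB, UserA;
restricted_app = gimp | GroupB;
"""

# restricted_app = <app> | <principal>[, <principal>...];
RULE_RE = re.compile(r"^\s*restricted_app\s*=\s*([^|;\s]+)\s*\|\s*([^;]*);\s*$")


def parse_rules(text):
    """Return {app: set(principals)}. Malformed lines raise instead of being
    skipped, so a typo cannot silently leave an app unrestricted."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: malformed rule: {stripped!r}")
        app = match.group(1)
        names = {p.strip() for p in match.group(2).split(",") if p.strip()}
        if not names:
            raise ValueError(f"line {lineno}: no users or groups listed for {app!r}")
        rules.setdefault(app, set()).update(names)
    return rules


def may_launch(rules, app, user, groups):
    """Default allow: only apps named in a rule are restricted.
    Assumption: the proposed syntax does not distinguish users from groups,
    so a user named like a listed group would also match."""
    if app not in rules:
        return True
    return bool(rules[app] & ({user} | set(groups)))


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONFIG)
    for user, groups in [("alice", ["GroupA"]), ("bob", ["GroupC"]), ("UserA", [])]:
        print(user, "firefox:", may_launch(rules, "firefox", user, groups))
```
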