Opened 9 years ago

Last modified 8 years ago

#92 accepted enhancement

fine grained access rights for clients: globals + per session options

Reported by: Antoine Martin
Owned by: Antoine Martin
Priority: major
Milestone: 1.0
Component: Client
Keywords:
Cc:

Description (last modified by Antoine Martin)

At the moment, if a client can log in then he can access everything.


We must change the way we store authorization keys from the current ssh style (one line per file in .winswitch/client/authorized_keys - which should be in /server/ anyway) to a first-class object: ClientPermissions, saved as UUID.conf.


OTOH at minimum, we should have:

  • can_start_session
  • can_start_desktop
  • can_control_as_owner
  • can_control_as_actor
  • can_shadow_[local_display|vnc|nx]
  • can_tunnel_[sound|print|file]
  • can_grant_permissions
  • can_see_others_permissions


On login, we look it up and pass the permissions back to the user as part of the add_user command.
The ssh-add and local logins will grant all permissions automatically.


Some new session attributes (set on start and modifiable):

  • locked (only owner/actor can release it)

etc.


Some new commands:

  • set_session_attributes (and also overload start_session) to protect a session.
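
A sketch of the ClientPermissions object described above, added here as an illustration and not taken from the Window Switch code base. The key=value layout of UUID.conf and the method names (parse, grant_all, allows, filename) are assumptions; the permission names are the ones listed in the ticket, with the bracketed alternatives expanded.

```python
# Added illustration; not Window Switch code. The key=value layout of
# UUID.conf and all method names below are assumptions.
import uuid

# Flag names from the ticket, with the bracketed alternatives expanded.
PERMISSIONS = frozenset(
    ["can_start_session", "can_start_desktop",
     "can_control_as_owner", "can_control_as_actor",
     "can_grant_permissions", "can_see_others_permissions"]
    + ["can_shadow_" + x for x in ("local_display", "vnc", "nx")]
    + ["can_tunnel_" + x for x in ("sound", "print", "file")])


class ClientPermissions:
    def __init__(self, client_uuid, granted=()):
        # Canonicalising through uuid.UUID rejects ids such as "../x", so
        # the derived file name cannot escape the permissions directory.
        self.uuid = str(uuid.UUID(client_uuid))
        unknown = set(granted) - PERMISSIONS
        if unknown:
            raise ValueError("unknown permissions: %s" % sorted(unknown))
        self.granted = frozenset(granted)

    @classmethod
    def grant_all(cls, client_uuid):
        # ssh-add and local logins receive every permission.
        return cls(client_uuid, PERMISSIONS)

    @classmethod
    def parse(cls, client_uuid, text):
        # Default deny: only an explicit "name=true" line grants a flag.
        granted = set()
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            key, sep, value = (p.strip() for p in line.partition("="))
            if not sep or key not in PERMISSIONS:
                raise ValueError("bad line: %r" % line)
            if value.lower() == "true":
                granted.add(key)
        return cls(client_uuid, granted)

    def filename(self):
        return self.uuid + ".conf"

    def allows(self, permission):
        return permission in self.granted
```

A missing flag and a misspelled flag behave differently here: the first is denied, the second makes the whole file fail to load, so a typo cannot silently widen or narrow a client's rights.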

Change History (3)

comment:1 Changed 9 years ago by Antoine Martin

Milestone: 0.9.3 → 0.9.4
Owner: changed from Antoine Martin to Antoine Martin
Status: new → accepted

comment:2 Changed 9 years ago by Antoine Martin

Milestone: 0.9.4 → 1.0

comment:3 Changed 8 years ago by Antoine Martin

Description: modified (diff)