Is there a possibility to restrict the number of programs within the command

 x2goruncommand

or an other X2Go setup by a list of executable or is there an other possibility to to that.

Details

Problem

I want to restrict a number of user to run only two programs in Single Application Mode on Windows. The back-end is a Ubuntu 18.04 system running in a LXC container. Unfortunately needs x2go a proper shell (/bin/bash), so that a restriction on a sshd level rssh will not work. On the other hand provides the Windows X2Go client the complete and feature rich session types and a client side restriction is questionable.

Idea (dirty hack)

1. I'm aware that chroot-ing could be a more professional option to restrict the user in some kind of a jail but for time reasons it is not an option.

2. I can restrict the interactive access by blocking the login in the as well as the execution of commands .profile script.

3. I've seen, that the complete "command expansion" is driven by the x2goruncommand.

4. My intention is to interfere after line 355 (Code Intention).

5. The script /usr/bin/x2go-access-test reads the list of allowed programs from the user home directory and returns an ALLOW or DENY statement for the program.

ALLOW: $HOME/bin/program1
ALLOW: $HOME/bin/program2 

Question

Is there a more professional option to achieve similar results in the x2go biotop.

Code Intention

    330 WCMD=`echo $cmd | cut -d " " -f 1`
    331 EXEC=`type -P $WCMD`
    332 EXEC_WRAPPER=""
    333 
    334 BNAME=`basename "$EXEC"`
    335 if [ "$BNAME" == "rdesktop" ]
    336 then
    337         if type padsp >/dev/null; then
    338                 EXEC_WRAPPER="padsp"
    339                 args=" -r sound:local"
    340         fi
    341         if [ -d "$HOME/media" ]; then
    342                 args+=" -r disk:X2GoMedia=$HOME/media"
    343         fi
    344 fi
    345 
    346 if [ "$X2GO_SESS_TYPE" == "P" ]
    347 then
    348         IMEXIT="true"
    349         EXEC="/bin/true"
    350         X2GO_SESS_TYPE="R"
    351 fi
    352 
    353 # run x2goserver-extensions for pre-runcommand
    354 x2gofeature X2GO_RUN_EXTENSIONS &>/dev/null && x2goserver-run-extensions "$X2GO_SESSION" pre-runcommand || true
    355 

        # HERE -------------------------------------
        TEST_EXEC=$(/usr/bin/x2go-access-test -e $EXEC -c $HOME/.x2go-access-restriction)
        case $TEST_EXEC in
             ALLOW*)
                "$X2GO_LIB_PATH/x2gosyslog" "$0" "info" "ERROR: command $EXEC execution accepted for user $USER"
             ;;
             DENY*)   
               "$X2GO_LIB_PATH/x2gosyslog" "$0" "warning" "WARNING: command $EXEC execution denied for user $USER"
                EXEC="NOT.ACCEPTED:$EXEC"
             ;;
        esac

    356 sucessful_run=false
    357 if [ "$EXEC" != "" ] && [ -x "$EXEC" ]; then

    406 else
    407         "$X2GO_LIB_PATH/x2gosyslog" "$0" "err" "ERROR: command $EXEC failed to execute"
    408         echo "X2GORUNCOMMAND ERR NOEXEC:$cmd" > "$MESSAGE_FILE"
    409 
    410         # run x2goserver-extensions for fail-runcommand
    411         x2gofeature X2GO_RUN_EXTENSIONS &>/dev/null && x2goserver-run-extensions "$X2GO_SESSION" fail-runcommand || true
    412 
    413 fi

x2go-access-test

#!/usr/bin/env perl
# ---------------------------------------------
# x2go-access-test - Tool to grant user access for
# certain executables
# ---------------------------------------------
use v5.20;
use strict;
use warnings;

# ---------------------------------------------
# Packages
# ---------------------------------------------
use locale;
use Pod::Usage qw(pod2usage);
use Getopt::Long qw(:config no_ignore_case bundling);
use Cwd qw(realpath);
# ---------------------------------------------
# Modern Perl
# ---------------------------------------------
use feature qw(signatures);
no warnings 'once';
no warnings 'experimental';
no warnings 'experimental::signatures';

# ---------------------------------------------
# GLOBALS
# ---------------------------------------------
my $DEBUG  = 0;
my $VERSION = 'V1.0';
my $HOME=$ENV{HOME};
my $FILE="$HOME/.access-restrictions";
my $COMMAND;

# ---------------------------------------------
# Usage sugar: help, man and version for the CLI
# ---------------------------------------------
my $IS_MANUAL;   # Flag show man page
my $IS_HELP;     # Flag show help page
my $IS_VERSION;  # Flag show version
my $IS_REQ_CMD;  # Flag to use the command

# Read commandline options
GetOptions(
    "c|config=s"   => \$FILE,
    "d|debug"      => \$DEBUG,
    "e|exec=s"     => \$COMMAND,
    "h|help"       => \$IS_HELP,
    "m|man"        => \$IS_MANUAL,
    "r|require-exec" => \$IS_REQ_CMD,
    "v|version"      => \$IS_VERSION,
);

# Show help if needed
pod2usage( -verbose => 1, -exitval => 0 ) if $IS_HELP;

# Show man page
pod2usage( -verbose => 2 ) if $IS_MANUAL;

# Print program version
&version if $IS_VERSION;

# No access restrictions are given
print STDERR "CONFIG: $FILE\n" if $DEBUG;

if (not -f $FILE) {
    print "ALLOW NO.RESTRICTIONS\n";
    exit;
}    

if (not defined $COMMAND) {
    if ($IS_REQ_CMD) {
        print "DENY NO.COMMAND\n";
        exit;
    } else {
        print "ALLOW NO.COMMAND\n";
        exit;
    }
}
# Clean up command

print STDERR "COMMAND INPUT $COMMAND\n" if $DEBUG;
($COMMAND)=split(/\s+/, $COMMAND);
print STDERR "COMMAND SPLIT $COMMAND\n" if $DEBUG;
$COMMAND = realpath($COMMAND);
print STDERR "COMMAND PATH $COMMAND\n" if $DEBUG;
my $TEST=`which $COMMAND`; chomp($TEST);
print "DENY WRONG.COMMAND\n" if not $TEST;
$COMMAND=$TEST;
print STDERR "COMMAND CANONICAL $COMMAND\n" if $DEBUG;


my %FILES;
open( my $ih, '<', $FILE) or &errCantOpen;
while(my $ln =<$ih>) {
  $ln =~s/^\s+//;
  $ln =~s/\s+$//;
  next unless $ln =~ /(^ALLOW\:\s|^DENY\:\s)/;
  my ($tkn, $cmd) = split(/\s+/, $ln);
  next if not defined $cmd;
  print STDERR "SETUP LIST $ln\n" if $DEBUG;  
  when($tkn) {
      given('ALLOW:') { $FILES{$cmd} = 1; }
      given('DENY:')  { $FILES{$cmd} = 0; }
  }
}
close($ih);

my $found=$FILES{$COMMAND};
if (not $found) { 
    print("DENY $COMMAND\n");
    exit;
}
print "ALLOW $COMMAND\n";

sub version {
    print STDERR $VERSION,"\n";\
    exit;
}

sub errCantOpen {
    print "DENY WRONG.FILE\n";
    exit;
}


__END__

=pod

=head1 NAME

The program C<x2go-access-test> checks if a given
binary is allowed in a certain context.

=head1 SYNOPSIS

  x2go-access-test --help
  x2go-access-test --man
  x2go-access-test --version
  x2go-access-test -e /bin/bash
  x2go-access-test -e /bin/bash -c ~/.access-restrictions
  x2go-access-test -e /bin/bash -c ~/.access-restrictions -r
  x2go-access-test -e /bin/bash -c ~/.access-restrictions -r -d

=head1 DESCRIPTION

The program C<x2go-access-test> checks if a given binary is allowed in
a certain context. The program was written to augment the utility
x2goruncommand with command restrictions in Single Application Mode.

Allowed or denied programs are defined by a configuration. This
configuratiob intended to be installed by the system administrator and
read-only access rights for the user. The config is a simple list the
leading DENY: and ALLOW: followed by whitespace and absolute path names
of the executable conform to the output of the program which.

Additional restrictions have to be made on the ~/.profile and ~/.bashrc.

=head1 OPTIONS

=over

=item -c, --config

The list of programs to allow or deny. DEFAULT is

    ~/.access-restrictions

and intended to be installed by the system
administrator and read-only access rights for the user.

=item -e, --exec

The executeable program requested for running.

=item -d, --debug

Show debug messages on the STDERR output channel.

=item -h, --help

Show the help context.

=item -m, --man

Show the manual pages context.

=item -r, --require-exec

The executable is required.

=item -v, --version

Show the program version.

=back

=head1 EXAMPLE CONFIG

  DENY:  /usr/bin/xterm
  ALLOW: /usr/bin/xclock

=cut

# ---------------------------------------------
# EOF
# ---------------------------------------------