X2Go Bug report logs - #1234
acl-users-allow=ALL supersedes acl-users-deny


Package: x2gobroker; Maintainer for x2gobroker is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2gobroker is src:x2gobroker.

Reported by: Walid MOGHRABI <w.moghrabi@servicemagic.eu>

Date: Tue, 21 Nov 2017 17:30:02 UTC

Severity: normal

Tags: patch, pending

Fixed in version 0.0.4.0

Done: X2Go Release Manager X2Go Release Manager <git-admin@x2go.org>

Bug is archived. No further changes may be made.



Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1234; Package x2gobroker. (Tue, 21 Nov 2017 17:30:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Walid MOGHRABI <w.moghrabi@servicemagic.eu>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 21 Nov 2017 17:30:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.x2go.org (full text, mbox):

From: Walid MOGHRABI <w.moghrabi@servicemagic.eu>
To: submit@bugs.x2go.org
Subject: acl-users-allow=ALL supersedes acl-users-deny
Date: Tue, 21 Nov 2017 18:23:32 +0100 (CET)
package: x2gobroker
priority: normal
tags: patch

When using ACLs with the session broker, I wanted to give access to a session setting to ALL users EXCEPT some (namely "formation{1..9}").
I tried this but it didn't work:

=================================================
[TRAVAUX]
fullscreen=true
clipboard=none
name=TRAVAUX
host=tce-server (10.10.10.1)
acl-users-allow=ALL
acl-users-deny=formation1, formation2, formation3, formation4, formation5, formation6, formation7, formation8, formation9
acl-any-order=deny-allow
=================================================

I played with many settings, changing order, using only the "acl-users-deny" option, ... none of them worked as expected.

I ended up thinking that there was a bug with acl-users-allow=ALL which was taking over any other setting.

I did a little fix that seems to work, at least for this use case.

Regards,
Walid Moghrabi

TRAVAUX.COM
BAT I - PARC CEZANNE 2 290 AVENUE GALILEE - CS 80403
13591 AIX EN PROVENCE CEDEX 3

[x2gobroker_acl-users-allow.patch (text/x-patch, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1234; Package x2gobroker. (Sun, 26 Nov 2017 06:35:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sun, 26 Nov 2017 06:35:01 GMT) Full text and rfc822 format available.

Message #10 received at 1234@bugs.x2go.org (full text, mbox):

From: Mihai Moldovan <ionic@ionic.de>
To: Walid MOGHRABI <w.moghrabi@servicemagic.eu>, 1234@bugs.x2go.org, mike.gabriel@sunweavers.net
Subject: Re: [X2Go-Dev] acl-users-allow=ALL supersedes acl-users-deny
Date: Sun, 26 Nov 2017 07:33:40 +0100
* On 11/21/2017 06:23 PM, Walid MOGHRABI wrote:
> When using ACLs with the session broker, I wanted to give access to a session setting to ALL users EXCEPT some (namely "formation{1..9}").
> I tried this but it didn't work:
> [...]

I really have no idea what the rules are supposed to be.

For users, the current rules are (simplified, the actual rules are longer but
also redundant):
  [allow-deny]: allow && !deny
  [deny-allow]: allow

(allow stands for "user explicitly listed in allow list", deny stands for "user
explicitly listed in deny list".)


This doesn't make sense to me.
For instance, a user not explicitly listed in the allowed list will be denied
access in deny-allow mode, while in allow-deny mode; a user that is explicitly
granted access will still be denied if it is listed in the denied list.


What was the original inspiration for this?


It's not Apache httpd, since that has different rules...


My naïve understanding of this would be that:
  [allow-deny]: allow user if explicitly mentioned in allowed list, otherwise
allow if not explicitly denied
  [deny-allow]: deny user if explicitly mentioned in denied list, otherwise allow

Examples for [allow-deny] ("..." denotes a list *not* containing user):
  allow = { user, ... }; deny = { user, ... } => ALLOW
  allow = { user, ... }; deny = { ... }       => ALLOW
  allow = { ... };       deny = { ... }       => ALLOW
  allow = { ... };       deny = { user, ...}  => DENY

Examples for [deny-allow] ("..." denotes a list *not* containing user):
  allow = { user, ... }; deny = { user, ... } => DENY
  allow = { user, ... }; deny = { ... }       => ALLOW
  allow = { ... };       deny = { ... }       => ALLOW
  allow = { ... };       deny = { user, ... } => DENY


This is useful because it allows access in the case a user is not a member of
any list (emulating the behavior of not using any ACL for a specific user) and
otherwise giving correct precedence to a specific list.


The current behavior is not explicitly documented either, but only "implicitly"
by code and tests, which makes it difficult to understand what is intended and
what isn't.

For instance, one test case explicitly mentions:

  [deny-allow] allow = { user }; deny = { ALL }; => ALLOW

which just doesn't make sense to me. If all users are denied and the order is
deny-allow, why would the user be allowed, even if it's in the allow list? The
order isn't allow-deny, so if all users are denied with the deny-allow order,
the allow list shouldn't even come into play.



Mihai

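The following is an added example, not x2gobroker's own code, that implements the allow-deny / deny-allow semantics Mihai proposes above and evaluates the reporter's TRAVAUX profile against them; it assumes that "ALL" acts as a wildcard matching every user, that lists are comma-separated, and that deny-allow is the order used when acl-any-order is absent (all three are assumptions, not statements about x2gobroker).

```python
import configparser

# Constructed sample: the session profile from the bug report. The reporter's
# intent is to deny formation1..9 and allow everyone else.
SAMPLE_PROFILE = """
[TRAVAUX]
fullscreen=true
clipboard=none
name=TRAVAUX
host=tce-server (10.10.10.1)
acl-users-allow=ALL
acl-users-deny=formation1, formation2, formation3, formation4, formation5, formation6, formation7, formation8, formation9
acl-any-order=deny-allow
"""


def parse_list(value):
    """Split 'a, b, c' into a set of names; an empty value yields an empty set."""
    return {name.strip() for name in value.split(",") if name.strip()}


def listed(user, names):
    """True if the user is named explicitly or the list holds the ALL wildcard (assumed)."""
    return "ALL" in names or user in names


def user_allowed(user, allow, deny, order):
    """Decide access with the semantics proposed in the message above.

    allow-deny: an explicit allow entry wins; otherwise the user is allowed
                unless explicitly denied.
    deny-allow: an explicit deny entry wins; otherwise the user is allowed
                (the allow list does not come into play at all).
    A user on neither list is therefore always allowed, i.e. treated as if
    no ACL were configured for that user.
    """
    in_allow = listed(user, allow)
    in_deny = listed(user, deny)
    if order == "allow-deny":
        return in_allow or not in_deny
    if order == "deny-allow":
        return not in_deny
    raise ValueError("unknown acl-any-order: %r" % order)


def check_profile_acl(profile_text, section, user):
    """Parse an ini-style profile and evaluate one user against its ACL keys."""
    cfg = configparser.ConfigParser()
    cfg.read_string(profile_text)
    sec = cfg[section]
    allow = parse_list(sec.get("acl-users-allow", ""))
    deny = parse_list(sec.get("acl-users-deny", ""))
    order = sec.get("acl-any-order", "deny-allow")  # assumed default order
    return user_allowed(user, allow, deny, order)


if __name__ == "__main__":
    # With these semantics the reporter's profile behaves as intended:
    # formation3 is denied, any other account is allowed.
    for name in ("formation3", "alice"):
        verdict = check_profile_acl(SAMPLE_PROFILE, "TRAVAUX", name)
        print(name, "->", "ALLOW" if verdict else "DENY")
```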

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1234; Package x2gobroker. (Mon, 12 Feb 2018 15:00:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 12 Feb 2018 15:00:02 GMT) Full text and rfc822 format available.

Message #15 received at 1234@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 1234-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 1234@bugs.x2go.org
Subject: X2Go issue (in src:x2gobroker) has been marked as pending for release
Date: Mon, 12 Feb 2018 15:56:21 +0100 (CET)
tag #1234 pending
fixed #1234 0.0.4.0
thanks

Hello,

X2Go issue #1234 (src:x2gobroker) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=x2gobroker.git;a=commitdiff;h=75bc19e

The issue will most likely be fixed in src:x2gobroker (0.0.4.0).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit 75bc19eea6433110733d53e4de23ab2703b19179
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date:   Mon Feb 12 15:53:33 2018 +0100

    x2gobroker/brokers/base_broker.py: Entire rewrite of check_profile_acls() method. (Fixes: #1234).

diff --git a/debian/changelog b/debian/changelog
index 2d7940e..116897b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,8 @@ x2gobroker (0.0.4.0-0x2go1) UNRELEASED; urgency=medium
     - x2gobroker/basicauth.py: Fix call of base64.decodestring on Python3.
     - Unit tests: Fix deep misunderstanding in the way allow-deny vs.
       deny-allow should actually work.
+    - x2gobroker/brokers/base_broker.py: Entire rewrite of
+      check_profile_acls() method. (Fixes: #1234).
   * debian/{control,compat}: Bump to DH version level 9.
   * debian/{control,x2gobroker-common.install}:
     + Split out common files into non-Pythonian bin:pkg.
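Review bot: the two added changelog lines describe the check_profile_acls() change only as an "Entire rewrite" without stating the resulting precedence rules; since message #10 points out that the ACL behaviour was previously documented only implicitly by code and tests, consider stating in the entry (or in etc/x2gobroker.conf) which list wins under allow-deny and under deny-allow and what happens to a user on neither list, so that an administrator combining acl-users-allow=ALL with acl-users-deny can predict the outcome.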


Added tag(s) pending. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Mon, 12 Feb 2018 15:00:02 GMT) Full text and rfc822 format available.

Marked as fixed in versions 0.0.4.0. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Mon, 12 Feb 2018 15:00:02 GMT) Full text and rfc822 format available.

Message sent on to Walid MOGHRABI <w.moghrabi@servicemagic.eu>:
Bug#1234. (Mon, 12 Feb 2018 15:00:02 GMT) Full text and rfc822 format available.

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1234; Package x2gobroker. (Sat, 02 Feb 2019 21:10:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to X2Go Release Manager X2Go Release Manager <git-admin@x2go.org>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sat, 02 Feb 2019 21:10:07 GMT) Full text and rfc822 format available.

Message #27 received at 1234@bugs.x2go.org (full text, mbox):

From: X2Go Release Manager X2Go Release Manager <git-admin@x2go.org>
To: 1234-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 1234@bugs.x2go.org
Subject: X2Go issue (in src:x2gobroker) has been marked as closed
Date: Sat, 2 Feb 2019 22:08:25 +0100 (CET)
close #1234
thanks

Hello,

we are very hopeful that X2Go issue #1234 reported by you
has been resolved in the new release (0.0.4.0) of the
X2Go source project »src:x2gobroker«.

You can view the complete changelog entry of src:x2gobroker (0.0.4.0)
below, and you can use the following link to view all the code changes
between this and the last release of src:x2gobroker.

    http://code.x2go.org/gitweb?p=x2gobroker.git;a=commitdiff;h=a2455880e34e31546054ce50abd1512c61430b51;hp=dbea0c7c20c58e6783ea796691f0881131ad6590

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:x2gobroker.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:x2gobroker
Version: 0.0.4.0-0x2go1
Status: RELEASE
Date: Sat, 02 Feb 2019 21:50:29 +0100
Fixes: 1013 1234 1240 1252 1315
Changes:
 x2gobroker (0.0.4.0-0x2go1) RELEASED; urgency=medium
 .
   [ Mike Gabriel ]
   * New upstream version (0.0.4.0):
     - Bump upstream version to 0.0.4.0.
     - Port to Python 3. (Fixes: #1240).
     - Drop left-over debug print() call.
     - Makefile: Assure that setup.py is run under Python3.
     - Improve debugging messages during authentication phase.
     - x2gobroker/basicauth.py: Fix call of base64.decodestring on Python3.
     - Unit tests: Fix deep misunderstanding in the way allow-deny vs.
       deny-allow should actually work.
     - x2gobroker/brokers/base_broker.py: Entire rewrite of
       check_profile_acls() method. (Fixes: #1234).
     - x2gobroker/tests/test_web_plain_base.py: Add test case for passwords
       with accentuated characters (using the testsuite_authmech for now).
     - Makefile: Support skipping installation of the x2gobroker PyModule.
       Useful when building with CDBS on Debian.
     - Makefile: Compress man pages.
     - Makefile: Run setup.py build at build time.
     - tmpfiles.d utilization: Create RUNDIR/x2gobroker via tmpfiles.d system.
       Fixes missing dir and flawed permissions when running under systemd.
     - etc/x2gobroker.conf: Mention the per-profile option for enabling/disabling
       load checker support.
     - sbin/{x2gobroker-pubkeyauthorizer,x2gobroker-keygen}: Use proper octal
       numbers for file permissions.
     - sbin/x2gobroker-pubkeyauthorizer: Fix key lookup in os.environ for
       Python3.
     - sbin/x2gobroker-pubkeyauthorizer: Some string/bytecode fixes for Python3.
       Plus urllib -> urllib.request.
     - sbin/x2gobroker-pubkeyauthorizer: Improve key integrity checker and move
       it further up. Plus one more Python2 -> Python3 issue fixed.
     - sbin/x2gobroker-pubkeyauthorizer: Drop unused binascii import.
     - x2gobroker-pubkeyauthorizer: Tiny Python2to3 fix.
     - load checker integration: Make the default-use-load-checker option work
       like all other default-* options.
     - uccs frontend: Convert datetime.datetime object to string before answering
       the http request with it.
     - x2gobroker/agent (check_load()): Bail out if no remote agent is given.
     - x2gobroker-testagent: Convert to Python3 (using 2to3 tool).
     - x2gobroker-loadchecker: Python3'ify iteration over dict keys.
     - x2gobroker/utils.py: Provide helper functions for pretty-formatting key
       fingerprints.
     - x2gobroker-keygen: Use new fingerprint formatting functions.
     - x2gobroker/agent.py: Bail out if no hostaddr contained in remote_agent.
     - x2gobroker/agent.py: No load-checking when remote_agent is set to 'LOCAL'.
     - x2gobroker/agent.py: Better sanity checks for remote_agent and its dict
       keys hostname and hostaddr.
     - x2gobroker/loadchecker.py: Report properly to the logger if we fail to
       obtain a load factor.
     - x2gobroker-loadchecker.service: loadchecker service needs to chuid to
       system user x2gobroker. (Fixes: #1252).
     - x2gobroker-loadchecker.service: File ownership should be
       x2gobroker:x2gobroker, too.
     - x2gobroker-loadchecker: No chown/chmod if we are not running as root
       (which is mostly the case).
     - x2gobroker/brokers/inifile_broker.py: Make sure profile['name'] has a
       fallback if not given in the session profile.
     - x2gobroker/brokers/inifile_broker.py: Also check for presence of 'host'
       and 'sshport'.
     - UCCS API change for X2Go Sessions: Rename "SessionType" to "Command".
     - obligatory profile keys: Move from inifile backend to UCCS frontend, as
       those requirements are frontend specific.
     - UCCS: Start working on API version 5.
     - x2gobroker/uccsjson.py: Hide private Python class properties from JSON
       dict (like <obj>._api_version).
     - UCCS frontend: Fix API version check.
     - UCSS frontend: Propagate API version onwards to the X2GoServer JSON
       generator class.
     - infile broker backend: Fix handling of empty lists in session profile
       and session profile defaults.
     - etc/x2gobroker-wsgi.apache.*: Drop Apache2.2 support.
     - Log to system broker.log file when run via x2gobroker-ssh.
     - Getting started documentation: Rework document, convert to markdown,
       install into x2gobroker bin:pkg (on DEB based systems).
     - Makefile.docupload: Add apidoc target (running sphinx-apidoc).
     - docs/source: Initialize Sphinx API documentation's .rst files.
     - bin/x2gobroker: If binding the http server fails, a non-zero exit code
       should be returned. (Fixes: #1013).
     - x2gobroker/loadchecker.py: Don't re-read the x2gobroker.conf during
       each cycle of the load checking loop. Rather read it on service startup
       and require a service restart when x2gobroker.conf has been changed.
     - x2gobroker/loadchecker.py: Avoid rare cases where at the end of a load
       checking cycle a negative sleep time would have been calculated.
       (Fixes: #1315). Thanks to Walid Moghrabi for catching this.
     - HTTP broker: Add &login=<server_user> support to plain and json broker
       frontends.
     - SSH broker: Add --login option. This now supports X2Go Broker user and
       X2Go Server username being different accounts.
     - bin/x2gobroker: Correctly use split_host_address() function call.
     - bin/x2gobroker: Don't override already defined logger objects, define
       them properly where needed.
     - Convert one more unicode object into (Python3) string.
     - x2gobroker/tests/test_broker_agent.py: Assure that tests are run without
       loadchecker usage.
     - broker-use-load-checker profile option: Also tolerate 'TRUE' and 'True'.
     - x2gobroker/agent.py: Fix failing execution of LOCAL broker agent. As
       the LOCAL broker agent is executed setuid root, we cannot
       Popen.terminate() (which is unneeded anyway) the process after its
       execution.
     - Ignore SSH broker events for now. Not sure if we will ever support that.
     - Finalize API documentation.
     - Fix regression flaw in x2gobroker/web/json.py, introduced by commit
       9fa371e9.
   * debian/*:
     + Trigger Makefile's install target and install those files. Drop debhelper
       from-source-installation magic.
   * debian/{control,compat}: Bump to DH version level 9.
   * debian/{control,x2gobroker-common.install}:
     + Split out common files into non-Pythonian bin:pkg.
   * debian/*.install:
     + Add EOLs at EOF.
     + Add tmpfiles.d files into bin:pkgs.
     + Fix installation to /usr/lib/python3.x paths.
   * debian/control:
     + Drop from D (several bin:pkgs): python3-argparse, argparse is shipped
       with Python3 core.
     + Switch from libapache2-mod-wsgi to libapache2-mod-wsgi-py3.
     + Add B-D: dh-python.
     + Add B-D: python3-netaddr (for unit tests).
   * debian/x2gobroker-loadchecker.postinst:
     + Do chown/chmod on the correct file (not authservice.log, but
       loadchecker.log).
   * debian/python-x2gobroker-doc.doc-base:
     + Drop leading white-space in Abstract: field.
   * x2gobroker.spec:
     + Adapt to Python3 port.
     + Bump package version.
     + CentOS 6 + 7 have python34-devel, not python3-devel.
     + Enable debug_packages for openSUSE Tumbleweed (suse_version > 1500).
     + CentOS 6 + 7 have python34-setuptools, not python3-setuptools.
     + Fix removal of conf files in tmpfiles.d where needed.
     + Install tmpfiles.d configs into bin:pkgs.
     + Only install tmpfiles.d configs on systems that support/have systemd.
     + Some path fixes for the new tmpfiles.d/.
     + Make sure the build chroot has all it needs to run the PyModule's unit
       tests.
     + Let's try to get unit tests working on Fedora first...
 .
   [ Mihai Moldovan ]
   * New upstream version (0.0.4.0):
     - src/x2gobroker-{agent,ssh}.c: catch errors in setuid wrappers and add
       general return clause to make compilers happy.
     - Makefile: make sure that we actually append our custom CFLAGS and
       LDFLAGS values, even if passed in through the make command line.
     - src/x2gobroker-{agent,ssh}.c: fix compile warnings/errors.
     - src/x2gobroker-{agent,ssh}.c: fix more compile errors.
     - misc: copyright update.
     - misc: switch to HTTPS-based URLs where appropriate.
     - man/*: update date and version stamps pre-release.
     - misc: add missing coding modelines.
   * x2gobroker.spec:
     - Add %debug_package macro when debugging is to be enabled, hoping that it
       will actually generate proper debuginfo (and -source) sub packages
       owning files.
     - Whitespace only.
     - Remove obsolete EPEL 5 support.
     - Switch to HTTPS-based links.
     - Use more curly braces.
     - Pull in gcc and redhat-rpm-config.
     - Re-enable debug file generation to see which OS versions still fail.
     - %exclude does not work with curly braces, revert.
     - Remove %debug_package macro usage, breaks builds nowadays.
     - Pass down global flags in CFLAGS and LDFLAGS.
     - Fix %{__global_ldflags} usage if variable does not exist.
     - Commands don't seem to work when wrapped in curly braces (at least on
       *SuSE), so revert.


Marked Bug as done Request was from X2Go Release Manager X2Go Release Manager <git-admin@x2go.org> to control@bugs.x2go.org. (Sat, 02 Feb 2019 21:10:20 GMT) Full text and rfc822 format available.

Notification sent to Walid MOGHRABI <w.moghrabi@servicemagic.eu>:
Bug acknowledged by developer. (Sat, 02 Feb 2019 21:10:20 GMT) Full text and rfc822 format available.

Message sent on to Walid MOGHRABI <w.moghrabi@servicemagic.eu>:
Bug#1234. (Sat, 02 Feb 2019 21:10:25 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.x2go.org> to internal_control@bugs.x2go.org. (Sun, 03 Mar 2019 06:24:01 GMT) Full text and rfc822 format available.



X2Go Developers <owner@bugs.x2go.org>. Last modified: Tue Mar 19 21:15:16 2019; Machine Name: ymir.das-netzwerkteam.de
