From vladislav.kurz@webstep.net  Wed Apr 22 18:20:30 2020
Received: (at submit) by bugs.x2go.org; 22 Apr 2020 16:20:34 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.7 required=3.0 tests=BAYES_50,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE,URIBL_BLOCKED autolearn=ham
	autolearn_force=no version=3.4.2
Received: from mail.webstep.net (mail.webstep.net [195.201.172.199])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 2620F5DAF0
	for <submit@bugs.x2go.org>; Wed, 22 Apr 2020 18:20:30 +0200 (CEST)
Received: from ip-89-102-32-92.net.upcbroadband.cz ([89.102.32.92]:33926 helo=hex.localnet)
	by mail.webstep.net with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.89)
	(envelope-from <vladislav.kurz@webstep.net>)
	id 1jRI6v-0001iJ-NC
	for submit@bugs.x2go.org; Wed, 22 Apr 2020 18:20:29 +0200
From: Vladislav Kurz <vladislav.kurz@webstep.net>
To: submit@bugs.x2go.org
Subject: Allow running with restricted shell (rbash), or limit applications that can be run.
Date: Wed, 22 Apr 2020 18:20:29 +0200
Message-ID: <2807081.Gr0nKVqjWH@hex>
User-Agent: KMail/5.2.3 (Linux/4.9.0-12-amd64; KDE/5.28.0; x86_64; ; )
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"

Package: x2goserver
Version: 4.1.0.3-0~1708~ubuntu16.04.1
Severity: wishlist

Hello all,

We are using x2go to run a single application on a remote server, and we want to
lock all other access as much as possible. Essentially, we'd like to ensure
that even if the user connects via SSH, he could start only one (or a limited
set) of applications.

I found this guide https://wiki.x2go.org/doku.php/wiki:security:rbash but it 
seems to be somewhat outdated. I followed the instructions, created the 
wrapper command, set up the symlinks, and configured ssh, but then I get this 
error: Connection failed. rbash: bash: command not found

Apparently the x2go client is trying to execute "bash /usr/bin/x2goruncommand"
instead of just "x2goruncommand". If I add bash to the path with allowed 
commands, it starts working. But it makes the whole use of rbash pointless.
Also it allows me to run anything via x2go anyway - as x2goruncommand is a 
bash script, it escapes the restrictions of rbash.

Is it possible to update that wiki page with current requirements - what
commands are necessary in $PATH for restricted shell? I found that at least
nxagent should be there too. And to modify the login sequence so that bash is
not needed in $PATH? BTW is that defined on server or client? Where exactly?

I also found a nice feature "published applications"
https://wiki.x2go.org/doku.php/wiki:advanced:published-applications
It would be nice if the x2go server had a config option, allowing users to run
only the "published applications", or use some other list of allowed commands.

So far my attempts at limiting the access to other applications were not very
successful. There's a lot of stuff needed internally by x2go, so I cannot just
remove execute bit from many commands in (/usr)/bin/.

Thanks for any advice or hotfix.
Best Regards

Vladislav Kurz
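
A check for the problem described in the message above, added here as an example; it is not part of the original report or of x2go. It audits the directory used as the restricted shell's only $PATH entry and flags entries that are shells or shell scripts, since either one runs without rbash restrictions. The function names and the list of shell names are assumptions.

```shell
#!/bin/sh
# Audit a directory that serves as the only $PATH entry of an rbash account.
# Prints one "FLAG<TAB>name<TAB>reason" line per risky entry and returns 1
# if anything was flagged, 0 if the directory looks clean.
# Usage: audit_rbash_path /path/to/restricted/bin

# Assumed list of shell names; extend it for the shells installed locally.
SHELLS="sh bash rbash dash zsh ksh csh tcsh fish busybox"

is_shell_name() {
    for s in $SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

audit_rbash_path() {
    dir=$1
    rc=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        # Resolve symlinks so a link with an innocent name that points
        # at a shell is caught as well.
        target=$(readlink -f "$entry")
        if is_shell_name "$name" || is_shell_name "$(basename "$target")"; then
            printf 'FLAG\t%s\tshell reachable from restricted PATH\n' "$name"
            rc=1
            continue
        fi
        # A script with a shell shebang is executed by a fresh shell that
        # is not restricted, so it is an escape path just like bash itself.
        if [ "$(head -c 2 "$target" 2>/dev/null)" = '#!' ]; then
            interp=$(head -n 1 "$target" | awk '{
                sub(/^#![ \t]*/, "")
                n = ($1 ~ /\/env$/ && NF > 1) ? $2 : $1
                sub(/.*\//, "", n)
                print n
            }')
            if is_shell_name "$interp"; then
                printf 'FLAG\t%s\tscript runs under unrestricted %s\n' \
                    "$name" "$interp"
                rc=1
            fi
        fi
    done
    return $rc
}
```
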

