From unknown Fri Mar 29 14:54:44 2024 X-Loop: owner@bugs.x2go.org Subject: Bug#1465: [X2Go-Dev] Bug#1465: Bug#1465: Bug#1465: Bug#1465: Allow running with restricted shell (rbash), or limit applications that can be run. Reply-To: Stefan Baur , 1465@bugs.x2go.org Resent-From: Stefan Baur Resent-To: x2go-dev@lists.x2go.org Resent-CC: X2Go Developers X-Loop: owner@bugs.x2go.org Resent-Date: Mon, 04 May 2020 14:10:01 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.x2go.org X-X2Go-PR-Message: followup 1465 X-X2Go-PR-Package: x2goserver X-X2Go-PR-Keywords: References: <2807081.Gr0nKVqjWH@hex> <556ee27c-521d-be03-5a43-08843247b4fb@baur-itcs.de> <2807081.Gr0nKVqjWH@hex> <2471789.PIXMQkQJa5@hex> <2807081.Gr0nKVqjWH@hex> Received: via spool by 1465-submit@bugs.x2go.org id=B1465.1588601227887 (code B ref 1465); Mon, 04 May 2020 14:10:01 +0000 Received: (at 1465) by bugs.x2go.org; 4 May 2020 14:07:07 +0000 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=3.0 tests=BAYES_00,RCVD_IN_MSPIKE_H2, SPF_HELO_NONE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.2 Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.10]) by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 2BE245DAC1 for <1465@bugs.x2go.org>; Mon, 4 May 2020 16:07:00 +0200 (CEST) Received: from [192.168.0.15] ([78.43.58.112]) by mrelayeu.kundenserver.de (mreue108 [212.227.15.145]) with ESMTPSA (Nemesis) id 1N3sVq-1j5NhL3IZs-00zowm for <1465@bugs.x2go.org>; Mon, 04 May 2020 16:06:59 +0200 To: 1465@bugs.x2go.org From: Stefan Baur Autocrypt: addr=X2Go-ML-1@baur-itcs.de; prefer-encrypt=mutual; keydata= xsBNBFLfOiwBCACzIiDVwWVRvuMzgSAvXRFRaPaZOSB8s84PG1oGLfmqhwzF44vj1Xv4tcKD mvu0TsLTksOkvop8WwGYeeU8lDaxEG1zyN8SOu1WU/FPEKw2jITRox8yIrSkUsMkWYuxdjv/ 9XcAh9qaPsHP7E1jD6/wVZuYZkuX6W41Nxt06VsvDGCfrbQh4ya7w1IiSnoQeIHNNQVN9f3j xcHLj5S5YriSCThtbFCdr3AJXfF5iMolu8kLgAXM0bH1C7PxAjM/pQjWmdMVN/Y+uXXzcMO8 8aQ0f0q3QeGWxCAP2xwBapUfP6LHDRPp/tV7P7ji8wKlabrSGdv0M9Qd9pn/YCYQE0ZdABEB AAHNJlN0ZWZhbiBCYXVyIDxwb3N0bWFzdGVyQHN0ZWZhbmJhdXIuZGU+wsCCBBMBAgAsAhsj BwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4ACGQEFAlwtWmgFCRK0IbcACgkQbt30GM2+URkj nwgAixhVoMxijCsh9jxxCUYBj7lC5HYhJmlAB+bZOfl1XI8xqMLw8YGECfu0VSe++FlaOAuc gArofqu79E2+wKxPaqW2lC94eKR1+kgkDOJyqckYj2Xmyi+vDfrOWjbyawIwiq5FUW2CB6zv nkTr68ZQ43mAVC1zz2tpAikn2Af4/OdHwUBzSAOpUt4rDbXDe93WW34XuyG2RDma6kE1Cr0u ilqvzKOz5SYp5ASmCyaA0wCzs7fjTy2KuMlOCSFRzwPJpzddr8rS9ZiTLdia/BZvShBEjOq4 MZHWYv+RGK5RB4eDzw0KbPszXRJBUdXiZIcI0jqbC57Ht64ok3lXquXp987ATQRS3zosAQgA 4KPXmGU1XE8CTRJ/4m/f8MTri3JfEvGJTerWwC2hBuXHGWrSBmmRNAdJHzNTvq5IoR9tQ6Cb Nrqxf6alr/v34Vr2bUg0s+jlK9TWOkVLAFoz6zytm/2BrRBIZ5So6Ymfc6efwsScsHOI++wi pzqELkpluqtXysb13RsBVLxBdp5TZCVPjCc9pLWjudfjEagQt2oJgtO2WndasrKvoZYkfRi6 oSCK9B84YjNJoRF00LdK3n7K3SBvj4UPSl+ygzLVaD+3ZdIlbhX+bfn/Vp/10xdJ+/U8Fr7l 7umrBKr17D8eO3mRYMGY9w1qc+pfNGOR76GIbPWj2tPVaBD9nmUaowARAQABwsBlBBgBAgAP AhsMBQJcLVqtBQkStCH9AAoJEG7d9BjNvlEZInkIAIcchwZxurIpwJJR8qMMXD+RSvj7mY55 VIXOKUX0uAUTEoJTzFcqbdGkzcJB9y0NlUo9dv4chPT21M61y0bjJjhaDUshCLa1+YyFSSWp GBOKrLIsWusqC9zVwgf7TtjVmXt23jZwoDWjXoMlg9eQONMi5Z4u+lDOyPKD+lGJAcjJkQsI zL9hha3vuhmUclxgdALTJWzQBp+Y7u9QDub4uqf/TyuDpYASiP0winBRfTug+XjP5YZjU//P 07H9WhiUCsHp6L9j3QzvrovVy2zz0j7JhyhW3e957vHz2skkSVv3QGtHMswcgK3XaQ9YdgWO ELHmBhevaIcJIxDvTBl3pYQ= Message-ID: Date: Mon, 4 May 2020 16:06:59 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 MIME-Version: 1.0 In-Reply-To: <2471789.PIXMQkQJa5@hex> Content-Type: text/plain; charset=utf-8 Content-Language: de-DE Content-Transfer-Encoding: 8bit X-Provags-ID: V03:K1:dZwkUOseqarsCLwfQmEol8XI22yN5aHm9iVboEINQTun0b05Ppa LpyDNiFVXeahL7Rwrt0CtEavATng8hfHzcITgCN0pXBaabFahpg6SrwmO6+6GTG28W1DwVj vyIQw46RwxM1WP4qBV6AGit6azeZr/dDn2fULB1/fQ7DQ2SOAJubTFCLNDGOHkXSPvOMdCF fHhozYFZhwfT35ZzldbXA== X-UI-Out-Filterresults: notjunk:1;V03:K0:30Yx9zGWFOI=:dNavMXqnT5wbsFkdh91MpN mqARamymWvR0788eiqGKEs0dL0m4c35rwwP5KtOn43ZGiYjbIqThrxW1KlUKI2wJOFuxm5tKh D3/0lfPFbLP6a/s2JemxO15IBGBPtOMYG3/TkR/+/sGSLrJ8PrAsn6BwzTYQX6jO3ipWXn30S hxEsH4RE9KHf89hW8L/fM/+r7stnjdMYOECXNPLAgkM8Ki1I4lJIF7JDlw2pKdI6VZS0OJTzj NrD0xquUSG57ek71xyf0ga092gl70tz1HBxnNGk0LsBVJvHG65r6S9CMOmoVFhcmjd2gAAcRs Wo35JlvFMsakeD6pD7oXNTI+30lz9XiuuBB6tysyJlMFdULNAv6h1H+aHgXS6nbyOL2f4S9lr St1LF4c3DVJTq0lkVPURFrmBsH0F1SDP3BFAICsfXIEXO5ZEJ5+iQviSLYHsUNPszu890RE/x c/KwyV8NHYyQ2g3nwWxYoyvGlPM/RAOgrrU+JdSUXz+NnNGKOjY/tcB1+AknV9IDbuup5bTkJ vb96cOsFGvBSyPkf/+Ib83LJow1thGCMch9uTMPRjtBfVIAmX5K9LzcvRlhTRXNiYKMaAydR0 1Z1+ZIcWkQqV87jnJcBxAJnNdSPmjXT20/OW4cN1MP5vbPHCHUuOIFAOipq92dYhBedt0Ask/ BeJv4yUgLnuz+qluoHa5o8zKfB8h2n03/A2sVKjdLAuqAS0JtyxnWtZ3BsdDjwfxMzTECFnPp mKKtvLzQcj/ucOemZGSSTzlClln6VMdzs9SleLQQtgZQtzTzY/J6bXSFjeANM/VVRoXUMNx/I tY6sspo0XfRlBAq50XVnGtge+HcXJuws2LKi6YjEB9H5J7AQ0Oc1ZY/YUq3/JiC59BijptH Am 04.05.20 um 15:34 schrieb Vladislav Kurz: > Hello, > > I'm not sure If I should post to @bugs.x2go.org or x2go-dev mailing list. Since you opened a bug report, use <1465@bugs.x2go.org>, that way, all the right things (TM) will happen automagically. > I have to explain it. The protected thing is openoffice sheet with some complex > formulas. The formulas should be protected from viewing by openoffice somehow > (that was not my task so I did not really check that in detail). Users fill in > input data, get the results, and can print them via CUPS to PDF (or paper). We > do not want them to get the sheet and use it elsewhere. They are allowed to > make work copies of the sheet within the protected environment, but should not > be able to get it out. And that's your design flaw that you need to fix. You really need to separate the logic from the data, so the users can't access it. You could, for example, try using stored procedures in a database, and use Libreoffice or a Web browser as the GUI front end for the database access. Or you could try using Libreoffice in headless mode, by querying parameters from the users in a script, properly sanitizing them (whitelist the allowed input characters, instead of blacklisting potentially troublesome ones), then passing them on to be inserted in a template of your spreadsheet, and automatically print the result to a PDF. That way, the users won't be in direct contact with your precious formulas, but only with a script you wrote (which would then call libreoffice under a user id that has permission to access the spreadsheet), and with a PDF viewer. If the users have access to Libreoffice, and to your spreadsheet, they *will* be able to come up with a way to copy your file. And if it is formula by formula using a QR code or OCR. For example, Libreoffice Basic - the Macro language used by Libreoffice that any user can write macros in - allows raw file I/O. So it would be possible to read your spreadsheet file byte-by-byte (bypassing any Libreoffice-internal protections it may have), encode it in a QR code (current Libreoffice even has its own QR encoder built in), then scan that code on the client, and save the result as a file. And once it is stored on the attacker's machine, they can brute-force their way into whatever protection you tried to apply, until they see your formulas. There is NO WAY of making it safe if you don't separate formulas and data from each other. X2Go won't help you. Switching to a different remote access solution won't help you. Switching operating systems won't help you. Your problem is not X2Go, but how mighty and versatile Libreoffice is. You're trying to mitigate a severe security/privacy flaw in your basic design with kludgy workarounds, instead of fixing it properly. This is hopeless and won't end well. -Stefan -- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243