From: Vladislav Kurz
To: 1465@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1465: Bug#1465: Bug#1465: Bug#1465: Allow running with restricted shell (rbash), or limit applications that can be run.
Date: Mon, 04 May 2020 18:00:42 +0200

On Monday, 4 May 2020 17:01:10 CEST, Stefan Baur wrote:
> And here's the next catch: They intend to use Libreoffice as their
> single published application. Which allows the user to write their own
> macros in Libreoffice Basic. Which allows them to read binary files and
> do things with them. Like convert them to a bunch of QR codes and
> display them. So to do the things that need to be done, they (the
> owners) are depending on an executable which the user can do so much
> more with than they want it to do. And there's no way to limit that,
> other than to refrain from using Libreoffice as a front-end.
>
> -Stefan

With full respect to the users, if they were capable of that, they would
probably be able to write a similar spreadsheet from scratch (and have some
other job).

I know that redesigning the whole calculation as a web application would be much
better. But if protection against 80% of users can be done with 20% effort, I
would do it. You say that 100% protection is not possible, so there is no
reason to do anything...

All I want is to close this one obvious hole:

ssh somewhere "cat file" > file

I cannot remove the exec bit from /bin/cat, because it is required to set up the x2go
session. If the rbash guide I referenced at the beginning worked, this would
be possible.

Best regards
Vladislav Kurz