X2Go Bug report logs - #1465
Allow running with restricted shell (rbash), or limit applications that can be run.

version graph

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Vladislav Kurz <vladislav.kurz@webstep.net>

Date: Wed, 22 Apr 2020 16:25:01 UTC

Severity: wishlist

Found in version 4.1.0.3-0~1708~ubuntu16.04.1

Full log


Message #18 received at 1465@bugs.x2go.org (full text, mbox, reply):

Received: (at 1465) by bugs.x2go.org; 4 May 2020 12:07:02 +0000
From ulrich.sibiller@gmail.com  Mon May  4 14:07:00 2020
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
	ymir.das-netzwerkteam.de
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=3.0 tests=BAYES_40,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,FREEMAIL_REPLYTO,
	FREEMAIL_REPLYTO_END_DIGIT,SPF_HELO_NONE,URIBL_BLOCKED autolearn=no
	autolearn_force=no version=3.4.2
Received: from mail-yb1-xb43.google.com (mail-yb1-xb43.google.com [IPv6:2607:f8b0:4864:20::b43])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 4B43C5DAC1
	for <1465@bugs.x2go.org>; Mon,  4 May 2020 14:06:59 +0200 (CEST)
Received: by mail-yb1-xb43.google.com with SMTP id v9so2934098ybq.13
        for <1465@bugs.x2go.org>; Mon, 04 May 2020 05:06:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:reply-to:from:date:message-id
         :subject:to;
        bh=VbCEjJmz/tNSk2xC+j4a6CLhHmVNizb5eBoHSN5ws6I=;
        b=plzWN7YfDyNsLXdlRV/3tN5EIepxZ4nt5myhS4qu7ihCcWKkp4vGi+d3l8BUlbTrS3
         U/rgUxcBQT5IrsBcx6GbbQ60nCiWo3e6EQzciSZtHfqtdivrDoRhju33JcKOn03EkwIe
         JPobX1xp/TJmhYYjKMXoRydFjYqxNT21kIwwcfkyhhFog9EC1FoQtRgdMt4S6eqOSx+M
         vcTOnoUaRWw/upsybA8TVJKDU1tupvKKqHnmso06bc2CCtMRu4GhxFkZgQZy5uel1GZ4
         hXwbeNfX4YZun2GUILB795OiwXIwZpk3j4ZjEN4Wwaa08/BKBuXrsvr9NEOrVqt0Q2tE
         PnlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:reply-to
         :from:date:message-id:subject:to;
        bh=VbCEjJmz/tNSk2xC+j4a6CLhHmVNizb5eBoHSN5ws6I=;
        b=L5JzrtBBwaNohEAoklI3wIc8fJc5zkAej5TGNDLM34qN9KUeqW5rT7IJ5JwlIbkO3H
         4hy+btUd//7El7l3W2tmJUjMPZRLWuE/oteVH6qRN3XAi/k5GuFQv52aOwKbK9yixby7
         kOx3OujIpwk2VRgZncQ535PwQgbM0s2bkoUdfPPO/qhiP5kaPB5C0DzpARo+cG27l6Jn
         Bs4m5Tk0OYKck8cHGuFG3PI4mRL/oz/DlcElLwbc1OxbW0qdDSx8iUTmwvwpJQ1lnqAY
         YIMl5ABf5h7I7MNag4hiTMpxblOiQSFhJ74AqPV5Cdh5hFkml2ZOswb2sToZozzGT2le
         Js9A==
X-Gm-Message-State: AGi0PuZVA9PvP3hHADpSAcmgHG+MIQyBK8GVuQRXw091sj3fKthy6Q6N
	y+YWI/GEf8PA1lnLQHyYCclpT3+yn0PFdSolbEE=
X-Google-Smtp-Source: APiQypJ4b8saFY27fuaCY6FZ8T2miEUF4I4s9ofPQRRE6X6jO6VRHAqftkKZrhTLSgHJuI6ULpbUhbggbpF4BSqDxVE=
X-Received: by 2002:a25:aa0c:: with SMTP id s12mr25815401ybi.183.1588594017707;
 Mon, 04 May 2020 05:06:57 -0700 (PDT)
MIME-Version: 1.0
References: <b0f7f18d-b027-712a-9fec-5b91773d13c0@baur-itcs.de>
 <2807081.Gr0nKVqjWH@hex> <1902964.pRvSqubr2C@hex> <73e4e27f-a592-5730-2781-f0f80403bdd7@baur-itcs.de>
In-Reply-To: <73e4e27f-a592-5730-2781-f0f80403bdd7@baur-itcs.de>
Reply-To: uli42@gmx.de
From: Ulrich Sibiller <ulrich.sibiller@gmail.com>
Date: Mon, 4 May 2020 14:06:31 +0200
Message-ID: <CANVnVYKUiCR3T9BeYBvNR5ZO7vt7FuXiH=m0J=Z0FSaepu5+Zg@mail.gmail.com>
Subject: Re: [X2Go-Dev] Bug#1465: Bug#1465: Allow running with restricted
 shell (rbash), or limit applications that can be run.
To: Stefan Baur <X2Go-ML-1@baur-itcs.de>, 1465@bugs.x2go.org
Content-Type: text/plain; charset="UTF-8"
On Mon, May 4, 2020 at 1:15 PM Stefan Baur <X2Go-ML-1@baur-itcs.de> wrote:
> You need to realize the truth: What a user can see (as in "access"),
> they can copy.

Well, I basically agree with what you wrote. But the OP was mentioning
he just wants to provide _one_ single published application.

Now let us assume some pre-conditions:
- the application is unable to display the data you want to protect.
If not, all the ways you mocked up above could be used and the
approach will not work
- the application cannot start other apps like an xterm or a shell on
user request
- there's only ssh access
- the x2go scripts are sane and secure

Then all we'd need was
- a restricted ssh-key that only allows for the commands that are
required for the x2go session handling
- ensuring the x2go session handling will only start that single
application and no other user specified command.

The user then can still configure arbitrary sessions but they will
either always fail or ignore the user's command and run the one
application in question. We could also provide a server side setting
that only allows published application connects.

It will not work out of the box but I am pretty sure it could be implemented.

Also, IIRC Mihai added an explicit bash call into certain commands to
make it work fur users with a different login shell. And obviously the
original rbash instructions worked before. So you could also try to
set that up and do some research where to remove the explicit bash
calls.

Comments?

Uli


Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Aug 13 12:24:44 2020; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.